Wednesday, November 16, 2011

Module 11: Access Control Lists (ACLs) / Overview


Overview
Network administrators must be able to deny unwanted access to a network and allow authorized users to access necessary services. Security tools such as passwords, callback equipment, and physical security devices are helpful. However, they often lack the flexibility of basic traffic filters and the specific controls that most administrators prefer. For example, a network administrator may want to allow users access to the Internet, but not permit external users Telnet access into the LAN.
Routers provide the capability to filter traffic, such as blocking Internet traffic, with access control lists (ACLs). An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols. This module will introduce standard and extended ACLs as a way to control network traffic and explain how they are used as part of a security solution.
This module includes tips, considerations, recommendations, and general guidelines on how to use ACLs. It also includes the commands and configurations needed to create ACLs. Finally, this module provides examples of standard and extended ACLs and describes ACL placement on router interfaces.
An ACL can be as simple as a single line that permits packets from a specific host or it can be a complex set of rules and conditions that defines network traffic and determines the router processes. While many of the advanced uses of ACLs are beyond the scope of this course, this module provides details about standard and extended ACLs, the proper placement of ACLs, and some special applications of ACLs.
This module covers some of the objectives for the CCNA 640-801 and ICND 640-811 exams. 
Students who complete this module should be able to perform the following tasks: 
  • Describe the differences between standard and extended ACLs
  • Explain the rules for placement of ACLs
  • Create and apply named ACLs
  • Describe the function of firewalls
Use ACLs to restrict virtual terminal access 
Posted by at No comments:

Summary of Module 10

Summary
This page summarizes the topics discussed in this module.
The transport layer of the OSI model is responsible for the reliable transport and regulation of data flow from a source to a destination. TCP makes sure that each host on the network is ready and willing to communicate.
A three-way handshake is a process that ensures that each side is ready for data transmission and allows each device to determine the initial sequence number. A three-way handshake starts with a host initiating a connection. The other host receives a packet, records a sequence number and then replies with an ACK. The initiating host then responds back and finalizes the connection.
DoS attacks are designed to deny services to legitimate hosts that attempt to establish connections. It is used by hackers to halt system response. SYN flooding is one type of DoS attack. It exploits the normal three-way handshake and causes targeted devices to ACK to source addresses that will not complete the handshake. Spoofing occurs when a receiving device replies to a non-existent, unreachable IP address and is placed in a wait state until it receives the final ACK from the initiator. In addition to software specifically created as a defense against these kinds of attacks, an administrator can decrease the connection timeout period and increase the connection queue size.
Breaking data into smaller pieces is called segmenting and is done with TCP. Once the data is segmented, it must be transmitted to the destination device. TCP applies sequence numbers to the data segments so that the receiver can reassemble the bytes properly and the sender knows when all the segments have been received. Windowing is the process of flow control that regulates how much data is sent during a given transmission period. TCP uses a sliding window when determining transmission size. A sliding window allows for devices to negotiate a window size to allow for more than one byte to be sent during a single transmission.
Many protocols use PAR to provide reliability. With PAR, the source sends a packet, starts a timer, and waits for an ACK before it sends the next packet. If the timer expires before the source receives an ACK, the source retransmits the packet and resets the timer. TCP uses expectational ACKs in which the Acknowledgment Number refers to the next octet that is expected.
UDP provides connectionless, non-guaranteed transmission of packets at Layer 4 of the OSI model. Since UDP does not use windowing or acknowledgments, application layer protocols must provide error detection.
A port number must be associated with the conversation between hosts to ensure that the packet reaches the appropriate service on the server. Port numbers have the following assigned ranges:
  • The Well Known Ports are those from 0 through 1023
  • The Registered Ports are those from 1024 through 49151
  • The Dynamic and/or Private Ports are those from 49152 through 65535
The three methods of addressing include port numbers, which are located at the transport layer and serviced by the network layer. The network layer assigns the logical or IP address and the data link layer assigns the physical or MAC address.

Posted by at No comments:

Comparison of MAC addresses, IP addresses, and port numbers


Comparison of MAC addresses, IP addresses, and port numbers 
10.2.6 This page will describe the three types of addresses in reference to the OSI model. Port numbers are located at the transport layer and are serviced by the network layer. The network layer assigns the logical address, or IP address, and is then serviced by the data link layer, which assigns the physical address, or MAC address.
A good analogy can be made with a normal letter. The address on a letter consists of a name, street, city, and state. These can be compared to the port, MAC, and IP address used for network data. The name on the envelope would be equivalent to a port number, the street address is the MAC, and the city and state is the IP address. Multiple letters can be mailed to the same street address, city and state, but contain different names on the letters. For instance, two letters could be mailed to the same house with one addressed to John Doe and the other to Jane Doe. This is analogous to multiple sessions with different port numbers. 
This page concludes this lesson. The next page will summarize the main points from this module. 


Posted by at No comments:

Port numbering and well-known port numbers / Example of multiple sessions between hosts

Port numbering and well-known port numbers
10.2.4 This page will discuss the three categories of port numbers.
Port numbers are represented by 2 bytes in the header of a TCP or UDP segment. This 16-bit value can result in port numbers ranging from 0 to 65535. The three categories of port numbers are well-known ports, registered ports, and dynamic or private ports. The first 1023 ports are well-known ports. These ports are used for well-known network services such as FTP, Telnet, or DNS. 
Registered ports range from 1024 to 49151. Ports between 49152 and 65535 are defined as dynamic or private ports.
The Interactive Media Activity will help students become more familiar with port numbers.
The next page will give an example of multiple sessions.
Example of multiple sessions between hosts 
10.2.5 This page will explain how port numbers are used to track multiple sessions that can occur between hosts. The source and destination port numbers combine with the network address to form a socket. A pair of sockets, one on each host, forms a unique connection. For instance, a host might have a Telnet connection through port 23 and an Internet connection through port 80. The IP and the MAC addresses would be the same because the packets are received from the same host. Therefore, each conversation on the source side needs its own port number, and each service requested needs its own port number.
 In the Lab Activity, students will enable HTTP on a router and observe well-known ports.
The next page will discuss the three types of addresses.
Posted by at No comments:

Ports for clients


Ports for clients
10.2.3 This page will discuss source ports, which are set by clients.
Whenever a client connects to a service on a server, a source and destination port must be specified. TCP and UDP segments contain fields for source and destination ports. Destination ports, or ports for services, are normally defined using the well-known ports. Source ports set by the client are determined dynamically.
In general, a client determines the source port by randomly assigning a number above 1023. For example, a client that attempts to communicate with a Web server will use TCP and assign the destination port as 80 and the source port as 1045. When the packet arrives at the server, it moves up to the transport layer and eventually to the HTTP service, which operates at port 80. The HTTP server responds to the clients request with a segment that uses port 80 as the source and 1045 as the destination. Clients and servers use ports to distinguish which process each segment is associated with.
The next page will teach students about the three categories of port numbers.
Posted by at No comments:

Ports for services

Ports for services
10.2.2 Services running on hosts must have a port number assigned to them so communication can occur. A remote host attempting to connect to a service expects that service to use specific transport layer protocols and ports. Some ports, which are defined in RFC 1700, are known as the well-known ports. These ports are reserved in both TCP and UDP. 
These well-known ports define applications that run above the transport layer protocols. For example, a server that runs FTP will use ports 20 and 21 to forward TCP connections from clients to its FTP application. This allows the server to determine which service a client requests. TCP and UDP use port numbers to determine the correct service to which requests are forwarded.
The next page will discuss ports in greater detail.
Posted by at No comments:

Multiple conversations between hosts

Multiple conversations between hosts
10.2.1 At any given moment, thousands of packets that provide hundreds of different services travel through a modern network. Many servers use a multitude of services and this causes unique problems for the addressing of packets. If a server is running both SMTP and HTTP, it uses the destination port field to determine what service the source is requesting. The source cannot construct a packet destined for just the server IP address because the destination would not know what service was being requested. A port number must be associated with the conversation between hosts to ensure that the packet reaches the appropriate service on the server. If a server could not distinguish between different conversations, a client could not send an e-mail and browse a Web page at the same time. A method for transport layer conversations to be separated must be used.
Hosts running TCP/IP associate ports at the transport layer with certain applications. Port numbers are used to keep track of different conversations that cross the network at the same time. Port numbers are needed for a host to communicate with a server that uses multiple services. Both TCP and UDP use port or socket numbers to pass information to the upper layers.
Application software developers have agreed to use the well-known port numbers that are defined in RFC1700. Any conversation bound for the FTP application uses the standard port number 21. Conversations that do not involve applications with well-known port numbers are assigned port numbers that have been randomly selected from within a specific range. These port numbers are used as source and destination addresses in the TCP segment. 
Port numbers have the following assigned ranges:
  • The Well Known Ports are those from 0 through 1023
  • The Registered Ports are those from 1024 through 49151
  • The Dynamic and/or Private Ports are those from 49152 through 65535
Systems initiating communication requests use port numbers to select proper applications. Source port numbers for these requests are dynamically assigned by the originating host, and are usually a number larger than 1023. Port numbers in the range of 0-1023 are considered public port numbers and are controlled by the Internet Assigned Numbers Authority (IANA).
Post office box numbers are a good analogy for port numbers. A piece of mail may be sent to a zip code, city, and P.O. box. The zip code and city direct mail to the correct general mail facility while the P.O. box ensures the item is delivered to the one individual to whom the mail is addressed. Similarly, the IP address gets the packet to the correct server, but the TCP or UDP port number guarantees the packet is passed to the correct application.
The next page will discuss well-known ports.
Posted by at No comments:
Subscribe to: Comments (Atom)