Access Control Lists

Packet filtering
  • Used to allow or deny traffic
    • Also used for NAT, QoS, etc.
  • Defined on the ingress or egress of an interface
    • Incoming or outgoing
  • ACLs can evaluate on certain criteria
    • Source IP, Destination IP, TCP port numbers, UDP port numbers, ICMP
  • Deny or permit
    • What happens when an ACL matches the traffic?
  • ACLs have evolved through the years
    • More options and features available for traffic filtering
Firewall rules
  • Access control lists (ACLs)
    • Allow or disallow traffic based on tuples
    • Groupings of categories
      • Source IP, Destination IP, port number, time of day, application, etc.
  • A logical path
    • Usually top-to-bottom
  • Can be very general or very specific
    • Specific rules are usually at the top
  • Implicit deny
    • Most firewalls include a deny at the bottom
      • Even if you didn't put one

Comments

Post a Comment

Popular posts from this blog

Spanning Tree Protocol

Image
Loop protection Connect two switches to each other They'll send traffic back and forth forever There's no "counting" mechanism at the MAC layer This is an easy way to bring down a network And somewhat difficult to troubleshoot Relatively easy to resolve IEEE standard 802.1D to prevent loops in bridged (switched) networks (1990) Switch operation Forwarding decisions made by MAC address Keeps a big table of MAC address that have been seen All forwarding decisions are filtered through this list If the destination MAC is unknown, the frame is flooded Sent to every switch port in the local subnet/VLAN Hopefully the destination station will respond Flooding is hopefully a temporary process Directed traffic resumes when the MAC is seen STP port states Blocking - Not forwarding to prevent a loop Listening - Not forwarding and cleaning the MAC table Learning - Not forwarding and adding to the MAC table Forwarding - Data passes through and is fully operational Disabled - Admini...
Read more

Unicasts, Multicasts, and Broadcasts

Image
Unicast One station sending information to another station Send information between two systems Web surfing, file transfers Does not scale optimally for streaming media Multicast Delivery of information to interested systems One to many Multimedia delivery, stock exchanges Very specialized Difficult to scale across large networks Broadcast Send information to everyone at once One packet, received by everyone Limited scope - the broadcast domain Routing updates, ARP requests Not used in IPv6 - focus on multicast
Read more

Protocol Data Units

PDU (Protocol Data Unit) A unit of transmission A different group of data at different OSI layers Ethernet operates on a frame of data It has no idea what's inside IP operates on a packet of data Inside is TCP or UDP segment, UPD datagram TCP or UDP PDU - TCP segment, UDP datagram Maximum Transmission Unit (MTU) Maximum IP packet to transmit - but not fragment Fragmentation show things down Losing a fragment loses an entire packet Requires overhead along the path Difficult to know the MTU all the way through the path Automated methods are often inaccurate, especially when ICMP is filtered Troubleshooting MTU MTU sizes are usually configured once Based on the network infrastructure and don't change often A significant concern for tunneled traffic The tunnel may be smaller than your local Ethernet segment What if you send packets with Don't Fragment (DF) set? Routers will respond back and tell you to fragment Hope you get the ICMP message! Troubleshoot using ping Ping with DF...
Read more