infrastructure security features
A network access control list (ACL) is made up of rules that either allow access to a computer environment or deny it.
They are used to filter traffic in our networks as required by the security policy.
Access control entries (ACE) are entries in an access control list containing information describing the access rights related to a particular security identifier or user. Each access control entry contains an ID, which identifies the subject group or individual.
An access control list may have several access control entries with each one defining the access rights of different groups or individuals.
With an ACL you can filter packets for a single or group of IP address or different protocols, such as TCP or UDP.
The devices that are facing unknown external networks, such as the Internet, need to have a way to filter traffic. So, one of the best places to configure an ACL is on the edge routers.
A routing device with an ACL can be placed facing the Internet and connecting the DMZ (De-Militarized Zone), which is a buffer zone that divides the public Internet and the private network.
The DMZ is reserved for servers that need access from the outside, such as Web Servers, app servers, DNS servers, VPNs, etc.
You can also configure an ACL in this router to protect against specific well-known ports (TCP or UDP).
ACLs are directly configured in a device’s forwarding hardware, so they do not compromise the end performance.Placing a stateful firewall to protect a DMZ can compromise your network’s performance.While ACLs might not provide the level of security that a stateful firewall offer, they are optimal for endpoints in the network that need high speed and necessary protection.
1. Standard ACL
The standard ACL aims to protect a network using only the source address.
It is the most basic type and can be used for simple deployments, but unfortunately, it does not provide strong security.Standard ACLS can be either named or numbered, with valid numbers in the range of 1-99 and 1300-1399.This is an example
The standard ACL aims to protect a network using only the source address.
It is the most basic type and can be used for simple deployments, but unfortunately, it does not provide strong security.Standard ACLS can be either named or numbered, with valid numbers in the range of 1-99 and 1300-1399.This is an example
It is the most basic type and can be used for simple deployments, but unfortunately, it does not provide strong security.Standard ACLS can be either named or numbered, with valid numbers in the range of 1-99 and 1300-1399.This is an example
2. Extended ACL
With the extended ACL, you can also block source and destination for single hosts or entire networks.
You can also use an extended ACL to filter traffic based on protocol information (IP, ICMP, TCP, UDP).The ACL’s outgoing rules can further filter packets to only pass those that came from certain destinations. Although extended ACLs let you filter a wider range of packets, these lists are static.ACL Number Ranges
With the extended ACL, you can also block source and destination for single hosts or entire networks.
You can also use an extended ACL to filter traffic based on protocol information (IP, ICMP, TCP, UDP).
You can also use an extended ACL to filter traffic based on protocol information (IP, ICMP, TCP, UDP).
The ACL’s outgoing rules can further filter packets to only pass those that came from certain destinations. Although extended ACLs let you filter a wider range of packets, these lists are static.
ACL Number Ranges
3. Dynamic ACL
Dynamic ACLs, rely upon extended ACLs, Telnet, and authentication. This type of ACLs are often referred to as “Lock and Key” and can be used for specific timeframes.
These lists permit access to a user to a source or destination only if the user authenticates to the device via Telnet.These dynamic ACL entries determine whether and how the interface should route the user’s packets. You can configure network interfaces with static standard and extended ACLs to enforce general access control policies while using dynamic ACLs to make the network more responsive.
Dynamic ACLs, rely upon extended ACLs, Telnet, and authentication. This type of ACLs are often referred to as “Lock and Key” and can be used for specific timeframes.
These lists permit access to a user to a source or destination only if the user authenticates to the device via Telnet.
These lists permit access to a user to a source or destination only if the user authenticates to the device via Telnet.
These dynamic ACL entries determine whether and how the interface should route the user’s packets. You can configure network interfaces with static standard and extended ACLs to enforce general access control policies while using dynamic ACLs to make the network more responsive.
4. Reflexive ACL
Reflexive ACLs are also referred to as IP session ACLs. These type of ACLs, filter traffic based on upper layer session information.They react to sessions originated inside the router to whether permit outbound traffic or restrict incoming traffic. The router recognizes the outbound ACL traffic and creates a new ACL entry for the inbound. When the session finishes, the entry is removed.
infrastructure security features
Reviewed by ohhhvictor
on
September 13, 2022
Rating:
Reviewed by ohhhvictor
on
September 13, 2022
Rating:
No comments: