Chapter 9: Intermediate TCP/IP / Access Control Lists (ACLs)

Posted on 03-Jan-2016

DESCRIPTION

Chapter 9 Intermediate TCP/IP / Access Control Lists (ACLs). Objectives. TCP Operation. The transport layer is responsible for the reliable transport and regulation of data flow from source to destination. Synchronization or Three-Way Handshake. Denial-of-Service Attacks. (PowerPoint presentation)

TRANSCRIPT

© 2004, Cisco Systems, Inc. All rights reserved.

Chapter 9

Intermediate TCP/IP / Access Control Lists (ACLs)


Objectives


TCP Operation

The transport layer is responsible for the reliable transport and regulation of data flow from source to destination.


Synchronization or Three-Way Handshake


Denial-of-Service Attacks


Simple Windowing


TCP Sequence and Acknowledgment Numbers


Positive ACK

• Acknowledgement is a common step in the synchronization process, which also includes sliding windows and data sequencing.


Protocol Graph: TCP/IP


UDP Segment Format


Port Numbers


Telnet Port Numbers


Reserved TCP and UDP Port Numbers


Ports for Clients

• Whenever a client connects to a service on a server, a source and destination port must be specified.

• TCP and UDP segments contain fields for source and destination ports.


Port Numbering and Well-Known Port Numbers

• Port numbers are divided into three different categories:

  – well-known ports

  – registered ports

  – dynamic or private ports


Port Numbers and Socket


Comparison of MAC addresses, IP addresses, and port numbers

• A good analogy can be made with a normal letter.

• The name on the envelope would be equivalent to the port number, the street address to the MAC address, and the city and state to the IP address.


Summary


Access Control Lists (ACLs)


Objectives


What are ACLs?

• ACLs are lists of conditions used to test network traffic that tries to travel across a router interface. These lists tell the router what types of packets to accept or deny.


How ACLs Work


Protocols with ACLs Specified by Numbers


Creating ACLs


The Function of a Wildcard Mask


Verifying ACLs

• There are many show commands that will verify the content and placement of ACLs on the router:

  – show ip interface

  – show access-lists

  – show running-config


Standard ACLs
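The slides on what ACLs are, how they work, the function of a wildcard mask and standard ACLs give only titles and one-line definitions. The following is an added example, not code from the slides or from Cisco, that models how a standard IOS ACL is evaluated: a wildcard mask is the inverse of a subnet mask (0 bits must match, 1 bits are ignored), entries are tested top-down with the first match winning, every ACL ends with an implicit deny, and each entry keeps a hit counter like the match counts shown by `show access-lists`. The `access-list` lines, addresses and the `parse_standard_acl`/`evaluate` helper names are constructed for this example.

```python
"""Model of Cisco-style standard ACL evaluation with wildcard masks (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    base: int        # host or network address as a 32-bit integer
    wildcard: int    # wildcard mask as a 32-bit integer (1 bits = "don't care")
    hits: int = 0    # match counter, like "(n matches)" in show access-lists

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits where the wildcard mask is 0; ignore the bits where it is 1.
    This is the inverse of a subnet mask, and non-contiguous masks are allowed."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def parse_standard_acl(config_lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list <1-99> permit|deny <source> [wildcard]' lines.
    Handles the 'host X' and 'any' shorthands used in IOS configuration."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                      # skip blank lines or unrelated config
        _, number, action, *src = parts
        if not 1 <= int(number) <= 99:
            raise ValueError(f"{number} is not a standard ACL number (1-99)")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if src[0] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"   # every bit ignored: matches everything
        elif src[0] == "host":
            base, wc = src[1], "0.0.0.0"              # every bit must match: one host
        else:
            base = src[0]
            wc = src[1] if len(src) > 1 else "0.0.0.0"  # IOS treats a missing wildcard as a host
        entries.append(AclEntry(action, _to_int(base), _to_int(wc)))
    return entries

def evaluate(entries: List[AclEntry], src_addr: str) -> str:
    """Top-down, first match wins. No match means the implicit deny at the end of every ACL."""
    addr = _to_int(src_addr)
    for entry in entries:
        care = ~entry.wildcard & 0xFFFFFFFF
        if (addr & care) == (entry.base & care):
            entry.hits += 1
            return entry.action
    return "deny"   # implicit deny: nothing matched

# Constructed sample configuration: block one host, allow the rest of its subnet and 10/8.
SAMPLE_ACL = [
    "access-list 10 deny   host 192.168.1.13",
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 10 permit 10.0.0.0 0.255.255.255",
]

# Same entries in the wrong order: the subnet permit now shadows the host deny.
SHADOWED_ACL = [
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 10 deny   host 192.168.1.13",
]

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    for src in ("192.168.1.13", "192.168.1.200", "10.5.6.7", "172.16.0.1"):
        print(f"{src:>14} -> {evaluate(acl, src)}")
    for i, e in enumerate(acl, 1):
        print(f"entry {i}: {e.action} ({e.hits} matches)")
    print("shadowed order, 192.168.1.13 ->", evaluate(parse_standard_acl(SHADOWED_ACL), "192.168.1.13"))
```

Running the script prints a deny for 192.168.1.13, permits for the other two in-scope sources, and a deny for 172.16.0.1 even though no line mentions it, which is the implicit deny the slides describe. The shadowed ordering shows why entry order matters when auditing an ACL: the more specific host deny never gets a hit because the broader permit above it matches first, a condition the hit counters in `show access-lists` make visible on a real router.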


Extended ACLs


Named ACLs


Placing ACLs

• Standard ACLs should be placed close to the destination.

• Extended ACLs should be placed close to the source.


Firewalls

A firewall is an architectural structure placed between the internal network and the outside world to protect the internal network from intruders.


Restricting Virtual Terminal Access


Summary


Question/Answer
