Title: Packet Filter Access Lists
1. Packet Filter Access Lists
2. Contents
- Brief explanation of firewalls
- Network Ports
- ISO 7-Layer TCP/IP 5-Layer
- Access List
- Conclusion
3. What is a Firewall?
- A firewall has the basic task of controlling traffic between different zones of trust.
- A firewall is a piece of hardware and/or software which functions in a networked environment to prevent communications forbidden by the security policy.
4. Simple Example of a Firewall
5. Network (Protocol) Ports
- Any data exchange for any network service to or from a computer uses interface channels of input and output in its communications protocol. These interface channels of access are called network or protocol ports.
- The local operating system provides an interface mechanism that processes use to specify a port or access it.
6. Well-known ports (reserved)
- UDP (TCP)
  - Port  Description
  - 7     Echo
  - 13    Daytime
  - 37    Time
  - 53    DNS
  - 69    TFTP
  - 161   SNMP
  - etc.
- TCP
  - Port  Description
  - 21    FTP
  - 22    SSH
  - 23    Telnet
  - 25    SMTP
  - 80    HTTP
  - 443   HTTPS
  - etc.
7. Two fundamental approaches to port assignment
- The first approach: Central Authority
  - Everyone agrees to allow a central authority to assign port numbers as needed and to publish the list of all assignments.
  - Then, all software is built according to the list. The port assignments specified by the authority are called well-known port assignments.
- The second approach: Dynamic Binding
  - In the dynamic binding approach, ports are not globally known.
  - Instead, whenever a program needs a port, the network software assigns one.
8. An Example of a Web Server (sfsu) and a Client
9. ISO 7-Layer / TCP/IP 5-Layer
10. The layering principle with TCP/IP data flow
11. Cisco as the Market Leader
12. Cisco Access Control Lists
- Basic traffic filtering capabilities.
- Can be configured for all routed network protocols.
- Configured to control access to a network.
13. Access Control Lists
- Filter network traffic based on criteria.
- Criteria: source/destination address, upper-layer protocol, or other information.
- Why? To provide a basic level of security for your network access.
14. Access Control Lists (cont.)
- Should be used in firewall routers.
- Provide a basic buffer from the outside network.
- Access lists must be defined on a per-protocol basis.
15. Types of access lists
- Two types of access lists: basic and advanced.
- Basic: should be used for each routed protocol.
- Advanced: provides additional security features and greater control over packet transmission.
16. Advanced Access Lists
- Dynamic Access Lists (lock-and-key).
- Reflexive Access Lists (session filtering).
- TCP Intercept (prevents DoS attacks).
17. Creating Access Lists
- Cisco recommends creating the lists on a TFTP (Trivial FTP) server.
- Some protocols require two separate lists, for inbound and outbound traffic.
- Assign a unique name or number within a protocol.
- Define the criteria for forwarding or blocking packets.
18. Defining the criteria
- The router makes its decision based on the criteria.
- Multiple criteria go in multiple, separate access list statements.
- Limited only by available memory.
19. Defining Criteria (cont.)
- The order of criteria statements is important: the first matching statement decides.
- Statements cannot be modified once entered.
- Need to use a TFTP server.
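Slides 17 to 19 describe the filtering model: per-protocol statements with source/destination and port criteria, checked in order, with the first match deciding. The following is an added example, not from the deck or from Cisco, that models that first-match evaluation (including the implicit deny when nothing matches) and shows how a misordered permit defeats a later deny. Addresses are constructed documentation values; the `Packet`/`Rule` classes are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical packet-filter evaluator (added example): statements are checked
# top to bottom, the first match decides, and a packet matching no statement is
# denied, which is the implicit deny at the end of a Cisco access list.

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source address
    dst: str              # destination address
    dport: int = 0        # destination port; 0 for protocols without ports

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: str              # CIDR prefix; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport

def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching statement); None = implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(p):
            return rule.action, i
    return "deny", None

# Constructed policy: block Telnet, permit HTTP/HTTPS to one web server, deny the rest.
ANY = "0.0.0.0/0"
WEB = "198.51.100.10/32"          # RFC 5737 documentation address (constructed)
INBOUND_ACL = [
    Rule("deny", "tcp", ANY, ANY, 23),
    Rule("permit", "tcp", ANY, WEB, 80),
    Rule("permit", "tcp", ANY, WEB, 443),
]

# Same statements with a broad permit placed first: the Telnet deny is never reached.
MISORDERED_ACL = [Rule("permit", "tcp", ANY, WEB, None)] + INBOUND_ACL
```

Evaluating a Telnet packet to the web server returns `("deny", 0)` against `INBOUND_ACL` but `("permit", 0)` against `MISORDERED_ACL`, which is why the deck stresses statement order.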
20. Number/name protocol table
21. Conceptual Example of Cisco Access Lists