Packet Filter Access Lists - PowerPoint PPT Presentation


Slides: 22
Provided by: jig16


1
Packet Filter Access Lists
  • Osamu Ueno
  • Gideon Kho

2
Contents
  • Brief explanation of firewalls
  • Network Ports
  • ISO 7-Layer TCP/IP 5-Layer
  • Access List
  • Conclusion

3
What is a Firewall?
  • A firewall has the basic task of controlling
    traffic between different zones of trust.
  • A firewall is a piece of hardware and/or software
    which functions in a networked environment to
    prevent some communications forbidden by the
    security policy.

4
Simple Example of a Firewall

5
Network (protocol) Ports
  • Any data exchange for any network service to or
    from a computer uses interface channels of input
    and output in its communications protocol. These
    interface channels of access are called network
    or protocol ports.
  • The local operating system provides an interface
    mechanism that processes use to specify a port or
    access it.

6
Well-known ports (reserved)
  • UDP (TCP)
      Port   Description
      7      Echo
      13     Daytime
      37     Time
      53     DNS
      69     TFTP
      161    SNMP
      etc.
  • TCP
      Port   Description
      21     FTP
      22     SSH
      23     Telnet
      25     SMTP
      80     HTTP
      443    HTTPS
      etc.

7
Two fundamental approaches to port assignment
  • The first approach: central authority
  • Everyone agrees to allow a central authority to
    assign port numbers as needed and to publish the
    list of all assignments.
  • Then, all software is built according to the
    list. The port assignments specified by the
    authority are called well-known port assignments.
  • The second approach: dynamic binding
  • In the dynamic binding approach, ports are not
    globally known.
  • Instead, whenever a program needs a port, the
    network software assigns one.

8
An Example of a Web Server (sfsu) and a Client

9
ISO 7-Layer TCP/IP 5-Layer

10
The layering principle with TCP/IP data flow

11
Cisco as The Market Leader

12
Cisco Access Control Lists
  • Provide basic traffic filtering capabilities.
  • Can be configured for all network protocols.
  • Configured to control access to a network.

13
Access Control Lists
  • Filter network traffic based on criteria.
  • Criteria: source/destination address, upper-layer
    protocol, or other information.
  • Why? To provide a basic level of security for
    access to your network.

14
Access Control Lists (cont.)
  • They should be used in firewall routers.
  • They provide a basic buffer from the outside network.
  • Access lists must be defined on a per-protocol
    basis.

15
Types of access lists
  • Two types of access lists: basic and advanced.
  • Basic: should be used with each routed protocol.
  • Advanced: provide additional security
    features and greater control over packet
    transmission.

16
Advanced Access Lists
  • Dynamic Access Lists (lock-and-key).
  • Reflexive Access Lists (session filtering).
  • TCP intercept (prevents DoS attacks).

17
Creating Access Lists
  • Cisco recommends creating the lists on a TFTP
    (Trivial FTP) server.
  • Some protocols require two separate lists for
    inbound and outbound traffic.
  • Assign a unique name or number within a
    protocol.
  • Define the criteria for forwarding or blocking
    packets.

18
Defining the criteria
  • The router makes decisions based on the criteria.
  • Multiple criteria go in multiple, separate access
    list statements.
  • Limited only by available memory.

19
Defining Criteria (cont.)
  • The order of criteria statements is important.
  • Statements cannot be modified.
  • Need to use a TFTP server.
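
Why the order of statements matters, as an added example (not part of the original slides and not Cisco's code): a small Python model of first-match evaluation that runs the same three statements in two different orders. The Statement and Packet types, the sample addresses, and the implicit deny at the end of the list (standard Cisco access list behaviour, not stated on the slides) are assumptions of this example.

```python
import ipaddress
from typing import NamedTuple, Optional

class Statement(NamedTuple):
    action: str                      # "permit" or "deny"
    protocol: str                    # "tcp", "udp", or "ip" for any protocol
    src: str                         # source network (CIDR)
    dst: str                         # destination network (CIDR)
    dst_port: Optional[int] = None   # None matches any port

class Packet(NamedTuple):
    protocol: str
    src: str
    dst: str
    dst_port: int

def matches(st, pkt):
    """True when the packet satisfies every criterion of one statement."""
    net = ipaddress.ip_network
    addr = ipaddress.ip_address
    return (st.protocol in ("ip", pkt.protocol)
            and addr(pkt.src) in net(st.src)
            and addr(pkt.dst) in net(st.dst)
            and st.dst_port in (None, pkt.dst_port))

def evaluate(acl, pkt):
    """First matching statement decides; returns (action, statement index)."""
    for i, st in enumerate(acl):
        if matches(st, pkt):
            return st.action, i
    return "deny", None   # assumed implicit deny when nothing matches

# Constructed sample statements and packets (documentation address ranges).
ANY = "0.0.0.0/0"
deny_telnet = Statement("deny", "tcp", ANY, "192.0.2.0/24", 23)
permit_web = Statement("permit", "tcp", ANY, "192.0.2.10/32", 80)
permit_lan = Statement("permit", "ip", "198.51.100.0/24", "192.0.2.0/24")
GOOD_ORDER = [deny_telnet, permit_web, permit_lan]   # specific deny first
BAD_ORDER = [permit_lan, deny_telnet, permit_web]    # broad permit shadows the deny

telnet_from_lan = Packet("tcp", "198.51.100.7", "192.0.2.10", 23)
web_from_outside = Packet("tcp", "203.0.113.5", "192.0.2.10", 80)
dns_from_outside = Packet("udp", "203.0.113.5", "192.0.2.10", 53)

if __name__ == "__main__":
    for name, acl in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        for pkt in (telnet_from_lan, web_from_outside, dns_from_outside):
            print(name, pkt, evaluate(acl, pkt))
```

In the second ordering the broad permit for the LAN is evaluated before the Telnet deny, so the deny statement is never reached for that traffic.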

20
Number/name protocol table

21
Conceptual Example of Cisco Access Lists