Securing the Network
Many simple device configuration techniques can add to the security of the network. To a great extent, these often fall into the category of common-sense practices, such as using administrative access passwords on all device access points.
As Cisco moves more and more devices to IOS-based command structures, access lists remain a need-to-know technology. While not a complete security solution, access lists are an integral part of any security program.
Standard access lists filter based on source address alone, creating a simple, yet powerful, tool for blocking all traffic or access to a host, subnet, or network. Standard ACLs can be used for traffic filtering, limiting access to Telnet sessions, limiting access to Web browsers trying to access a Cisco router or switch, filtering routing updates, and focusing commands like debug ip packet to conserve router resources.
Extended access lists can be used to filter on protocol, source address, destination address, source and destination port identifiers for TCP and UDP traffic, and various powerful options. The TCP established option can be used to limit inbound TCP traffic to replies for sessions that originated within the network.
Named access lists are a variation on the numbered ACLs, available in both standard and extended versions. Named ACLs are easier to create than numbered lists, and they allow limited editing and deletion of specific statements that can’t be done with numbered lists. They can be descriptive of their purpose and, therefore, easier for follow-up support to work with. Some IOS features and all IOS versions prior to 11.2 don’t support named ACLs, requiring some thought in mixed environments. Some newer features like reflexive ACLs only work with named lists, so it’s probably safe to say they’re going to be a bigger, rather than smaller, part of the future.
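The three ACL types above applied on one router, as an added example that is not from the book: a standard list protecting the VTY lines and HTTP server, a named extended list using established on the outside interface, and the single-entry deletion that only named lists permit. The addresses, interface name and list name are made up for illustration.

```cisco
! Standard ACL 10: only the management subnet may reach the router's
! Telnet (VTY) lines and its HTTP server; everything else is logged.
access-list 10 remark Management hosts allowed to manage this router
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
!
ip http access-class 10
!
! Named extended ACL on the outside interface: admit only TCP packets that
! belong to sessions started from inside (ACK or RST bit set), plus DNS
! replies to the inside subnet, and log anything else before dropping it.
ip access-list extended OUTSIDE-IN
 remark Replies to TCP sessions initiated from inside
 permit tcp any 10.1.1.0 0.0.0.255 established
 remark DNS replies to inside resolvers
 permit udp any eq 53 10.1.1.0 0.0.0.255 gt 1023
 deny ip any any log
!
interface Serial0/0
 ip access-group OUTSIDE-IN in
!
! Named lists allow removing one entry in place; a numbered list would
! have to be deleted and re-entered to achieve the same change.
ip access-list extended OUTSIDE-IN
 no permit udp any eq 53 10.1.1.0 0.0.0.255 gt 1023
!
! Narrowing debug ip packet to the standard list keeps the output, and
! the router's CPU cost, limited to the management subnet.
debug ip packet 10
```

Note that established only inspects the ACK and RST flag bits and keeps no session state, so a crafted packet with those bits set still matches; the reflexive ACLs mentioned above are the stateful alternative when that matters.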