Abstract
Access control lists are a set of commands that are configured on a device. This device usually acts as an interface between the computers and other devices across a network. Access control lists help manage a network in many ways. One of the main ways ACLs are used is for safety. When applied to the interface that connects the network to the external connection, ACLs can limit access to the internal network. ACLs are also used to limit network traffic within an enclosed network by blocking certain traffic that is not meant for the internal network. ACLs can also be used to ensure that computers that do not need internet access are denied it. In short, access control lists are a way to manage network traffic to and from a closed network.
The mentioned company has a growing network that requires the use of access control lists. These lists will ensure that the network is protected from outside sources that may intrude on the network. These ACLs also control the network within the working environment. Some modifications are made to the network to ensure that the ACLs can function as described. The most notable addition to the diagram is that of a second router and a demilitarized zone (DMZ). This addition increases the security of the internal network by allowing inbound traffic to be filtered strictly with extended access lists at the outer router and more loosely, further in, with standard access lists.
This document details the various access lists that are employed to achieve the specific goals and requirements put forward by the company. To achieve this, a number of permissions and restrictions had to be defined, thus realizing the goals and targets put forward by the company.
Problem Statement
A company requires its network structure to implement ACLs to curb illegal activities. These activities include telnet, ping and ftp traffic from outside, access to certain sections of the network, as well as the access of certain devices to the internet. With the ACL diagram shown below, the problems are mitigated and solutions are provided in the creation of the ACLs thereafter.
ACL Diagram
Standard Access Lists (SAL)
Standard Access Lists refer to access lists that are general in nature. These do not specify the nodes or even the protocols that need managing.
Introduction
In the company structure mentioned in the problem, some SALs have been recommended immediately. These ACLs require the specialist working on the ACLs to manage a general aspect of the network. The standard access list from the solution to the problem involves denying the computer with the IP address 172.16.5.15/16 access to the internet. All the other ACLs are extended, as they specify which IP addresses to deny access and which IP addresses to allow access.
Creating SAL
Creating a SAL involves the use of certain command structures on a device such as the router. For proper recovery or correction, however, it is advisable to perform the stated steps from a different device first. An example of a good SAL is one where an interface on a router permits access through it from any source address to any destination address. This allows communication between several computers over the network without any limitation.
In the problem stated earlier, however, the best example is that of the computer being denied access to the internet. This ACL affects only one computer and is therefore a SAL. The SAL will stop the computer from sending packets through the internal router to the external router. This in essence denies the computer access to the internet. For example,
Host1/Admin(config)# ip access-list standard ACL_OUT
Host1/Admin(config-std-nacl)# deny host 172.16.5.15
Extended Access Lists (EAL)
Extended access control lists, on the other hand, allow the user to specify several IP addresses, several protocols and even limit certain types of communication. This flexibility allows EALs to be used in a wide range of situations.
Introduction
In the problem stated earlier, EALs are used to limit and allow certain network access by certain packets from different sections of the network. These EALs are the backbone of most ACLs in use today. In the solution to the problem stated earlier, most of the ACLs provide the much-needed cover to allow and limit network traffic. In the case of preventing inbound traffic from performing telnet operations, pinging or using ftp, only EALs can accomplish this. It is this kind of inbound traffic that limits the functionality of the internal network.
Creating EAL
- Preventing traffic meant for the internet from moving out of the Ethernet interfaces:
Host1/Admin(config)# ip access-list extended OUTBOUND
Host1/Admin(config-ext-nacl)# deny tcp 172.16.0.0 0.0.0.255 host 172.16.5.254
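The complete set of lists for the problem statement, covering both the standard list of the SAL section and the extended lists of this section, written out as an added example in Cisco IOS syntax; it is not configuration taken from the essay. The addresses and the name ACL_OUT are those used in the problem; the other list names, the interface names (Serial0/0, FastEthernet0/0, FastEthernet0/1) and which interface faces which segment are assumptions.

```cisco
! ===== External router: faces the internet and the DMZ =====
! Assumption: Serial0/0 is the internet uplink.
ip access-list extended INBOUND_FROM_INTERNET
 remark Block telnet, ftp (control port and active-mode data port) and ping
 deny   tcp any any eq 23
 deny   tcp any any eq 21
 deny   tcp any any eq 20
 deny   icmp any any echo
 remark Every list ends with an implicit "deny ip any any"; without this
 remark permit line all other inbound traffic would be dropped as well
 permit ip any any
!
interface Serial0/0
 description Internet uplink (assumed)
 ip access-group INBOUND_FROM_INTERNET in
!
! ===== Internal router: separates the LAN segments from the DMZ =====
! Assumption: FastEthernet0/0 faces the external router,
!             FastEthernet0/1 faces the 172.16.3.0/24 sales segment.
!
! Standard list: only the source address is tested, which is all that is
! needed to keep host 172.16.5.15 off the link toward the internet.
ip access-list standard ACL_OUT
 deny   host 172.16.5.15
 permit any
!
! Extended list: other segments may not reach the sales subnet at all.
ip access-list extended PROTECT_SALES
 deny   ip any 172.16.3.0 0.0.0.255
 permit ip any any
!
interface FastEthernet0/0
 description Link to external router (assumed)
 ip access-group ACL_OUT out
!
interface FastEthernet0/1
 description Sales segment 172.16.3.0/24 (assumed)
 ip access-group PROTECT_SALES out
```

Entries are matched in order and the first match wins, so the deny lines must come before the closing permit. After applying a list, show access-lists displays the per-entry hit counters and show ip interface confirms which list is bound to an interface and in which direction. One caveat for the ftp entries: they cover the control connection and active-mode data connection only; a passive-mode data connection uses a high port chosen by the server and is not matched by these lines.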
Application
The access control lists in the solutions provided are thus used to permit or deny access from one device to another. This is a measure to control the network and thus provide security to the legitimate individuals operating within the confines of the network. ACLs, as shown in the solutions to the stated problem, are applied to the devices by controlling either inbound traffic or outbound traffic. The point of control depends entirely on the device that requires protection.
The application of the control lists mentioned above helps to solve a wide range of problems evident from the original diagram. These ACLs help in solving certain crucial problems that are evident in the system. The ACLs allow the system to prevent telneting from the external internet. This in itself is a loophole that would otherwise open up the company to hacking and loss of data.
The ACLs also allow the implementation of internal network control by ensuring that the network communication that is meant for heading outside the network does not get back into the network. This in itself is a milestone and prevents any further loss to data.
An ACL is also applied to prevent pinging applications on external networks from reaching the internal networks. This is made possible by blocking, at the external router, inbound traffic that sends a ping to the internal devices.
The ACL implementing the prevention of the network information meant for the internet from accessing the internal network works to limit internal network traffic. This application is on the internal router that manages the internal network flow of packets.
The ACL that is meant to control ftp is also a crucial implementation. FTP is used to ensure that the files within a network do not get lost in the network system. By limiting access to the internal network from ftp programs, the possibility of files being lost from or added to the main system is prevented.
Justification
The ACLs used in solving the problems stated with the original system are all justifiable and explainable. The ACLs stated are all used and described in the order with which they provide the necessary solutions to specific problems that are best solved by them. Their justifications lie in the problem and the solutions. As shown below, each ACL is justified by explaining its functionality and why it is necessary to implement it where it was implemented.
When using the ACL that stops external networks from sending telnet traffic into the network at the external router, the intention is to ensure that the internal network is never accessible to unauthorized telnet activities. Telnet gives devices in a network the capability of controlling other devices as if one were physically there. This poses a great threat to the company and provides fraudsters with the ability to infiltrate the company network and destroy or steal company information. The placement of the ACL on the inbound traffic of the external router is strategic and acts as the first wall of defense against such intrusion.
The external router also has an ACL preventing ftp from internet sources inbound into the network. This feature protects the filing system in the internal network from such infiltration. It provides the internal network with the security it requires from programs implementing the File Transfer Protocol. This protocol is used to allow certain programs to gain access to filing systems, to manipulate such systems and thus control them. Such programs pose a big threat to this company, thus justifying the placement of such an ACL at the inbound ports of the external router. This ensures that the ftp protocol is muzzled on the way in.
The ping operation is also closed for traffic into the network at the external router. This is done to limit the loss of sensitive data such as IP addresses to elements from the internet. These elements may in turn use the IP addresses for fraudulent purposes if they gain access to them. The ping operation is also known as a tool for clogging networks. When a single computer is pinged repeatedly, it can suffer a denial-of-service (DoS) attack. Placing the ACL on the external router prevents such a scenario. This thus ensures that the system is devoid of such a problem.
Other networks are denied access to the 172.16.3.0 section of the internal network. Danger also lurks in the internal network. This is made clear by the information held by the internal elements of the network. Some individuals may use the information in the internal network to access and manipulate the sales made. The sales team is the arm of the company that rakes in the money. This means that this sub-network is equally crucial. Without the proper use and control of information used in such a network, the company can be brought to its knees by the touch of a button. Placing the ACL on the outbound interface of the internal router ensures that any access to that section of the network is completely forbidden.
A computer that does not require access to the internet is denied this access at the outbound point of the internal router. This is justified by the fact that, for this computer to access the internet, it needs to communicate with the internal router first before contacting the external router. This solution ensures that the computer can only communicate with computers within the network, but not with the router on the outside part of the network.
All the above-mentioned access control lists work to provide either limitations or definite access within the company's network. These ACLs act as firewalls in some instances and as gate passes in others; however, the main goal is network management to help avoid certain situations that prevent or even limit the functionality of a network. The security of any network is paramount, and this network is not an exception. Through the justification process shown above, it is evident that the ACLs need to be placed in the strategic positions they occupy.
Conclusion
The use of ACLs is not limited to routers; servers are also known to implement them. It is, however, important to note that ACLs do not perform as well as firewalls do. It is nevertheless important to have them, as they provide a secondary wall of protection. ACLs are used in routers because of the basic nature of routers. "Clever" routers are capable of being configured to perform some of these functions automatically. These routers always provide the individual network with certain permissions that allow the network the comfort of enjoying such network management at the touch of a button.
ACLs also provide the managerial aspects seen in the problem solution for the company mentioned above. With proper configuration of the network, the individuals tasked with managing the network are capable of editing or even completely changing the rules implemented, thus ensuring a completely secure network. The network is able to adapt to the changing scenario around it. The individuals managing the network have a hands-on means of ensuring nothing wrong happens to the network functionality.
The company above can function properly and its owners can rest easy knowing that most of their problems are sorted. This is because issues that would otherwise cripple the company are completely eradicated by the implementation of the ACLs. This clearly shows that, when applied properly, ACLs can provide security for low-standard networks and thus prevent data loss, theft and any other type of illegal activity.
As the network is connected to the internet, it is important to note that the means used to access networks are changing drastically. This leads to the need for constant training of the network administrators who manage the ACLs, because if they are left behind in terms of information, this could become the network's weakness. The individuals working with the system need to be completely adept. They need to be completely ready to work as required and provide the necessary knowledge in the implementation of the ACLs. The lack of this may prove disastrous for the company, as the internet is not very forgiving.