Đang chuẩn bị liên kết để tải về tài liệu:
Lecture CCNA security partner - Chapter 8: Access Control Lists for threat mitigation

Cisco provides basic traffic filtering capabilities with access control lists (ACL). This chapter covers the benefits of ACLs and describes their building blocks. The chapter describes summarizable address blocks in the context of CIDR and VLSM environments, demonstrating how ACL wildcard masks allow for threat mitigation in those environments. | Access Control Lists for Threat Mitigation 1 • Lists the benefits of ACLs • Describes the building blocks and operational framework of ACLs • Describes summarizable address blocks in the context of CIDR and VLSM environments, demonstrating how ACL wildcard masks allow for threat mitigation in those environments • Lists design considerations when deploying ACLs • Demonstrates the use of Cisco Configuration Professional and the CLI to deploy and verify a threat containment strategy using ACLs • Demonstrates the use of Cisco Configuration Professional and the CLI to correlate ACL log and alarm information in order to monitor their impact and effectiveness • Demonstrates how to configure object groups to streamline the implementation of ACLs for threat control • Demonstrates how to configure ACLs in IPv6 environments, highlighting the operational differences with IPv4 ACLs Outline ACLs provide packet filtering for routers and firewalls to protect internal networks from the outside world. | Access Control Lists for Threat Mitigation 1 • Lists the benefits of ACLs • Describes the building blocks and operational framework of ACLs • Describes summarizable address blocks in the context of CIDR and VLSM environments, demonstrating how ACL wildcard masks allow for threat mitigation in those environments • Lists design considerations when deploying ACLs • Demonstrates the use of Cisco Configuration Professional and the CLI to deploy and verify a threat containment strategy using ACLs • Demonstrates the use of Cisco Configuration Professional and the CLI to correlate ACL log and alarm information in order to monitor their impact and effectiveness • Demonstrates how to configure object groups to streamline the implementation of ACLs for threat control • Demonstrates how to configure ACLs in IPv6 environments, highlighting the operational differences with IPv4 ACLs Outline ACLs provide packet filtering for routers and firewalls to protect internal networks from the outside world. ACLs filter network traffic in both directions by controlling whether to forward or block packets at the router interfaces, based on the criteria that you specify within the ACLs. ACL criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information ACL Fundamentals Host A to access the Human Resources network but prevents Host B from accessing the Human Resources network. Filtering Host B Traffic Ingress Using an ACL • IP address spoofing (inbound) • IP address spoofing (outbound) • DoS TCP SYN attacks (blocking external attacks) • DoS TCP SYN attacks (using TCP intercept) • DoS Smurf attacks • Filtering ICMP messages (inbound) • Filtering ICMP messages (outbound) • Filtering traceroute Using ACLs to mitigate many threats ACLs operate in two ways: • Inbound: Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups