ISCW10S05L04用访问列表来管理安全.ppt

Cisco Device Hardening Mitigating Threats and Attacks with Access Lists Standard and Extended ACLs Cisco routers support two basic types of IP ACLs: Standard IP ACL: Filters IP packets based on the source address only Extended IP ACL: Filters IP packets based on several attributes, including: Protocol type (IP, ICMP, UDP, TCP, or protocol number) Source and destination IP addresses Source and destination TCP and UDP ports Identifying ACLs Cisco routers can identify ACLs using two methods: ACL number: The number of the ACL determines which protocol it is filtering: 1 to 99 and 1300 to 1999: Standard IP ACLs 100 to 199 and 2000 to 2699: Extended IP ACLs ACL name: You provide the name of the ACL: Names contain alphanumeric characters. Names cannot contain spaces or punctuation and must begin with an alphabetic character. Guidelines for Developing ACLs Base ACLs on the security policy. Write ACL out: Write out what you want this ACL to accomplish. This is the time to think about potential problems. Set up a development system: This allows you to copy and paste statements easily. It also allows you to develop a library of ACLs. Store the files as ASCII text files. Apply ACL to a router and test: If at all possible, run your ACLs in a test environment before placing them into production. Applying ACLs to Router Interfaces Inbound (in): Data flows toward router interface Outbound (out): Data flows away from router interface Traffic Filtering Use ACLs to filter ingress and egress from routers and firewall appliances. Use ACLs to disable and limit services, ports, and protocols. IP Address Spoofing Mitigation: Inbound IP Address Spoofing Mitigation: Outbound DoS TCP SYN Attack Mitigation:Blocking External Access DoS TCP SYN Attack Mitigation:Using TCP Intercept DoS Smurf Attack Mitigation Filtering Inbound ICMP Messages Filtering Outbound ICMP Messages Filtering UDP Traceroute Messages Basics of Distributed DoS Attacks Distributed DoS attacks exploit specific ports. AC