Additional Access List Features In Brief
In this chapter, I’ll discuss IP access list security features. Two are slight deviations of the commonly used numbered access lists and will be discussed in detail: session filtering using reflexive access lists and lock and key security using dynamic access lists. I’ll also address enhancements to access list configurations using named access lists, access list comments, and time−based access lists.

An access list is a sequential series of filters. Each filter is made up of some matching criteria and an action. The action within the filter is always either a permit or a deny. The criteria on which the access list matches can be as simple as a source address or as complex as a source address, a destination address, a protocol, a port, and flags. When access lists are configured, a packet is compared against the filter rules contained within the access list. At the first filter rule, the matching criteria are applied. If a match occurs at this rule, the packet is permitted or denied based on the configured action of the filter rule. If a match does not occur, the packet is compared against the second rule configured within the access list, and the matching process is applied again. If a packet is compared against all the rules configured within the access list and no match occurs, the router must have some default method of determining what should happen to the packet. The default action in the Cisco implementation of access lists is to deny any packet that has been compared against every filter rule contained within an access list and has matched none of them. This filter rule does not appear in any configured access list; it is the default action for an access list and is referred to as an implicit deny any.

Note Routers compare addresses against the access list conditions one by one. The order of the conditions is critical for proper operation of the access list because the first match in an access list is used. If the router does not find a match, the packet is denied because of the implicit deny any at the end of each access list.

The two primary uses of access lists in security−related implementations are for packet filtering and traffic selection. Packet filtering helps to control a packet or flow of packets through an internetwork. This allows the router to limit network traffic, thus providing a finer granularity of control for restricting network access. Traffic selection is used to determine what traffic the router should consider “interesting” in order to invoke a certain feature or security operation.

Access list types may be identified by either a number or a name. Table 7.1 shows the access list types and the number range available for each.

When determining whether or not to configure access lists on a production router, take the following rules into consideration prior to applying the configuration change to the router:

Organization—Organize your access lists so that the more specific access entries are configured first and the more general entries are listed toward the bottom of the list.

Precedence—Configure your access list such that the more frequently matched conditions are placed before less frequently matched conditions. This alleviates load on the router’s CPU.

Implicit action—If the purpose of your access list is to deny a few devices and permit all others, you must remember to add the permit any statement, because the access list ends with an implicit deny any that does not appear in the configuration.

Additions—New access list entries are always added to the end of the existing access list. When you’re using numbered access lists, it is best to copy the access list configuration to a text editor, make the necessary changes to the access list, and then reapply the access list to the router. Access list entries cannot be selectively deleted from numbered access lists; however, they can be selectively deleted from named access lists.
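As an added illustration (not from this chapter or from Cisco), the following Python models the first-match evaluation and implicit deny any described above and checks a list for the ordering mistake named under Organization. The access-list lines, the helper names, and the use of the standard-library ipaddress module are my own assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

Entry = Tuple[str, ipaddress.IPv4Network]  # (action, matched source network)

def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert a Cisco wildcard mask (0 bits = must match) to a prefix length.
    Done by hand: ipaddress would read a '0.0.0.0' mask as /0, not as a host."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if ((0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF) != mask:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return prefixlen

def parse_standard(line: str) -> Entry:
    """Parse 'access-list N {permit|deny} {any | host A | A [wildcard]}'."""
    tok = line.split()
    action, rest = tok[2], tok[3:]
    if rest[0] == "any":
        return action, ipaddress.IPv4Network("0.0.0.0/0")
    if rest[0] == "host":
        return action, ipaddress.IPv4Network(rest[1] + "/32")
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"  # standard ACL default
    plen = wildcard_to_prefixlen(wildcard)
    return action, ipaddress.IPv4Network((rest[0], plen), strict=False)

def evaluate(acl: List[Entry], src: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation; ('deny', None) models the implicit deny any."""
    addr = ipaddress.IPv4Address(src)
    for idx, (action, net) in enumerate(acl):
        if addr in net:
            return action, idx
    return "deny", None

def shadowed_entries(acl: List[Entry]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry already
    covers every address they cover (the ordering mistake under Organization)."""
    return [i for i, (_, net) in enumerate(acl)
            if any(net.subnet_of(earlier) for _, earlier in acl[:i])]

# Constructed lists: one that forgets 'permit any', one with a shadowed entry.
DENY_TWO_HOSTS = [parse_standard(ln) for ln in (
    "access-list 10 deny host 10.1.1.5",
    "access-list 10 deny 10.1.1.6 0.0.0.0",
)]
MISORDERED = [parse_standard(ln) for ln in (
    "access-list 20 permit 10.1.0.0 0.0.255.255",
    "access-list 20 deny host 10.1.1.5",  # never reached: shadowed by line above
    "access-list 20 permit any",
)]
```

Evaluating DENY_TWO_HOSTS against any address other than the two hosts returns the implicit deny, and shadowed_entries(MISORDERED) flags the deny entry that the preceding permit makes unreachable.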

