To fully understand access lists, you must first understand inverse masks, more commonly known as wildcard masks. A wildcard mask specifies which bits in an IP address should be ignored when that address is compared with another IP address. Normal IP masks used for subnetting apply a Boolean AND operation to derive a network or subnet address. In a Boolean AND operation, a 0 ANDed with either a 0 or a 1 gives 0; the result is 1 if and only if both bits are 1. The Boolean OR operation, which is used for wildcard masks, is the exact opposite: a 1 ORed with either a 1 or a 0 gives 1, and the result is 0 if and only if both bits are 0. A wildcard mask sets a 0 for each bit of the address that must be matched exactly and a 1 for each bit where anything will match; the 1 bits are frequently referred to as don't care bits and the 0 bits as do care bits.
To illustrate the difference between the Boolean AND operation and the Boolean OR operation, we will work through both on the same address. Figure 7.1 shows the Boolean AND operation with a subnet mask and the Boolean OR operation with a wildcard mask, bit by bit.
Boolean AND (used for subnet masks)
  192.168.10.10  = 11000000 10101000 00001010 00001010
  255.255.255.0  = 11111111 11111111 11111111 00000000
  192.168.10.0   = 11000000 10101000 00001010 00000000

Boolean OR (used for wildcard masks)
  192.168.10.10  = 11000000 10101000 00001010 00001010
  0.0.0.255      = 00000000 00000000 00000000 11111111
  192.168.10.255 = 11000000 10101000 00001010 11111111

Figure 7.1: Truth table for Boolean operations.
Subnet masks make use of the Boolean AND operation to derive a network or subnet. Access lists make use of the Boolean OR operation, which is the inverse of the AND operation, to come to the same conclusion. The AND operation derives a network or subnet address from the host address and mask. A 1 is set in the mask to correspond to each bit of the network address, and a 0 is set for each bit of the host address. The Boolean AND operation is performed on each bit, and the result is the network or subnet number. The OR operation derives a network from the host address and inverse mask. A 0 is set in the mask to correspond to each bit of the network address, and a 1 is set for each bit of the host address. The Boolean OR operation is performed on each bit, and the result is the network or subnet number. In IP terms, the result of using the inverse mask is that all hosts within the 192.168.10.0 subnet are matched. Any address within the range of 192.168.10.1 through 192.168.10.254 will match that particular wildcard mask combination.
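The AND and OR operations of Figure 7.1, and the comparison rule stated above (bits where the wildcard is 0 must match exactly, bits where it is 1 are ignored), worked through in Python. This is an added example, not code from the chapter; the addresses are the figure's own, and the function names (subnet_and, wildcard_or, invert_mask, wildcard_match, match_bounds) are my own. The demo at the end goes one step beyond the text by applying a non-contiguous wildcard (0.0.1.255) to show that the bits are evaluated individually rather than as a prefix length.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    """32-bit integer -> dotted-quad string (masked so complements stay in range)."""
    return str(ipaddress.IPv4Address(value & MASK32))


def to_bits(dotted):
    """Binary form of an address, one group of 8 bits per octet (as in Figure 7.1)."""
    bits = format(to_int(dotted), "032b")
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def subnet_and(address, subnet_mask):
    """Boolean AND of address and subnet mask: yields the network or subnet address."""
    return to_dotted(to_int(address) & to_int(subnet_mask))


def wildcard_or(address, wildcard):
    """Boolean OR of address and wildcard mask: yields the highest address covered."""
    return to_dotted(to_int(address) | to_int(wildcard))


def invert_mask(subnet_mask):
    """The wildcard (inverse) mask is the bitwise complement of the subnet mask."""
    return to_dotted(~to_int(subnet_mask))


def wildcard_match(candidate, acl_address, wildcard):
    """Apply the rule from the text: every bit where the wildcard is 0 ('do care')
    must be identical in candidate and acl_address; 1 bits ('don't care') are ignored.
    XOR marks the differing bits; a differing bit under a 0 mask bit is a mismatch."""
    differing = to_int(candidate) ^ to_int(acl_address)
    do_care = ~to_int(wildcard) & MASK32
    return (differing & do_care) == 0


def match_bounds(acl_address, wildcard):
    """Lowest and highest address an address/wildcard pair can match. For a
    contiguous wildcard such as 0.0.0.255 every address in between matches;
    for a non-contiguous wildcard only some of them do (see the demo below)."""
    low = to_int(acl_address) & ~to_int(wildcard) & MASK32
    high = to_int(acl_address) | to_int(wildcard)
    return to_dotted(low), to_dotted(high)


if __name__ == "__main__":
    host, subnet_mask = "192.168.10.10", "255.255.255.0"
    wildcard = invert_mask(subnet_mask)          # 0.0.0.255
    print("AND", to_bits(host), "&", to_bits(subnet_mask), "=", subnet_and(host, subnet_mask))
    print("OR ", to_bits(host), "|", to_bits(wildcard), "=", wildcard_or(host, wildcard))
    print("bounds of 192.168.10.0", wildcard, "->", match_bounds("192.168.10.0", wildcard))
    # Wildcard bits are evaluated individually, so the non-contiguous mask 0.0.1.255
    # matches 192.168.10.x and 192.168.11.x but not 192.168.12.x.
    for addr in ("192.168.10.5", "192.168.11.5", "192.168.12.5"):
        print(addr, "matches 192.168.10.0 0.0.1.255:",
              wildcard_match(addr, "192.168.10.0", "0.0.1.255"))
```

Running the script prints the two rows of Figure 7.1 in binary, the address bounds covered by 192.168.10.0 with wildcard 0.0.0.255, and the three results for the non-contiguous mask.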
Standard Access Lists
An access list defined with a number ranging from 1 to 99 is a standard access list. A standard access list is used to permit or deny packets based solely on the source IP address. The source address is the address of the network or host from which the packet is being sent. The source address is followed by a wildcard mask, which is used to specify the bit positions that must match. Standard access lists can be used as an inbound filter, an outbound filter, or both. When a standard access list is used as an inbound filter, the router checks the source address of the packet and compares that address with each entry within the access list. If the access list is configured with a permit statement for that source IP address, the router breaks out of the access list and processes the packet accordingly. If the access list is configured with a deny statement, or the packet does not match any filter rule defined within the access list, the packet is dropped. When a standard access list is used as an outbound packet filter, the packet is received by the router and switched to the proper outbound interface. At this point the router compares the source address against the filter rules contained within the access list. If the access list permits the packet, the router forwards it out of the interface toward its final destination; if the packet matches a deny statement or does not match any filter rule defined within the access list, the packet is dropped.
Standard access lists also support a feature known as implicit masks. Implicit masks can be used by not issuing a wildcard mask after the IP address specified within the access list. Implicit masks use a mask of 0.0.0.0, and as mentioned earlier in the section “Wildcard Masks,” a mask of all 0s instructs the router to match all bits within the address in order to permit or deny the packet.
One more thing you should know about standard access lists is that they should be placed as close to the intended destination as possible.
Extended Access Lists
Extended access lists provide more flexibility in the specification of what is to be filtered. An access list defined with a number ranging from 100 to 199 is an extended IP access list. An extended access list can be configured to be static or dynamic; the default is static. An extended access list is used to permit or deny packets based on multiple factors such as protocol, source IP address, destination IP address, precedence, Type-of-Service (TOS), and port. An extended access list also supports the use of logging, which creates an informational logging message about any packet that matches a filter rule within the list.
Extended access lists can filter according to protocol and protocol features. When configuring an extended access list for different protocols, you will notice that the command syntax of the extended access list differs from protocol to protocol; these differences must be taken into consideration before configuring the access list, or you could inadvertently open a security hole. Different IP protocol configurations will be discussed in "Immediate Solutions" later in this chapter. Protocols that can be matched on when configuring extended access lists are listed in Table 7.2.
Extended access lists should be placed as close to the source as possible, in part because of their capability to filter packets using a finer granularity of controls. This also prevents wasting unnecessary bandwidth and processing power on packets that are to be dropped anyway.
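The matching behaviour described in the Standard Access Lists and Extended Access Lists sections above, as an added Python model: a standard list judges on the source address alone, an omitted wildcard is the implicit mask 0.0.0.0, the first matching entry decides, a packet that matches nothing is dropped, and an extended list additionally checks protocol, destination address and port and can log a match. This is not code from the chapter or from Cisco IOS; the Entry, Packet and AccessList classes, the sample lists 10 and 101 (with illustrative addresses) and the log-line format are my own constructions, and port matching is simplified to a single destination port.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

MASK32 = 0xFFFFFFFF


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(candidate, acl_address, wildcard="0.0.0.0"):
    """Bits where the wildcard is 0 must agree; 1 bits are don't-care bits.
    The default of 0.0.0.0 is the implicit mask: the address must match exactly."""
    return ((_ip(candidate) ^ _ip(acl_address)) & ~_ip(wildcard) & MASK32) == 0


@dataclass
class Entry:
    """One permit/deny line. Standard lists use only action/source/source_wildcard."""
    action: str                                    # "permit" or "deny"
    source: str
    source_wildcard: str = "0.0.0.0"               # omitted wildcard -> implicit mask
    protocol: str = "ip"                           # extended only; "ip" = any IP protocol
    destination: str = "0.0.0.0"
    destination_wildcard: str = "255.255.255.255"  # extended only; default: any destination
    dest_port: Optional[int] = None                # extended only; None: any destination port
    log: bool = False                              # extended only: log packets matching this line


@dataclass
class Packet:
    protocol: str
    source: str
    destination: str
    dest_port: Optional[int] = None


@dataclass
class AccessList:
    number: int
    entries: List[Entry] = field(default_factory=list)

    @property
    def is_extended(self):
        # 1-99 standard, 100-199 extended, as the text defines the numbered ranges
        return 100 <= self.number <= 199

    def entry_matches(self, e, p):
        if not wildcard_match(p.source, e.source, e.source_wildcard):
            return False
        if not self.is_extended:
            return True  # a standard list decides on the source address alone
        if e.protocol != "ip" and e.protocol != p.protocol:
            return False
        if not wildcard_match(p.destination, e.destination, e.destination_wildcard):
            return False
        if e.dest_port is not None and e.dest_port != p.dest_port:
            return False
        return True

    def evaluate(self, p, log_lines=None):
        """Walk the entries top-down. The first matching entry decides and the
        router breaks out of the list; a packet matching no entry is dropped
        (the implicit deny that ends every access list)."""
        for e in self.entries:
            if self.entry_matches(e, p):
                if e.log and log_lines is not None:
                    port = "" if p.dest_port is None else f"({p.dest_port})"
                    log_lines.append(f"list {self.number} {e.action} {p.protocol} "
                                     f"{p.source} -> {p.destination}{port}")
                return e.action
        return "deny"


# Constructed sample lists (addresses are illustrative, not from the chapter).
# Standard list 10: host .5 is denied before the broader permit; order matters
# because the first match wins.
STANDARD_10 = AccessList(10, [
    Entry("deny", "192.168.10.5"),                  # implicit mask: exact host
    Entry("permit", "192.168.10.0", "0.0.0.255"),   # the whole 192.168.10.0 subnet
])

# Extended list 101: web traffic from 10.0.0.0/24 to one server is permitted and
# logged, telnet to it is denied and logged, any other IP traffic from that subnet
# is permitted; everything else falls through to the implicit deny.
EXTENDED_101 = AccessList(101, [
    Entry("permit", "10.0.0.0", "0.0.0.255", "tcp", "192.168.10.10", "0.0.0.0", 80, log=True),
    Entry("deny",   "10.0.0.0", "0.0.0.255", "tcp", "192.168.10.10", "0.0.0.0", 23, log=True),
    Entry("permit", "10.0.0.0", "0.0.0.255", "ip"),
])


if __name__ == "__main__":
    logs = []
    for pkt in (Packet("ip", "192.168.10.5", "10.1.1.1"),
                Packet("ip", "192.168.10.20", "10.1.1.1"),
                Packet("ip", "10.1.1.1", "192.168.10.20")):
        print("list 10:", pkt.source, "->", STANDARD_10.evaluate(pkt))
    for pkt in (Packet("tcp", "10.0.0.7", "192.168.10.10", 80),
                Packet("tcp", "10.0.0.7", "192.168.10.10", 23),
                Packet("udp", "10.0.0.7", "192.168.10.10", 53),
                Packet("tcp", "172.16.0.1", "192.168.10.10", 80)):
        print("list 101:", pkt.protocol, pkt.source, pkt.dest_port, "->",
              EXTENDED_101.evaluate(pkt, logs))
    print("\n".join(logs))
```

The model makes two of the text's points visible at once: swapping the two entries of list 10 would let host .5 through, because the first match wins, and the UDP packet in the list 101 run is permitted by the catch-all "ip" entry while the packet from 172.16.0.1 is dropped without any entry having matched it.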