Figure 4-1: An access control list can reduce the risks of internetworking. (Figure not reproduced; the router ports E0, E1, and S0 it shows are described in the text below.)

The users in this network require access to the Internet's content for marketing purposes. This requires that TCP/IP sessions be permitted to flow in both directions through the connection to the Internet. The users are concerned, however, about exposing their internal hosts to attack from the Internet. Therefore, access control lists can be used to exclude UDP access to ports E0 and E1 from S0 either universally or per application type. In this example, anyone attempting to access these ports from the S0 port using the UDP protocol will be denied access. No such restrictions are placed on ports E0 and E1. The cumulative access control lists (one per port) would resemble the contents of Table 4-1.

Table 4-1: Access Control Lists for the Network in Figure 4-1

Port Number    Allowed Access To    Denied Access To
E0             E1, S0               N/A
E1             E0, S1               N/A
S0             N/A                  E0 using UDP, E1 using UDP

The access control list example presented in Figure 4-1 and Table 4-1 is based on port-level and application-level permissions. It is possible to program access based on IP addresses, too. You can explicitly allow or deny access based on an individual IP address or an entire range of addresses.
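As an added example that is not part of the book's text, the policy of Table 4-1 modelled in Python as one first-match list per ingress port. The Packet and Rule types, the implicit deny at the end of each list, and the 192.0.2.0/24 address-range entry are constructed here to show the port-level, protocol-level, and address-based permissions described above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    in_port: str    # interface the packet arrives on (whose ACL is applied)
    out_port: str   # interface the router would forward it out of
    proto: str      # "tcp" or "udp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    out_port: str = "any"   # port-level match, as in Table 4-1
    proto: str = "any"      # application/protocol-level match
    src: str = "0.0.0.0/0"  # address-level match: a single host (/32) or a range

    def matches(self, p: Packet) -> bool:
        return (self.out_port in ("any", p.out_port)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src))


# One list per ingress port; the first matching entry wins and a packet that
# matches no entry is dropped (the usual implicit deny at the end of a list).
ACLS = {
    # E0 and E1 may reach each other and the Internet port; nothing is denied.
    "E0": [Rule("permit", out_port="E1"), Rule("permit", out_port="S0")],
    # The table prints S1 in this row; the prose names S0, which is used here.
    "E1": [Rule("permit", out_port="E0"), Rule("permit", out_port="S0")],
    # S0: UDP toward the inside ports is denied. TCP sessions must still flow in
    # both directions, so the table's "N/A" in the Allowed column is read here
    # as "everything not explicitly denied" (an assumption of this example).
    "S0": [Rule("deny", src="192.0.2.0/24"),          # constructed address-range block
           Rule("deny", out_port="E0", proto="udp"),
           Rule("deny", out_port="E1", proto="udp"),
           Rule("permit")],
}


def evaluate(packet: Packet, acls: dict = ACLS) -> str:
    """Return 'permit' or 'deny' for a packet entering on packet.in_port."""
    for rule in acls.get(packet.in_port, []):
        if rule.matches(packet):
            return rule.action
    return "deny"  # implicit deny: no list for the port, or no entry matched
```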

As useful as ACLs may be, they are not a panacea: you must view them in the perspective of the entire networked computing environment. Therefore, it is important to remember two factors about securing an IP network. First, ACLs must be kept current. Daily administrative activities might include such things as moves, changes, deletions, and additions of both interfaces and address ranges. Lists that are not kept up to date to reflect such changes in the network become less and less effective. Second, ACLs are best regarded as just one layer in an overall network security scheme. Other valid and valuable security mechanisms include host-level authentication, encryption of transmitted data, and use of firewalls at network borders, among many others. You must assess the risks inherent in your own operating environment and identify specific controls to minimize your exposure to those risks. Access control lists may be quite useful, but they provide only one type of protection for one part of your internetwork. Therefore, it is highly unlikely that you can adequately protect your networked computing assets without supplementary security mechanisms.
