Foundation Summary

The "Foundation Summary" section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your SNRS exam, a well-prepared candidate should at a minimum know all the details in each "Foundation Summary" section before going to take the exam.

ACLs filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. Your router examines each packet to determine whether to forward or drop the packet, based on the criteria you specified within the ACLs.

The two main tasks involved in using ACLs are as follows:

• Create an ACL by specifying an ACL number or name and access conditions.

• Apply the ACL to interfaces or terminal lines.

Cisco IOS Software supports the following types of ACLs for IP:

• Standard IP ACLs

• Extended IP ACLs

• Reflexive ACLs

At the end of every ACL is an implicit "deny all traffic" statement. Entries are evaluated top-down and the first match wins, so a packet that matches none of your explicit entries is dropped; order the entries accordingly, and remember that a list with no permit entries blocks everything. Table 11-3 lists the commands used to mitigate attacks on IOS routers.
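The two tasks above, and the implicit deny, worked through as a router configuration. This is an added example, not configuration from the book: the subnet 10.1.1.0/24, the host 10.2.2.10, the interface names and the ACL names are assumed. The deny at the end of each list is written out with the log keyword so that the packets the implicit deny would have dropped silently are recorded instead.

```text
! ---- Task 1: create the ACLs ----
!
! Standard ACL (numbered): matches on source address only. Used here to
! limit who may open a management session to the router.
access-list 10 remark Management hosts allowed to reach the vty lines
access-list 10 permit 10.1.1.0 0.0.0.255
! The implicit deny would drop everything else silently; making it explicit
! with "log" keeps the same result but records the hits.
access-list 10 deny any log
!
! Extended ACL (named): matches on protocol, source, destination and port.
! Only SSH from the management subnet to the assumed host 10.2.2.10.
ip access-list extended INSIDE-IN
 remark SSH from management subnet to 10.2.2.10 only
 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 22
 remark Explicit form of the implicit deny, with logging
 deny ip any any log
!
! Reflexive ACL: outbound TCP sessions create temporary entries in
! TCP-SESSIONS; the inbound list admits only the matching return traffic,
! and anything else falls through to the logged deny.
ip access-list extended OUTSIDE-OUT
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit ip any any
ip access-list extended OUTSIDE-IN
 evaluate TCP-SESSIONS
 deny ip any any log
!
! ---- Task 2: apply the ACLs ----
!
! To interfaces: ip access-group, and the direction matters ("in" filters
! packets arriving on the interface, "out" packets leaving it).
interface FastEthernet0/0
 ip access-group INSIDE-IN in
interface Serial0/0
 ip access-group OUTSIDE-OUT out
 ip access-group OUTSIDE-IN in
!
! To terminal lines: access-class (not ip access-group), which takes a
! standard ACL and applies to the vty lines themselves.
line vty 0 4
 access-class 10 in
```

After applying the lists, show access-lists displays each entry with its match counter, which is the quickest way to confirm that traffic is hitting the entry you expect rather than the final deny; show ip interface FastEthernet0/0 confirms which list is bound in which direction.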

Table 11-3. Commands for Preventing Attacks Against the Cisco IOS Router

Command
    Description

no service tcp-small-servers
no service udp-small-servers
    Disables the TCP and UDP small services (echo, chargen, discard, daytime) so they cannot be abused for DoS or other attacks. Global configuration mode.

no service finger
    Avoids releasing user (logged-in session) information to possible attackers. Global configuration mode; on newer IOS releases the command is no ip finger.

no cdp run
no cdp enable
    Avoids releasing information about the router (platform, IOS version, addresses) to directly connected devices. no cdp run disables CDP globally; no cdp enable disables it on one interface.

ntp disable
    Prevents attacks against the NTP service by refusing NTP packets on an interface that should not accept them. Interface configuration mode. (The chapter lists this as no ntp enable; the per-interface command on Cisco IOS is ntp disable.)

no ip directed-broadcast
    Prevents attackers from using the router as a Smurf amplifier. Interface configuration mode; the default since IOS 12.0, but worth setting explicitly on every interface.

snmp-server party ... authentication md5 secret ...
    Configures MD5-based authentication for party-based SNMPv2. This form of SNMPv2 is long obsolete; the current equivalent is SNMPv3 authentication with snmp-server group ... v3 auth and snmp-server user ... v3 auth. Enable SNMP only if it is needed in your network.

ip http authentication method
    Authenticates HTTP connection requests, where method is aaa, enable, local, or tacacs (if you have enabled the HTTP server on your router).

ip http access-class list
    Further controls HTTP access by restricting it to the source addresses permitted by the given standard ACL (if you have enabled the HTTP server on your router).
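The commands from Table 11-3 placed in the configuration modes where IOS expects them, with an ACL from the first task of the chapter reused to restrict the HTTP server. This is an added example, not configuration from the book: the interface name, the SNMPv3 group and user names, the password and ACL 10 (assumed to permit only a management subnet) are assumptions. Party-based SNMPv2 is replaced here by SNMPv3 authenticated access, which is what current IOS supports.

```text
! ---- Global configuration mode ----
no service tcp-small-servers
no service udp-small-servers
! Older IOS: "no service finger"; newer IOS accepts "no ip finger"
no service finger
! Turns CDP off for the whole router
no cdp run
!
! ---- Interface configuration mode ----
! Per-interface equivalents, applied to the assumed outside interface
interface Serial0/0
 ! CDP off on this interface only (no-op here because "no cdp run" is set,
 ! but it is the right command when CDP must stay on elsewhere)
 no cdp enable
 ! Refuse NTP packets arriving on this interface
 ntp disable
 ! Do not forward directed broadcasts (Smurf amplification)
 no ip directed-broadcast
!
! ---- SNMP ----
! SNMPv3 with authentication (group and user names, and the password,
! are assumed values); the obsolete "snmp-server party" form is not used
snmp-server group NETMGMT v3 auth
snmp-server user nmsuser NETMGMT v3 auth sha ChangeMe123
!
! ---- HTTP server ----
! Leave it disabled unless it is needed ...
no ip http server
! ... and if it is needed, require authentication and restrict the source
! addresses to those permitted by the assumed standard ACL 10
! (remove the leading "! " from the three lines below to enable it)
! ip http server
! ip http authentication local
! ip http access-class 10
```

A quick way to confirm the result is show running-config | include service|cdp|ntp|snmp|http, which lists only the lines this example touches; note that IOS does not print default settings such as no ip directed-broadcast in the running configuration, so their absence there is expected.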
