Unit 5: Access Control Lists 5.1 Access Control Lists Introduction to ACLs

mac2022-06-30  22

>> Let's say you have some hosts on a particular subnet that should have access to other subnets in your autonomous system, with the exception of a specific subnet where servers are storing sensitive data. Or maybe one specific host from that subnet should be allowed to access a specific service on a certain machine but not others. There could even be government privacy regulations that require you to prevent or allow packets from reaching certain servers. Enter the stateless packet filter, which through a set of rules lets packets into a network or denies their entrance, and lets packets out of a network or denies their exit.

The best example of a stateless packet filter is an IP ACL (access control list), which will permit or deny packets entering the network inbound or exiting it outbound based on criteria such as source IP address, destination IP address, protocol, and port. IP ACLs operate at layer 3 and above, so they don't use MAC addresses as a criterion, since MAC addresses exist in layer 2 frames. If you did want to filter at layer 2, you would use a MAC ACL. Other types of ACLs include VLAN ACLs and port ACLs. This unit will focus on IP ACLs on Cisco routers. IP ACLs can be configured on a router or on a standalone firewall like Cisco's ASA (Adaptive Security Appliance).

An access control list has multiple lines of instructions that are processed in sequential order, and order does matter, unlike a shopping list. When my wife gives me a shopping list, the order in which I get the items doesn't matter: I could get the milk, bread, eggs, cereal, ice cream, taco kit, and pancake mix in any order I want. However, the order of instructions in an ACL is crucial. Ordering the instructions incorrectly could actually do the opposite of what you wanted: certain packets that should be denied will be permitted, and certain packets that should be permitted will be denied. In the world of cyber security, that sets you up to be breached or for a possible denial of service.

An ACL is a list of multiple instructions or statements. Some statements permit traffic; others deny traffic. As soon as a packet matches a statement based on source IP address, destination IP address, protocol, or port, the packet is either permitted or denied, regardless of what comes later in the ACL. If a general statement in one of the first few lines of an ACL denies a specific packet, it's denied, even if there's a more specific statement later in the ACL that would permit the packet. The packet will never reach that line, because as soon as a match is made, the packet is dealt with at that line. There's no branching or looping, and no comparing general statements to more specific ones. ACLs are processed from the first line and then down through all the subsequent lines sequentially until a match is found. If no configured statement matches a packet, the packet meets the implicit deny any statement at the end of every ACL, which simply discards it. After all, if we have no instruction that deals with the packet in our configured statements, then from a cyber security perspective it makes sense to just drop the packet instead of letting it into or out of a network.
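As an added example (not part of the lecture), the following Python simulates the top-down, first-match walk just described, including the implicit deny at the end, over a Cisco-style extended IP ACL written for the scenario from the start of the unit. The ACL name PROTECT-SERVERS, the subnets 10.1.1.0/24 and 10.2.2.0/24, the host 10.1.1.50 and the server 10.2.2.10 are constructed for illustration. The parser understands only `any`, `host`, address/wildcard pairs and `eq` with a numeric destination port, and `shadowed_entries` is a check written here for the example, not an IOS feature. It evaluates the same three lines in the correct order and in the wrong order: with the general deny placed first, the specific permit can never match and the one host that should reach HTTPS on the server is dropped.

```python
"""Added example: first-match evaluation of a Cisco-style extended IP ACL.

Not code from the original lecture; it models how a router walks an ACL.
All addresses, subnets and ACL names below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_ONES = 0xFFFFFFFF


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class AddrSpec:
    """Address plus IOS wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    address: int
    wildcard: int

    def matches(self, ip: int) -> bool:
        # Compare only the bits the wildcard marks as significant (0 bits).
        return (ip ^ self.address) & ~self.wildcard & ALL_ONES == 0

    def covers(self, other: "AddrSpec") -> bool:
        """True if every address that matches `other` also matches self."""
        return (self.wildcard | other.wildcard) == self.wildcard and self.matches(other.address)


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol), "tcp", "udp", "icmp"
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]   # None = any destination port
    text: str              # the configuration line, for reporting


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (spec, next index)."""
    if tokens[i] == "any":
        return AddrSpec(0, ALL_ONES), i + 1
    if tokens[i] == "host":
        return AddrSpec(ip_int(tokens[i + 1]), 0), i + 2
    return AddrSpec(ip_int(tokens[i]), ip_int(tokens[i + 1])), i + 2


def parse_acl(config: str) -> list:
    """Parse the entries of a named extended ACL (numeric ports, 'eq' only)."""
    aces = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark", "!"):
            continue   # 'ip access-list ...' header, remarks and comments are not entries
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        if i < len(tokens) and tokens[i] == "eq":
            raise ValueError("source-port operators are not supported in this example")
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport, line.strip()))
    return aces


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Walk the ACL top-down; the first matching entry decides, later ones are never consulted."""
    s, d = ip_int(pkt.src), ip_int(pkt.dst)
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (ace.src.matches(s) and ace.dst.matches(d)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of ACL"   # no entry matched: the packet is discarded


def shadowed_entries(acl: list) -> list:
    """Entries that can never match because an earlier entry already covers all their traffic."""
    found = []
    for n, later in enumerate(acl):
        for earlier in acl[:n]:
            if (earlier.proto in ("ip", later.proto)
                    and earlier.src.covers(later.src)
                    and earlier.dst.covers(later.dst)
                    and earlier.dport in (None, later.dport)):
                found.append(later.text)
                break
    return found


# Constructed scenario: 10.1.1.0/24 may reach other subnets except the server
# subnet 10.2.2.0/24; only 10.1.1.50 may reach HTTPS (tcp/443) on 10.2.2.10.
CORRECT_ORDER = """
ip access-list extended PROTECT-SERVERS
 permit tcp host 10.1.1.50 host 10.2.2.10 eq 443
 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
"""

# The same three lines with the general deny first: the specific permit is dead.
WRONG_ORDER = """
ip access-list extended PROTECT-SERVERS
 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit tcp host 10.1.1.50 host 10.2.2.10 eq 443
 permit ip 10.1.1.0 0.0.0.255 any
"""

if __name__ == "__main__":
    https_from_allowed_host = Packet("10.1.1.50", "10.2.2.10", "tcp", 443)
    for name, cfg in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        acl = parse_acl(cfg)
        print(name, evaluate(acl, https_from_allowed_host), "shadowed:", shadowed_entries(acl))
```

The `matches` test is the same bitwise comparison a router performs with a wildcard mask, so non-contiguous wildcards work too; `shadowed_entries` is the quick sanity check to run after reordering lines, because a later entry that an earlier one fully covers is exactly the "packet never reaches that line" case the lecture warns about.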

Reposted from: https://www.cnblogs.com/sec875/articles/10028596.html
