FIREWALL

Firewall
A firewall is a set of rules used to restrict unauthorized access from the outside
environment (for example the Internet) into the inside network.



Types of firewall

    Hardware firewall        : dedicated appliances, e.g. WatchGuard, Cisco PIX.
    Software firewall        : e.g. Norton (Windows), Check Point (Linux).
    Access control list (ACL): packet filtering configured on routers and switches.
How does an ACL work?

A packet (for example from 111.20.15.63 towards the LAN 99.0.0.0) is handled like this:

    Is there an ACL on the interface, in the direction the packet is travelling?
        No  -> the packet is forwarded (full access).
        Yes -> the packet is compared with the ACL entries from top to bottom.
               Is there any match?
                   Yes, permit -> forwarded (full access).
                   Yes, deny   -> dropped (no access).
                   No match    -> dropped: every ACL ends with an implicit "deny any".
Features of an ACL (access control list)

    Each ACL is identified by a number or a name.
    Many ACLs can be created, but only one ACL per protocol, per direction (in or out)
    can be applied to a given interface of the router.
    Each ACL has two parts:
        How to create it (the list of permit/deny entries).
        Where to apply it (which interface, and in which direction).
    Each new entry is appended at the bottom of the ACL; entries are checked from the
    top, and the first match decides.


ACL no.    IP address       Action
-------    -------------    ------
100        12.3.5.41        deny
10         192.16.3.7       permit
5          172.15.65.48     deny
56         65.0.0.0         deny
Types of ACL (access control list)

    Standard ACL
    Extended ACL
    Named ACL
Standard ACL

It is identified by the numbers 1 - 99 and 1300 - 1999.
It permits or denies all traffic (every service) from an IP address or network,
because it matches on the source address only.
Since it cannot see the destination, it is created and applied as close to the
destination as possible, filtering by source address.


Inbound ACL and outbound ACL

An ACL is applied to an interface in one direction: "in" filters packets arriving on
the interface, "out" filters packets leaving it. The examples below use a serial
interface (S0/0) and an Ethernet interface (E0/0).
Syntax

How to create?

Router(config)#access-list <access-list no.> {permit | deny} <source address> <wildcard mask>
Router(config)#access-list <access-list no.> {permit | deny} any

The wildcard mask (w.c.m.) is the inverse of a subnet mask: a 0 bit must match and a
1 bit is ignored, so 0.0.0.0 matches exactly one host and 255.255.255.255 matches any
address.

Where to apply?

Router(config)#interface e0/0
Router(config-if)#ip access-group <access-list no.> out
Router(config-if)#exit

Or

Router(config)#interface s0/0
Router(config-if)#ip access-group <access-list no.> in
Router(config-if)#exit
Topology used in the practicals (addresses were abbreviated in the figure; 10.2 stands
for 10.0.0.2, and so on):

    Router 1: E0/0 10.0.0.1 (PC-1 10.0.0.2), S0/0 50.0.0.1
    Router 2: S0 50.0.0.2, E0 20.0.0.1 (PC-2 20.0.0.2), S2 60.0.0.1
    Router 3: S2 60.0.0.2, E0 30.0.0.1 (PC-3 30.0.0.2), S0 70.0.0.1
    Router 4: S0 70.0.0.2, E0 40.0.0.1 (PC-4 40.0.0.2)

The ACLs below are configured on Router 1, the router with interfaces E0/0 and S0/0.
Practical

Router(config)#access-list 12 deny 20.0.0.2 0.0.0.0
Router(config)#access-list 12 deny 30.0.0.2 0.0.0.0
Router(config)#access-list 12 deny 40.0.0.2 0.0.0.0
Router(config)#access-list 12 permit any

Router(config)#interface e0/0
Router(config-if)#ip access-group 12 out

Applied outbound on E0/0, this stops traffic sourced from PC-2, PC-3 and PC-4 from
being forwarded to PC-1; every other source is permitted. Without the final
"permit any" the implicit deny would block all traffic leaving E0/0.

Verify and remove:

Router#show access-lists
Router#show ip interface
Router#show access-list 12          (give the ACL name instead of 12 for a named ACL)
Router#show running-config
Router#show startup-config
Router(config)#no access-list 12
Extended ACL

It is identified by the numbers 100 - 199 and 2000 - 2699.
It permits or denies particular services (protocols and ports) of an IP address or
network.
It matches on source address, destination address, protocol and port, so it is created
and applied as close to the source as possible, dropping unwanted traffic before it
crosses the network.

Inbound ACL and outbound ACL

As with a standard ACL, an extended ACL is applied "in" or "out" on an interface; the
examples below use an Ethernet interface (E0/0) and a serial interface (S0/0).
Syntax

How to create?

Router(config)#access-list <access-list no.> {permit | deny} <protocol> <source address> <wildcard mask> <destination address> <wildcard mask> [eq | neq | lt | gt | range] [service name or port no.]
Router(config)#access-list <access-list no.> {permit | deny} ip any any

The port operator applies to the address it follows (placed after the destination it
filters the destination port) and is valid only for tcp and udp; "range" takes two
port numbers.

Where to apply?

Router(config)#interface e0/0
Router(config-if)#ip access-group <access-list no.> in
Router(config-if)#exit
Topology: the same as in the standard ACL practical (PC-1 10.0.0.2 on E0/0 of Router 1;
PC-2 20.0.0.2, PC-3 30.0.0.2 and PC-4 40.0.0.2 are reached through S0/0).

Practical

Router(config)#access-list 100 deny tcp 10.0.0.2 0.0.0.0 20.0.0.2 0.0.0.0 eq 23
Router(config)#access-list 100 permit ip any any

Router(config)#interface e0/0
Router(config-if)#ip access-group 100 in
Router(config-if)#exit

Or

Router(config)#interface s0/0
Router(config-if)#ip access-group 100 out
Router(config-if)#exit

This blocks Telnet (TCP port 23) from PC-1 to PC-2 and permits all other traffic.
Inbound on E0/0 is the better placement: the packets are dropped as they enter from
PC-1, before the router spends effort routing them.
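The decision the router makes in both practicals (ACL 12 applied "out" on E0/0 and ACL 100 applied "in"), written out as an added Python example; it is not part of the original notes and is not Cisco IOS code. It parses numbered standard and extended access-list lines, applies wildcard masks, walks the entries top-down and falls through to the implicit deny when nothing matches. The Packet tuples, the helper names and the single-line ACL 5 used to show the implicit deny are constructed for the example; the PORT_NAMES map covers only a handful of IOS service names, and lines typed in named-ACL mode (without the "access-list <no.>" prefix) are not parsed.

```python
# Added example, not from the original document: a toy evaluator for Cisco IOS
# numbered ACLs. It parses the access-list lines of the standard practical (ACL 12)
# and the extended practical (ACL 100) and checks constructed sample packets against
# them the way the router does: top-down, first match wins, implicit "deny any" at
# the end. Lines typed in named-ACL mode (no "access-list <no.>" prefix) are not parsed.
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

STANDARD_RANGES = ((1, 99), (1300, 1999))     # numbers reserved for standard ACLs
EXTENDED_RANGES = ((100, 199), (2000, 2699))  # numbers reserved for extended ACLs
PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80, "domain": 53}  # a few IOS service names
ANY = ("0.0.0.0", "255.255.255.255")          # "any" = address 0.0.0.0, wildcard all ones
NO_PORT_OP = (None, ())                       # no eq/neq/lt/gt/range operator

Packet = namedtuple("Packet", "src dst proto sport dport", defaults=("ip", 0, 0))
# action, protocol, (addr, wildcard) for src and dst, (operator, ports) for each, original line
Entry = namedtuple("Entry", "action proto src sport dst dport text")

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask: a 0 bit must match, a 1 bit is 'don't care', so
    0.0.0.0 selects exactly one host and 255.255.255.255 selects any address."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def _take_addr(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any', 'host X' or 'X WILDCARD' starting at t[i]; return (addr, wildcard, next)."""
    if t[i] == "any":
        return ANY[0], ANY[1], i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def _take_port_op(t: List[str], i: int):
    """Consume an optional eq/neq/lt/gt/range operator and its port(s); return (op, ports, next)."""
    if i >= len(t) or t[i] not in ("eq", "neq", "lt", "gt", "range"):
        return None, (), i
    n = 2 if t[i] == "range" else 1
    ports = tuple(int(PORT_NAMES.get(p, p)) for p in t[i + 1:i + 1 + n])
    return t[i], ports, i + 1 + n

def _port_ok(op: Optional[str], ports: Tuple[int, ...], port: int) -> bool:
    if op is None:
        return True
    if op == "range":
        return ports[0] <= port <= ports[1]
    return {"eq": port == ports[0], "neq": port != ports[0],
            "lt": port < ports[0], "gt": port > ports[0]}[op]

def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("only 'access-list <no.> ...' lines are supported: " + line)
    number, action = int(t[1]), t[2]
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        base, wild, _ = _take_addr(t, 3)         # standard ACL: source address only
        return Entry(action, "ip", (base, wild), NO_PORT_OP, ANY, NO_PORT_OP, line)
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        sb, sw, i = _take_addr(t, 4)             # extended ACL: protocol, src, dst, ports
        sop, sports, i = _take_port_op(t, i)     # optional source port operator
        db, dw, i = _take_addr(t, i)
        dop, dports, _ = _take_port_op(t, i)     # optional destination port operator
        return Entry(action, t[3], (sb, sw), (sop, sports), (db, dw), (dop, dports), line)
    raise ValueError("ACL number %d is neither standard nor extended" % number)

def matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)
            and _port_ok(*e.sport, p.sport) and _port_ok(*e.dport, p.dport))

def evaluate(lines: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, matching line). No match -> ('deny', None): the implicit deny."""
    for entry in map(parse_entry, lines):
        if matches(entry, pkt):
            return entry.action, entry.text
    return "deny", None

# The two ACLs from the practicals, exactly as typed on Router 1.
ACL_12 = ["access-list 12 deny 20.0.0.2 0.0.0.0",
          "access-list 12 deny 30.0.0.2 0.0.0.0",
          "access-list 12 deny 40.0.0.2 0.0.0.0",
          "access-list 12 permit any"]
ACL_100 = ["access-list 100 deny tcp 10.0.0.2 0.0.0.0 20.0.0.2 0.0.0.0 eq 23",
           "access-list 100 permit ip any any"]

if __name__ == "__main__":
    # Constructed packets. ACL 12 is applied "out" on E0/0, so it sees traffic towards PC-1:
    print(evaluate(ACL_12, Packet("20.0.0.2", "10.0.0.2")))   # PC-2 -> PC-1: denied
    print(evaluate(ACL_12, Packet("20.0.0.1", "10.0.0.2")))   # Router 2 -> PC-1: permit any
    # ACL 100 is applied "in" on E0/0, so it sees traffic coming from PC-1:
    print(evaluate(ACL_100, Packet("10.0.0.2", "20.0.0.2", "tcp", 40000, 23)))  # Telnet: denied
    print(evaluate(ACL_100, Packet("10.0.0.2", "20.0.0.2", "tcp", 40000, 80)))  # HTTP: permitted
    # A list with only deny lines denies everything: the implicit deny at the end.
    print(evaluate(["access-list 5 deny 172.15.65.48 0.0.0.0"], Packet("65.0.0.1", "10.0.0.2")))
```

Run it directly to print the five decisions. Two points worth noticing: the "out" ACL on E0/0 only ever sees traffic towards PC-1, so the source addresses it checks belong to the remote PCs, while the "in" ACL sees PC-1 as the source; and a list consisting only of deny entries blocks all traffic, which is why both practicals end with a permit. The parser handles the numbered forms shown on this page plus the "host" keyword and the "range" operator; it does not model the established, log or time-range keywords.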
Named ACL (standard)

Router(config)#ip access-list standard ccie             (ccie is the name of the standard ACL)
Router(config-std-nacl)#deny 20.0.0.2 0.0.0.0
Router(config-std-nacl)#deny 30.0.0.2 0.0.0.0
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit

Router(config)#interface e0
Router(config-if)#ip access-group ccie out
Router(config-if)#exit

Or

Router(config)#interface s0
Router(config-if)#ip access-group ccie out
Router(config-if)#exit
Named ACL (extended)

Router(config)#ip access-list extended cwnp             (cwnp is the name of the extended ACL)
Router(config-ext-nacl)#deny tcp host 10.0.0.2 host 20.0.0.2 eq 23
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#exit

Router(config)#interface e0/0
Router(config-if)#ip access-group cwnp in
Router(config-if)#exit

Or

Router(config)#interface s0
Router(config-if)#ip access-group cwnp out
Router(config-if)#exit

"host 10.0.0.2" is shorthand for "10.0.0.2 0.0.0.0". An extended entry must name the
protocol (here tcp) before the addresses; without it the deny line is rejected.

				