Basic Security using Access Lists

Consider the need to secure a service so that only certain computers can reach it. The HR computers need access to a Payroll system that no one else needs to use. The HR Payroll application resides on the server subnet with an IP address of 10.0.4.100 and listens on TCP port 443 (SSL). The HR workstation subnet is 10.0.3.0/24 and will be the only network allowed to access the application.

hostname CentralLanRouter
!
interface FastEthernet0/0
description Infrastructure Subnet
ip address 10.0.1.1 255.255.255.0
!
interface FastEthernet0/1
description Employee Subnet
ip address 10.0.2.1 255.255.255.0
!
interface FastEthernet1/0
description HR Subnet
ip address 10.0.3.1 255.255.255.0
!
interface FastEthernet1/1
description Server Subnet
ip address 10.0.4.1 255.255.255.0
! ACLs bind to an interface with "ip access-group"; "access-class" applies only to vty lines.
! "out" filters packets the router forwards toward the server subnet (traffic destined to the server).
ip access-group 100 out
!
access-list 100 remark ACL to protect HR Server
access-list 100 permit tcp 10.0.3.0 0.0.0.255 host 10.0.4.100 eq 443
access-list 100 deny ip any host 10.0.4.100
! Without this final permit, all other traffic would hit the implicit "deny ip any any" at the end of the list.
access-list 100 permit ip any any

The access list 100 defined above accomplishes the following:

Allows hosts in 10.0.3.0/24 to reach the host 10.0.4.100 on TCP port 443 (SSL)
Denies every other source address from reaching the host 10.0.4.100 on any port or protocol
Allows all remaining traffic from any source to any destination


The access list 101 below keeps the server from initiating connections out to other workstations. This would be used as an additional security measure, in case the Payroll server was compromised. In the event an intruder got console access to the server, you wouldn't want it to have the ability to FTP files off the server to another location.

interface FastEthernet1/1
description Server Subnet
ip address 10.0.4.1 255.255.255.0
ip access-group 100 out
! "in" filters packets arriving from the server subnet (traffic the server itself sends).
ip access-group 101 in
!
access-list 101 remark ACL to restrict outbound access from the HR server
! Permits the server's replies to HR workstations (client ephemeral ports are above 1023).
! Adding the "established" keyword to this line would limit it to replies rather than new connections.
access-list 101 permit tcp host 10.0.4.100 10.0.3.0 0.0.0.255 gt 1023
access-list 101 deny ip host 10.0.4.100 any
access-list 101 permit ip any any

The order of the statements in the access list is what makes this work: entries are processed line by line from top to bottom, and the first entry that matches a packet decides its fate.
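As an added example (not part of the original post, and not Cisco code), the small Python simulator below parses the two numbered access lists exactly as written above and evaluates constructed sample packets against them top to bottom, first match wins, with the implicit "deny ip any any" at the end. The packet addresses and ports are made-up samples; the function names are this example's own. It also shows what happens when "permit ip any any" is moved to the top of ACL 100.

```python
"""Top-to-bottom evaluator for the numbered IOS access lists in the post (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# ACL text copied from the post; remark lines are skipped by the parser.
ACL_100 = """
access-list 100 remark ACL to protect HR Server
access-list 100 permit tcp 10.0.3.0 0.0.0.255 host 10.0.4.100 eq 443
access-list 100 deny ip any host 10.0.4.100
access-list 100 permit ip any any
""".strip().splitlines()

ACL_101 = """
access-list 101 remark ACL to restrict outbound access from the HR server
access-list 101 permit tcp host 10.0.4.100 10.0.3.0 0.0.0.255 gt 1023
access-list 101 deny ip host 10.0.4.100 any
access-list 101 permit ip any any
""".strip().splitlines()


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Entry:
    action: str
    proto: str
    src: Callable[[int], bool]
    dst: Callable[[int], bool]
    sport: Callable[[int], bool]
    dport: Callable[[int], bool]

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return (self.src(int(ipaddress.IPv4Address(pkt.src)))
                and self.dst(int(ipaddress.IPv4Address(pkt.dst)))
                and self.sport(pkt.sport) and self.dport(pkt.dport))


_PORT_OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n,
             "lt": lambda p, n: p < n, "neq": lambda p, n: p != n}


def _addr(tokens: List[str]) -> Tuple[Callable[[int], bool], List[str]]:
    """Consume 'any', 'host A' or 'A WILDCARD'; return a matcher and the remaining tokens."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = int(ipaddress.IPv4Address(tokens[1]))
        return (lambda ip: ip == want), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    care = int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (lambda ip: (ip & care) == (base & care)), tokens[2:]


def _port(tokens: List[str]) -> Tuple[Callable[[int], bool], List[str]]:
    """Consume an optional 'eq|gt|lt|neq N' operator; with none present any port matches."""
    if tokens and tokens[0] in _PORT_OPS:
        op, n = _PORT_OPS[tokens[0]], int(tokens[1])
        return (lambda p: op(p, n)), tokens[2:]
    return (lambda p: True), tokens


def parse_entry(line: str) -> Optional[Entry]:
    """Parse 'access-list N permit|deny PROTO SRC [op port] DST [op port]'; None for remarks."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
        return None
    action, proto = tokens[2], tokens[3]
    src, rest = _addr(tokens[4:])
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return Entry(action, proto, src, dst, sport, dport)


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl:
        entry = parse_entry(line)
        if entry is not None and entry.matches(pkt):
            return entry.action, line
    return "deny", "implicit deny ip any any"


def demo() -> dict:
    """Constructed sample packets run through the list that would see them; returns {label: action}."""
    cases = {
        # packets heading toward the server subnet are checked by ACL 100
        "hr_https_to_payroll": (ACL_100, Packet("tcp", "10.0.3.25", "10.0.4.100", 51000, 443)),
        "employee_https_to_payroll": (ACL_100, Packet("tcp", "10.0.2.7", "10.0.4.100", 51000, 443)),
        "hr_ssh_to_payroll": (ACL_100, Packet("tcp", "10.0.3.25", "10.0.4.100", 51001, 22)),
        "employee_to_other_server": (ACL_100, Packet("tcp", "10.0.2.7", "10.0.4.50", 51002, 80)),
        # packets sourced by the server are checked by ACL 101
        "payroll_reply_to_hr": (ACL_101, Packet("tcp", "10.0.4.100", "10.0.3.25", 443, 51000)),
        "payroll_ftp_to_employee": (ACL_101, Packet("tcp", "10.0.4.100", "10.0.2.7", 40000, 21)),
        "payroll_ping_hr": (ACL_101, Packet("icmp", "10.0.4.100", "10.0.3.25")),
        "other_server_ftp_out": (ACL_101, Packet("tcp", "10.0.4.50", "10.0.2.7", 40000, 21)),
    }
    return {label: evaluate(acl, pkt)[0] for label, (acl, pkt) in cases.items()}


def order_matters() -> Tuple[str, str]:
    """ACL 100 as written versus the same entries with 'permit ip any any' moved to the top:
    the broad permit then shadows the deny, so an employee workstation reaches the server."""
    reordered = [ACL_100[3]] + ACL_100[1:3]
    pkt = Packet("tcp", "10.0.2.7", "10.0.4.100", 51000, 443)
    return evaluate(ACL_100, pkt)[0], evaluate(reordered, pkt)[0]


if __name__ == "__main__":
    for label, action in demo().items():
        print(f"{label:28s} {action}")
    print("employee->payroll, original vs reordered ACL 100:", order_matters())
```

Running the block prints one line per sample packet; the employee and SSH attempts against 10.0.4.100 and the server's FTP and ping attempts are the denied ones, and the last line shows the reordered list letting the employee through.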

Author Info:

Scott's profession is a Senior Network Engineer at a Healthcare related company in Nashville, TN. When he is not trying to secure a network or come up with a design for a new project, he enjoys spending time with his family. You can find out more at: http://www.scottp.net
