24 Cards in this Set

  • Front
  • Back
TCP
-connection oriented
-reliable
-full duplex
-congestion control mechanism
TCP session
-SYN starts the session
-ACK acknowledges the expected packet received
-FIN when session is finished.
TCP/UDP ports
0 - 1023 - well known ports
1024 - 49151 - registered ports
all else - private/dynamic ports
TCP well known ports
- HTTP - 80
- SMTP - 25
- FTP - 20/21
- DNS - 53
- SNMP - 161
acl guidelines
-use in firewall routers
-use on routers positioned between two parts of the network to control traffic
-use it on border routers
-use it on each network protocol on border router interfaces.
The Three Ps
- per protocol
- per direction
- per interface
acl role
- limit network traffic to increase performance
- traffic flow control
- basic security for network access
- decide which type of traffic to forward or block at router interfaces.
- control which areas a client can access
- screen hosts to permit or deny access
Inbound ACLs
incoming packets are processed before they are routed to the outbound interface.
-inbound ACL is efficient because it saves the overhead of a routing lookup if the packet is discarded.
outbound ACL
incoming packets are routed to the outbound interface and then they are processed through the outbound ACL.
implicit deny
denies all traffic not matched by any ACL entry; it is not written in the ACL but is implied at the end of the list.
standard ACL
- permit or deny traffic based on source IP address only
extended ACL
-filter packets based on protocol type, source and destination IP address, and source and destination TCP/UDP port.
where to place ACL
- place extended ACLs close to the source of the traffic to be denied.
- place standard ACLs close to the destination.
dynamic ACL
- depends on Telnet connectivity, authentication and extended ACLs
how does dynamic ACL work
-users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and authenticate.
The Telnet connection is then dropped and a single-entry dynamic ACL is added to the extended ACL.
when to use dynamic ACL
-to allow a specific remote user or group to access a host within the network when connecting via the internet.
-to allow a subset of hosts on a local network to access a host on a remote network that is protected by a firewall.
benefits of dynamic ACL
-authenticate individual users.
-simplified management in large internetworks.
-reduce network break-ins
-dynamic user access through a firewall without interfering with other security restrictions.
Reflexive ACL
permit a reply only if it comes from the destination of a known recent outbound packet and is addressed to the source of that outbound packet
benefits of reflexive ACL
-greater control of what traffic to allow in the network
-provide a truer form of session filtering than an extended ACL with the established parameter.
-help secure the network against attackers and can be included as part of firewall security
-provide security against spoofing and DoS attacks.
use of reflexive ACL
- allow IP traffic for sessions originating from inside the network while denying IP traffic for sessions originating outside the network.
how reflexive ACL works
-examines outbound traffic; when it sees a new connection, it adds an entry to the temporary ACL to allow replies back in.
-not applied directly to the interface, but nested within an extended named IP ACL that is applied to the interface.
established parameter
-the established option does not work with applications that dynamically alter the source port for the session traffic. It only checks the ACK and RST bits, not the source and destination addresses.
time based ACL
allows access control based on time.
Specify a time range that defines specific times and days of the week.
benefits of time based ACL
-offer the network administrator more control over permitting or denying access to a resource.
-allows network administrators to control logging messages.