Routers aren't great at performing complex filtering, but network administrators can configure them to perform basic screening of network traffic. Learn how standard access control lists and extended access control lists may be used to implement network security policies.
- [Instructor] Routers also play an important role in network security. Routers often sit in front of network firewalls, and can perform filtering that reduces the load on the network firewall. Routers are not great at performing complex filtering, but network administrators can configure them to perform basic screening of network traffic. As an example, let's take a look at the filtering technology available in Cisco routers. While the syntax I'll describe in these examples is specific to Cisco devices, all routers can perform the same basic functionality.
One exam tip, before we dive into this material. You won't need to know how to configure Cisco devices when you take the CISSP exam. You should, however, be familiar with the type of filtering that you can perform on a router, and how it differs from the capabilities of a firewall. Cisco routers support the concept of access control lists. While you most often hear this term used to describe file system permissions, in this case, access control lists are similar to firewall rules. Cisco devices support two types of access control lists, standard and extended.
The standard access control list allows administrators to block inbound traffic based upon the source IP address. To create a standard access control list, you use the access-list command, which has the following syntax. The command begins with the word access-list, and is then followed by the access control list number, which is assigned by the administrator and must be unique. Standard access control lists may have numbers between one and 99.
Next goes either the word permit or deny, depending upon whether this list is intended to allow or block traffic. And then the last two entries of the list specify the source IP address, and the mask that should be applied to that address. For example, assume that we want to write a standard access control list that blocks all inbound traffic from network addresses in the range 10.3.1.0 to 10.3.1.255.
We write this using the syntax access-list, and then we give it a number, let's use one. We write deny to specify the rule will block traffic, then we write the IP network address that we're blocking, 10.3.1.0, and then we need to make sure this includes all addresses in the range 10.3.1.0 to 10.3.1.255, so we use the mask 0.0.0.255. That's all there is to writing a standard access control list on a Cisco router.
Standard lists are limiting, because they only allow blocking in a very blunt way, by source IP address. That's okay if you're trying to block an address or network completely, but it doesn't provide much flexibility. Cisco also allows administrators to perform more complex filtering through the use of extended access control lists. These lists allow administrators to block traffic based upon source and destination addresses, protocols, and ports.
We won't go into the specifics of extended access control lists in this course, but if you're interested in learning more about this technology, we offer many Cisco networking courses that may interest you, including Cisco Certified Entry Networking Technician Essential Training. So if extended access control lists begin to approach the functionality of a firewall, why do we need firewalls? Well, firewalls differ from routers in a number of ways. First, firewalls are purpose-specific devices, and are much more efficient at performing complex filtering than routers.
Second, firewalls have advanced rule capabilities. They allow you to create rules that are conditional upon the time of day, users involved, and other criteria. Finally, firewalls offer more advanced security functionality. They can incorporate threat intelligence, perform application inspection, and integrate with intrusion prevention systems to provide enhanced protection to a network. While firewalls do offer advanced security protection, administrators may still choose to place some access control lists at the router level to filter traffic before it reaches the firewall.
This reduces the burden on downstream devices.
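To make the wildcard-mask arithmetic behind the access-list 1 example concrete, here is an added Python example (not code from the course or from Cisco) that parses standard access-list lines and evaluates a packet's source address against them. It assumes the first-match, implicit-deny behaviour of Cisco ACLs; the trailing "permit any" line and the addresses checked are constructed sample input.

```python
import ipaddress

# Constructed sample: the standard ACL written in the transcript, followed by
# "permit any" (Cisco shorthand for source 0.0.0.0, wildcard 255.255.255.255)
# so that traffic from every other source is allowed through.
SAMPLE_ACL = """
access-list 1 deny 10.3.1.0 0.0.0.255
access-list 1 permit any
"""

def parse_standard_acl(text):
    # Parses 'access-list <1-99> {permit|deny} <source> [wildcard]' lines into
    # (number, action, source_int, wildcard_int) tuples, preserving order.
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard access-list line: {line!r}")
        number = int(parts[1])
        if not 1 <= number <= 99:
            raise ValueError(f"standard ACL numbers are 1-99, got {number}")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny, got {action!r}")
        if parts[3] == "any":
            source, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            # An omitted wildcard defaults to 0.0.0.0, i.e. exactly one host.
            source = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        rules.append((number, action, int(ipaddress.IPv4Address(source)),
                      int(ipaddress.IPv4Address(wildcard))))
    return rules

def wildcard_match(addr, source, wildcard):
    # A Cisco wildcard mask is an inverted subnet mask: a 0 bit must match the
    # rule's source address, a 1 bit is "don't care".
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (source & care)

def evaluate(rules, src_addr):
    # First match wins, top to bottom; a packet matching no line hits the
    # implicit deny that ends every Cisco ACL (assumed Cisco behaviour).
    for _number, action, source, wildcard in rules:
        if wildcard_match(src_addr, source, wildcard):
            return action
    return "deny"
```

Running `evaluate(parse_standard_acl(SAMPLE_ACL), "10.3.1.77")` returns "deny" while "10.3.2.1" returns "permit"; dropping the "permit any" line makes every source hit the implicit deny.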
Learn about communication and networking best practices, including TCP/IP networking, network security devices, and secure network design and management. Instructor and cybersecurity expert Mike Chapple also includes coverage of converged protocols, network encryption, and wireless networking. You can find Mike's companion study books for this series at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
- IP addressing
- Switches and routers
- Content distribution networks
- Designing secure networks
- Specialized networking
- Managing secure networks
- Working with virtualized networks like SDNs
- Detecting and preventing network attacks
- Transport encryption
- Wireless networking
- Host security