With the rapid development of the Internet and intranets, enterprises and institutions across China are building local networks and connecting them to the Internet. Information network security, however, remains a constant concern. This article therefore proposes building a firewall for a computer network by using access control lists (ACLs) on the router.
The global security policies of an organization should be determined based on security analysis and business needs analysis. Because network security is closely related to firewalls, we must correctly set network security policies, to maximize the role of the firewall.
The network firewall security policy defines which packets are allowed or prohibited to pass and to use network services, and the rules for using those services. Each rule in the security policy should then be implemented in the actual deployment. Below we implement security policies through access control lists on the router to achieve the firewall function, and describe their implementation and application in detail.
Role of the access control list
An access control list is a list of commands applied to a router interface. These commands tell the router which packets may be received and which must be rejected. Whether a packet is accepted or denied is decided by specific criteria such as the source address, destination address, port number, and protocol. By adding access control lists flexibly, an ACL becomes a powerful network control tool that filters packets on inbound and outbound router interfaces.
After creating an access control list, you can restrict network traffic, improve network performance, and control communication flows. This is also a basic security measure for network access. With an access control list configured on a router interface, packets can be filtered as they enter the inbound interface, leave the outbound interface, or are relayed through the router.
IP Address Access Control List category
Standard IP Address Access Control List
When you want to block all traffic from a certain network, allow all traffic from a specific network, or reject all traffic of a certain protocol family, a standard access control list can achieve this goal. The standard access control list checks only the source address of the routed packet and allows or denies all traffic through the router's egress based on the IP address of the network, subnet, or host.
Extended IP Address Access Control List
The extended access control list checks the source address of the packet, the destination address of the packet, and the packet's specific protocol type and port number. The extended access control list is therefore more flexible and scalable: it can allow traffic of one protocol to pass to a given address while denying traffic of other protocols to that same address.
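To make the difference between standard and extended lists concrete, here is an added example (not code from the original article) that simulates how a router evaluates an ACL: entries are checked in order, the first matching entry decides, and a packet that matches no entry is dropped by the implicit deny at the end of every list. The `AclEntry` class, the `host` helper and the sample packets are assumptions made for this illustration; the address and wildcard values are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Wildcard mask semantics: bit 0 = "check this bit", bit 1 = "do not check this bit".
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

ANY = ("0.0.0.0", "255.255.255.255")   # same meaning as the IOS keyword "any"

def host(addr: str):
    """The IOS 'host' shorthand: a 0.0.0.0 wildcard checks all 32 bits."""
    return (addr, "0.0.0.0")

@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches every protocol; "tcp", "udp", "icmp" match one
    src: tuple = ANY                 # (address, wildcard) pair
    dst: tuple = ANY
    dst_port: Optional[int] = None   # "eq <port>" on tcp/udp entries; None = any port

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], *self.src):
            return False
        if not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True

def evaluate(acl: List[AclEntry], pkt: Dict) -> str:
    """First matching entry decides; a packet matching nothing is dropped (implicit deny)."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"

# Standard ACL: only the source address is examined (constructed sample).
STANDARD_ACL = [
    AclEntry("deny", src=("172.16.0.0", "0.0.255.255")),   # block one whole network
    AclEntry("permit"),                                     # permit any
]

# Extended ACL: protocol, source, destination and port are examined (constructed sample).
EXTENDED_ACL = [
    AclEntry("permit", "tcp", ("192.168.1.0", "0.0.0.255"), host("10.1.1.10"), 80),
    AclEntry("deny", "ip", ANY, host("10.1.1.10")),
    AclEntry("permit", "ip", ANY, ANY),
]

# A list made only of deny statements blocks all traffic: the implicit deny at the end
# catches everything the explicit entries miss. A common configuration mistake.
DENY_ONLY_ACL = [AclEntry("deny", src=("172.16.0.0", "0.0.255.255"))]

def demo() -> Dict[str, str]:
    """Run constructed sample packets through the three lists and return the verdicts."""
    cases = {
        "std_blocked_net":  (STANDARD_ACL, {"proto": "tcp", "src": "172.16.5.9", "dst": "10.1.1.1"}),
        "std_other_net":    (STANDARD_ACL, {"proto": "tcp", "src": "10.0.0.1", "dst": "10.1.1.1"}),
        "web_from_lan":     (EXTENDED_ACL, {"proto": "tcp", "src": "192.168.1.20", "dst": "10.1.1.10", "dport": 80}),
        "dns_to_web_srv":   (EXTENDED_ACL, {"proto": "udp", "src": "192.168.1.20", "dst": "10.1.1.10", "dport": 53}),
        "web_from_outside": (EXTENDED_ACL, {"proto": "tcp", "src": "10.9.9.9", "dst": "10.1.1.10", "dport": 80}),
        "ssh_other_host":   (EXTENDED_ACL, {"proto": "tcp", "src": "192.168.1.20", "dst": "10.1.1.11", "dport": 22}),
        "deny_only_acl":    (DENY_ONLY_ACL, {"proto": "tcp", "src": "10.0.0.1", "dst": "10.1.1.1"}),
    }
    return {name: evaluate(acl, pkt) for name, (acl, pkt) in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

Entry order matters: if the `deny ip any host 10.1.1.10` line were placed first in the extended list, the web traffic from the LAN would never reach the permit line. The `DENY_ONLY_ACL` case shows why every list that is meant to pass anything needs an explicit permit.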
Named Access Control List
Standard and extended access control lists must be identified by a list number; a named access control list replaces that number with a string of letters or digits. A named access control list also allows a specific entry to be deleted, which makes the list easier to modify during use.
Using named access control lists requires the router to run IOS 11.2 or later, and multiple ACLs cannot share the same name. Different types of ACLs also cannot use the same name.
Wildcard mask
The wildcard mask is a 32-bit value written as four eight-bit groups separated by dots. In a wildcard mask bit, 0 means "check the corresponding bit" and 1 means "do not check the corresponding bit". A wildcard mask is always paired with an IP address. The wildcard mask and the subnet mask work in different ways: in an IP subnet mask, the 1 and 0 bits determine which bits of the address identify the network, the subnet, or the host. For example, to match the network segment 172.16.0.0, the wildcard mask should be 0.0.255.255.
In a wildcard mask, 255.255.255.255 represents all IP addresses, because all 32 bits are left unchecked; this pair can be replaced by the keyword "any". A wildcard mask of 0.0.0.0 means all 32 bits must match, so it represents a single IP address and can be replaced by the keyword "host". In an access control list you can therefore choose either form to describe a network, subnet, or host.
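The following added example (not code from the original article) works through the wildcard-mask rules above: deriving a wildcard mask from a subnet mask or prefix length, expanding the `any` and `host` shorthands into their address/wildcard pairs, and matching addresses bit by bit. It also goes one step beyond the text: because a wildcard mask is not a subnet mask, its "do not care" bits need not be contiguous, and `is_contiguous` flags such masks so that an unusual match pattern is noticed during review. All function names and sample addresses are assumptions constructed for this illustration.

```python
import ipaddress

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def subnet_to_wildcard(subnet_mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the subnet mask: 255.255.0.0 -> 0.0.255.255."""
    return _to_str(_to_int(subnet_mask) ^ 0xFFFFFFFF)

def prefix_to_wildcard(prefix_len: int) -> str:
    """/24 -> 0.0.0.255, /32 -> 0.0.0.0, /0 -> 255.255.255.255."""
    host_bits = 32 - prefix_len
    return _to_str((1 << host_bits) - 1)

def expand_shorthand(tokens: str):
    """Translate the keywords: 'any' -> 0.0.0.0 255.255.255.255, 'host A' -> A 0.0.0.0."""
    parts = tokens.split()
    if parts == ["any"]:
        return ("0.0.0.0", "255.255.255.255")
    if len(parts) == 2 and parts[0] == "host":
        return (parts[1], "0.0.0.0")
    if len(parts) == 2:
        return (parts[0], parts[1])        # already in "address wildcard" form
    raise ValueError(f"unrecognised address form: {tokens!r}")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = the address bit must equal the base bit; bit 1 = ignore that bit."""
    care = _to_int(wildcard) ^ 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def addresses_covered(wildcard: str) -> int:
    """Every 'do not care' bit doubles the number of addresses an entry matches."""
    return 1 << bin(_to_int(wildcard)).count("1")

def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is the inverse of a valid subnet mask (all 1 bits at the low end).
    A non-contiguous wildcard such as 0.0.0.254 is legal but matches e.g. only odd host addresses."""
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0

if __name__ == "__main__":
    # Constructed sample values illustrating the rules described above.
    print(subnet_to_wildcard("255.255.0.0"))            # 0.0.255.255
    print(expand_shorthand("host 10.1.1.1"))             # ('10.1.1.1', '0.0.0.0')
    print(wildcard_match("172.16.200.7", "172.16.0.0", "0.0.255.255"))   # True
    print(wildcard_match("10.0.0.7", "10.0.0.1", "0.0.0.254"))           # True: odd host
    print(is_contiguous("0.0.0.254"))                    # False
```

When auditing a router configuration, running each entry's wildcard through `is_contiguous` and `addresses_covered` quickly reveals entries that match far more (or stranger) address sets than the author intended, such as a typo of 0.0.255.255 where 0.0.0.255 was meant.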