Introduction to ingress access control mechanism

Source: Internet
Author: User

This article introduces the ingress access control mechanism. Every network administrator who configures a router has to deal with access control at some point. This article looks at the ingress router from that angle, focusing on context-based access control (CBAC).
Generally, a router can only check packets at the network layer or transport layer. CBAC can intelligently filter TCP- and UDP-based sessions at the application layer: it opens a temporary channel in the firewall access list to allow return traffic for connections that originate from the internal network, and it inspects sessions in both the inbound and outbound directions. The packet flow is as follows:

1. A data packet arrives at the firewall's external interface.
2. The packet is checked against the outbound access list of this interface. If the packet fails the check, it is discarded here and the following steps are not performed.
3. A packet that passes the access list check is inspected by CBAC, which determines and records the connection's state information. This information is recorded in a new state list entry so that later packets of the connection can take a fast path.
4. If CBAC is not configured to inspect the Telnet application, the packet is simply forwarded out of this interface.
5. Based on the state information obtained in step 3, CBAC inserts a temporary entry into the inbound access list of s0. This temporary channel is defined to allow the matching return packets in from the outside.
6. The next inbound packet from the outside reaches s0. It is part of the Telnet session sent earlier, so after the access list check on the s0 port it enters through the temporary channel established in step 5.
7. The packet that has been allowed in is inspected by CBAC, and the connection state list is updated as needed. Based on the updated state information, the temporary entry in the inbound access list is also modified so that only valid packets of this connection are allowed in.
8. All further inbound and outbound packets on s0 that belong to the current connection are inspected, the state list is updated, and the temporary access list entry is modified as needed. At the same time, these packets are allowed to pass through the s0 port.
9. When the current connection is terminated or times out, its connection state list entry is deleted, and the temporarily opened access list entry is deleted as well.
All required applications, including those that CBAC is to inspect, must be permitted by the access list on the configured interface; at the same time, the applications that CBAC inspects must be denied by the inbound access list, so that their return traffic can enter only through the temporary entries that CBAC opens.
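To make the nine steps above concrete, the following Python model replays them for one Telnet session. It is an added example written for this page, not Cisco IOS code or configuration syntax: the `CbacFirewall` class, its 5-tuple state keys, the addresses, ports and 60-second idle timeout are all constructed, and it simplifies connection teardown by closing state on a FIN or RST from either side. It also shows the rule in the last paragraph, with the static inbound ACL denying everything so that return traffic can enter only through the temporary channel.

```python
"""Toy model of the CBAC packet flow described above.

Added example for this page; it is NOT Cisco IOS code or configuration.
Addresses, ports and the idle timeout are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: str = ""  # e.g. "SYN", "SYN,ACK", "FIN,ACK", "RST"


class CbacFirewall:
    """One external interface (the page's s0): static inbound/outbound ACLs plus CBAC state."""

    def __init__(self, inspected_ports, outbound_permit, inbound_permit, idle_timeout):
        self.inspected_ports = set(inspected_ports)  # applications CBAC inspects, e.g. {23} for Telnet
        self.outbound_permit = outbound_permit        # static outbound ACL, a predicate on Packet
        self.inbound_permit = inbound_permit          # static inbound ACL, a predicate on Packet
        self.idle_timeout = idle_timeout              # seconds of inactivity before step 9 tears state down
        self.sessions = {}                            # state list: forward 5-tuple -> last_seen time
        self.temp_acl = set()                         # temporary inbound entries: return-direction 5-tuples

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    @staticmethod
    def _ends_session(p):
        return "FIN" in p.flags or "RST" in p.flags

    def _close(self, fwd_key):
        # Step 9: delete the state entry and the temporary ACL entry that belongs to it.
        self.sessions.pop(fwd_key, None)
        proto, src, sport, dst, dport = fwd_key
        self.temp_acl.discard((proto, dst, dport, src, sport))

    def expire(self, now):
        for fwd_key, last_seen in list(self.sessions.items()):
            if now - last_seen > self.idle_timeout:
                self._close(fwd_key)

    def outbound(self, p, now):
        """Steps 1-5: an internal host's packet leaves through the external interface."""
        self.expire(now)
        if not self.outbound_permit(p):           # step 2: static outbound ACL
            return "drop"
        if p.dport not in self.inspected_ports:   # step 4: not inspected, forwarded as-is
            return "forward"
        fwd_key = self._key(p)
        if self._ends_session(p):
            self._close(fwd_key)
            return "forward"
        self.sessions[fwd_key] = now              # step 3: record connection state
        self.temp_acl.add(self._reverse_key(p))   # step 5: open the temporary inbound channel
        return "forward"

    def inbound(self, p, now):
        """Steps 6-8: a packet from outside arrives at the external interface."""
        self.expire(now)
        if self._key(p) in self.temp_acl:         # step 6: matches a temporary channel
            fwd_key = self._reverse_key(p)
            if self._ends_session(p):
                self._close(fwd_key)              # step 9: connection terminated
            else:
                self.sessions[fwd_key] = now      # steps 7-8: refresh state
            return "forward"
        return "forward" if self.inbound_permit(p) else "drop"  # otherwise the static inbound ACL decides


def run_demo():
    """Constructed Telnet session: returns the per-packet decisions and the firewall."""
    fw = CbacFirewall(
        inspected_ports={23},
        outbound_permit=lambda p: True,   # outbound ACL permits the inspected application
        inbound_permit=lambda p: False,   # inbound ACL denies it; only CBAC's temporary entries let return traffic in
        idle_timeout=60.0,
    )
    inside, outside, stranger = "10.0.0.5", "203.0.113.9", "198.51.100.7"
    telnet_syn = Packet(inside, 40000, outside, 23, flags="SYN")
    telnet_reply = Packet(outside, 23, inside, 40000, flags="SYN,ACK")
    telnet_fin = Packet(outside, 23, inside, 40000, flags="FIN,ACK")
    spoofed_reply = Packet(stranger, 23, inside, 40000, flags="SYN,ACK")
    decisions = [
        fw.outbound(telnet_syn, now=0.0),      # forward; state recorded, temporary channel opened
        fw.inbound(telnet_reply, now=1.0),     # forward through the temporary channel
        fw.inbound(spoofed_reply, now=2.0),    # drop: no matching state, inbound ACL denies
        fw.inbound(telnet_reply, now=100.0),   # drop: idle timeout removed state and channel
        fw.outbound(telnet_syn, now=200.0),    # forward: a new session opens a new channel
        fw.inbound(telnet_fin, now=201.0),     # forward, and the connection end closes the channel
        fw.inbound(telnet_reply, now=202.0),   # drop: channel is gone
    ]
    return decisions, fw


if __name__ == "__main__":
    print(run_demo()[0])
```

The model deliberately keys the temporary entry on the full return 5-tuple, which is why the spoofed reply from a third host is dropped even though it uses the same ports; the state list and the temporary entry are removed together both on idle timeout and on connection teardown, matching step 9.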