Network Security p7 ACL with Established Option
Challenges with ACLs
One of the challenges you face when using ACLs is that they do not maintain state
information. Stateless devices such as routers do not track the state of TCP connections,
so Cisco IOS extended ACLs provide the established keyword to approximate stateful
behaviour. The established keyword requires that either the ACK bit or the RST bit be set
in the TCP flags of a packet; it checks nothing beyond the flags of the individual packet.
It is important to understand whether the traffic is originating from a trusted network
and going to an untrusted network, or vice versa. One tool that can help determine
whether traffic originates externally, or is return traffic for a connection that was
originated internally, is the ACK bit that the established keyword checks. Before any data
is sent or received, the TCP three-way handshake normally takes place: SYN, SYN-ACK,
and ACK. So when a packet coming into the trusted network carries the ACK bit, it
indicates that the connection was initiated from the inside to the outside.
The reply packet from the server will have the TCP SYN and ACK bits set. It meets the
established keyword criteria and is allowed. During this TCP connection, all packets from
the server will have the ACK bit set, so the TCP connection is allowed.
[Figure labels: Allow; Connection is established inside; Connection is established outside; Allow]
FTP passive & Active mode
[Figure labels: Allow; FTP passive mode: connection is established inside; FTP standard mode (active): connection is established outside]
FTP passive mode connection starts from inside: "it is fine".
This case illustrates the need for a firewall which would track the state of the
connection and allow both FTP standard mode and passive mode to work.
[Figure labels: Allow; FTP passive mode: connection is established inside; FTP active mode (standard) has an issue because the connection starts from outside (FTP server)]
Limitation of ACL with Established Option
This case shows the limitation of relying on packet filters that reference the TCP flags in the TCP
header of packets. Imagine the attacker in the topology wants to find out the
IP addresses of hosts on the trusted side of the packet filter. Note that the ACL
will not permit ping via ICMP echo requests. However, the attacker can make
clever use of an "ACK scan". Instead of sending an ICMP echo request, the
attacker can send a TCP packet with the ACK bit set to a destination address.
Since the ACK bit is set, these packets will match the established keyword
reference in the ACL and will be permitted. If there is a host present, that host
will respond with a TCP reset (a TCP packet with the RST bit set).
The attacker can perform the same sort of exploration as it could with ICMP
ping: if a reset response is received, the IP address is active; if not, the IP
address is not active. The method is called packet crafting.
ACL with Established Option
R1
Router1>enable
Router1#config t
Router1(config)#int gigabitEthernet 0/0/0
Router1(config-if)#ip add 192.168.2.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#int gigabitEthernet 0/0/1
Router1(config-if)#ip add 192.168.1.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2
Router1(config)#access-list 100 permit tcp any any established
Router1(config)#interface gigabitEthernet 0/0/0
Router1(config-if)#ip access-group 100 in
Router1(config-if)#exit
R2
Router2>enable
Router2#config t
Router2(config)#int gigabitEthernet 0/0/0
Router2(config-if)#ip add 192.168.2.2 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
Router2(config)#int gigabitEthernet 0/0/1
Router2(config-if)#ip add 192.168.3.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#exit
Router2(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.1
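As an added example (not from the slides), the following Python models the two ways an inbound packet in this topology can be judged: the stateless flag check that `access-list 100 permit tcp any any established` performs on R1's Gi0/0/0, and a minimal connection tracker standing in for the stateful firewall the slides call for. Host addresses and ports are constructed from the slide's subnets (192.168.1.0/24 trusted, 192.168.3.0/24 outside); the filter class is a hypothetical helper, not Cisco code, and it has no FTP application inspection.

```python
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def acl_established_permits(pkt: Packet) -> bool:
    """'permit tcp any any established': pass if ACK or RST is set.
    No state is consulted, only the flags of this one packet."""
    return bool(pkt.flags & (ACK | RST))


class StatefulFilter:
    """Hypothetical connection tracker: a SYN leaving the trusted side
    creates state; an inbound packet passes only if it matches that state."""

    def __init__(self) -> None:
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt: Packet) -> bool:
        if pkt.flags & SYN and not pkt.flags & ACK:  # new connection from inside
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return False
        if pkt.flags & (RST | FIN):  # teardown removes the session
            self.sessions.discard(key)
        return True


def run_scenarios() -> dict:
    """Returns {scenario: (established_acl_verdict, stateful_verdict)}.
    Addresses are constructed: 192.168.1.x is behind R1 Gi0/0/1 (trusted),
    192.168.3.x is the outside network behind R2."""
    fw = StatefulFilter()
    inside, server, scanner = "192.168.1.10", "192.168.3.10", "192.168.3.66"
    out = {}
    # 1. Inside client opens a connection; the server's SYN-ACK comes back.
    fw.outbound(Packet(inside, server, 40000, 80, SYN))
    synack = Packet(server, inside, 80, 40000, SYN | ACK)
    out["reply_synack"] = (acl_established_permits(synack), fw.inbound(synack))
    # 2. Outside host tries to open a connection inward with a bare SYN.
    syn_in = Packet(scanner, inside, 5555, 22, SYN)
    out["inbound_syn"] = (acl_established_permits(syn_in), fw.inbound(syn_in))
    # 3. Bare ACK to a host with no session (the slide's ACK-scan case):
    #    the flag check lets it through, the connection table does not.
    probe = Packet(scanner, "192.168.1.20", 4444, 80, ACK)
    out["ack_probe"] = (acl_established_permits(probe), fw.inbound(probe))
    # 4. FTP active mode: the server opens the data connection from port 20.
    #    Both drop it; a real firewall needs FTP inspection to permit it.
    ftp_data = Packet(server, inside, 20, 50001, SYN)
    out["ftp_active_data"] = (acl_established_permits(ftp_data), fw.inbound(ftp_data))
    return out
```

Running `run_scenarios()` shows the ACK probe as the one case where the two verdicts differ: the established ACL permits it, the tracker drops it.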