Chapter 1 Introduction

As we said in the preface, the router's access list is the front line of network defense. We also said that the access list provides a mechanism for controlling the flow of information through the router's different interfaces. This mechanism lets users manage information flow with access lists and so implement network policies within the organization. These policies can express security requirements and reflect the priority of traffic. For example, an organization may wish to permit or deny Internet access to its internal Web servers, or to allow the internal local area network (LAN) to send traffic across a wide area network (WAN) ATM backbone. These situations, and a number of related functions, can be handled with access lists.

The goal of this chapter is to give readers an overview of the book. It first introduces the Cisco Professional Reference Guide series, then briefly describes the function of a router and some basics of Cisco access lists, and finally gives a general description of the book, outlining the material covered in the subsequent chapters.

1.1 Cisco Professional Reference Guide

The Cisco Professional Reference Guide series provides information and a series of practical examples for Cisco devices, which readers can use to meet the specific needs of their own organizations. This first book in the series covers access lists: the uses of the various types of access list, how access lists are created and formatted, and the details of how they are applied to interfaces and how they operate. We provide a series of examples for the different access list types. Each example follows a general format: a general description of the application scenario or problem, and a network diagram showing the router's LAN or WAN interfaces.
Then the IOS statements of the access list that solves the application or problem are described. Each access list example includes the basic principles behind its implementation.

1.2 The task of the router

From an operational viewpoint, the router's role is to transfer packets from one network to another. The router works at the network layer, that is, it implements the functions of layer 3 of the Open Systems Interconnection (OSI) reference model. By examining the network address in a packet, the router determines the destination of the packet stream, and it creates and maintains routing tables. In the past 20 years more than 50 routing protocols have been developed; Routing Information Protocol (RIP), Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) are just three of them.

From a security perspective, the router is the "front line" protecting the network. This protection is achieved by creating access lists that permit or deny packets through the router's interfaces. Cisco routers support two types of access list: standard and extended. A standard access list controls traffic based on the network address; an extended access list filters on the network address and on the type of data being transferred. Although access lists can be considered the first level of network protection, routers as currently implemented do not actually examine the data field of a packet, nor do they maintain information about connection state. In other words, each packet is checked individually, and the router does not judge whether a packet is part of a legitimate conversation.
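The statelessness just described (each packet judged on its own header, with no memory of the conversation) and the "pseudo-state" of reflexive ACLs introduced in the next paragraph are contrasted in this added Python model; it is not code from the book and simplifies real IOS behaviour, and the packets, addresses, ACL rule and 300-second idle timeout are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet model: 5-tuple plus the FIN flag; inside LAN is 10.1.1.0/24.
Packet = namedtuple("Packet", "proto src sport dst dport fin", defaults=(False,))
INSIDE = "10.1.1."

def stateless_return_rule(pkt):
    """Traditional inbound ACL. To let replies back in it must permit TCP from
    anywhere to inside hosts on ports above 1023 (as 'permit tcp any
    10.1.1.0 0.0.0.255 gt 1023' would); each header is judged alone, so a
    reply and an unsolicited packet to the same high port look identical."""
    return pkt.proto == "tcp" and pkt.dst.startswith(INSIDE) and pkt.dport > 1023

class ReflexiveAcl:
    """Pseudo-state: an outbound session creates a mirrored temporary entry,
    inbound packets pass only if they match one, and the entry is removed when
    the session ends (FIN) or stays idle longer than the timeout."""
    def __init__(self, idle_timeout=300):
        self.idle_timeout = idle_timeout
        self.entries = {}  # expected reply 5-tuple -> time last seen

    def outbound(self, pkt, now):
        if pkt.src.startswith(INSIDE):  # mirror src/dst and sport/dport
            self.entries[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now
        return True  # inside hosts may initiate sessions in this model

    def inbound(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        last = self.entries.get(key)
        if last is None or now - last > self.idle_timeout:
            self.entries.pop(key, None)  # no session, or it went idle
            return False
        if pkt.fin:
            del self.entries[key]  # session over: temporary entry disappears
        else:
            self.entries[key] = now
        return True

def demo():
    """Constructed traffic: inside client opens a web session, server replies,
    an outsider sends to the same high port, and the session later goes idle."""
    acl = ReflexiveAcl(idle_timeout=300)
    acl.outbound(Packet("tcp", "10.1.1.5", 40000, "203.0.113.7", 80), now=0)
    reply = Packet("tcp", "203.0.113.7", 80, "10.1.1.5", 40000)
    probe = Packet("tcp", "198.51.100.9", 4444, "10.1.1.5", 40000)
    return {
        "reply_stateless": stateless_return_rule(reply),  # True
        "probe_stateless": stateless_return_rule(probe),  # True: the stateless hole
        "reply_reflexive": acl.inbound(reply, now=1),     # True
        "probe_reflexive": acl.inbound(probe, now=2),     # False
        "reply_after_idle": acl.inbound(reply, now=400),  # False: entry expired
    }
```

The same reply passes both filters, but only the reflexive model denies the unsolicited packet and closes the opening again once the session is over.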
In the past two years, Cisco Systems has made some important enhancements to access list capabilities, including the ability to filter inbound or outbound traffic at a certain time of day or on a certain day of the week, the ability to insert dynamic entries into standard and extended access lists, and the ability to prevent hacker attacks on Web servers and other network devices. We will describe the types and features of Cisco access lists, including Context-Based Access Control (CBAC) and reflexive ACLs. CBAC is the core of the Firewall Feature Set (FFS). FFS is a special revision of the IOS code available on certain Cisco router models. Starting with IOS 12.0T, CBAC appears on the 800, 1600, 1720, 3600 and 7200 series routers. Its distinguishing feature is that it maintains state information about existing connections and performs application-layer inspection for a limited set of TCP and UDP protocols, which adds a higher level of security than traditional access lists.

The reflexive ACL is a new feature that appeared in Cisco IOS 11.3. Reflexive ACLs maintain a degree of "pseudo-state" information: once a legitimate session is established, they create a dynamic entry in a traditional ACL. Subsequent packets are compared against the dynamic entries in the reflexive ACL to determine whether they are part of the connection. After the session ends, the dynamic entry in the ACL is deleted. However, reflexive ACLs do not understand higher-layer protocols and are not suitable for multi-channel protocols such as the File Transfer Protocol (FTP). CBAC and reflexive access lists are described in detail later in this book.

1.3 Book preview

This section gives a general description of the following chapters of the book.
The author recommends that readers who are not familiar with the basics of IOS and with how access lists are used read the opening chapters in the order of the book. The final five chapters have a modular structure, with each chapter covering one type of access list, so readers who are already familiar with the material in the opening chapters can read the information and the access list examples for the specific types in those five chapters according to their own needs.

1.3.1 Software and hardware

Writing and applying access lists requires a basic understanding of Cisco router hardware and software. Understanding the router's hardware helps in understanding how the router works and how to configure it. Chapter 2 briefly introduces the basic software and hardware of Cisco routers, including how to configure a router through the EXEC mode of operation.

1.3.2 Cisco access list basics

After the basic software and hardware of the router, readers need to understand the basics of Cisco access lists. Chapter 3 defines and elaborates the various types of access list and their format, explains how keywords are used in each type, and shows through a series of examples and IOS statements how standard and extended access lists achieve the intended result.

1.3.3 Dynamic access lists

Chapter 4 discusses the router's more advanced packet filtering techniques and how to use dynamic access lists, which are often referred to as lock-and-key security. Dynamic access lists allow users to write IOS statements in the router that insert dynamic entries into standard or extended access lists. A dynamic access list is turned on when a user authenticates. In contrast, ordinary access lists are fixed, so the lock-and-key security feature is more flexible than an ordinary access list.
1.3.4 Time-based access lists

Traditional access lists have a defect: once an access list is applied to an interface, it remains in effect unless it is deleted. So if different rules and policies are wanted at different times of the day, the user must delete the current access list and then apply the new one. Router administrators may be unwilling to do this, especially when the new filtering mechanism is to take effect at 5 pm on Friday. Cisco Systems has now solved this problem by adding time-based access lists to IOS, so security policies and other packet filters can now take effect based on a time of day and/or a day of the week. Chapter 5 describes the operation of time-based access lists and contains access list examples that meet some organizations' special needs.

1.3.5 Reflexive access lists

Reflexive access lists are a more flexible version of dynamic access lists. We will describe how access lists are turned on dynamically as needed, and how reflexive access lists accommodate single-channel applications. Like the other chapters, this one includes a series of access list configuration examples that readers can use directly or modify slightly to meet special operational needs.

1.3.6 Context-based access control

Although the reflexive access list is a functional enhancement of the traditional access list, it only supports single-channel applications; that is, the reader cannot use a multi-channel application such as FTP with a reflexive access list. Chapter 7 covers context-based access control, which is similar to the reflexive access list but supports multi-channel applications and Java blocking, and can provide real-time alerts and audit trail functions. In discussing CBAC, a series of timeout commands used to manage packet filtering will be described.
1.3.7 TCP Intercept and Network Address Translation

Chapter 8 discusses two relatively new router functions: one defends against a fairly common hacker attack called the SYN flood; the other, driven by security needs or by an organization's need for more usable addresses, requires the router to perform address translation. First, the TCP three-way handshake is discussed, along with how, when a Web server is overloaded by it, the server's operation can be affected so that it refuses legitimate service requests. After explaining how a SYN flood consumes a computer's resources, TCP Intercept is explained, including its intercept mode and watch (monitoring) mode, the steps to configure each mode, and the IOS statements that implement this feature. The rest of Chapter 8 discusses Network Address Translation (NAT), including translating an organization's internal IP addresses into Internet IP addresses, and similar cases.

1.3.8 IPSec

Chapter 9 discusses a topic of interest to those who want to build router-based virtual private networks (VPNs). IP Security (IPSec) is a collection of techniques for creating encrypted channels over IP, regardless of the physical topology. IPSec allows users to establish an encrypted channel from workstations running Windows 95/98, NT or even Linux. Establishing an IPSec channel on a Cisco router establishes a secure communication relationship between routers.

1.3.9 Traffic shaping

The last chapter describes the different methods a Cisco router uses to process packet streams, including the ability to limit traffic through certain interfaces or to selectively discard packets based on the type of traffic. These techniques are collectively called traffic shaping, and they are the content of Chapter 10.