Abstract

One of the easiest ways to protect an internet protocol (IP) network from unauthorized access is to filter the traffic at the point where it enters the network. This chapter focuses on the different traffic filtering mechanisms available in a Cisco router. An important step in securing a network is the capability to control the flow of data within it. This can be accomplished with a feature of the Cisco internetwork operating system (IOS) known as an access control list (ACL), which can filter on source address, destination address, source port, destination port, and protocol number. Lock-and-key and reflexive access lists were designed to address some of the shortcomings of basic access lists by allowing dynamic entries to be placed in the ACL. This is useful for protecting a network whose return traffic has to pass back through the router. Context-based access control (CBAC) was created to bring additional security to the router platform. CBAC is designed to watch all sessions passing through the router, so that attackers have a hard time fooling the router into letting a packet through. It is one of the most secure methods of protecting a network that Cisco currently offers. The chapter highlights these techniques, their configuration, and their usage in specific areas. It closes with a discussion of configuring port to application mapping (PAM), focusing on protecting a private network, protecting a network connected to the internet, and protecting public servers connected to the internet.
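As an added illustration of the mechanisms the abstract lists (this is example configuration written for this page, not configuration taken from the chapter), the following Cisco IOS fragment assumes an edge router whose internet-facing interface is GigabitEthernet0/0 with the constructed public address 203.0.113.1, a constructed private network 10.0.0.0/24 behind it, a constructed public web server at 203.0.113.10, and a constructed internal HTTP server at 10.0.0.20. The interface names, addresses, list names and timeouts are all assumptions. It shows a static extended ACL, reflexive entries that open return paths only for sessions started from inside, a CBAC inspection rule as the alternative to reflexive lists, and a PAM entry that tells CBAC an HTTP server listens on a non-standard port.

```cisco
! --- Static extended ACL on the internet-facing interface ---
! Extended ACLs match on source/destination address, protocol number
! and (for TCP/UDP) source/destination port. Entries are evaluated top
! down; the first match wins and an implicit "deny ip any any" ends
! every list, so the explicit deny below exists only to log the drops.
ip access-list extended INBOUND
 remark Drop packets claiming our own private prefix as source (spoofed)
 deny   ip 10.0.0.0 0.0.0.255 any log
 remark Publicly reachable web server (constructed address)
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 80
 remark Return traffic for sessions opened from inside (reflexive lists)
 evaluate TCP-RETURN
 evaluate UDP-RETURN
 deny   ip any any log
!
! --- Outbound ACL that creates the dynamic (reflexive) entries ---
! Each outbound TCP/UDP session matching a "reflect" line installs a
! temporary mirror-image permit (addresses and ports swapped) into
! TCP-RETURN / UDP-RETURN, which INBOUND consults via "evaluate".
! Entries are removed when the session closes or the timeout expires.
ip access-list extended OUTBOUND
 permit tcp 10.0.0.0 0.0.0.255 any reflect TCP-RETURN timeout 300
 permit udp 10.0.0.0 0.0.0.255 any reflect UDP-RETURN timeout 60
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing interface (assumed name)
 ip address 203.0.113.1 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
! --- CBAC as the alternative to reflexive lists ---
! CBAC inspects sessions leaving through the interface and opens
! matching temporary openings in the inbound ACL, while tracking
! protocol state (for example FTP data channels) that a reflexive
! list cannot follow. Use either the reflect/evaluate lines above or
! the inspect rule below on a given interface, not both.
ip inspect name EDGE-FW tcp timeout 3600
ip inspect name EDGE-FW udp timeout 30
ip inspect name EDGE-FW ftp
ip inspect name EDGE-FW http
ip inspect audit-trail
!
! --- Port to application mapping (PAM) ---
! Tells CBAC's HTTP inspection that the host matched by standard
! access-list 10 (constructed) serves HTTP on 8080 rather than 80, so
! that traffic is inspected as HTTP instead of generic TCP.
access-list 10 permit host 10.0.0.20
ip port-map http port 8080 list 10
!
interface GigabitEthernet0/0
 ip inspect EDGE-FW out
```

After applying the configuration, `show access-lists` displays the dynamic reflexive entries as they are created and aged out, and `show ip inspect sessions` lists the sessions CBAC is currently tracking; both are the first places to look when legitimate return traffic is being dropped.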
