
CISCO - Security Features (ACLs, VPNs)
Cisco provides different security tools for network protection and access management. ACLs and VPNs are two prominent examples.
1. Access Control Lists (ACLs)
In a network with many devices, a large volume of inbound and outbound traffic crosses the links. This causes bandwidth contention, which delays the transmission of critical data. To control it, first identify the devices that consume the most bandwidth with a traffic monitoring tool. Once they have been identified, you can apply Access Control List (ACL) policies on the network devices to classify that traffic so critical data is given priority during transmission. Network Configuration Manager is useful here because it lets you push ACL policies to several devices at once by executing configuration files in bulk.
ACLs are ordered sets of rules configured on network devices such as routers and firewalls to restrict inbound and outbound traffic. They act as filters, permitting or denying communication based on source and destination IP addresses, protocols, ports, and other criteria. An ACL is made up of access control entries (ACEs), each of which states whether a matching packet is permitted or denied. Some common types of ACLs in Cisco are as follows −
- Standard ACLs − These filter traffic based solely on the source IP address. Because they cannot distinguish destinations, they are usually placed as close to the destination as possible, where they control which sources may reach a specific part of the network. Standard ACLs are numbered 1-99 and 1300-1999.
- Extended ACLs − Extended ACLs filter on source and destination IP addresses, protocol (TCP, UDP, ICMP), port numbers, and specific application protocols. They are usually placed close to the source so that unwanted traffic is dropped before it crosses the network. Extended ACLs are numbered 100-199 and 2000-2699.
- Named ACLs − Named ACLs are identified by descriptive names rather than numbers, which makes them easier to maintain and understand, particularly in complex configurations. Named ACLs support both standard and extended filtering, and individual entries can be added or removed without deleting the entire ACL, so they adapt more easily to policy changes.
- Dynamic ACLs (Lock-and-Key ACLs) − Dynamic ACLs grant a user network access only after successful authentication, which creates a temporary entry in the ACL. Users typically authenticate over Telnet or SSH, and the feature requires integration with AAA (Authentication, Authorization, and Accounting) services.
- Reflexive ACLs − Reflexive ACLs provide stateful packet filtering by generating temporary entries from outbound traffic and permitting only the matching return traffic. They are widely used for perimeter security: return traffic for outbound sessions is allowed, while inbound traffic that is not part of an existing session is blocked.
- IPv6 ACLs − Cisco also provides ACLs for IPv6 traffic, which filter on IPv6-specific headers and protocols. IPv6 ACLs offer the same kind of filtering as IPv4 ACLs (source/destination address, protocol, port) but are designed for IPv6 addresses and features.
- VLAN ACLs (VACLs) − VACLs filter traffic within a VLAN on a switch, regulating access between devices on the same VLAN. They are mostly used in network segmentation to control intra-VLAN traffic. Unlike router ACLs, which only see routed traffic, VACLs apply to all traffic in the VLAN, including bridged traffic.
- Port ACLs (PACLs) − PACLs are applied directly to Layer 2 switch ports and filter traffic on Layer 3 addresses or Layer 2 properties. They are useful for securing individual switch ports or enforcing security policies on specific network segments, and give fine-grained control over port-level traffic on Cisco switches.
Cisco's Access Control List Security Features
Some of the common Cisco ACL security features are as follows −
- Filtering by Source IP − Standard ACLs control access based only on a packet's source IP address. They are simple to configure and are commonly used to grant or restrict access for specific subnets or hosts.
- Granular Filtering Options − Extended ACLs enable more precise control by filtering on source and destination IP addresses, protocol type, port numbers, and even individual applications.
- Easy Management with Names − Named ACLs use descriptive names instead of numbers, which makes management easier, especially in complex installations.
- Authentication Integration − Dynamic ACLs are frequently combined with AAA (Authentication, Authorization, and Accounting) to authenticate users before granting temporary access.
- Stateful Filtering − Reflexive ACLs provide stateful inspection by permitting return traffic only for established sessions: they watch outbound activity and create temporary entries that allow the corresponding return traffic.
- Intra-VLAN Filtering − VLAN ACLs (VACLs) are used on switches to filter traffic within a VLAN, giving administrators control over communication that never leaves the VLAN but flows between devices on it.
- Port-Specific Filtering − Port ACLs (PACLs) are applied to specific Layer 2 switch ports to filter traffic based on Layer 3 addresses (IP addresses) or Layer 2 addresses.
- Protecting the Control Plane − Control Plane Policing uses ACLs to safeguard a network device's control plane, preventing denial-of-service (DoS) attacks that could overwhelm the router's CPU.
How to configure an Access Control List (ACL) on a Cisco router?
Configuring an Access Control List (ACL) on a Cisco router involves the following steps −
Step 1: Access the Router's Configuration Mode
Log in to the router, and then enter Global Configuration Mode −
Router> enable
Router# configure terminal
Step 2: Decide on the ACL Type (Standard or Extended)
Standard ACLs − To create a Standard ACL, use either a numbered or a named ACL −
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Extended ACLs − For an Extended ACL, specify more precise criteria −
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80
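To make the list of ACL types and the Step 2 commands concrete, here is an added example (not Cisco code and not part of the original page) in Python that parses numbered standard and extended ACEs in the syntax shown above, classifies the ACL by its number range, matches packets with Cisco wildcard masks, and applies first-match evaluation with the implicit deny at the end. The `evaluate`, `parse_ace` and `wildcard_match` names, the extra `deny` entry for host 192.168.1.50, and the sample packets are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Cisco numbered-ACL ranges quoted in the text above.
STANDARD_RANGES = [(1, 99), (1300, 1999)]
EXTENDED_RANGES = [(100, 199), (2000, 2699)]

def acl_kind(number: int) -> str:
    """Classify a numbered ACL as 'standard' or 'extended' by its number."""
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    raise ValueError(f"{number} is not a standard or extended ACL number")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _take_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one address spec ('any', 'host X', or 'X WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" for standard ACLs, i.e. any protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"         # standard ACLs never look at the destination
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None  # only 'eq <port>' on the destination is modelled

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dport is None or pkt.get("dport") == self.dport

def parse_ace(line: str) -> Tuple[int, Ace]:
    """Parse one 'access-list <n> permit|deny ...' line into (ACL number, Ace)."""
    t = line.split()
    number, action = int(t[1]), t[2]
    if acl_kind(number) == "standard":
        if len(t) == 4 and t[3] != "any":      # bare address = a single host
            return number, Ace(action, "ip", t[3], "0.0.0.0")
        src, src_wc, _ = _take_addr(t, 3)
        return number, Ace(action, "ip", src, src_wc)
    proto = t[3]
    src, src_wc, i = _take_addr(t, 4)
    dst, dst_wc, i = _take_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return number, Ace(action, proto, src, src_wc, dst, dst_wc, dport)

def evaluate(lines: List[str], pkt: Dict) -> str:
    """Walk the ACEs top-down: the first match wins; no match hits the implicit deny."""
    for _, ace in (parse_ace(line) for line in lines):
        if ace.matches(pkt):
            return ace.action
    return "deny"   # the implicit 'deny any' at the end of every Cisco ACL

# The standard ACL from Step 2, unchanged.
STANDARD_ACL_10 = ["access-list 10 permit 192.168.1.0 0.0.0.255"]
# The extended ACL from Step 2, preceded by a constructed deny for one host to
# show that the first matching entry decides, regardless of later permits.
EXTENDED_ACL_100 = [
    "access-list 100 deny tcp host 192.168.1.50 any eq 80",
    "access-list 100 permit tcp 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 80",
]

def demo() -> Dict[str, str]:
    """Constructed sample packets run through both ACLs."""
    web = {"src": "192.168.1.20", "dst": "10.10.10.5", "proto": "tcp", "dport": 80}
    return {
        "std_inside": evaluate(STANDARD_ACL_10, {"src": "192.168.1.7", "dst": "10.10.10.5", "proto": "udp"}),
        "std_outside": evaluate(STANDARD_ACL_10, {"src": "192.168.2.7", "dst": "10.10.10.5", "proto": "udp"}),
        "ext_web": evaluate(EXTENDED_ACL_100, web),                                     # permit
        "ext_ssh": evaluate(EXTENDED_ACL_100, dict(web, dport=22)),                     # implicit deny
        "ext_blocked_host": evaluate(EXTENDED_ACL_100, dict(web, src="192.168.1.50")),  # explicit deny
    }
```

Two things the example makes visible that the CLI lines alone do not: a later entry never overrides an earlier match, so the order of `permit` and `deny` lines decides the policy, and any packet matching no entry is dropped. Note also that an ACL defined with `access-list` filters nothing until it is bound to an interface with `ip access-group <number> in|out`; creating the list is only half of the configuration.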
2. Virtual Private Networks (VPNs)
VPNs build encrypted tunnels over public networks so that data can be transferred safely from one network to another. Cisco offers several VPN solutions that protect data confidentiality, integrity, and authentication.
- IPSec VPN − Commonly used for secure site-to-site communication across the Internet. IPSec provides data encryption, authentication, and integrity.
- SSL VPN − Secure Sockets Layer VPNs give remote users secure access through a web browser, eliminating the need for a full VPN client. SSL VPNs are flexible and can be used where IPSec may be restricted.
- AnyConnect − Cisco's AnyConnect VPN client gives remote users a secure, flexible, and seamless connection. It supports both SSL and IPSec and can add features such as endpoint posture assessment and virus prevention.
Cisco's VPN Security Features
Some of the common Cisco VPN security features are as follows −
- Encryption − Encrypts data packets to ensure confidentiality. IPSec supports several encryption algorithms, including AES (Advanced Encryption Standard) and 3DES (Triple Data Encryption Standard); 3DES is a legacy algorithm, and AES should be preferred.
- Authentication − Peers authenticate each other and establish sessions using IKE (Internet Key Exchange) or IKEv2, while ESP (Encapsulating Security Payload) authenticates each protected packet.
- Data Integrity − SHA-1 and SHA-256 hashing algorithms are used to ensure that data has not been tampered with; SHA-256 is preferred, as SHA-1 is deprecated.
- Web-Based Access − SSL VPNs let users reach resources through a secure web browser rather than dedicated VPN software, making them more flexible and accessible.
- SSL/TLS Encryption − Encrypts traffic with the SSL/TLS protocols, providing strong protection and session integrity.
- Endpoint Security − Ensures secure access by checking the device's health, or posture, before it connects.
- Clientless VPN − Users reach web-based applications, file shares, and email through a web browser alone, which is very handy in BYOD (Bring Your Own Device) environments.
- Multi-Protocol Support − Supports both SSL and IPSec, letting administrators design the VPN according to their needs.
- Posture Assessment − Checks the device's security state (antivirus, software updates) before granting access, so that only compliant devices can connect to the network.
- Adaptive Security − Uses the Cisco Adaptive Security Appliance (ASA) to provide sophisticated threat defence, such as malware protection and traffic analysis.
- Dynamic Access Policies − Enforces access policies based on user role, device type, and location to provide finer-grained control.
- Always-On VPN − Ensures that a secure VPN connection is always active, lowering the likelihood of unprotected Internet sessions.
- Unified Configuration − FlexVPN uses the IKEv2 protocol, which simplifies configuration and deployment of many VPN types, including site-to-site, remote access, and DMVPN.
- Scalability and Compatibility − Supports DMVPN (Dynamic Multipoint VPN) for scalable, dynamically built connections. FlexVPN also interoperates with older VPN configurations, adding flexibility.
- Security and Resilience − Anti-replay protection, dead peer detection (DPD), and IKEv2-based authentication ensure that VPN connections are secure and robust.
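As an added illustration of the anti-replay protection named above (example code, not Cisco's implementation and not part of the original page), the following Python class implements the sliding-window sequence-number check that IPsec ESP uses (RFC 4303). The `AntiReplayWindow` and `replay_demo` names, the 64-packet window, and the packet sequence are constructed for this example.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check of the kind IPsec ESP applies to each SA.
    Bit k of `bitmap` records whether sequence number (highest - k) was accepted."""

    def __init__(self, size: int = 64):
        self.size = size       # window width in sequence numbers (constructed default)
        self.highest = 0       # highest sequence number accepted so far; 0 = none yet
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if replayed or too old.
        Call this only after the packet's integrity check has passed, so that
        forged sequence numbers cannot advance the window."""
        if seq == 0:
            return False                       # ESP never sends sequence number 0
        if seq > self.highest:                 # right of the window: slide it forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                       # left of the window: too old to track
        if self.bitmap & (1 << offset):
            return False                       # inside the window but already seen
        self.bitmap |= 1 << offset             # inside the window and new: record it
        return True


def replay_demo() -> list:
    """Constructed sequence: out-of-order delivery is accepted, duplicates and
    packets that fell behind the window are rejected."""
    window = AntiReplayWindow(size=64)
    return [window.accept(s) for s in (1, 3, 2, 3, 1, 5, 4, 70, 6)]
```

In the demo, packets 3 and 2 arriving out of order are both accepted, the repeated 3 and 1 are rejected as replays, and once packet 70 has moved the window forward, packet 6 is rejected because it is older than the window can account for. A window sized to the expected reordering on the path lets legitimate reordering through while bounding the state the receiver must keep.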
Each of these Cisco security features can be tuned to meet specific security needs, helping to build strong network defences and ensure safe remote access. Cisco's ACL features are highly flexible, covering scenarios such as filtering by IP address, protocol, time, connection state, and VLAN. This flexibility makes them well suited to comprehensive network security management, allowing precise control over traffic flow and access at several network layers.