Password security is one layer of an overall approach to securing your internetwork. Passwords are simple, but they are also a weak layer of security: they are often easy to guess, and even a complex password can be recovered given enough time. To take security to the next level, you will want to control which traffic may reach or pass through the router on a per-packet basis. To accomplish this on Cisco routers, you use access lists.
Access lists are not used for security alone. They also perform other useful functions on Cisco routers whenever certain traffic must be identified on a per-packet basis. Access lists are useful when you need to keep unwanted traffic off low-bandwidth links or to trigger certain events, such as the initiation of a dial-up connection to another router. This paper will focus primarily on the security uses of access lists, since access lists are specified in the Network Security section of the CCNA exam objectives, although the basic principles for creating access lists are the same regardless of what you are trying to accomplish with them.
An access list is a list of criteria used for identifying certain traffic, along with instructions for what action to take when this particular traffic is found. When access lists are executed, traffic is compared to certain patterns specified in the access list. When a match is found, then an action is taken as specified by the access list. The action to take is either to permit the traffic (allow the packet to pass through the router) or to deny it (drop the packet). Access lists are most often made up of a number of patterns for comparison, and packet information is compared to each one in turn until either a match is found, or the end of the list is reached. Before looking at the actual IOS syntax for creating access lists, let's examine how they work in general. Here is an example of an access list:
| Criteria to compare | Action to take |
|---|---|
| Traffic destined for network X? | Deny |
| Traffic destined for host Y? | Permit |
| Traffic originating from host Z? | Permit |
| Traffic using port N? | Deny |
In the preceding table is a list of criteria against which each packet will be compared. If the information in the packet matches the criteria in the comparison, then the associated action will be taken. Using the table, if a packet contains a destination address on network X, then it will be denied (the packet will be dropped). No further comparisons will be made for this packet; it will simply be dropped because it matched the first line in the list. If the packet is NOT destined for network X, then it will be compared to the criteria specified in the next line. In this case, if the packet is not destined for network X, the router will determine if the destination address is that of host Y. If it is, then the packet will be allowed to flow through the router. Again, no more comparisons will be made. Once a packet matches a line in the access list, the corresponding action is taken, and no further comparisons are made.
It is very important to remember the point above because it makes the order in which you specify criteria in your access list critical. Consider the following four hosts:
| Host | Address |
|---|---|
| Arthur | network 1, host 1 |
| Dipsy | network 1, host 2 |
| Kermit | network 2, host 1 |
| Kipper | network 3, host 1 |
Assume that you have a router that connects network 1, network 2, and network 3, and that you are configuring an access list on that router. The access list will filter traffic based on the following criteria:
| Criteria to compare | Action to take |
|---|---|
| Traffic destined for network 1? | Deny |
| Traffic destined for host Dipsy? | Permit |
| Traffic destined for host Kipper? | Permit |
| Traffic destined for network 3? | Deny |
Read the access list criteria in the table above, and pay attention to the order in which they are specified. Can traffic from network 2 or network 3 reach the host named Dipsy? The second line explicitly permits traffic destined for host Dipsy, so you might think that traffic could reach Dipsy. The fact is, though, that no traffic from networks 2 and 3 can reach the host Dipsy. Dipsy resides on network 1, so traffic destined for Dipsy is, of course, also destined for network 1. Any traffic destined for network 1, including traffic destined for Dipsy, will match line one of the access list. The action specified by line one is Deny, so the traffic will be dropped, and no further comparisons will be made for these packets. The traffic destined for Dipsy will never be compared to the criteria in line two, because it will already have been dropped by matching line one. Line two is unreachable, and nothing in the router will warn you about it. The fix is to place the more specific entry first: permit traffic destined for Dipsy on line one, then deny the rest of network 1 on line two. Compare line three with line four: because the permit for Kipper comes before the deny for network 3, traffic to Kipper does get through while the rest of network 3 is blocked. When creating access lists, the order in which you enter your criteria is critical to the effect of the access list.
What happens when a packet does not match any of the criteria specified in an access list? If a packet makes it past the last line of an access list without matching any of the comparison criteria, the router needs to know whether to permit or deny it. The safest option, from a security perspective, is to deny it, and that is what Cisco routers do. There is a term for this default action at the end of an access list: the "implicit deny any." It is never actually stated in the access list or printed in any configuration (hence the "implicit" in the name), but it is a part of every access list on a Cisco router. The "implicit deny any" ensures that any packet that does not match some explicitly stated access list criterion will be dropped once it passes the end of the list. Because it is not a real entry, packets it drops are not attributed to any line in the access list; if you want to see or log what is being dropped, add an explicit deny-any entry as the last line, which behaves identically but can be counted and logged like any other entry.
It is important to remember the "implicit deny any." If it is your intention to allow any traffic that does not meet any of your stated criteria, you must add to the access list a line that explicitly permits this traffic (a "permit any" entry). This line must be the last line of the access list, so that the traffic is permitted before it reaches the "implicit deny any"; placed any earlier, it would match every packet and make the lines after it unreachable.
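The following is an added example, not code from the original paper: a small Python model of the evaluation rules described above (top-down comparison, first match decides, implicit deny at the end) applied to the Dipsy access list, together with a check that flags entries an earlier, broader entry makes unreachable. The IP addresses assigned to network 1, 2 and 3 and to the four hosts are assumptions chosen for the illustration, and only source and destination address criteria are modelled.

```python
# Added example (not from the original paper): a model of Cisco-style
# access-list evaluation -- entries compared in order, first match wins,
# implicit deny any at the end -- plus a check for shadowed entries.
# The addressing for "network 1/2/3" and the four hosts is assumed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple

# Constructed addressing for the paper's example topology (assumed).
NET = {"network 1": "10.1.0.0/16", "network 2": "10.2.0.0/16", "network 3": "10.3.0.0/16"}
HOST = {"Arthur": "10.1.0.1", "Dipsy": "10.1.0.2", "Kermit": "10.2.0.1", "Kipper": "10.3.0.1"}


def as_net(spec: str) -> IPv4Network:
    """'any', a host address, or a CIDR prefix -> IPv4Network."""
    return ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    src: str      # "any", a host address, or a CIDR prefix
    dst: str      # same forms as src

    def matches(self, src: str, dst: str) -> bool:
        return ip_address(src) in as_net(self.src) and ip_address(dst) in as_net(self.dst)

    def __str__(self) -> str:
        return f"{self.action} src {self.src} dst {self.dst}"


IMPLICIT_DENY = Entry("deny", "any", "any")


def evaluate(acl: List[Entry], src: str, dst: str) -> Tuple[str, int]:
    """Return (action, index of the deciding entry).

    Entries are compared in order; the first match decides and later
    entries are never consulted.  A packet that matches nothing falls
    through to the implicit deny any, reported here as index -1.
    """
    for i, entry in enumerate(acl):
        if entry.matches(src, dst):
            return entry.action, i
    return IMPLICIT_DENY.action, -1


def unreachable(acl: List[Entry]) -> List[Tuple[int, int]]:
    """Pairs (j, i): entry j can never match because earlier entry i
    already covers every packet j would match, whatever i's action is."""
    found = []
    for j, later in enumerate(acl):
        for i in range(j):
            earlier = acl[i]
            if (as_net(later.src).subnet_of(as_net(earlier.src))
                    and as_net(later.dst).subnet_of(as_net(earlier.dst))):
                found.append((j, i))
                break
    return found


# The access list exactly as the paper orders it.
ACL_AS_WRITTEN = [
    Entry("deny", "any", NET["network 1"]),
    Entry("permit", "any", HOST["Dipsy"]),
    Entry("permit", "any", HOST["Kipper"]),
    Entry("deny", "any", NET["network 3"]),
]

# Corrected ordering: host-specific permits before the network-wide
# denies, and an explicit permit any as the last line so that unmatched
# traffic is not silently dropped by the implicit deny.
ACL_FIXED = [
    Entry("permit", "any", HOST["Dipsy"]),
    Entry("deny", "any", NET["network 1"]),
    Entry("permit", "any", HOST["Kipper"]),
    Entry("deny", "any", NET["network 3"]),
    Entry("permit", "any", "any"),
]

if __name__ == "__main__":
    for name, acl in (("as written", ACL_AS_WRITTEN), ("fixed", ACL_FIXED)):
        print(f"--- {name} ---")
        for j, i in unreachable(acl):
            print(f"  entry {j} ({acl[j]}) is shadowed by entry {i} ({acl[i]})")
        for label, src, dst in (("Kermit -> Dipsy", HOST["Kermit"], HOST["Dipsy"]),
                                ("Kermit -> Kipper", HOST["Kermit"], HOST["Kipper"]),
                                ("Arthur -> Kermit", HOST["Arthur"], HOST["Kermit"])):
            action, idx = evaluate(acl, src, dst)
            by = "implicit deny any" if idx < 0 else f"entry {idx}"
            print(f"  {label}: {action} ({by})")
```

Running the script shows the paper's point directly: with the list as written, Kermit to Dipsy is denied by entry 0 and the Dipsy permit is reported as shadowed, while Kermit to Kipper is permitted because the host permit precedes the network 3 deny. Arthur to Kermit matches nothing and falls to the implicit deny; only the fixed list, with its explicit permit any, lets it through.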