Friday, November 30, 2007

Using Cisco's timed access-list (Part2)

Well, in Part 1 we saw how easy it is to create a timed access-list. Now, let's say you want to apply that access-list today, but your company's web-browsing policy only starts on January 1st, 2008.

I'm sure you don't plan on seeing in the new year at the office, so let's resolve this with an absolute time-range. Unlike a periodic one, an absolute range with only a start is inactive until that moment and then stays active for good.

!
time-range ActivateNewPolicy
 absolute start 00:00 1 January 2008
!

We had this:

!
ip access-list extended ControlWeb
 10 permit tcp any any eq www time-range WebTime
 ! Matched when WebTime is not in range
 20 deny tcp any any eq www
 ! Permit anything else
 30 permit ip any any
!
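One way to combine the two ranges so the switch happens on its own, as an added example for this page and not configuration from the original post: put ActivateNewPolicy on the deny entry rather than on the permit. While the absolute range is inactive the deny is skipped and web traffic falls through to the final permit; from midnight on January 1st the deny starts matching anything outside WebTime. The WebTime schedule (weekday lunch hour) and the LAN interface name are assumptions.

```cisco
! Added example, not the original post's configuration.
! Assumptions: WebTime is the weekday lunch hour, the LAN sits on
! FastEthernet0/0, and the router clock is already correct.
!
time-range WebTime
 periodic weekdays 12:00 to 13:00
!
! Start only: inactive until midnight 1 Jan 2008, active forever after.
time-range ActivateNewPolicy
 absolute start 00:00 1 January 2008
!
! No explicit sequence numbers here; IOS numbers the entries in order.
ip access-list extended ControlWeb
 remark Inside the allowed window, web is always permitted
 permit tcp any any eq www time-range WebTime
 remark Skipped until the cutover, then denies out-of-hours web
 deny tcp any any eq www time-range ActivateNewPolicy
 remark Before the cutover, out-of-hours web falls through to here
 permit ip any any
!
interface FastEthernet0/0
 description LAN
 ip access-group ControlWeb in
```

The entry order is what makes this work, so don't let anyone resequence the list; after the cutover, `show access-lists ControlWeb` should show the deny entry flagged (active) whenever WebTime is not. And because the range is compared against the router's own clock, check `show clock detail`, the timezone and NTP beforehand, or the policy flips at the wrong hour.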


Using Cisco's timed access-list (Part1)

Timed access-lists are somehow "nice", but I still haven't used them in a production network.

People's initial reaction is "let's do some timed access-lists", but then, when reality hits, they get scared. The truth is that many times people want certain features and capabilities, and they get them. But then, when they find out it is going to cost them some more administrative overhead, they walk away.

Well, the concept is quite simple. You have traffic that you want to permit or deny based on the day of the week, the time of day, a calendar date, etc. Cisco's timed access-lists let you do that: you define a time-range, and any extended access-list entry that references it is only considered while the range is active.
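To put the concept in concrete terms, here is an added example (mine, not the original post's configuration) showing the two forms a time-range can take, how an access-list entry is tied to one, and how to check what the router currently thinks is active. The schedule, the management host 192.0.2.20, the NTP server 192.0.2.10 and the interface name are assumptions.

```cisco
! Added example, not from the original post. Addresses (documentation
! range), interface name and schedule are assumptions for illustration.
!
! Time-ranges are evaluated against the router's own clock, so get the
! clock right first: a wrong timezone or a drifting clock shifts the
! whole policy.
clock timezone EST -5
clock summer-time EDT recurring
ntp server 192.0.2.10
!
! periodic: recurring windows (days-of-the-week plus hh:mm to hh:mm).
! A range may carry several periodic lines and is active when any of
! them matches.
time-range WebTime
 periodic weekdays 12:00 to 13:00
 periodic weekdays 18:00 to 23:59
 periodic weekend 00:00 to 23:59
!
! absolute: a one-off window with a start and/or an end.
! Only one absolute line is allowed per time-range.
time-range Audit2007
 absolute start 08:00 3 December 2007 end 17:00 7 December 2007
!
! The time-range keyword ties an entry to a range; the entry is simply
! skipped while the range is inactive. The explicit deny that follows
! each timed permit is what actually enforces the policy out of hours.
ip access-list extended OfficeHours
 remark Web browsing only during WebTime
 permit tcp any any eq www time-range WebTime
 deny tcp any any eq www
 remark Remote SSH to the management host only during the audit week
 permit tcp any host 192.0.2.20 eq 22 time-range Audit2007
 deny tcp any host 192.0.2.20 eq 22
 permit ip any any
!
interface FastEthernet0/0
 description LAN
 ip access-group OfficeHours in
!
! Verification (exec mode): each range and each timed entry is
! reported as (active) or (inactive) against the current clock.
!   show clock detail
!   show time-range
!   show access-lists OfficeHours
```

The administrative overhead mentioned earlier shows up right here: every timed entry needs its untimed deny behind it, and the whole thing only means what you think it means if the clock is trustworthy.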

Using Cisco's reflexive access-lists

Reflexive access-lists are Cisco's answer to the security people who complained about access-lists built on the "established" option. "established" only checks that the ACK or RST bit is set in a TCP segment, so anything with that bit set gets through whether or not a session exists (an ACK scan, for example). A reflexive access-list instead creates temporary entries mirroring the sessions that were actually initiated from the inside, and only the return traffic of those sessions is allowed back in.

For example, lets say we have the following scenario:

[LAN: 2.2.2.0/24]---(R1)----{INTERNET}

Let's say I have "Serial 0/0" as my T1 to the Internet and I want to block access to my LAN except for WWW to my web server 2.2.2.2. (The access-list can be applied to the LAN interface or the WAN interface; in this case I'm using the WAN.)
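Here is one way to build that scenario with reflexive access-lists, as an added example that is not configuration from the original post. The reflexive list name, the idle timeouts and the LAN interface name are assumptions; the addresses and Serial0/0 are the ones from the scenario.

```cisco
! Added example, not the original post's configuration.
! Assumptions: LAN 2.2.2.0/24 behind FastEthernet0/0, Serial0/0 faces
! the Internet, 2.2.2.2 is the only host reachable from outside (TCP/80).
! Timeouts are idle seconds and are illustrative.
!
! Default lifetime of a reflected entry when no per-entry timeout is set.
ip reflexive-list timeout 120
!
! Outbound on Serial0/0: every session the LAN opens is reflected into a
! temporary list (addresses and ports swapped) named LANSESSIONS.
ip access-list extended OUTBOUND
 remark Reflect LAN-initiated sessions; reflexive lists need named
 remark extended ACLs, and the reflect entries must be permits
 permit tcp 2.2.2.0 0.0.0.255 any reflect LANSESSIONS timeout 300
 permit udp 2.2.2.0 0.0.0.255 any reflect LANSESSIONS timeout 60
 permit icmp 2.2.2.0 0.0.0.255 any reflect LANSESSIONS timeout 30
 remark Other protocols still leave, but get no return entry
 permit ip 2.2.2.0 0.0.0.255 any
 remark Anything else leaving with a non-LAN source is spoofed
 deny ip any any log
!
! Inbound on Serial0/0: one static hole for the web server, then the
! reflected sessions, then drop. "evaluate" is a conditional point:
! if nothing in LANSESSIONS matches, processing continues below it.
ip access-list extended INBOUND
 remark Public web server
 permit tcp any host 2.2.2.2 eq www
 remark Return traffic for sessions the LAN initiated
 evaluate LANSESSIONS
 remark Contrast: "permit tcp any 2.2.2.0 0.0.0.255 established" would
 remark admit any segment with ACK or RST set, session or not
 deny ip any any log
!
interface Serial0/0
 description T1 to the Internet
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Two things "established" never had to deal with: a temporary entry exists only for sessions the LAN opened through Serial0/0, so a protocol that opens a second connection from the outside (active-mode FTP) still needs a static permit or real inspection (CBAC); and an entry disappears when the TCP session closes or the idle timeout expires, so long-idle sessions can get cut off, which is what the per-entry and global timeouts are for. `show access-list LANSESSIONS` lists the temporary entries currently open.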
