Hi and welcome to Cyber. My name's Anthony and I'm your local subject matter expert for Network+. And today we're gonna be talking about and discussing some of the different methods for network access security. So the first part in our network access control that we want to take a look at is our access control lists, also known as our ACLs. Now our access control lists are essentially just
a list of allowed users, MAC addresses, IPs
on our network, connected to our devices, connected through to our routers, connected to our switches, and allowed to transmit data over our network.
Now, these access control lists give us a bit greater security extensibility than
not having them, essentially because these access control lists let us dictate who is allowed to talk on the network and who is allowed to send packets over to certain parts of our network. So it allows us to provide some segmentation and allows us to provide some protection against
unauthorized users or unauthorized computers
connecting to our network and transmitting data.
Now, so our access control list, again: a list of allowed users, MAC addresses, IPs. It's our list of people that we allow to the party, our list of people that we allow in the door, connected to our network so they can transmit data.
So we have a couple different types of access control lists, a couple different concepts with access control lists, and our first concept is MAC filtering. Now, we talked a little bit about MAC filtering when we talked about our wireless access point security, and MAC filtering is a Layer 2 filter, Layer 2 header filtering,
where our devices analyze
the Layer 2 header on our packets and check the MAC address. Now our MAC address is our media access control address, and it is a globally unique address that's assigned to a network interface card. Not only our port-based network interface cards;
wireless network interface cards have MAC addresses as well.
So our different devices, our routers, our switches, our wireless access points, if we set up an access control list that's based on MAC address filtering, are going to filter these packets at the Layer 2 level. They're going to check the Layer 2 header on our packets.
They're going to see what MAC address is sending these packets or receiving these packets, depending on
which direction we're filtering, and they're going to say, OK, this packet is allowed to go through, or this packet is denied and I'm going to drop this packet. So
with MAC filtering, it's important to remember, and it's important to realize, that MAC addresses can be spoofed.
There's a lot of different software, there's a lot of different capabilities that are even built into certain OSes, which allow us to simply go in and
change what MAC address we're sending with our packets, what we're sending in our Layer 2 header,
so they can be spoofed. So this MAC filtering access control list isn't going to be our 100% failsafe method of setting up protection on our network, because these MAC addresses can easily be spoofed once someone else finds out and determines some allowed MAC addresses on our network.
There are additional extensibilities, such as only allowing certain MAC addresses during certain times of the day,
only allowing a MAC address to have one instance of connectivity, so our devices will set an alarm or send an alarm to our security team if they say, hey, this MAC address is already connected, and now I had a different device come in and say it had the same MAC address and try to connect. So that's an issue. But
our underlying point is just that these MAC addresses can be spoofed.
But when we're setting up our MAC filtering, we'll need to manually record and set our rules for which MAC addresses are allowed over our network, which MAC addresses are allowed to connect to different devices on our network.
So next up, we have our IP filtering. Now our IP filtering is going to be at Layer 3, our IP layer, and is going to filter by our IP address. Now IP filtering is going to be also a little bit easier to spoof than our MAC address,
because if someone can obtain an IP or someone can statically set
an IP that they know is allowed, then they can very easily spoof, they can very easily fake their IP address. So it's something that we need to watch out for. But again, it's going to be similar to our MAC filtering in that we're going to set static reservations, or we're gonna statically set
IP addresses on certain computers, or we're going to set IP reservations for certain computers,
and then set up these access control lists with these IP address filtering rules rather than MAC filtering rules.
And then, lastly, we have our port filtering. Now port filtering is going to utilize MAC address filtering or IP filtering, so it's going to run at Layer 2 or Layer 3.
Now when we're talking about our port filtering, we're essentially saying that we're actually putting an access control list, and we're applying it to a certain port on a switch or a router or a hub device. So
we're taking an access control list filter, which is our MAC filtering or IP filtering, and we're applying it to the inbound, the ingress, or the outbound, egress, traffic in or out of a particular port. So
if we have a port on one of our switches, say we have our
multi-port switch here, and then we have several different ports on our switch, and then we're going to apply some access control lists. We're gonna apply some port filtering to our port number six here. So we're gonna log into our switch management, we're gonna connect into our switch management,
and we're going to say, OK, I'm going to set up some port filtering on this particular port.
So I'm gonna first set up my ingress filtering. So I'm going to start filtering the traffic that is going into this port, the traffic that is coming from an outside location into this port.
So I'm gonna say, okay, so this port is connected to this particular server, so I am only allowing
traffic that is coming from the MAC address of this server that I've dictated. So we want to keep people from unplugging the server from that port, maybe plugging in their computer, and we're going to say, OK,
only this particular MAC address
is allowed in my ingress rules, so I'm only allowing Server A to talk to this port.
And that's okay, because Server A is the only computer that's plugged into this port.
Then we're gonna set our egress rules, and we're going to say, OK, I only want to allow these 10 computers to talk
through this port to Server A. So I'm going to dictate what MAC addresses are allowed to actually communicate
through this port, outbound, egress, out of this port to Server A. So then I'm going to specify
for my outbound rules.
So Server A is the only computer that's allowed to talk into this port. And then these 10 computers are the only 10 computers that are allowed to talk out of this port to Server A. So even if someone else maybe went to one of those 10 computers, unplugged that computer and plugged in their computer and then tried to connect to this server,
then they're not going to get traffic through because they're not
specified as an allowed MAC address. But then, of course, unless they spoof their MAC address, then we're talking about a different scenario.
So we can see how this port filtering is going to use either MAC filtering or IP-based filtering when it's deciding who is allowed to talk into or out of a certain port. So we can set an inbound access control list and an outbound access control list on each port,
dictating who is allowed to connect into it and who is allowed to transmit traffic through that port.
Now we want to make sure that we're also disabling any unused ports. If we have any ports in particular that are not being used on our network, maybe we'll say ports one and two are not currently in use. They go to wall drops that are in empty offices. We want to eliminate those as a potential attack vector into our network
by just going into our management console and disabling those ports and saying no traffic is allowed on those ports at all.
That way, if maybe someone comes in after hours or something, or someone comes into work during the workday, social engineers their way into our building and then says, oh, there's an empty office, let me hide in there and plug in my computer to that port, they're not going to get anything. They're not gonna get any traffic to that port,
not because it's not connected, not because it's not wired up. It is wired up.
It's wired directly to one of these two ports, but because we actually have a team that goes through and makes sure, our network team goes through and says, okay, offices 101 and 102 are currently not in use, they're currently unoccupied,
so ports one and two are going to be disabled because those were the
ports that correspond with the wall drops in offices 101 and 102.
So we want to disable those unused ports. We want to enable access control lists on the ports that go to certain drop ports and offices. And that way, even though it requires a little bit more management, because if we move a different computer into that office we need to change the access control lists, it's going to provide us with a greater degree of security
than if we just leave all of these ports open to any sort of traffic at all
and don't put any access control lists on them,
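
Added example (not part of the lecture): a small Python model of the switch described above, with ports 1 and 2 disabled, an ingress and egress MAC ACL on port 6, and the duplicate-MAC alarm. The MAC addresses, class names and port layout other than ports 1, 2 and 6 are constructed for illustration; real switches express this in their own configuration syntax.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Port:
    enabled: bool = True
    ingress: Optional[frozenset] = None  # source MACs allowed INTO this port; None = no ACL
    egress: Optional[frozenset] = None   # source MACs allowed OUT of this port; None = no ACL

class Switch:
    def __init__(self, ports):
        self.ports = ports      # port number -> Port
        self.mac_seen_on = {}   # source MAC -> port it was first seen on
        self.alarms = []        # messages for the security team

    def forward(self, in_port, out_port, src_mac):
        """Decide the fate of one frame: 'forward' or 'drop: <reason>'."""
        src = src_mac.lower()
        pin, pout = self.ports[in_port], self.ports[out_port]
        if not pin.enabled or not pout.enabled:
            return "drop: port disabled"
        if pin.ingress is not None and src not in pin.ingress:
            return "drop: ingress ACL"
        if pout.egress is not None and src not in pout.egress:
            return "drop: egress ACL"
        # One instance of connectivity per MAC: same address on a second port raises an alarm.
        known = self.mac_seen_on.setdefault(src, in_port)
        if known != in_port:
            self.alarms.append(f"{src} already on port {known}, now claimed on port {in_port}")
            return "drop: duplicate MAC"
        return "forward"

# Constructed sample addresses (locally administered range).
SERVER_A = "02:00:00:00:00:0a"
CLIENTS = frozenset(f"02:00:00:00:01:{i:02x}" for i in range(1, 11))  # the 10 allowed computers

def build_switch():
    ports = {n: Port() for n in range(1, 9)}           # assumed 8-port switch
    ports[1].enabled = ports[2].enabled = False        # wall drops in empty offices
    ports[6] = Port(ingress=frozenset({SERVER_A}), egress=CLIENTS)  # Server A's port
    return Switch(ports)

if __name__ == "__main__":
    sw = build_switch()
    print(sw.forward(3, 6, "02:00:00:00:01:01"))  # allowed client to Server A
    print(sw.forward(4, 6, "02:00:00:00:02:99"))  # unlisted computer
    print(sw.forward(4, 6, "02:00:00:00:01:01"))  # same MAC from a second port
    print(sw.alarms)
```

The last case shows why the MAC ACL alone is not a failsafe: a frame carrying an allowed MAC passes both ACLs, and only the one-instance check flags it, and only if the real device has already been seen on another port.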