Access Lists

Chapter 2, “Basic Cisco Router Security,” explored standard and extended access lists. This chapter explores more advanced forms of access lists. Advanced access lists are built on one idea: entries are created and removed without administrator intervention. Security on a network should be as tight as is reasonable at any given time. Advanced access lists, such as dynamic, reflexive, and Context-based Access Control (CBAC), all change the existing access lists to create openings in real time without changing the configuration. These openings are usually created in response to a request made from the inside (trusted side) of the corporate network. The newly created opening is closed after a period of time with no activity or when the session that initiated the opening ends. Creating openings only when initiated from inside the network, and closing them when they are no longer needed, limits the time during which an outside entity can exploit them.
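
The lifecycle described above can be seen in a small Python model. This is an added example, not code from the book and not Cisco IOS behavior in detail. The class name, the 300-second idle timeout, and the addresses are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ReflexiveFilter:
    """Toy model of a self-modifying inbound filter on the outside interface."""
    idle_timeout: int = 300  # seconds; assumed value for this model
    openings: dict = field(default_factory=dict)  # permitted return flow -> last activity

    def _expire(self, now):
        # Close every opening that has been idle for the full timeout.
        for key in [k for k, last in self.openings.items() if now - last >= self.idle_timeout]:
            del self.openings[key]

    def outbound(self, now, src, sport, dst, dport, session_end=False):
        """Inside host sends a packet: create, refresh, or close the return opening."""
        self._expire(now)
        key = (dst, dport, src, sport)  # return traffic has the endpoints swapped
        if session_end:
            self.openings.pop(key, None)  # session over: close at once
        else:
            self.openings[key] = now
        return True  # outbound traffic is always permitted in this model

    def inbound(self, now, src, sport, dst, dport):
        """Outside host sends a packet: permit only through a live opening."""
        self._expire(now)
        key = (src, sport, dst, dport)
        if key in self.openings:
            self.openings[key] = now  # activity resets the idle timer
            return True
        return False  # no opening: implicit deny

def demo():
    # Constructed flow: inside 10.0.0.5 opens a session to outside 198.51.100.7:443.
    f = ReflexiveFilter()
    inside, outside = ("10.0.0.5", 40000), ("198.51.100.7", 443)
    results = [f.inbound(0, *outside, *inside)]                  # unsolicited: denied
    f.outbound(10, *inside, *outside)                            # inside initiates
    results.append(f.inbound(11, *outside, *inside))             # reply: permitted
    results.append(f.inbound(11, "203.0.113.9", 443, *inside))   # other host: denied
    results.append(f.inbound(400, *outside, *inside))            # idle past timeout: denied
    return results

if __name__ == "__main__":
    print(demo())
```

The same outside host is permitted only between the inside-initiated packet and the idle timeout. Before the session starts and after it goes idle, no opening exists to be reached.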
