Access lists

The network access lists are usually the first line of defense against outside intrusions and attacks. Generally speaking, routers and switches process packets at a much faster rate than servers, because they utilize hardware such as Ternary Content-Addressable Memory (TCAM). They do not need to inspect application-layer information; they examine only the layer 3 and layer 4 headers and decide whether a packet is forwarded or dropped. Therefore, we generally utilize network device access lists as the first step in safeguarding our network resources.

As a rule of thumb, we want to place access lists as close to the source (client) as possible. Inherently, we also trust the inside hosts and distrust the clients outside of our network boundary. The access list is therefore usually placed in the inbound direction on the external-facing network interface(s). In our lab scenario, this means we will place an inbound access list on Ethernet2/2, which is directly connected to the client host.

If you are unsure of the direction and placement of the access list, a few points might help here:

  • Think of the access list from the perspective of the network device
  • Simplify the packets in terms of just source and destination IP and use one host as an example:
    • In our lab, traffic from our server will have a source IP of 10.0.0.14 with the destination IP of 10.0.0.10
    • The traffic from the client will have a source IP of 10.10.10.10 and the destination IP of 10.0.0.14

Obviously, every network is different, and how the access list should be constructed depends on the services provided by your server. But for an inbound border access list, you should do the following:

  • Deny RFC 3030 special-use address sources, such as 127.0.0.0/8
  • Deny RFC 1918 space, such as 10.0.0.0/8
  • Deny our own space as the source IP; in this case, 10.0.0.12/30
  • Permit inbound TCP port 22 (SSH) and 80 (HTTP) to host 10.0.0.14
  • Deny everything else
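To see how the order of those entries decides what gets through, here is a small first-match model of the inbound border list above. This is an added example, not code from the book or its lab; the rule and packet types, the `evaluate` and `render_ios` helpers, and the public sample source 203.0.113.5 (a constructed TEST-NET-3 address) are all assumptions made for the illustration. The IOS-style rendering follows the usual extended-ACL form (`permit tcp any host 10.0.0.14 eq 22`, wildcard masks for prefixes). Note that the lab client 10.10.10.10 sits inside 10.0.0.0/8, so applied literally in the order listed, the RFC 1918 deny drops the lab client's own traffic; the `LAB_INBOUND` variant shows the explicit permits that would have to precede it in the lab.

```python
"""First-match model of an inbound border ACL (added example, not the book's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol; otherwise "tcp" / "udp"
    src: str                      # CIDR prefix, or "any"
    dst: str                      # CIDR prefix, or "any"
    dport: Optional[int] = None   # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _net(prefix: str):
    return ip_network("0.0.0.0/0" if prefix == "any" else prefix, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet falls inside every field of the rule (protocol, src, dst, port)."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in _net(rule.src):
        return False
    if ip_address(pkt.dst) not in _net(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First-match evaluation: returns (action, index of the rule that decided).
    Falling off the end denies, mirroring the implicit deny at the end of an IOS ACL."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", len(acl)


def render_ios(acl: List[Rule]) -> List[str]:
    """Render rules as Cisco IOS extended ACL lines ('any', 'host x', or 'net wildcard')."""
    def addr(prefix: str) -> str:
        if prefix == "any":
            return "any"
        n = _net(prefix)
        if n.num_addresses == 1:
            return f"host {n.network_address}"
        return f"{n.network_address} {n.hostmask}"   # hostmask is the IOS wildcard mask

    lines = []
    for r in acl:
        line = f"{r.action} {r.proto} {addr(r.src)} {addr(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    return lines


SERVER = "10.0.0.14/32"   # the lab server from the text

# The border list in the order the text gives it (own space is 10.0.0.12/30).
BORDER_INBOUND = [
    Rule("deny", "ip", "127.0.0.0/8", "any"),      # special-use (loopback) source
    Rule("deny", "ip", "10.0.0.0/8", "any"),       # RFC 1918
    Rule("deny", "ip", "172.16.0.0/12", "any"),    # RFC 1918
    Rule("deny", "ip", "192.168.0.0/16", "any"),   # RFC 1918
    Rule("deny", "ip", "10.0.0.12/30", "any"),     # our own space as a source (anti-spoof)
    Rule("permit", "tcp", "any", SERVER, 22),      # SSH to the server
    Rule("permit", "tcp", "any", SERVER, 80),      # HTTP to the server
    Rule("deny", "ip", "any", "any"),              # everything else
]

# Lab variant (assumption): the lab client 10.10.10.10 is inside 10.0.0.0/8, so its
# permits must come before the RFC 1918 deny or the lab traffic never gets through.
LAB_INBOUND = [
    Rule("permit", "tcp", "10.10.10.10/32", SERVER, 22),
    Rule("permit", "tcp", "10.10.10.10/32", SERVER, 80),
] + BORDER_INBOUND


if __name__ == "__main__":
    # Constructed sample packets, as seen from the router on Ethernet2/2.
    samples = [
        Packet("10.10.10.10", "10.0.0.14", "tcp", 22),   # lab client -> server SSH
        Packet("203.0.113.5", "10.0.0.14", "tcp", 80),   # public client -> server HTTP
        Packet("203.0.113.5", "10.0.0.14", "tcp", 443),  # service the list does not offer
        Packet("10.0.0.13", "10.0.0.14", "tcp", 22),     # spoofed source from our own /30
    ]
    for name, acl in (("border", BORDER_INBOUND), ("lab", LAB_INBOUND)):
        for p in samples:
            print(name, p.src, "->", p.dst, p.proto, p.dport, evaluate(acl, p))
    print("\n".join(render_ios(BORDER_INBOUND)))
```

Two things the model makes visible: with the entries in the listed order, the lab client is denied by the 10.0.0.0/8 entry, so in this lab an explicit permit for the client has to sit above the RFC 1918 denies; and the own-space entry for 10.0.0.12/30 is never reached here because 10.0.0.0/8 already covers it, which is harmless in the lab but is the entry that does the anti-spoofing work when your own space is public.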