ADTRAN AOS Version R10.1.0 Command Reference Manual page 1000

Command Reference Guide
AOS includes several security features to provide controlled access to your network. The following
features are available when security is enabled (using the ip firewall command):
1. Stateful Inspection Firewall
AOS (and your unit) act as an ALG and employ a stateful inspection firewall that protects an organization's
network from common cyber attacks, including Transmission Control Protocol (TCP) syn-flooding, IP
spoofing, Internet Control Message Protocol (ICMP) redirect, land attacks, ping-of-death, and IP
reassembly problems. In addition, further security is added with use of NAT and port address translation
(PAT) capability.
2. IPv4 Access Policies
AOS IPv4 ACPs are used to allow, discard, or manipulate (using NAT) data for each physical interface.
Each ACP consists of an action (allow, discard, nat) and a selector (access control list (ACL)). In a sense,
the ACPs answer the question, "What should I do?" while the ACLs answer the question, "On which
packets?"
When packets are received on an interface with an ACP applied, the ACP is used to determine whether
the data is processed or discarded. Both ACLs and ACPs are order dependent. When a packet is
evaluated, the matching engine begins with the first entry in the list and progresses through the entries
until it finds a match. The first entry that matches is executed. The ACP has an implicit discard at the end
of the list. Typically, the most specific entries should be at the top and the most general at the bottom.
3. IPv4 Access Lists
IPv4 ACLs are used as packet selectors by ACPs. They must be assigned to an ACP in order to be active.
ACLs are composed of an ordered list of entries. Each entry contains two parts: an action (permit or deny)
and a packet pattern. A permit action is used to allow packets (meeting the specified pattern) to enter the
router system. A deny action is used to disregard packets (meeting the specified pattern) and proceed to
the next entry on the ACP. The ACL has an implicit deny at the end of the list.
The AOS provides two types of ACLs: standard and extended. A standard ACL allows source IP address
packet patterns only. An extended ACL may specify patterns using most fields in the IP header and the
TCP or User Datagram Protocol (UDP) header.
Usage Examples
The following example enables the AOS IPv4 security features:
(config)#ip firewall
Technology Review
Concepts: IPv4 access control using the AOS firewall has two fundamental parts: ACLs and ACPs. ACLs
are used as packet selectors by other AOS systems; by themselves they do nothing. ACPs consist of a
selector (ACL) and an action (allow, discard, nat). ACPs integrate both allow and discard policies with
NAT. ACPs have no effect until they are assigned to a network interface.
Both ACLs and ACPs are order dependent. When a packet is evaluated, the matching engine begins with
the first entry in the list and progresses through the entries until it finds a match. The first entry that
matches is executed.
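The first-match behaviour described above (ACL entries evaluated in order with an implicit deny, ACP entries evaluated in order with an implicit discard, and a denied ACL selection falling through to the next ACP entry) is easy to get wrong when writing policies, so the following is an added worked model of that matching engine. It is illustrative code written for this page, not AOS code; the packet fields, the use of CIDR networks instead of AOS wildcard masks, and all addresses and list names are constructed for the example. It also shows why the "most specific entries at the top" advice matters by evaluating the same telnet packet against a correctly ordered and a misordered ACL.

```python
"""Illustrative first-match ACL/ACP evaluator (constructed example, not AOS code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


def _ip_in(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise addr must fall inside the CIDR network."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class AclEntry:
    action: str                # "permit" or "deny"
    src: str = "any"           # CIDR network or "any"
    proto: str = "ip"          # "ip" matches every protocol (extended ACLs only)
    dst: str = "any"           # extended ACLs only
    dport: Optional[int] = None  # extended ACLs only

    def matches(self, pkt: Packet) -> bool:
        if not _ip_in(self.src, pkt.src):
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not _ip_in(self.dst, pkt.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


@dataclass
class Acl:
    name: str
    kind: str                  # "standard" (source only) or "extended"
    entries: List[AclEntry] = field(default_factory=list)

    def add(self, entry: AclEntry) -> None:
        # A standard ACL can only express a source-address pattern.
        if self.kind == "standard" and (entry.proto != "ip" or entry.dst != "any" or entry.dport is not None):
            raise ValueError(f"standard ACL {self.name}: only a source pattern is allowed")
        self.entries.append(entry)

    def selects(self, pkt: Packet) -> bool:
        """First matching entry decides; an explicit or implicit deny means 'not selected'."""
        for entry in self.entries:
            if entry.matches(pkt):
                return entry.action == "permit"
        return False           # implicit deny at the end of the list


@dataclass
class AcpEntry:
    action: str                # "allow", "discard" or "nat"
    acl: Acl


@dataclass
class Acp:
    name: str
    entries: List[AcpEntry] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        """Walk the ACP in order; a denied selection falls through to the next entry."""
        for entry in self.entries:
            if entry.acl.selects(pkt):
                return entry.action
        return "discard"       # implicit discard at the end of the list


def _inbound_acl(deny_telnet_first: bool) -> Acl:
    """Extended ACL protecting a hypothetical host 192.168.1.10 (constructed addresses)."""
    acl = Acl("INBOUND", "extended")
    deny_telnet = AclEntry("deny", "any", "tcp", "192.168.1.10/32", 23)
    permit_tcp = AclEntry("permit", "any", "tcp", "192.168.1.10/32")   # general entry
    for e in ([deny_telnet, permit_tcp] if deny_telnet_first else [permit_tcp, deny_telnet]):
        acl.add(e)
    return acl


def build_example_acp(correct_order: bool = True) -> Acp:
    """ACP with a standard management ACL first, then the extended inbound ACL."""
    mgmt = Acl("MGMT", "standard")
    mgmt.add(AclEntry("permit", "10.10.10.0/24"))          # trusted management subnet
    return Acp("PUBLIC", [AcpEntry("allow", mgmt), AcpEntry("allow", _inbound_acl(correct_order))])


if __name__ == "__main__":
    telnet = Packet("tcp", "203.0.113.7", "192.168.1.10", 23)
    print("correct order  :", build_example_acp(True).evaluate(telnet))
    print("misordered     :", build_example_acp(False).evaluate(telnet))
```

With the specific deny above the general permit, the telnet packet is denied by the ACL, the ACP falls through to its implicit discard, and HTTP to the same host is still allowed; swapping the two entries makes the general permit match first and the deny entry is never reached.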
60000CRG0-35E
Copyright © 2012 ADTRAN, Inc.
Global Configuration Mode Command Set
1000