
Stephen McQuerry

"Interconnecting Cisco Network Devices, Part 2 (ICND2): (CCNA Exam 640-802 and ICND exam 640-816) (3rd Edition)"

This permits traffic for a particular period; idle and absolute timeouts are possible. Figure 6-6 shows an example of dynamic access lists.
Figure 6-6 Dynamic ACL
1) Use Telnet to connect to the router and authenticate.
2) Use FTP, HTTP, and so on to connect to the server.
Some common reasons to use dynamic ACLs are as follows:
• Use dynamic ACLs when you want a specific remote user or group of remote users to access a host within your network, connecting from their remote hosts via the Internet. Lock-and-key authenticates the user and permits limited access through your firewall router for a host or subnet for a finite period.
• Use dynamic ACLs when you want a subset of hosts on a local network to access a host on a remote network that is protected by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set of local hosts. Lock-and-key requires the users to authenticate through a TACACS+ server, or other security server, before it allows their hosts to access the remote hosts.
Dynamic ACLs have the following security benefits over standard and static extended ACLs:
• Use of a challenge mechanism to authenticate individual users
• Simpler management in large internetworks
• In many cases, reduction of the amount of router processing that is required for ACLs
• Reduction of the opportunity for network break-ins by network hackers
• Creation of dynamic user access through a firewall, without compromising other configured security restrictions
Although the entire configuration for a dynamic ACL is outside the scope of this course, the following example shows the steps that are required to configure a dynamic ACL.
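The IOS fragment below is an added illustration, not the book's own example, of the lock-and-key pattern described above: a static entry that allows only the authentication Telnet session, a dynamic entry that stays inactive until a user has authenticated, an absolute timeout on the dynamic entry and an idle timeout on the session that activates it. The interface, addresses, list name and local username are constructed for the illustration; local authentication is used in place of the TACACS+ server the text mentions.

```cisco
! Added example (not from the book): lock-and-key dynamic ACL on an
! Internet-facing router. Interface, addresses, list name and user are constructed.
!
! Local credential the remote user must present. The text also allows a
! TACACS+ or other security server to perform this authentication instead.
username remoteuser secret <choose-a-strong-password>
!
! Entry 1: allow Telnet to the router's outside address so the user can
! authenticate. Until the dynamic entry is created, the implicit deny at the
! end of the list blocks everything else arriving on this interface.
access-list 101 permit tcp any host 172.16.1.1 eq telnet
!
! Entry 2: the dynamic entry. It matches nothing until a user authenticates.
! "timeout 120" is the ABSOLUTE timeout (minutes) for the temporary entry.
access-list 101 dynamic LOCKANDKEY timeout 120 permit ip any 10.1.1.0 0.0.0.255
!
interface Serial0/0
 description Internet-facing link (constructed)
 ip address 172.16.1.1 255.255.255.0
 ip access-group 101 in
!
! When the user logs in on a vty, access-enable creates the temporary entry.
! "host" restricts the entry to the authenticated user's source address rather
! than "any"; "timeout 5" is the IDLE timeout (minutes) that removes it.
line vty 0 4
 login local
 autocommand access-enable host timeout 5
```

While a session is active, `show access-lists 101` lists the temporary entry beneath the dynamic line, and `clear access-template` removes it before either timeout expires. Because `autocommand` on every vty also runs for administrators who Telnet to the router, a common practice is to attach the command to the lock-and-key user instead (`username remoteuser autocommand access-enable host timeout 5`) or to reserve one vty with `rotary 1` for administrative access.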

