- slide 1 of 5
Access to a network has been a problem for IT administrators for a long time. Not only do they have to monitor who is properly on the network, they also have to monitor what programs and data appear on the network. Then there is the additional problem that comes from having an open network; hackers can wreak havoc. Malware can infect the system.
Some of the traditional controls are network authentication; a person has to have an account on the network with a password. Another method is to have a firewall which limits access to certain types of software or location; porn, viruses, or gambling sites are typical examples.
- slide 2 of 5
What are Access Control Systems?
The examples mentioned before are called access control systems. Their purpose is to limit access into a network or into a computer. Computer authentication is the most easily controlled operation. If you do not have a password, you do not get on. Network authentication is next; if you don't have an account on the network, you do not get on.
But that still leaves your network or computer exposed to hackers or malware. The question is, how do you prevent those outsiders from accessing or entering the system? Beyond that, how do you keep your own employees from accessing areas of the network where you don't want them? For example, you may not want anyone other than finance to access the finance server. Then you may also want to prevent employees from accessing areas of the Internet, or even the entire Internet.
- slide 3 of 5
What are IP-Based Access Control Systems?
One method that can control access is using an IP address. Networks and the Internet communicate with an IP address. Think of it as a phone number, with an area code. The area code identifies the network, and the phone number identifies the host on the network, like a PC, or server, or printer.
An IP-based access control system can control an entire network or range of networks from accessing the network. An IP-based system uses an IP address, like 126.96.36.199 plus a subnet mask, like 255.255.0.0. The combination of the two can be used as a filter to control the traffic on the network. It can control access into and exit out of the network.
Besides IP addresses, you can control access via a port, like port 80, for the Internet. Or you can control traffic based on protocols, like IP or udp. You can also control traffic based on certain computer operations, like file transfer or logging on remotely via telnet.
Programs exist that can help control access based on the IP address. The image shows how to set it up and what can be controlled with it.
Image - Download Source Internet Access Controller
(A discussion of IP#'s and subnet masks can be found at the links in the summary below.)
- slide 4 of 5
Examples of Cisco's Router-Based Access Control
Cisco System, the maker of network appliances like routers and switches, has a full technology devoted to IP-based access control. Cisco calls it an access list. Here are some examples.
access list 10 permit 192.168.17.0 0.0.0.255
This access list will allow traffic into the network from all IP addresses in the range 192.168.17.0 to 192.168.17.255
access list 12 deny 192.168.27.0 0.0.0.255
This access list will deny traffic into the network from all IP addresses in the range 192.168.27.0 to 192.168.27.255
Both of these examples are called standard access lists; Cisco also has a more complex form called an extended access list that can be more specific in the controls such as port numbers, protocols, or network operations.
- slide 5 of 5
Access controls are an important part of security. There is authentication control which can be used to regulate access to a computer or a network. But the open conditions of the Internet make it more important to have controls that are part of the Internet. That is what IP-based access control systems can provide. Traffic from remote sites can be regulated or controlled. Specific sites can be allowed in. Traffic going out can also be controlled, for example, to a specific location only. IP-based access control gives a network administrator a lot of flexibility.
Additional Source: Cisco Access Control List