Firstly, most people believe that ACL’s are used purely for denying or allowing traffic, although this is certainly one of the functions of a ACL it certainly not the only function. ACL’s can be used for

1/ Permitting or denying packets moving THROUGH the router.

2/ Permitting or denying packet TO or FROM the router.

3/ QOS (Quality of Service)

4/ DDR (Dial-on Demand Routing)

5/ Route filtering

So let’s break down each of the above to see its use.

1/ When you want to restrict traffic from flowing THROUGH a router, you can attach a ACL to an interface of the router. This can be done on a INBOUND or OUTBOUND direction. The direction of the traffic is vitally important and how the router processes the information differs depending on direction of the ACL. If the ACL is bound to an interface INBOUND the ACL will take effect before any processing is done by the router. If the ACL is bound to an interface in a OUTBOUND direction, the router would have already processed the packet entirely before possibly dropping it. This could increase the processing on the router unnecessarily.

2/ Attaching an ACL to an interface however does NOT stop traffic that is going TO or FROM the router. This means that if I’m trying to telnet to the router, the ACL on the interface will NOT APPLY. In order to restrict traffic TO or FROM the router we need to attach the ACL to the Virtual Interfaces of the router (VTY lines).

3/ QOS uses ACL to define traffic that you wish to prioritise. The ACL are not bound to interfaces but are used in modular QOS

4/ When using dial-up interfaces such as modems or ISDN you don’t want to allow any traffic to cause the interfaces to dial. If all traffic was allowed to cause the lines to dial then every time a broadcast message took place the lines would dial. This would result in the lines constantly been connected and result in a large phone bill. With ACL for DDR we define what traffic is allowed to make the modem or ISDN lines dial and create a connection. It is important to understand that when the line is active ALL traffic is allowed to flow through the line. These ACL do not restrict traffic from flowing, they restrict traffic from causing the lines to dial!

5/ Route filtering is used when we wish to re-distribute routes learnt from one routing protocol into another one. This is most commonly seen when you have an EGP (Exterior Gateway Protocol) like BGP and you wish to insert some of the routes learnt from BGP into your IGP (Interior Gateway Protocol) such as OSPF. You cannot re-distribute the entire BGP routing table into OSPF as OSPF cannot handle a routing table of that size, so we can restrict which entries that will be re-distributed using an ACL.

Now that we understand the different uses of Access Control List we now need to see the 3 different types of ACL’s. STANDARD, EXTENDED and NAMED

Standard ACL only check the source address of the packet and can either permit or deny the entire protocol suite. It will have a number between 1-99 and 1300-1999

Extended ACL can check the source and destination addresses, the source and destination port numbers, and specific protocols. It will have a number between 100-199 and 2000-2699

Named ACL can be either standard or extended ACL, however we can associate a name to the ACL instead of using numbers.

Guidelines:

- One ACL per interface, per protocol, per direction

- The order of ACL statements is important. Once  match has been made no further testing is done.

- The most restrictive statements go at the top of the list

- The last statement in an ACL is ALWAYS an implicit deny any, so every ACL needs at least one permit statement

- ACL must be configured before applying them to interfaces

Related posts:

1. Restricting access to VTY (Virtual Terminal Lines)
2. Mitigating Smurf DoS Attacks
3. Configuring VTY Access

The CIDR value is a value that indicates how many bits does the Subnet mask have turned “on”

 For example, if I have the IP address 10.1.2.3 with a Subnet mask of 255.0.0.0, and we convert the subnet mask into binary we get 11111111.00000000.00000000.00000000 – we can see clearly that there are 8 bits turned ‘on’ in the subnet mask.

 Therefore we could write the short version of our IP address as 10.1.2.3/8

 The ‘/8′ tells us there are 8 bits used in the subnet mask.

So if we had an IP address of 172.16.1.2 with a subnet mask of 255.255.0.0 (In binary 11111111.11111111.00000000.00000000), there are 16 bits turned ‘on’ so the short version would be 172.16.1.2/16

And 192.168.1.10 255.255.255.0 could be written as 192.168.1.10/24

Related posts:

1. What is an IP address
2. Classless IP Addresses
3. Wildcard Mask

If we look at a hashing algorithm such as MD5, which is 128-bits, it’s role and purpose is to take any data you wish, and turn it INTO 128-bits. Now if you imagine I have a manual of 800 pages and I was to run it through the MD5 algorithm, the output would be 128-bits…. that’s 128 1′s and 0′s… how is it possible to turn 128 1′s and 0′s back into a 800 page manual? 128-bits might be big enough to indicate to us what language the book was written in, but what font type? Font size? Where is the page numbering? Are there pictures? Etc…

So if it’s impossible to reverse something that has been hashed, what is it used for? The simple answer is Integrity. Integrity is there for us to prove that the data has not been tampered with, or changed in any way, and to proof it came from the correct person.

As an example, If I was to send you an e-mail that said, “please pay John Doe $100″, and John Doe was to intercept that e-mail and changed it to say “please pay John Doe $1000″ I would not be too happy when my account was debited with the wrong amount. So what if instead of just sending you a clear message, I was to take the original data “please pay John Doe $100″ and then I was to take a secret word that only you and I knew about like “secretpassword” and hashed both values together. This would result in a 128-bit hash value (Result1), that I would then attach to the original message “please pay John Doe $100″

When you receive the e-mail it will have the original message “please pay John Doe $100″ and it will have ‘Result1′. You will take the original message, and take the password that only you and I know about “secretpassword” and hash them together. You would end up with a result (Result2). If ‘Result1′ is equal to ‘Result2′ then the message is correct and has not been tampered with. If the two input fields “please pay John Doe $100″ and “secretpassword” are used on both sides, the result has to be the same…. If the result is not the same, the two inputs used on my side are not the same as the two input fields on your side. Assuming we both have used the same password, then the only that could have changed is the message, proving the message has been tampered with, and we can throw it away.

Hashing is also used extensively in passwords for authentication. When I log onto my computer in the morning, I type my username “user” and I type my password “password”. My computer sends my username to my Domain Controller in clear text (no encryption or hashing), and sends the HASH of my password not the actual password! My Domain Controller knows what my password is supposed to be, so it checks my user account in its database, retrieves what my password should be, then it hashes my password that it retrieved from its database and compares that with what I sent it. If the two results are the same, I typed my password in correctly, if they are different, I got my password wrong. This is really good from a security point of view, as if someone was to ‘listen in’ on my conversation to try receive my password as it’s sent to the Domain Controller, all they would get is the Hash value, and not my password.

Note: When computers hash passwords they also include extra information in the equation such as the session number, which prevents the Hash from been re-played by someone else.

Related posts:

1. How encryption works
2. Decrypting Type 7 Passwords (enable password)
3. Configuring SSH (Secure Shell) on a Cisco device

If you can imagine that you and I have a 10 meter cable, that has 10,000 wires running through it, and I take 2 of the wires and attach them into the ends of a battery, and you choose 2 wires on your end and attach them to a small light bulb. What chance have we got that my battery causes your light to glow?

However, what if I told you that I was using the green wire for the positive and the blue wire for the negative. If you took the same wires and attached them to your light bulb now we would have success.

In the same way, devices on our networks also select ports for different types of connections and different types of applications. The difference with port selection, is that these ports are logical and do not represent a physical wire at all.

If we look at surfing the web for example, when you open up your browser and type in an address of a website like www.aoip.org , your browser tries to make a connection to our website using a protocol called HTTP. HTTP uses port 80 to communicate, and if our server is not listening to port 80, the webpage’s would not open.

If you were to download a file off the internet using the FTP (File Transfer Protocol), you would be using port 20 and 21.

Below are a list of ports that are worthwhile knowing by memory, not to say these are the only ports you need to know, but it’s certainly a good start.

20 – FTP Data

21 – FTP Authentication

23 – Telnet

25 – SMTP (Simple Message Transport Protocol)

53 – DNS (Domain Name Service)

80 – HTTP (Hyper Text Transport Protocol)

110 – POP3 (Post Office Protocol)

443 – SSL / HTTPS (Security Socket Layer)

If you are running a Microsoft Windows computer, you can have a look at file that your computer uses when it boots to learn the port numbers needed for certain protocols and applications. You can find this file in the ‘Windows root folder – System32 – Drivers – etc’ the file is called ‘Services’ You can open this with Notepad or WordPad and have a look at what your machine is learning about during the boot-up phase.

It’s also worth noting, that as a general rule of thumb, any port numbers below 1024 are for International Specifications, and the products are not owned by anyone. Any port numbers from 1024 up to 65,535 are Vendor based, and the owner of the product has registered his product with the IANA for its use. There is of course exceptions to this rule… if you open the services file on your computer, have a look at port 666. It’s owned by the company ID Software, and used by the Game DOOM.

Related posts:

1. How encryption works
2. What is Binary?
3. Useable IP addresses in private networks

Class A

10.0.0.1 – 10.255.255.254

Class B

172.16.0.1 – 172.31.255.254

Class C

192.168.0.1 – 192.168.255.254

The IP addresses above are allowed to be used inside your private networks, whether this for home use or company use, may NOT appear on the internet. Since everyone on the planet uses the above guidelines, you can imagine that more than one person has the IP address 10.0.0.1, and if this was to ‘appear’ on the internet, there would be multiple conflicts.

For example, at my house I am using the IP address range of 10.0.0.1 – 10.0.0.254 for all my computers and networking devices. However in order for me to surf the web from my house, something has to translate my internal IP addresses, to a single Public IP address (that my Internet Service Provider gives me). This process is known as NAT (Network Address Translation) and is usually performed by a Router, in my case it’s my ADSL router that connects to my phone line. The other major advantage of running this system, is that my house only uses one public IP address, even though I may have hundreds or thousands of devices that use internal IP addresses. If you think about this from a company perspective, which might have tens of thousands of devices with internal IP addresses, they only need one IP address for internet access, and hence the ISP’s only have to issue and administer a single IP address for a large organisation.

Related posts:

1. NAT (Network Address Translation)
2. Class-full IP Addresses
3. What is an IP address

Class-full addresses are broken down into 5 different classes, A – E. In order to find out what class an IP address belongs to, all we need to do is look at the first octet and look at the below table.

Class A

Number in the first octet:            1 – 126

Subnet mask:                            255.0.0.0

Class B

Number in the first octet:            128 – 191

Subnet mask:                            255.255.0.0

Class C

Number in the first octet:            192 – 223

Subnet mask:                            255.255.255.0

Class D

Number in the first octet:            224 – 239

Class E

Number in the first octet:            240 – 255

You will notice in the above I have not mentioned the subnet mask values for class D and E. At this point I’m only concerned with the Unicast Traffic (one-to-one) which are Classes A,B and C. Class D is used for Multicast traffic (one-to-many), and class E is used for Broadcast (one-to-all).

You will also notice that I have left out a start IP address of 127, this is deliberate as any IP address that starts with 127 is reserved for local loopback testing. The local loopback exists on every machine in the world, and you will be able to ping the IP address 127.0.0.1 from the machine you are reading this on. The purpose of this loopback, is to test that your network card is working and functional, assuming you cannot ping 127.0.0.1 there is a good chance you have a fault with your network card.

NOTE: Although 127 is not allowed in the first octet… it IS ALLOWED EVERYWHERE ELSE!!!

The next question I have been asked many times while teaching the concept, is “Why the funny numbers, why not something easy to remember?” And the answer goes back to binary…

If we look at the below table, you will notice a distinctive pattern. And if we look closer you will see the first line is for Class A, if we were to change the first bit our number would now be 128, which is what line 2 for Class B is. So based on the below pattern we can see where the ‘funny numbers’ come from. The below table, shows us not only a pattern which was used to create the numbers for each class, but also shows us what the first bits MUST be in order to fall under each class. In other words, Classs A has to have a first bit of ’0′, Class B has to have  ’10′ in its first bits, Class C = ’110′ Class D = ’1110′ and Class E = ’11110′

128         64            32            16              8              4              2              1

0

1              0

1              1              0

1              1              1              0

1              1              1              1              0

So in conclusion, if I had an IP address of 10.2.3.5 I would be able to tell that it’s a Class A address as the first octet is between 1-126, similarly if I had the IP address 172.16.2.3 if would be a class B since its first octet is between 128 – 191, and the IP address 192.168.1.2 would be a class C since its first octet is between 192-223.

Related posts:

1. Classless IP Addresses
2. CIDR – Classless Inter Domain Routing
3. Useable IP addresses in private networks

It is made up of 4 octets (separated by a ‘.’), each of which is 8 bits in size (32 bits in total).

If we look at our binary table for 8 bits, we can see that the very first number that we can create in 8 bits, by turning on all the switches to “off” is ’0′

The maximum value we can have in an 8 bit value, by turning all the switches ‘on’ is ’255′

 Thus, the lowest value that can be in a single octet of an IP address is ’0′, and the highest number that can exist is ’255′ giving us 256 possibilities (Don’t forget ’0′ is a number as well).

An IP address contains 2 pieces of information that we require to be able to route traffic to the correct device. It has a network value, and a host value.

We can identify which portion of the IP address is network and host based on the subnet mask (SnM).

If you can imagine a building that has 20 floors on it, and each floor has 100 people. If I wanted to find a person called Bob, the first thing I would need to find out, is which floor does Bob work on? Once I have found the correct floor, then I can find Bob. Similarly the network portion of the IP address would be the floor of the building, and the host would be Bob.

If we take an IP address such as 10.1.2.3 that has a SnM of 255.0.0.0 what can we discover?

The subnet mask tells us which portions of the IP address is the network, and which is the Host portion. If a bit in the subnet mask has been turned on, it tells us that the equivalent bit in the IP address is part of network portion.

So looking at the table below, we can see that the first 8 bits of the subnet mask have been turned on (set to ’1′). This tells us that the first 8 bits of the IP address is the network portion. Anywhere there is a ’0′ in the SnM represents the host portion.

00001010.00000001.00000010.00000011 (The IP address 10.1.2.3 in Binary)

11111111.00000000.00000000.00000000 (The SnM 255.0.0.0 in Binary)

 Based on the above, ’10′ is the name of our network, since the first 8 bits of the octet have been turned ‘on’ in the subnet mask, and the value of the first 8 bits in the IP address is equal to 10.  ’1.2.3′ is the name of our host since the last 3 octets of the subnet mask are set to ‘off’ which indicated the last 3 octets are the host portion.

As another example, if we look at the IP address 172.16.2.3 with a SnM of 255.255.0.0

10101100. 00010000.00000010.00000011 (172.16.2.3 in Binary)

11111111.11111111.00000000.00000000 (255.255.0.0 in Binary)

 We would be able to see that the network value is now ’172.16′ and the host is ’2.3′

For a third example, let’s look at the IP address 192.168.1.1 with a SnM of 255.255.255.0

11000000.10101000.00000001.00000001 (192.168.1.1 in Binary)

11111111.11111111.11111111.00000000 (255.255.255.0 in Binary)

 ’192.168.1′ is now our network, and ’1′ is the host

What you will also notice between each of the above, is that in the first example we had a total of 24 bits (3 octets of 8 bits each) that belong to the host portion of the IP address. This means that we could have a total of 16,777,216 (2 to the power of 24) hosts in our network called ’10′.

In the second example we have 16 bits that belong to the host portion of the IP address which gives us 65,536 (2 to the power of 16) hosts in our network called ’172.16′

The third example has 8 bits belonging to the host portion which gives us 256 (2 to the power of 8 ) hosts in our network called ’192.168.1′

There is a rule that you must remember however… The very FIRST and LAST values in the host portion, are not allowed to be given to a computer device to use as their address.

In our first example we had a network of ’10′ and the total IP range could have been 10.0.0.0 – 10.255.255.255 (16.7 Million values). This means the first value 10.0.0.0 is not allowed, and the last value 10.255.255.255 is not allowed. So the values that can be used and can be allocated to devices are 10.0.0.1 – 10.255.255.254.

 The reason for this is… the very first address (10.0.0.0) is the name of our network. This would be the equivalent of talking about floor 10 of a building, we are not talking about anyone on floor 10, we are talking ABOUT the whole floor. The very last address (10.255.255.255) is our broadcast address. This would be the same as having a PA system on floor 10 and sending a message to everyone on floor 10, we are talking TO the whole floor. It’s impossible for someone to be a floor, and it’s impossible for someone to be everyone, the same applies to IP address, it’s not possible for a computer device to be a network, and it’s impossible for a device to be everything.

 The biggest mistake I’ve seen people making regarding the rule, is that somewhere, someone told them that ’0′ and ’255′ are not allowed in the last octet. This is completely false!!!

In our first example, we CAN have an IP address of 10.0.1.0 as this is not the very FIRST IP address,10.0.0.0 is. Similarly, we CAN have an IP address of 10.0.0.255 as this is not the first or the last, 10.255.255.255 is the last.

Related posts:

1. CIDR – Classless Inter Domain Routing
2. Wildcard Mask
3. Class-full IP Addresses

Hex is used in many things in IT, most commonly seen in Mac addresses (A unique identity number on every Network Card).

It is also seen in certain features such as HSRP (Hot Standby Routing Protocol) group numbers.

This section is here to help understand how to convert Hex into Binary, and Binary into Decimal and of course the reverse.

Let’s begin with the easy one, the reverse… If I have the number 47 and wanted to convert that into Hexadecimal, the easiest way is to first put it into Binary.

Using our binary table (as described in the post “How to count in Binary” ) we see the binary value is 00101111

128         64            32           16           8              4              2              1

0              0              1            0            1              1              1              1

Hex is not that much harder to get to from here, but what we need to do is break up the byte (8 bits) into 2 halves of 4 bits each. And draw a new table above each of the 4 bits (as seen below)

8              4              2              1                                   8              4              2              1

0              0              1              0                                   1              1              1              1

You will notice that the above Binary is the same as it was in the first table, however I’ve split the 8 bits in half and created 2 new groups of 4 bits each.

If we look at the first group we see that only the 2 has been turned on which results in the value been equal to ’2′

In the second group, the 8 and 4 and 2 and 1 have all been turned on which results in the value been equal to ’15′ (8+4+2+1)

So we currently have 2 (from the first group) and 15 (from the second group). 2 is a valid number in Hex so it remains exactly the same however 15 is represented in Hex as ‘F’

Therefore 47 in Decimal is equal to 2F in Hexadecimal.

So what if we had the Hex value and wanted to get it back to Decimal, let’s look at the value 4C.

We know that ’4′ is a valid Hex value, and we now know that ‘C’ is a representation of ’12′ in Hex.

Working backwards we need to create 2 tables of 4 bits each, and fill ’4′ into the first table, and ’12′ into the second

8              4              2              1                                8              4              2              1

0              1              0              0                                1              1              0              0

After we have done this, we now need to re-join the 2 halves back into a single 8 bit structure

128         64            32           16           8              4              2              1

0              1              0            0            1              1              0              0

And if we add up all our “On” bits, we have (64+8+4=76)

Therefore 4C in Hexadecimal is equal to 76 in decimal

Related posts:

1. What is Binary?
2. What is an IP address
3. How to count in Binary

When I moved into my house, my bathroom door didn’t have a key. The previous owners of the house didn’t know what key was needed for that door as they never had one either.

I went down to my local hardware store and spoke to them about my problem, and after paying a deposit for a whole set of keys, I was on my way back home.

The key set they gave me was for the Y-standard (each key starts with Y, i.e. Y1, Y2, Y3 etc), and there were just over a hundred of these keys. So there I was, in my bathroom trying every key in the bunch starting at Y1 all the way through to the end. Now if it had been my lucky day, I would have tried Y1 and had success. Worst case scenario it would have been the very last key, which I think was Y115. Now with only about 115 keys to try, it really isn’t the end of the world, and I did manage to find the right one after some time.

The point to my scenario, is that no-one had to explain to me how to use a key, or how to unlock a door. That’s not a big secret to anyone. The big secret is, which key opens the door.

Similarly with encryption, the algorithm that is used to encrypt and decrypt data is freely available on the internet, if you were to do a couple searches you will find the equation used in particular formula – much like different doors have different types of locks.

The big difference between my bathroom door, and computer encryption, is the amount of keys in the bunch.

If we were to assume that there was such a thing as 3-bit encryption, then the possible keys would be

000

001

010

011

100

101

110

111

Giving us 8 possible keys to try (2 to the power of 3). Needless to say, with only 8 keys this would take no time at all to find the right one to “open our door”

Encryption technologies therefore use a much larger structure, and hence have a lot more keys that one would have to try to break into an encrypted document.

40-bit encryption (2 to the power of 40) gives us a total of 1,099,511,627,776 – That’s over a TRILLION possibilities, and it’s a good thing that my bathroom door didn’t have that many keys I had to try! But just how good is that? Considering that in human terms a trillion of anything is amazing. Computers however are able to do millions and billions of things per second. My computer for example, is able to test just over 10 million keys per second, which makes a trillion not that far out of reach. Based on that, it would take my machine 1.2 Days to crack a 40-bit encryption standard.

So how good is 56-bit encryption then?

56-bit will give us a total of 72,057,594,037,927,936 (72 Quadrillion keys!!!) I can’t even comprehend that amount of anything. But yet again, just how good is that really. Well based on my computer been able to do just over 10 million keys per second, it would take my computer 228 YEARS!!!! The beautiful thing about binary, is that for every bit larger the encryption key is, the amount of keys DOUBLES in size. So 57-bit would take me 456 Years, 58-bit would take me 912 Years etc.

The good news is, that encryption standards today usually work on

56-bit                             72,057,594,037,927,936         (228 years for my computer to decrypt)

64-bit                    18,446,744,073,709,551,616         (58,494 Years)

128-bit                  ???

1024-bit                ???

2048-bit                ???

Related posts:

1. Hashing, What is it and how does it work?
2. Configuring SSH (Secure Shell) on a Cisco device
3. Decrypting Type 7 Passwords (enable password)

So what is binary?
Binary is a number system based on a Base 2 system. If you remember your school days when you were taught how to count, more than likely your teacher explained how the Base 10 number systems worked. The 10 base number system allows numbers 0 – 9 to be placed under the correct column to be able to represent any possible number. In the table below, we can see the base 10 up to the power of 3 (1000).

So if we wanted to represent the number ‘3062’ we would have to place each number under the correct column

In the above diagram, we had to represent the number ‘3062’ or more precisely, 3 x 1000’s, 0 x 100’s, 6 x 10’s, 2 X 1’s (3000+0+60+2 = 3062)

Binary on the other hand, is not based on a base 10 number system, it’s based on a base 2. This means 2 things to us. Firstly, the ‘numbers’ we can place under each column can only be 0 or 1 (also known as “Off” and “On”). Secondly, our columns look much different.

So let’s say we wanted to represent the number ‘56’ in binary.

Since we can only place a ’0′ or ’1′ into our column, it really becomes a question of, do I need one of these values to make my number?

If I select yes ’1′ under column 128, the number would obviously be larger than 56. This means, I don’t need a ’128′ and also don’t need a ’64′ so I place a ’0′ under each of those columns. I do however need a ’32′ so I place a ’1′ under that column. I also need a ’16′ and a ’8′ and I don’t need any of the other numbers. IMPORTANT NOTE : You MUST place zero’s under the last columns as they are place holders!.

What I now have is a yes ’1′ under the columns 32, 16, 8 (1x 32, 1×16, 1×8,0×4,0×2,0×1 = 32+16+8+0+0+0 = 56)

The first zero’s in our column can be removed, so 56 can also be written in binary as 111000

Related posts:

1. How to convert Hexadecimal into Decimal
2. What is Binary?
3. What is an IP address