Overview
From fiber to phone lines, from huge corporate networks to a single home user, security dominates the discussion of today's computer networks. Securing an IP-based network can be a difficult task, largely because the Internet is based on open standards. Because nonproprietary technologies such as TCP/IP are so well known, their bugs and their limitations are well publicized -- and often easily exploited.

Fortunately, the rush to connect businesses, schools, and homes to the Internet has given way to a more cautious, security-savvy approach to building networks. Even as residential broadband brings "always-on" Internet connectivity to homes, average home users have taken to installing firewalls and other security measures. Meanwhile, the growth of e-commerce has prompted corporations to spend more resources on fortifying network security.

Virtually all computer networks have some portion that is IP-based, so it is imperative that you learn how to restrict and control TCP/IP access. The key to access control is the access list, or access control list (ACL). These lists are the building blocks of IP firewalls, and firewalls stand on the front lines of Internet security. A firewall is hardware, software, or a combination of the two that protects a network from unauthorized access.

After providing a quick review of access list syntax, this chapter examines advanced IP security configurations, including restricting router access, dynamic access lists (lock-and-key), null0 routes, and the established argument. Finally, this chapter examines the next generation of IP traffic management: reflexive access lists and context-based access control (CBAC).