Book Review

Cisco Access Lists Field Guide

Gil Held and Kent Hundley
McGraw-Hill, 2000, 263 pages



Access control lists or ACLs are a feature of Cisco IOS that allows network administrators to create firewalls to block out unwanted traffic. This is a very appealing approach for small organizations that have straightforward requirements and don't need to defend against large-scale denial-of-service attacks. For a beginner, however, ACLs are intimidating, because it's often difficult to know everything that should be blocked -- and you have to get it right the first time, or risk disrupting the connection of your network to the outside world.

The book starts with a review of routers and router configuration, and then discusses the various types of ACLs including dynamic, time-based, and reflexive ACLs. It then moves on to content-based access control, NAT and IPSec. The book begins to explain ACLs adequately, but stumbles when it gets to the examples. Some of the examples are just plain crazy. For example, one firewall blocks all traffic except HTTP and DNS connections originating on a Web server. Of course, port 80 HTTP connections don't originate on the Web server, but on the remote user's browser. So the ACL example would not block anything except your customers who wanted to visit your site.
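To make the direction error concrete, here is an added illustration that is not from the book or the review: a small Python model of how an IOS access list is evaluated (first matching entry wins, an implicit deny at the end, and the `established` keyword matching only packets that are not the opening SYN). The addresses, entries and sample packets are constructed for the demo. The "wrong" list treats the web server as the source of HTTP, as in the example the review criticizes; the "right" list names the server as the destination on port 80.

```python
"""Added example (not from the book or the review): a simplified IOS-style ACL
evaluator showing why an entry written with the web server as the *source* of
HTTP does not admit customer traffic. All addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # True for the first packet of a TCP connection


@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", or "ip" (any protocol)
    src: str                     # CIDR; "0.0.0.0/0" plays the role of "any"
    dst: str
    dport: Optional[int] = None  # None means any destination port
    sport: Optional[int] = None  # None means any source port
    established: bool = False    # like IOS "established": skip the opening SYN


def matches(entry: Entry, pkt: Packet) -> bool:
    """Does this single ACL entry match the packet?"""
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(entry.src):
        return False
    if ip_address(pkt.dst) not in ip_network(entry.dst):
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    if entry.sport is not None and entry.sport != pkt.sport:
        return False
    if entry.established and pkt.syn_only:
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry decides; IOS appends an implicit 'deny' at the end."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"


WEB = "192.0.2.10"  # constructed address of the organization's web server
DNS = "192.0.2.53"  # constructed address of its DNS server

# The mistaken list described in the review: HTTP and DNS "originating on the
# web server". Nothing a customer sends has the web server as its source.
WRONG_INBOUND = [
    Entry("permit", "tcp", f"{WEB}/32", "0.0.0.0/0", dport=80),
    Entry("permit", "udp", f"{DNS}/32", "0.0.0.0/0", dport=53),
]

# Corrected direction: clients connect *to* the server on port 80. Replies to
# connections opened from inside are admitted only once a session exists.
RIGHT_INBOUND = [
    Entry("permit", "tcp", "0.0.0.0/0", f"{WEB}/32", dport=80),
    Entry("permit", "udp", "0.0.0.0/0", f"{DNS}/32", dport=53),
    Entry("permit", "tcp", "0.0.0.0/0", "192.0.2.0/24", established=True),
]

# A customer's browser opening a connection to the web server (constructed).
CUSTOMER_SYN = Packet("tcp", "203.0.113.5", 51000, WEB, 80, syn_only=True)
# A connection attempt to a port the site does not publish (constructed).
UNPUBLISHED_PORT = Packet("tcp", "203.0.113.5", 51001, WEB, 23, syn_only=True)


def demo() -> dict:
    """Decisions for the sample packets under both lists."""
    return {
        "wrong_customer": evaluate(WRONG_INBOUND, CUSTOMER_SYN),
        "right_customer": evaluate(RIGHT_INBOUND, CUSTOMER_SYN),
        "right_unpublished": evaluate(RIGHT_INBOUND, UNPUBLISHED_PORT),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Under the mistaken list the customer's opening packet falls through to the implicit deny, which is exactly the "blocks nothing except your customers" outcome the review describes; the corrected list admits it and still drops the attempt on the unpublished port. The model omits wildcard masks, logging and the other IOS details, so treat it as a way to reason about direction, not as a substitute for testing a real configuration.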

Although some passages in the book are clearly written, others appear designed to confuse the reader. For example, the chapter on reflexive access lists contains the following paragraph:

    ... a better solution would be to apply the extended access list named outfilter to the ethernet0 interface as an inbound filter, which better follows the rule of thumb of attempting to apply an access list to the closest source of packets to be filtered. However, if we did this, we would need to leave the inbound filter on the serial interface to ensure that the dynamic openings were created on the correct interface. Note that we could place both filters on the Ethernet interface, but this would allow all inbound packets into the serial interface, which would leave the router itself vulnerable to attack, even though the inside Ethernet interface would be protected.

If you think that this paragraph makes more sense after reading the chapter, or after studying the examples, you'd be wrong. Although the diagrams are clear, the confused language used throughout the book makes the simple topic of ACLs appear to be hopelessly complex.

Although the book's cover says there are "more than 100 practical examples of access lists", in fact most of these examples are incomplete snippets of code, and many of these snippets contain typographical errors. It would have been helpful if the authors had included a complete, functional ACL firewall incorporating all the features described in the book, so that readers could see how everything fits together.

Despite these problems, this is one of the better books on configuring Cisco routers available. Most are far worse than this one.


January 29, 2003