Specifications
4-67
Cisco Internet Streamer CDS 2.0-2.3 Software Configuration Guide
OL-13493-04
Chapter 4 Configuring Devices
Configuring the Service Engine
Step 3 Click Submit to save the settings.
Configuring IP ACL
Note This is a Release 2.1 feature.
Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP
packets from crossing specified interfaces. Packet filtering helps to control packet movement through
the network. Such control can help limit network traffic and restrict network use by certain users or
devices.
You can also apply ACLs to management services such as SNMP, SSH, HTTPS, Telnet, and FTP. An ACL applied to one of these services restricts which traffic that service will accept and handle.
In a managed CDS network environment, administrators need to be able to prevent unauthorized access
to various devices and services. CDS supports standard and extended ACLs that allow administrators to
restrict access to or through a CDS network device, such as the SE. Administrators can use ACLs to
reduce the infiltration of hackers, worms, and viruses that can harm the network.
ACLs provide controls that allow various services to be tied to a particular interface. For example, the
administrator can use IP ACLs to define a public interface on the Service Engine for content serving and
a private interface for management services (for example, Telnet, SSH, SNMP, HTTPS, and software
upgrades). A device attempting to access one of the services must be on a list of trusted devices before
it is allowed access. The implementation of ACLs for incoming traffic on certain ports for a particular
protocol type is similar to the ACL support for the Cisco Global Site Selector and Cisco routers.
To use ACLs, the system administrator must first configure ACLs and then apply them to specific
services. The following are some examples of how IP ACLs can be used in various enterprise
deployments:
• An application layer proxy firewall with a hardened outside interface has no ports exposed. (Hardened means that the interface carefully restricts which ports are available for access, primarily for security reasons. Because the interface is outside, many types of attacks are possible.) The SE’s outside address is globally accessible from the Internet, while its inside address is private. The inside interface has an ACL to limit Telnet, SSH, and CDSM traffic.
• An SE is deployed anywhere within the enterprise. As with routers and switches, the administrator wants to limit Telnet, SSH, and CDSM access to the IT source subnets.
• An SE is deployed as a reverse proxy in an untrusted environment, and the administrator wishes to allow only port 80 inbound traffic on the outside interface and outbound connections on the back-end interface.
Note IP ACLs are defined for individual devices only. IP ACLs cannot be managed through device groups.
When you create an IP ACL, you should note the following constraints:
• IP ACL names must be unique within the device.
• IP ACL names must be limited to 30 characters and contain no spaces or special characters.
• The CDSM can manage up to 50 IP ACLs and a total of 500 conditions per device.
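The following Python is an added illustration, not code from the guide or from the CDS software: it models the first-match evaluation of standard and extended conditions on an interface and checks the naming and count constraints listed above. The condition fields, the implicit deny at the end of an ACL, the permitted name characters, and the addresses and ports are assumptions.

```python
import ipaddress
import re

# Limits stated in the guide; the character rule is an assumption (the guide
# only says "no spaces or special characters").
MAX_NAME_LEN, MAX_ACLS, MAX_CONDITIONS = 30, 50, 500
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,%d}$" % MAX_NAME_LEN)


class Condition:
    """One ACL line. A standard condition tests the source address only;
    an extended condition may also test protocol and destination port."""
    def __init__(self, action, src, proto=None, dport=None):
        assert action in ("permit", "deny")
        self.action, self.src = action, ipaddress.ip_network(src)
        self.proto, self.dport = proto, dport

    def matches(self, pkt):
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        return self.dport is None or pkt.get("dport") == self.dport


def evaluate(acl, pkt):
    """First matching condition wins; a packet matching no line is denied
    (the implicit deny at the end of an ACL, assumed here)."""
    for cond in acl:
        if cond.matches(pkt):
            return cond.action
    return "deny"


def validate(acls):
    """Check the per-device constraints the guide lists. `acls` maps ACL
    name -> condition list, so names are unique by construction."""
    problems = ["bad ACL name: %r" % n for n in acls if not NAME_RE.match(n)]
    if len(acls) > MAX_ACLS:
        problems.append("more than %d ACLs on the device" % MAX_ACLS)
    if sum(len(c) for c in acls.values()) > MAX_CONDITIONS:
        problems.append("more than %d conditions on the device" % MAX_CONDITIONS)
    return problems


# Constructed scenario: the private interface admits SSH, Telnet and HTTPS
# only from the IT subnet; the outside interface admits only port 80.
INSIDE_MGMT = [Condition("permit", "10.1.0.0/24", "tcp", p) for p in (22, 23, 443)]
OUTSIDE_WEB = [Condition("permit", "0.0.0.0/0", "tcp", 80)]
```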