topic Re: Port Based ACLs vs Protocol Enforcement in Network Security

Port Based ACLs vs Protocol Enforcement

shockocisco — Fri, 28 Aug 2020 14:07:54 GMT

I recently was discussing network security with some experienced network guys (and I am not a networking guy!).This was in the context of connectivity to cloud systems. I was arguing that port based ACL did not really enforce protocols that could traverse that ACL and that it only literally enforces the dst/src TCP/UDP port. For example, a rule allowing port 443 only is often presented at architecture meetings as allowing TLS/SSl but to my eye it does nothing of the sort. Only protocol inspection/enforcement would do that. They argued the opposite.

Who's correct?! 🙂

Re: Port Based ACLs vs Protocol Enforcement

shockocisco — Tue, 28 Jul 2020 17:04:47 GMT

Anyone?

Re: Port Based ACLs vs Protocol Enforcement

Marius Gunnerud — Tue, 28 Jul 2020 18:06:15 GMT

The answer really depends on the deployment. But, you are both correct.

The issue here is that TLS/SSL is an encryption that runs ontop of HTTP. The two combined become HTTPS which then runs over port TCP/443. If you block HTTPS in a port based ACL you would effectively also be blocking TLS/SSL traffic.

Now, if you use an inspection policy, yes, you can block all encrypted traffic that uses TLS/SSL based on the protocol. However, the reason for using an inspection policy isn't just to drop all traffic that uses TLS/SSL but to provide inspection for known traffic SSL traffic.

Re: Port Based ACLs vs Protocol Enforcement

shockocisco — Fri, 28 Aug 2020 14:09:51 GMT

Thanks for the reply. So it's fair to say that is I have an ACL that allows TCP port 443 only but with no inspection enabled on it then I can pass any protocol over port 443?

Re: Port Based ACLs vs Protocol Enforcement

Marius Gunnerud — Thu, 03 Sep 2020 11:18:43 GMT

Yes, if you only have an ACL that allows TCP/443 then you could, theoretically, tunnel protocols over the connection.