topic Re: Difference between Firewall and Access Control List in Network Security

Difference between Firewall and Access Control List

d.bigerstaff — Mon, 11 Mar 2019 11:09:33 GMT

Just a quick question really...

What is the difference between an ACL and a firewall?

As far as i can see they both can deny/permit traffic based on source or destination IP/network as well as by protocol and port.

Are they essentially the same thing or am I overlooking something blindingly obvious?

Many thanks

Re: Difference between Firewall and Access Control List

Jon Marshall — Tue, 11 Sep 2007 13:19:10 GMT

An access-list is not stateful whereas a firewall is ie.

when a conversation between a two machines is setup with a firewall in between the traffic path the firewall keeps track of not just the IP address/port number but also the TCP flags that are used in the packet.

So if i initiate a connection to a server using telnet my intial packet has

Source IP address: 192.168.5.1 (my client)

source port: 23467 ( random generated port)

destination IP address: 172.16.10.1 (telnet server)

destination port: 23 ( telnet port )

TCP Flag: SYN

The firewall will enter this into it's state table.

Now when the server responds

source IP address: 172.16.10.1

source port: 23

destination IP address: 192.168.5.1

destination port: 23467

TCP Flags SYN/ACK

The firewall receives this packet, checks it's state table and realises this is a return packet to the initial packet sent out by the client.

So if the above packet from the server was sent to the client, but the client had not actually sent a packet first the firewall would drop the packet because it has no entry in it's state table.

An access-list has no real concept of state as such although the "established" keyword is a pseudo type of statefulness.

HTH

Jon

Re: Difference between Firewall and Access Control List

srue — Tue, 11 Sep 2007 13:25:02 GMT

"An access-list has no real concept of state as such although the "established" keyword is a pseudo type of statefulness. "

i just want to elaborate on this last line. Using the established keyword with an ACL entry (ACE) allows *all* packets that match the ACE regardless of whether the packet in question is in response to an outbound packet. What this means is if you can code a packet to set one of the tcp flags that the 'established' key word checks for, it will pass the ACL check, even though it was not sent in response to any other packet from the protected network - ie it allows ALL packets w/ the ack/rst bit set.

For this reason, reflexive acl's are a better choice than this method.

(and to be complete, IOS firewall is better than reflexive acl's).

And of course PIX is better than IOS firewall in this respect.

Re: Difference between Firewall and Access Control List

Jon Marshall — Tue, 11 Sep 2007 13:32:57 GMT

Hi Steven

Agreed, and perhaps using the words "pseudo type of statefulness" was a bit misleading.

Thanks for expanding on this.

Jon

Re: Difference between Firewall and Access Control List

d.bigerstaff — Tue, 11 Sep 2007 14:55:32 GMT

Thank's for your explaination guys, it's much appreciated.