07-25-2020 01:22 PM - edited 08-28-2020 07:07 AM
I recently was discussing network security with some experienced network guys (and I am not a networking guy!). This was in the context of connectivity to cloud systems. I was arguing that a port-based ACL did not really enforce the protocols that could traverse that ACL and that it only literally enforces the dst/src TCP/UDP port. For example, a rule allowing port 443 only is often presented at architecture meetings as allowing TLS/SSL, but to my eye it does nothing of the sort. Only protocol inspection/enforcement would do that. They argued the opposite.
Who's correct?!
07-28-2020 10:04 AM
Anyone?
07-28-2020 11:06 AM
The answer really depends on the deployment. But, you are both correct.
The issue here is that TLS/SSL is an encryption layer that runs on top of HTTP. The two combined become HTTPS, which then runs over port TCP/443. If you block HTTPS in a port-based ACL you would effectively also be blocking TLS/SSL traffic.
Now, if you use an inspection policy, yes, you can block all encrypted traffic that uses TLS/SSL based on the protocol. However, the reason for using an inspection policy isn't just to drop all traffic that uses TLS/SSL but to provide inspection for known SSL traffic.
08-28-2020 07:09 AM
Thanks for the reply. So it's fair to say that if I have an ACL that allows TCP port 443 only, but with no inspection enabled on it, then I can pass any protocol over port 443?
09-03-2020 04:18 AM
Yes, if you only have an ACL that allows TCP/443 then you could, theoretically, tunnel protocols over the connection.