Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3356
Views
10
Helpful
4
Replies

Port Based ACLs vs Protocol Enforcement

Go to solution
shockocisco
Level 1
Level 1

‎07-25-2020 01:22 PM - edited ‎08-28-2020 07:07 AM

I recently was discussing network security with some experienced network guys (and I am not a networking guy!).This was in the context of connectivity to cloud systems.  I was arguing that port based ACL did not really enforce protocols that could traverse that ACL and that it only literally enforces the dst/src TCP/UDP port. For example, a rule allowing port 443 only is often presented at architecture meetings as allowing TLS/SSl but to my eye it does nothing of the sort. Only protocol inspection/enforcement would do that. They argued the opposite.

 

Who's correct?!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to shockocisco

‎09-03-2020 04:18 AM

Yes, if you only have an ACL that allows TCP/443 then you could, theoretically, tunnel protocols over the connection.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

4 Replies 4

Go to solution
shockocisco
Level 1
Level 1

‎07-28-2020 10:04 AM

Anyone?

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎07-28-2020 11:06 AM

The answer really depends on the deployment. But, you are both correct.

The issue here is that TLS/SSL is an encryption that runs ontop of HTTP.  The two combined become HTTPS which then runs over port TCP/443.  If you block HTTPS in a port based ACL you would effectively also be blocking TLS/SSL traffic.

Now, if you use an inspection policy, yes, you can block all encrypted traffic that uses TLS/SSL based on the protocol.  However, the reason for using an inspection policy isn't just to drop all traffic that uses TLS/SSL but to provide inspection for known traffic SSL traffic.

--
Please remember to select a correct answer and rate helpful posts

Go to solution
shockocisco
Level 1
Level 1

‎08-28-2020 07:09 AM

Thanks for the reply. So it's fair to say that is I have an ACL that allows TCP port 443 only but with no inspection enabled on it then I can pass any protocol over port 443?

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to shockocisco

‎09-03-2020 04:18 AM

Yes, if you only have an ACL that allows TCP/443 then you could, theoretically, tunnel protocols over the connection.

--
Please remember to select a correct answer and rate helpful posts
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card