cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2711
Views
10
Helpful
4
Replies
shockocisco
Beginner

Port Based ACLs vs Protocol Enforcement

I recently was discussing network security with some experienced network guys (and I am not a networking guy!).This was in the context of connectivity to cloud systems.  I was arguing that port based ACL did not really enforce protocols that could traverse that ACL and that it only literally enforces the dst/src TCP/UDP port. For example, a rule allowing port 443 only is often presented at architecture meetings as allowing TLS/SSl but to my eye it does nothing of the sort. Only protocol inspection/enforcement would do that. They argued the opposite.

 

Who's correct?!

1 ACCEPTED SOLUTION

Accepted Solutions

Yes, if you only have an ACL that allows TCP/443 then you could, theoretically, tunnel protocols over the connection.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

4 REPLIES 4
shockocisco
Beginner

Anyone?

Marius Gunnerud
VIP Advisor

The answer really depends on the deployment. But, you are both correct.

The issue here is that TLS/SSL is an encryption that runs ontop of HTTP.  The two combined become HTTPS which then runs over port TCP/443.  If you block HTTPS in a port based ACL you would effectively also be blocking TLS/SSL traffic.

Now, if you use an inspection policy, yes, you can block all encrypted traffic that uses TLS/SSL based on the protocol.  However, the reason for using an inspection policy isn't just to drop all traffic that uses TLS/SSL but to provide inspection for known traffic SSL traffic.

--
Please remember to select a correct answer and rate helpful posts
shockocisco
Beginner

Thanks for the reply. So it's fair to say that is I have an ACL that allows TCP port 443 only but with no inspection enabled on it then I can pass any protocol over port 443?

Yes, if you only have an ACL that allows TCP/443 then you could, theoretically, tunnel protocols over the connection.

--
Please remember to select a correct answer and rate helpful posts
Create
Recognize Your Peers
Content for Community-Ad