10-17-2012 08:05 AM - edited 03-07-2019 09:31 AM
Hi all,
I have a subinterface configured for a secured VLAN. To secure the VLAN I implemented ACLs in both directions. To allow return traffic from TCP sessions I ended both ACLs with 'permit tcp any any established'.
However, by having tcp established in both the IN and OUT direction, it seems that this creates a security hole, in that now quite a lot of traffic (RDP, VNC) passes the ACL without it being specified as permitted/allowed!
Is this behaviour well-known or has someone experienced this before?
I could not find any documentation on this behaviour, but I might have missed it...
KR,
Bas
10-17-2012 09:24 AM
Hi Bas,
I would permit tcp any any established in the outbound direction only. I would then create specific entries for the inbound traffic on the other ACL- i.e. permit tcp any host x.x.x.x eq 443.
Is there a lot of traffic coming inbound?
Thanks!
Nick
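To make the difference between the two layouts concrete, here is an added example (not code from either post and not Cisco's own implementation): a small Python model of how an IOS TCP ACL entry with the `established` keyword is matched. It encodes only the documented rule that `established` matches a segment whose ACK or RST bit is set, plus top-down evaluation with the implicit deny at the end. The addresses (192.0.2.10, 10.0.0.5), the ports and the sample packets are constructed for illustration; the NTP and administrator entries Bas mentions but does not show are omitted, and 10.0.0.5 stands in for the `x.x.x.x` in Nick's suggestion.

```python
# Added example: minimal model of Cisco IOS 'established' matching.
# Not Cisco code. Only the documented semantics are modelled:
#   - 'established' matches when the TCP ACK or RST flag is set
#   - entries are evaluated top-down, first match wins
#   - every IOS ACL ends with an implicit deny
from dataclasses import dataclass
from typing import List, Optional

ACK = 0x10
RST = 0x04
SYN = 0x02


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: int  # TCP flag bits


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    dst: str = "any"          # destination host or "any"
    dport: Optional[int] = None
    established: bool = False


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Stateless match: the entry sees only this one segment, never the session."""
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.established and not (pkt.flags & (ACK | RST)):
        return False
    return True


def acl_decision(acl: List[Ace], pkt: Packet) -> str:
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL


# Bas's layout: 'permit tcp any any established' as the last entry of both ACLs
# (the NTP/admin entries that precede it in the real config are not on the page).
ACL_IN_ORIGINAL = [Ace("permit", established=True)]
ACL_OUT = [Ace("permit", established=True)]

# Nick's suggestion: explicit inbound entries only, 'established' on the outbound ACL.
# 10.0.0.5 is a hypothetical inside host standing in for x.x.x.x.
ACL_IN_SUGGESTED = [Ace("permit", dst="10.0.0.5", dport=443)]

# Constructed sample segments (hypothetical outside host 192.0.2.10).
SYN_TO_RDP = Packet("192.0.2.10", "10.0.0.5", 3389, SYN)          # new RDP connection attempt
ACK_TO_RDP = Packet("192.0.2.10", "10.0.0.5", 3389, ACK)          # bare ACK, e.g. an ACK scan probe
RST_TO_RDP = Packet("192.0.2.10", "10.0.0.5", 3389, RST)          # bare RST
SYN_TO_HTTPS = Packet("192.0.2.10", "10.0.0.5", 443, SYN)         # new HTTPS connection attempt
REPLY_OUT = Packet("10.0.0.5", "192.0.2.10", 51000, ACK)          # inside host answering a session


def evaluate_all() -> dict:
    """Decision of each ACL layout for each constructed segment."""
    return {
        "original_in": {
            "syn_to_rdp": acl_decision(ACL_IN_ORIGINAL, SYN_TO_RDP),
            "ack_to_rdp": acl_decision(ACL_IN_ORIGINAL, ACK_TO_RDP),
            "rst_to_rdp": acl_decision(ACL_IN_ORIGINAL, RST_TO_RDP),
        },
        "suggested_in": {
            "ack_to_rdp": acl_decision(ACL_IN_SUGGESTED, ACK_TO_RDP),
            "syn_to_https": acl_decision(ACL_IN_SUGGESTED, SYN_TO_HTTPS),
        },
        "out": {
            "reply_out": acl_decision(ACL_OUT, REPLY_OUT),
        },
    }


if __name__ == "__main__":
    for acl_name, results in evaluate_all().items():
        for pkt_name, decision in results.items():
            print(f"{acl_name:13s} {pkt_name:13s} -> {decision}")
```

The point the model makes visible is that `established` is stateless: an inbound entry carrying it lets any segment with ACK or RST set through to any port, because the router never checks whether the session it claims to belong to exists. Putting the keyword on the outbound ACL only, with explicit inbound entries, removes that inbound path.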
10-18-2012 12:55 AM
Hi Nick,
It's more like this: the VLAN used to be completely separated and production-only, and I opened it up a little bit with these ACLs for NTP and some access for the system administrators. That's why I have to cover both the IN and OUT bound directions. A few months later it seems the entire thing is wide open, for example to RDP traffic. This surprised me a lot, I must say, so I am very curious whether this method of having the ACLs in both the inbound and outbound direction contain 'permit tcp any any established' would open up security instead of containing traffic.
As this is production, I don't know how much traffic has been flowing in the meantime, nor can I currently interrupt it with the risk of interfering with traffic. That's why I need to be careful about this and explain the behaviour I'm seeing without actually changing too much. If some of you knew of this problem, it would give me a clear direction as to where to look for it.
I'll try to mimic the situation with a dummy VLAN and see where I end up.
KR,
Bas