(CCNA Question) Reflexive ACLs

Daniel Boling
Level 1

In the ICND2 book, it mentions the use of Reflexive ACLs to permit each TCP / UDP session on an individual basis. The example given lists a similar scenario:

Workstation (a.a.a.a:5000) > Router > Internet > Web Server (b.b.b.b:80)
                                                 Attacker (c.c.c.c:80)

The Reflexive ACL's logic is to control the individual session between the Workstation and the Web Server by restricting sent / received traffic between a.a.a.a:5000 and b.b.b.b:80, so as to prevent c.c.c.c:80 from passing traffic through the Router.

My question is why did the book phrase this example as a "Classic Case in which traditional ACLs create a security hole...", when a PAT session would restrict the protocol, inside global, inside local, outside local, and outside global IP header information? Traffic sent from the Attacker should never get beyond the Router's outside interface with PAT. As I upload this post, an outside host should not be able to source his port to 80 and flood my network.

Is the book assuming the Router is not using PAT, is there a reason for the over-redundancy, or am I missing something?

Thanks for your input

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Daniel,

Clearly the book, in introducing the concept of reflexive ACLs, compares them to traditional ACLs, and the use of any other possible feature like PAT is not considered.

Reflexive ACLs make the router behave similarly to a stateful firewall: the router builds a specific permit for return traffic from the legitimate server b.b.b.b:80 to a.a.a.a:5000 because it has seen the TCP handshake between the two endpoints, started from the internal client.

a.a.a.a:5000 -> b.b.b.b:80   with TCP flag SYN        outbound
b.b.b.b:80   -> a.a.a.a:5000 with TCP flags SYN, ACK  inbound
a.a.a.a:5000 -> b.b.b.b:80   with TCP flag ACK        outbound

If the attacker attempts to send traffic over a non-existing session (c.c.c.c:80, a.a.a.a:5000), this traffic can be blocked by the router, as a TCP session does not exist for these two endpoints.

A traditional ACL is not dynamic in nature, so it cannot think in terms of TCP sessions: it can allow traffic to the internal host on TCP port 5000, but it is stateless.

After the TCP session is closed, the router will remove the specific permit for the inbound return traffic.

This provides better security.

Edit:

for further reading

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-1mt/Configuring_IP_Session_Filtering_-_Reflexive_Access_Lists.html

Hope to help

Giuseppe

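The stateless-versus-reflexive behaviour described in the answer above, as an added example that is not part of the original thread and not Cisco's code: a small Python model of a router's outside interface that applies either a traditional extended ACL or a reflexive ACL to inbound packets. The IOS configuration in the docstring, including the access-list names OUTBOUND, INBOUND and TCPSESSIONS and the 300-second timeout, is an assumed sample; the packets are constructed test data using the thread's a.a.a.a / b.b.b.b / c.c.c.c endpoints. The model simplifies IOS teardown (no 5-second delay after the second FIN) and does not model UDP/ICMP entries.

```python
"""
Model of a traditional (stateless) ACL versus a reflexive (stateful) ACL
on a router's outside interface.  Added example; not from the original post.

Assumed IOS configuration this model mirrors (names are assumptions):

  ip access-list extended OUTBOUND
   permit tcp any any reflect TCPSESSIONS timeout 300
  ip access-list extended INBOUND
   evaluate TCPSESSIONS
   deny ip any any
  interface <outside>
   ip access-group OUTBOUND out
   ip access-group INBOUND in
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

CLIENT, SERVER, ATTACKER = "a.a.a.a", "b.b.b.b", "c.c.c.c"   # thread's endpoints

FlowKey = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]


def tcp(src: str, sport: int, dst: str, dport: int, *flags: str) -> Packet:
    """Build a constructed sample TCP packet (test data, not a capture)."""
    return Packet(src, sport, dst, dport, frozenset(flags))


class StatelessACL:
    """Traditional extended ACL on the inbound direction, the 'classic hole':
         permit tcp any eq 80 any     (meant for return web traffic)
         deny ip any any
    It matches on header fields only, so anything sourced from port 80 passes."""

    def outbound(self, pkt: Packet, now: float) -> None:
        return None   # outbound traffic leaves no state behind

    def inbound_allowed(self, pkt: Packet, now: float) -> bool:
        return pkt.src_port == 80


class ReflexiveACL:
    """Reflexive ACL: each permitted outbound packet creates (or refreshes) a
    temporary mirrored entry; inbound packets are allowed only if they match
    one.  Entries expire on idle timeout, on RST, or after FINs from both ends."""

    def __init__(self, timeout: float = 300.0) -> None:
        self.timeout = timeout
        self.sessions: Dict[FlowKey, List] = {}   # mirrored key -> [expiry, fins_seen]

    def outbound(self, pkt: Packet, now: float) -> None:
        # Entry is keyed as the *return* traffic will appear on the inbound ACL.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self.sessions.setdefault(key, [0.0, 0])
        entry[0] = now + self.timeout
        self._track_teardown(key, entry, pkt)

    def inbound_allowed(self, pkt: Packet, now: float) -> bool:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        entry = self.sessions.get(key)
        if entry is None:          # no session started from inside: deny
            return False
        if now > entry[0]:         # idle timeout reached: purge and deny
            del self.sessions[key]
            return False
        entry[0] = now + self.timeout
        self._track_teardown(key, entry, pkt)
        return True

    def _track_teardown(self, key: FlowKey, entry: List, pkt: Packet) -> None:
        # Simplified IOS behaviour: RST removes the entry at once, a FIN from
        # each side (two FINs total) removes it after that packet is processed.
        if "FIN" in pkt.flags:
            entry[1] += 1
        if "RST" in pkt.flags or entry[1] >= 2:
            self.sessions.pop(key, None)


def run_scenario(acl) -> Dict[str, bool]:
    """Replay the thread's handshake, the attacker's spoofed traffic and the
    session teardown through one ACL type; return each inbound decision."""
    r: Dict[str, bool] = {}
    acl.outbound(tcp(CLIENT, 5000, SERVER, 80, "SYN"), 0.0)
    r["syn_ack_from_server"] = acl.inbound_allowed(tcp(SERVER, 80, CLIENT, 5000, "SYN", "ACK"), 1.0)
    acl.outbound(tcp(CLIENT, 5000, SERVER, 80, "ACK"), 2.0)
    # Attacker sources port 80 toward the client's port 5000, and toward another port.
    r["attacker_spoofing_port_80"] = acl.inbound_allowed(tcp(ATTACKER, 80, CLIENT, 5000, "ACK"), 3.0)
    r["attacker_syn_port_80"] = acl.inbound_allowed(tcp(ATTACKER, 80, CLIENT, 6000, "SYN"), 3.0)
    # Orderly close: client FIN, server FIN/ACK, then the server tries to send more.
    acl.outbound(tcp(CLIENT, 5000, SERVER, 80, "FIN", "ACK"), 10.0)
    r["server_fin_ack"] = acl.inbound_allowed(tcp(SERVER, 80, CLIENT, 5000, "FIN", "ACK"), 11.0)
    r["server_after_close"] = acl.inbound_allowed(tcp(SERVER, 80, CLIENT, 5000, "ACK"), 12.0)
    return r


def idle_timeout_demo(timeout: float = 300.0) -> bool:
    """A reply arriving after the reflexive timeout is denied even from the real server."""
    acl = ReflexiveACL(timeout)
    acl.outbound(tcp(CLIENT, 5000, SERVER, 80, "SYN"), 0.0)
    return acl.inbound_allowed(tcp(SERVER, 80, CLIENT, 5000, "SYN", "ACK"), timeout + 1.0)


if __name__ == "__main__":
    for name, acl in (("stateless", StatelessACL()), ("reflexive", ReflexiveACL())):
        print(name, run_scenario(acl))
    print("reflexive after idle timeout:", idle_timeout_demo())
```

Running the script shows the point of the book's example: the stateless `permit tcp any eq 80 any` lets the attacker's port-80 packets through to any internal port, while the reflexive ACL admits only the mirror of a session the inside client started, and drops the server itself once the session has closed or gone idle.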

