05-07-2012 07:20 PM - edited 03-07-2019 06:34 AM
In the ICND2 book, it mentions the use of Reflexive ACLs to permit each TCP / UDP session on an individual basis. The example given lists a similar scenario:
Workstation (a.a.a.a:5000) > Router > Internet > Web Server (b.b.b.b:80)
Attacker (c.c.c.c:80)
The Reflexive ACL's logic is to control the individual session between the Workstation and the Web Server by restricting sent / received traffic between a.a.a.a:5000 and b.b.b.b:80, so as to prevent c.c.c.c:80 from passing traffic through the Router.
My question is why did the book phrase this example as "Classic Case in which traditional ACLs create a security hole...", when a PAT session would restrict the protocol, inside global, inside local, outside local, and outside global IP header information? Traffic sent from the Attacker should never get beyond the Router's outside interface with PAT. As I upload this post, an outside host should not be able to source his port to 80, and flood my network.
Is the book assuming the Router is not using PAT, is there a reason for the over-redundancy, or am I missing something?
Thanks for your input
05-08-2012 02:07 AM
Hello Daniel,
Clearly the book, introducing the concept of reflexive ACLs, compares them to traditional ACLs, and the use of any other possible feature like PAT is not considered.
Reflexive ACLs make the router behave similarly to a stateful firewall: the router builds a specific permit for return traffic from the legitimate server b.b.b.b:80 to a.a.a.a:5000 because it has seen the TCP handshake between the two endpoints started from the internal client.
a.a.a.a:5000 -> b.b.b.b:80 with TCP flag SYN outbound
b.b.b.b:80 -> a.a.a.a:5000 with TCP flags SYN, ACK inbound
a.a.a.a:5000 -> b.b.b.b:80 with TCP flag ACK outbound
If the attacker attempts to send traffic over a non-existing session (c.c.c.c:80, a.a.a.a:5000), this traffic can be blocked by the router as a TCP session does not exist for these two endpoints.
A traditional ACL is not dynamic in nature, so it cannot think of TCP sessions: it can allow traffic to the internal host on TCP port 5000, but it is stateless.
After the TCP session is closed the router will remove the specific permit for inbound return traffic.
This provides better security.
Edit:
for further reading
Hope to help
Giuseppe
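To make the difference between the two ACL types concrete, here is a small added simulation (it is not code from the thread, the ICND2 book, or Cisco IOS). It replays the three-way handshake from the answer above, then an inbound packet from c.c.c.c sourcing port 80, then a normal FIN close followed by a stray late packet, through a toy stateless ACL and a toy reflexive ACL. The hosts a.a.a.a, b.b.b.b, c.c.c.c and the ports are the thread's placeholders; the class names, the rule that the stateless ACL "permits TCP from port 80 to the inside client", and the removal of the reflexive entry on RST or after both FINs are assumptions made for the example (real IOS reflexive entries also age out on a timer, which is omitted here).

```python
"""Toy comparison of a stateless ACL and a reflexive (session-aware) ACL.

Added example for the reflexive ACL discussion; not from the original post.
Addresses and ports are the thread's placeholders, not real hosts.
"""
from typing import List, Set, Tuple

# Endpoints as named in the thread (placeholders).
CLIENT, CLIENT_PORT = "a.a.a.a", 5000
SERVER, SERVER_PORT = "b.b.b.b", 80
ATTACKER = "c.c.c.c"

# A session key is stored from the inside host's point of view:
# (inside_ip, inside_port, outside_ip, outside_port)
Session = Tuple[str, int, str, int]


class Packet:
    def __init__(self, src: str, sport: int, dst: str, dport: int,
                 flags: Set[str], outbound: bool) -> None:
        self.src, self.sport, self.dst, self.dport = src, sport, dst, dport
        self.flags = frozenset(flags)   # TCP flags, e.g. {"SYN", "ACK"}
        self.outbound = outbound        # True: inside -> Internet, False: Internet -> inside


class StatelessACL:
    """Traditional ACL of the kind the thread describes: any Internet host
    sourcing TCP port 80 may reach the inside client. It keeps no state."""

    def permit(self, pkt: Packet) -> bool:
        if pkt.outbound:
            return True                 # outbound traffic is unrestricted in this toy
        return pkt.sport == SERVER_PORT and pkt.dst == CLIENT


class ReflexiveACL:
    """Each outbound packet installs a mirrored temporary permit for its return
    traffic; inbound packets pass only if such a permit exists. The permit is
    removed on RST or once both ends have sent FIN (assumed simplification)."""

    def __init__(self) -> None:
        self.sessions: Set[Session] = set()
        self.fin_seen: Set[Tuple[Session, bool]] = set()

    def permit(self, pkt: Packet) -> bool:
        if pkt.outbound:
            key: Session = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.sessions.add(key)      # "reflect": create the return-traffic entry
            self._track_close(key, pkt)
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # mirror the inbound 4-tuple
        if key not in self.sessions:
            return False                # no session opened from inside: drop it
        self._track_close(key, pkt)
        return True

    def _track_close(self, key: Session, pkt: Packet) -> None:
        if "RST" in pkt.flags:
            self.sessions.discard(key)
            return
        if "FIN" in pkt.flags:
            self.fin_seen.add((key, pkt.outbound))
            if (key, True) in self.fin_seen and (key, False) in self.fin_seen:
                self.sessions.discard(key)   # both sides closed: entry goes away


def run_trace(acl) -> List[Tuple[str, bool]]:
    """Replay a constructed packet sequence and report the verdict for each."""
    trace = [
        ("client SYN",        Packet(CLIENT, CLIENT_PORT, SERVER, SERVER_PORT, {"SYN"}, True)),
        ("server SYN/ACK",    Packet(SERVER, SERVER_PORT, CLIENT, CLIENT_PORT, {"SYN", "ACK"}, False)),
        ("client ACK",        Packet(CLIENT, CLIENT_PORT, SERVER, SERVER_PORT, {"ACK"}, True)),
        ("attacker from :80", Packet(ATTACKER, 80, CLIENT, CLIENT_PORT, {"ACK"}, False)),
        ("client FIN",        Packet(CLIENT, CLIENT_PORT, SERVER, SERVER_PORT, {"FIN", "ACK"}, True)),
        ("server FIN",        Packet(SERVER, SERVER_PORT, CLIENT, CLIENT_PORT, {"FIN", "ACK"}, False)),
        ("late server data",  Packet(SERVER, SERVER_PORT, CLIENT, CLIENT_PORT, {"ACK"}, False)),
    ]
    return [(name, acl.permit(pkt)) for name, pkt in trace]


if __name__ == "__main__":
    stateless = dict(run_trace(StatelessACL()))
    reflexive = dict(run_trace(ReflexiveACL()))
    for name in stateless:
        print(f"{name:18s} stateless={'permit' if stateless[name] else 'deny '}  "
              f"reflexive={'permit' if reflexive[name] else 'deny '}")
```

The stateless ACL lets every packet through, including the one from c.c.c.c sourcing port 80, which is the "security hole" the book refers to. The reflexive ACL permits exactly the packets belonging to the session the inside client opened, drops the attacker's packet because no matching entry exists, and drops the late server packet once the session has been closed and the entry removed.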