Difference between Firewall and Access Control List

Unanswered Question
Sep 11th, 2007

Just a quick question really...

What is the difference between an ACL and a firewall?

As far as i can see they both can deny/permit traffic based on source or destination IP/network as well as by protocol and port.

Are they essentially the same thing or am I overlooking something blindingly obvious?

Many thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.7 (3 ratings)
Loading.
Jon Marshall Tue, 09/11/2007 - 06:19

Hi

An access-list is not stateful whereas a firewall is ie.

when a conversation between a two machines is setup with a firewall in between the traffic path the firewall keeps track of not just the IP address/port number but also the TCP flags that are used in the packet.

So if i initiate a connection to a server using telnet my intial packet has

Source IP address: 192.168.5.1 (my client)

source port: 23467 ( random generated port)

destination IP address: 172.16.10.1 (telnet server)

destination port: 23 ( telnet port )

TCP Flag: SYN

The firewall will enter this into it's state table.

Now when the server responds

source IP address: 172.16.10.1

source port: 23

destination IP address: 192.168.5.1

destination port: 23467

TCP Flags SYN/ACK

The firewall receives this packet, checks it's state table and realises this is a return packet to the initial packet sent out by the client.

So if the above packet from the server was sent to the client, but the client had not actually sent a packet first the firewall would drop the packet because it has no entry in it's state table.

An access-list has no real concept of state as such although the "established" keyword is a pseudo type of statefulness.

HTH

Jon

srue Tue, 09/11/2007 - 06:25

"An access-list has no real concept of state as such although the "established" keyword is a pseudo type of statefulness. "

i just want to elaborate on this last line. Using the established keyword with an ACL entry (ACE) allows *all* packets that match the ACE regardless of whether the packet in question is in response to an outbound packet. What this means is if you can code a packet to set one of the tcp flags that the 'established' key word checks for, it will pass the ACL check, even though it was not sent in response to any other packet from the protected network - ie it allows ALL packets w/ the ack/rst bit set.

For this reason, reflexive acl's are a better choice than this method.

(and to be complete, IOS firewall is better than reflexive acl's).

And of course PIX is better than IOS firewall in this respect.

Jon Marshall Tue, 09/11/2007 - 06:32

Hi Steven

Agreed, and perhaps using the words "pseudo type of statefulness" was a bit misleading.

Thanks for expanding on this.

Jon

Actions

This Discussion