Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2154
Views
11
Helpful
4
Replies

Difference between Firewall and Access Control List

d.bigerstaff
Level 1
Level 1

‎09-11-2007 06:04 AM - edited ‎03-11-2019 04:09 AM

Just a quick question really...

What is the difference between an ACL and a firewall?

As far as i can see they both can deny/permit traffic based on source or destination IP/network as well as by protocol and port.

Are they essentially the same thing or am I overlooking something blindingly obvious?

Many thanks

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎09-11-2007 06:19 AM

Hi

An access-list is not stateful whereas a firewall is ie.

when a conversation between a two machines is setup with a firewall in between the traffic path the firewall keeps track of not just the IP address/port number but also the TCP flags that are used in the packet.

So if i initiate a connection to a server using telnet my intial packet has

Source IP address: 192.168.5.1 (my client)

source port: 23467 ( random generated port)

destination IP address: 172.16.10.1 (telnet server)

destination port: 23 ( telnet port )

TCP Flag: SYN

The firewall will enter this into it's state table.

Now when the server responds

source IP address: 172.16.10.1

source port: 23

destination IP address: 192.168.5.1

destination port: 23467

TCP Flags SYN/ACK

The firewall receives this packet, checks it's state table and realises this is a return packet to the initial packet sent out by the client.

So if the above packet from the server was sent to the client, but the client had not actually sent a packet first the firewall would drop the packet because it has no entry in it's state table.

An access-list has no real concept of state as such although the "established" keyword is a pseudo type of statefulness.

HTH

Jon

srue
Level 7
Level 7
In response to Jon Marshall

‎09-11-2007 06:25 AM

"An access-list has no real concept of state as such although the "established" keyword is a pseudo type of statefulness. "

i just want to elaborate on this last line. Using the established keyword with an ACL entry (ACE) allows *all* packets that match the ACE regardless of whether the packet in question is in response to an outbound packet. What this means is if you can code a packet to set one of the tcp flags that the 'established' key word checks for, it will pass the ACL check, even though it was not sent in response to any other packet from the protected network - ie it allows ALL packets w/ the ack/rst bit set.

For this reason, reflexive acl's are a better choice than this method.

(and to be complete, IOS firewall is better than reflexive acl's).

And of course PIX is better than IOS firewall in this respect.

Jon Marshall
Hall of Fame
Hall of Fame
In response to srue

‎09-11-2007 06:32 AM

Hi Steven

Agreed, and perhaps using the words "pseudo type of statefulness" was a bit misleading.

Thanks for expanding on this.

Jon

d.bigerstaff
Level 1
Level 1
In response to Jon Marshall

‎09-11-2007 07:55 AM

Thank's for your explaination guys, it's much appreciated.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card