Cisco Support Community
(CCNA Question) Reflexive ACLs

In the ICND2 book, it mentions the use of Reflexive ACLs to permit each TCP / UDP session on an individual basis. The example given lists a similar scenario:

Workstation (a.a.a.a:5000) > Router > Internet > Web Server (b.b.b.b:80)
                                         |
                                    Attacker (c.c.c.c:80)

The Reflexive ACL logic is to control the individual session between the Workstation and the Web Server by restricting sent / received traffic between a.a.a.a:5000 and b.b.b.b:80, so as to prevent c.c.c.c:80 from passing traffic through the Router.

My question is why did the book phrase this example as "Classic Case in which traditional ACLs create a security hole...", when a PAT session would restrict the protocol, inside global, inside local, outside local, and outside global IP header information? Traffic sent from the Attacker should never get beyond the Router's outside interface with PAT. As I upload this post, an outside host should not be able to source his port to 80 and flood my network.

Is the book assuming the Router is not using PAT, is there a reason for the over-redundancy, or am I missing something?

Thanks for your input

Re: (CCNA Question) Reflexive ACLs

Hello Daniel,

Clearly the book, introducing the concept of reflexive ACLs, compares them to traditional ACLs, and the use of any other possible feature like PAT is not considered.

Reflexive ACLs make the router behave similarly to a stateful firewall: the router builds a specific permit for return traffic from the legitimate server b.b.b.b:80 to a.a.a.a:5000 because it has seen the TCP handshake between the two endpoints started from the internal client.

a.a.a.a:5000 -> b.b.b.b:80  with TCP flag SYN        outbound

b.b.b.b:80 -> a.a.a.a:5000  with TCP flags SYN, ACK  inbound

a.a.a.a:5000 -> b.b.b.b:80  with TCP flag ACK        outbound

If the attacker attempts to send traffic over a non-existing session (c.c.c.c:80, a.a.a.a:5000), this traffic can be blocked by the router as a TCP session does not exist for these two endpoints.

A traditional ACL is not dynamic in nature, so it cannot think of TCP sessions: it can allow traffic to the internal host on TCP port 5000, but it is stateless.

After the TCP session is closed the router will remove the specific permit for inbound return traffic.

This provides better security.

Edit:

for further reading

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-1mt/Configuring_IP_Session_Filtering_-_Reflexive_Access_Lists.html

Hope to help

Giuseppe
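To make the difference between the two filters concrete, here is an added Python model of the behaviour Giuseppe describes; it is an illustration written for this page, not code from the post or from Cisco. It treats the router as a reflexive ACL (an outbound "reflect" entry keyed on the full 4-tuple, an inbound "evaluate" that only admits the mirror image of a live entry) and sets it beside a stateless ACL of the kind the book calls a security hole. The addresses are constructed stand-ins for the book's letters (10.0.0.5 for a.a.a.a, 203.0.113.10 for b.b.b.b, 198.51.100.7 for c.c.c.c), the 300-second idle timeout is an assumed value, and the FIN/RST teardown is a simplification of what IOS does.

```python
"""Toy model: reflexive ACL versus stateless extended ACL (added example)."""
from dataclasses import dataclass

# Constructed stand-ins for the book's placeholder addresses.
INSIDE_CLIENT = "10.0.0.5"      # a.a.a.a, the workstation
WEB_SERVER = "203.0.113.10"     # b.b.b.b, the legitimate web server
ATTACKER = "198.51.100.7"       # c.c.c.c, an outside host sourcing from port 80


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset           # subset of {"SYN", "ACK", "FIN", "RST"}


def stateless_inbound_acl(pkt: Packet) -> str:
    """A traditional ACL that lets web replies in, roughly
    'permit tcp any eq 80 host 10.0.0.5 gt 1023'.
    It judges each packet's header alone, so ANY source on port 80 matches."""
    if pkt.src_port == 80 and pkt.dst_ip == INSIDE_CLIENT and pkt.dst_port > 1023:
        return "permit"
    return "deny"


class ReflexiveAcl:
    """Models 'reflect' on the outbound ACL and 'evaluate' on the inbound ACL."""

    def __init__(self, timeout: int = 300):
        self.timeout = timeout  # assumed idle timeout in seconds
        # (inside_ip, inside_port, outside_ip, outside_port) -> [expiry, fin_count]
        self.entries: dict = {}

    def _expire(self, now: int) -> None:
        """Drop entries whose idle timer has run out."""
        self.entries = {k: v for k, v in self.entries.items() if v[0] > now}

    def _track_teardown(self, key, entry, flags) -> None:
        """RST removes the entry at once; a FIN from each side closes it."""
        if "RST" in flags:
            self.entries.pop(key, None)
            return
        if "FIN" in flags:
            entry[1] += 1
            if entry[1] >= 2:
                self.entries.pop(key, None)

    def outbound(self, pkt: Packet, now: int) -> str:
        """Outbound traffic is permitted and creates or refreshes the mirrored entry."""
        self._expire(now)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        entry = self.entries.setdefault(key, [0, 0])
        entry[0] = now + self.timeout
        self._track_teardown(key, entry, pkt.flags)
        return "permit"

    def inbound(self, pkt: Packet, now: int) -> str:
        """Inbound traffic passes only if it mirrors a session the inside started."""
        self._expire(now)
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self.entries.get(key)
        if entry is None:
            return "deny"      # no session from inside for this 4-tuple
        entry[0] = now + self.timeout
        self._track_teardown(key, entry, pkt.flags)
        return "permit"


def run_scenario() -> dict:
    """Replay the handshake from the answer, then the attacker's packet,
    then a graceful close and an idle timeout. Returns each verdict by name."""
    acl = ReflexiveAcl(timeout=300)
    syn = Packet(INSIDE_CLIENT, 5000, WEB_SERVER, 80, frozenset({"SYN"}))
    syn_ack = Packet(WEB_SERVER, 80, INSIDE_CLIENT, 5000, frozenset({"SYN", "ACK"}))
    ack = Packet(INSIDE_CLIENT, 5000, WEB_SERVER, 80, frozenset({"ACK"}))
    spoof = Packet(ATTACKER, 80, INSIDE_CLIENT, 5000, frozenset({"ACK"}))
    fin_out = Packet(INSIDE_CLIENT, 5000, WEB_SERVER, 80, frozenset({"FIN", "ACK"}))
    fin_in = Packet(WEB_SERVER, 80, INSIDE_CLIENT, 5000, frozenset({"FIN", "ACK"}))
    data_in = Packet(WEB_SERVER, 80, INSIDE_CLIENT, 5000, frozenset({"ACK"}))

    v = {}
    v["handshake_syn"] = acl.outbound(syn, now=0)
    v["handshake_synack"] = acl.inbound(syn_ack, now=1)
    v["handshake_ack"] = acl.outbound(ack, now=2)
    v["attacker_reflexive"] = acl.inbound(spoof, now=3)   # no session: denied
    v["attacker_stateless"] = stateless_inbound_acl(spoof)  # header matches: permitted
    acl.outbound(fin_out, now=10)
    acl.inbound(fin_in, now=11)                            # second FIN removes the entry
    v["after_close"] = acl.inbound(data_in, now=12)
    acl.outbound(syn, now=100)                             # new session, then silence
    v["after_timeout"] = acl.inbound(data_in, now=401)
    return v


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:20s} {verdict}")
```

The scenario shows the three points in the answer: the SYN/ACK from b.b.b.b:80 is admitted only because the SYN left first, the attacker's packet from c.c.c.c:80 is denied by the reflexive filter yet permitted by the stateless one, and the dynamic permit disappears once the session closes or idles out. On IOS the same structure is an outbound extended ACL line ending in `reflect NAME` and an inbound ACL containing `evaluate NAME`, where NAME is whatever you choose; see the Cisco document linked above for the full configuration.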
