On my internet router I expected to see an access list permitting established connections back into my router. This wasn't the case: it let certain ports in, but at the bottom there was a deny any any statement. Why would you want a deny all statement for things entering my router from the web? I thought it would be permitting anything to the net and back on port 80?
As you say, the established keyword on inbound ACLs is useful, unless you want to be explicit about what your users can access outside your network. You may also want to have a deny any any at the bottom with the log keyword if you want the router to log what has been denied. It appears that the ACL you are referring to explicitly allows protocols in, regardless of whether the connection was initiated from inside your network. This may have security implications, but it depends on what you are trying to achieve. Without looking at the ACL and understanding the requirements it is difficult to say whether there is a problem or not.
Personally I favour reflexive ACLs, which are stateful in nature. In this scenario you configure an inbound and an outbound ACL. The outbound allows traffic out, which is reflected to the inbound. The inbound ACL keeps state for the connection and allows the return traffic in. Note that for functions like traceroute (responses), traffic initiated by the router, and inbound connections to your network from the outside, you have to explicitly allow them in.
I find reflexive ACLs need fewer entries, can achieve your objective more efficiently, and provide greater security in this kind of scenario.
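Added example of the reflexive ACL pair described above (not the reply author's configuration): outbound sessions create temporary entries that the inbound ACL evaluates, with the explicit exceptions the reply mentions and a logged deny at the bottom. The interface name, ACL and reflexive-list names, the 203.0.113.10 host, the port and the timeout are all assumed.

```cisco
! Added example, not from the thread. Assumes GigabitEthernet0/0 faces
! the Internet. Reflexive ACLs require named extended ACLs.
!
! Idle time (seconds) before a temporary reflexive entry is removed.
ip reflexive-list timeout 300
!
! Outbound ACL: each session leaving the LAN creates a mirrored
! temporary entry in the reflexive list named after "reflect".
ip access-list extended OUTBOUND
 permit tcp any any reflect REFLECT-TCP
 permit udp any any reflect REFLECT-UDP
 permit icmp any any reflect REFLECT-ICMP
 deny ip any any log
!
! Inbound ACL: only return traffic matching a reflexive entry, plus the
! explicit exceptions, gets in. Everything else is denied and logged.
ip access-list extended INBOUND
 ! Traceroute responses are ICMP errors, which are never reflected.
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 ! Traffic the router itself initiates (NTP, DNS, ...) is not reflected
 ! either and needs its own explicit permits here.
 ! Example of a deliberately published inbound service (assumed address).
 permit tcp any host 203.0.113.10 eq 443
 ! Return traffic for sessions initiated from inside.
 evaluate REFLECT-TCP
 evaluate REFLECT-UDP
 evaluate REFLECT-ICMP
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! While a session is open, the temporary entries can be checked with:
! show access-lists REFLECT-TCP
```

Hits on the final `deny ip any any log` lines are what you want to watch in the logs; they show exactly what was dropped in each direction.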
The access list that was set up was automatically done by my router in the web browser config. I've seen some saying ip inspect etc. What is this? Also, can you give me an example of these reflexive ACLs?