We are required to have an ACL on our Internet router to permit traffic only to legitimate ports. An "expert" told us that applying the ACL to the outbound traffic on our internal interface is more efficient than applying it to inbound traffic on the external interface. I'm wondering if anybody can confirm or debunk this statement.
Inbound ACL is more efficient than outbound due to the fact that with inbound, any matched "deny" packet is dropped BEFORE the packet gets routed to the destined outbound interface. With outbound, the packets (both deny and permit) get routed to the outbound interface and then those that are denied are dropped. In this sense, inbound is more efficient because there is one less step for those denied packets. Hope this helps.
Yeah, that's what I thought too. But the expert said that outbound filtering is more efficient because the packet is already in the buffer needed to do the filtering at that point. And the efficiency savings from not routing unwanted packets isn't all that great, because a relatively small percentage of packets are dropped anyway. Any thoughts on that?
I guess it depends on what types of traffic you are seeing and dropping.
I would have to agree that inbound ACL's are preferable. The quicker you can get a deny statement to match that packet the quicker the router can forget about it.
There are two things that are to be considered here.
1. Effectiveness of the list
2. Performance impact of the list on the router.
If you take criteria 1, inbound is better than outbound, because it will deny or block all unwanted ports, depending on what you have configured. Attacks coming from the external world are better blocked with an inbound access-list on the external interface.
If you take criteria 2, inbound access-lists create more router load compared to outbound ACLs. The router has to match all packets coming in on an interface that has an inbound ACL applied, and remember, ACLs cause the router to do process switching on that interface.
I would recommend using a combination of both types of access-lists on the external interface, and possibly configure Reflexive access-lists on your border router. This would make sure that only those sessions initiated from inside your networks will be permitted.
Thanks for the good answer. I have two more questions and then I think I'm done.
First, you point out that inbound ACLs cause the router to do process switching on the inbound interface. Does this imply that outbound ACLs do NOT cause process switching on the outbound interface?
Second, since I have to do inbound ACLs anyway to protect the router, does it make sense to just put everything in the inbound ACL and eliminate the outbound ACL?
Answer to question 1:
All access-lists, whether applied inbound or outbound, make the router do process switching on that interface. But there is a difference.
Consider this example: E0----R1----E1.
If an access-list has been applied inbound on E0, every packet entering interface E0 has to be process switched and compared with the access-list, no matter whether the packet will be routed to port E1 or E2.
If an access-list was applied outbound on interface E1 (say), every packet entering the router via E0 is first routed to the appropriate destination interface (E1 or E2) and then checked to see if there is an outbound access-list. The router finds that only E1 has an access-list and E2 does not, so only those packets routed out E1 will be compared against the access-list.
So there is always less overhead when configuring an outbound access-list.
If you are creating normal ACLs, then you can use just an inbound ACL to protect your network from the outside. Sometimes this creates problems; for example, you cannot ping from inside to outside because you have blocked ICMP packets coming from outside. Here comes the use of Reflexive ACLs, where you use a combination of outbound and inbound ACLs. Reflexive ACLs allow you to ping, telnet, ftp etc. from inside to outside, but at the same time block all connections (ping, telnet, ftp) initiated from outside to inside.
Take this example.
! Outbound list: permitted ICMP creates a mirrored (reflexive) entry in ICMPtraffic
ip access-list extended outboundfilter
 permit icmp any any reflect ICMPtraffic
! Inbound list: the evaluate statement consults the reflexive entries;
! everything else falls through to the implicit deny
ip access-list extended inboundfilter
 evaluate ICMPtraffic
! Both lists are applied on the external interface (interface name assumed)
interface Serial0
 ip access-group outboundfilter out
 ip access-group inboundfilter in
Here ICMPtraffic is the reflexive access-list, which is a dynamic ACL that is created only when a connection (ping in this case) is initiated from inside to outside. This dynamic entry can be verified using "show access-list". This dynamic entry will allow the return ICMP echo traffic from outside to inside. At the same time, this access-list will not allow ping traffic initiated by somebody from outside to inside.
Hope that helps.
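To make the reflexive ACL behaviour described in the answer above concrete, here is an added toy model (not from the original thread, and not IOS code): an outbound `permit ... reflect` creates a mirrored dynamic entry, and the inbound `evaluate` permits only packets matching such an entry. The class and host addresses are constructed for illustration; entry timeouts are omitted.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str  # e.g. "icmp" or "tcp"
    src: str
    dst: str


@dataclass
class ReflexiveAcl:
    """Toy model of a reflexive ACL's dynamic entries (constructed example)."""
    name: str
    entries: set = field(default_factory=set)

    def reflect(self, pkt: Packet) -> None:
        # Outbound match with 'reflect': record the mirrored return flow.
        self.entries.add((pkt.proto, pkt.dst, pkt.src))

    def evaluate(self, pkt: Packet) -> bool:
        # Inbound 'evaluate': permit only if a mirrored entry exists.
        return (pkt.proto, pkt.src, pkt.dst) in self.entries


class BorderRouter:
    """Models the outboundfilter / inboundfilter pair from the thread."""

    def __init__(self) -> None:
        self.icmp_traffic = ReflexiveAcl("ICMPtraffic")

    def outbound_filter(self, pkt: Packet) -> bool:
        # 'permit icmp any any reflect ICMPtraffic', then implicit deny.
        if pkt.proto == "icmp":
            self.icmp_traffic.reflect(pkt)
            return True
        return False

    def inbound_filter(self, pkt: Packet) -> bool:
        # 'evaluate ICMPtraffic', then implicit deny.
        return self.icmp_traffic.evaluate(pkt)


def demo() -> dict:
    r = BorderRouter()
    inside, outside, other = "192.0.2.10", "203.0.113.9", "198.51.100.7"
    return {
        # Unsolicited echo from outside: no dynamic entry yet, dropped.
        "unsolicited_echo": r.inbound_filter(Packet("icmp", outside, inside)),
        # Inside host pings outside: permitted, creates the reflexive entry.
        "outbound_echo": r.outbound_filter(Packet("icmp", inside, outside)),
        # The echo reply now matches the dynamic entry and is permitted.
        "echo_reply": r.inbound_filter(Packet("icmp", outside, inside)),
        # A different outside host is still blocked.
        "other_outside_echo": r.inbound_filter(Packet("icmp", other, inside)),
    }
```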
One factor which has been ignored (because it has nothing to do with ACL efficiency) but is probably very relevant in this context, is that only an inbound ACL will protect the router. Putting the access controls on the internal interface may save CPU cycles protecting the inside network, but does nothing to protect the router itself from attack from the Internet (in which case, I sure hope you have upgraded the IOS to defend against the latest DoS vulnerability).
If you're the cautious type (or have untrusted internal users), you'll want to protect the router from inside attacks as well as Internet attacks, which means inbound filters on every interface plus filters on those few services which are still allowed to run on the router.
Good luck and have fun!
Vincent C Jones
You're absolutely right, and that is what started me thinking about this in the first place. We had put the outbound ACL on the inside interface on the advice of the expert some time ago and had a minimal inbound ACL on the outside interface as well. When I had to add to it for the latest DoS vulnerability, I got thinking again about which is more efficient.
Given all the good discussion I have heard here, I plan to move everything to the inbound ACL on the outside interface and eliminate the outbound ACL on the inside interface. It is more secure, makes for a more understandable config, and doesn't sound like a big efficiency hit.
Thanks to all who contributed; you've been a big help.
Access lists don't necessarily force a router to resort to process switching. This used to be the case many years ago, but ACL fast-switching has been possible for quite some time and now ACLs can even be CEF switched. This is highly dependent on what hardware and software you're using, however, so check the documentation.
Note, however, that there are some ACL-related features (including use of the "log" keyword in an access-list statement, and sending ICMP unreachables when a packet is blocked) that may still cause a less-desirable switching path to be used even to this day. I haven't looked into this very recently, though, and things are always changing, so the documentation for your particular software version is generally the best place to get such information from.