Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Questions on Reflexive Access Lists

Hi Sir,

I'm trying to protect a server farm using reflexive access lists. I also would like any hosts to originate connections to the servers on TCP ports 23 (telnet) and 25 (smtp).

The config on the core router is as follows:

!

int Vlan10

description *** Server Farm ***

ip address 172.16.10.1 255.255.255.0

ip access-group inboundfilters in

ip access-group outboundfilters out

!

int Vlan20

description *** Marketing Department ***

ip address 172.16.20.1 255.255.255.0

!

int Vlan30

description *** Engineering Department ***

ip address 172.16.30.1 255.255.255.0

!

!

ip access-list extended outboundfilters

permit tcp any any eq telnet

permit tcp any any eq smtp

evaluate iptraffic

!

ip access-list extended inboundfilters

permit ip any any reflect iptraffic

!

My questions:

(1) I yet to test the above config on an actual router. However, is it correct theoretically?

(2) If I were to allow outside hosts to initiate connections to the servers on more protocols/ports, I would be adding more normal "permit" statements in the outboundfilters ACL before the "evaluate" statement. Wouldn't this become very static-based, as far as security is concerned?

(3) If you have other better feature options that meet my requirements, please do recommend.

Please advise.

Thank you.

B.Rgds,

Lim TS

5 REPLIES

Re: Questions on Reflexive Access Lists

(1) I yet to test the above config on an actual router. However, is it correct theoretically?

A: The config looks fine,as you already have inbound & outbound filters associasted to the permitted incoming tcp services and allowing outbound/returned traffic matching the outbound filter.

You can use the default global timeout of 300 sec, or set it to lower value, if you need to timed-out any idle session quickly due to security reason "ip reflexive-list timeout 150"

Ref/Example:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c3.html#wp1001270

(2) If I were to allow outside hosts to initiate connections to the servers on more protocols/ports, I would be adding more normal "permit" statements in the outboundfilters ACL before the "evaluate" statement. Wouldn't this become very static-based, as far as security is concerned?

A: Yes, you need to add port(s) manually/statically. From router security point of view, this probably more secure as you strictly dictate what can pass through (incoming), and subsequently, correspond to the permitted/allowed outbound returned traffic.

(3) If you have other better feature options that meet my requirements, please do recommend.

A: You can also look at other options like Lock-and-Key or Context-based Access Control (CBAC). Without firewall blade, I think (ask TG as well) reflexice ACL is good enough for the setup (features in router IOS) as Lock-and-Key and CBAC has few additional requirements (i.e ACS Server) and limitations.

New Member

Re: Questions on Reflexive Access Lists

Hi Amrih,

Long time no see. Thanks for your reply.

In my scenario, I want to allow restricted access for outside hosts to communicate with the servers. I'll be manually adding more "permit" statements in the "outboundfilters" ACL. These static extended access control entries (in the "outboundfilters" ACL) do not provide session filtering capability. Is this vulnerable to spoofing or DoS attacks? Probably it can be overcome by TCP Intercept or CBAC.

What's your thought?

Thank you.

B.Rgds,

Lim TS

Re: Questions on Reflexive Access Lists

Hi Lim,

CBAC is good as well, considering the following features:

1. Traffic Filtering:

- filters TCP and UDP packets based on application-layer protocol session information.

- permit specified TCP and UDP traffic through a firewall when the connection is initiated from inside protected network, or outside network.

2. Traffic Inspection

- discover and manage state information for TCP and UDP sessions which is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.

- Protect against DoS attack by checking/verifying sequence no (must be within the expected range) and discard unknown packets. Same goes to attack via fragmented IP.

3. Alerts and Audit Trails

- can send real-time alerts and audit trails to syslog server (or buffer log)

4. Intrusion Detection

- Embedded with 59 well-known IDS signatures. Similar to IDS features in PIX.

Limitations:

1. Only protect protocol you specify. The rest will depend on ACL you have in the router but not up to session layer.

2. No protection for attacks originating from internal network, unless if you have firewall (pix/asa/ios-firewall) protection.

3. Only protect certain type of well-known attacks only - based on 59 embedded IDS signatures

For spoofing protection, i.e spoof attack from outside/common user segment, maybe you should apply RFC2827 (prevent IP on protected segment from coming back into that segment from outside). Make sure your ACL has the 'establish' keyword as well. As recommended by Cisco, you should apply multiple layer of security protection both on your router and other devices connected to it.

Cheers!

New Member

Re: Questions on Reflexive Access Lists

Hi Amrih,

Thanks for the guideline.

For my simple scenario, I guess implementing reflexive access lists will suffice.

My scenario actually has two core routers. I will need to implement the same reflexive ACL on both core routers' server farm interfaces. Care must be taken to ensure symmetric routing, i.e. traffic from the server farm exiting one core router must return on the same router, because the dynamic opening is opened on that particular router.

In dynamic routing environment, most likely the distribution routers will load-balance across the two core routers into the server farm. Some manipulation of routes may need to be done at the expense of network scalability.

Personally, I'd still prefer to implement a firewall (be it PIX/ASA or FWSM if Cat6500) to do the job. But customer's budget always limits the choices.

What's your thoughts?

Thank you.

B.Rgds,

Lim TS

Re: Questions on Reflexive Access Lists

Hi Lim,

You're right on the symmetric routing as you need to ensure outbound/returned-traffic follow the same incoming path.

In this case, both reflexive ACL & CBAC can actually marked the connection/session and allow returned traffic to use the same link again. The only difference are the additional security features between them.

You would probably need to run a test to verify the most suitable method with your scenario.

Cheers!

248
Views
0
Helpful
5
Replies
CreatePlease to create content