Friday, November 30, 2007

Using Cisco's reflexive access-lists

Reflexive access-lists are Cisco's answer to the complaints security people have raised about plain access-lists and the "established" option.

For example, let's say we have the following scenario:

[LAN: 2.2.2.0/24]---(R1)----{INTERNET}

Let's say I have "Serial 0/0" as my T1 to the Internet and I want to block access to my LAN except for WWW to my web server 2.2.2.2. (The access-list can be applied to the LAN interface or the WAN interface; in this case I'm using the WAN.)

!
interface Serial 0/0
ip address 100.1.2.2 255.255.255.252
ip access-group Only2WWW in
!

Now, the old way of dealing with this was:

!
ip access-list extended Only2WWW
10 permit tcp any host 2.2.2.2 eq http
20 permit tcp any 2.2.2.0 0.0.0.255 established
!

Why the "established"? Well, at the end of the access-list there is an implicit "deny ip any any" which automatically blocks everything else from coming in, so without line 20 the replies to sessions your LAN hosts opened would be dropped.

The problem with the "established" statement is that it relies only on the TCP header: it matches a packet based on whether the ACK or RST bit is set, not on whether a session actually exists.

This can be used to trick the router into letting certain packets into your network without being filtered.

Reflexive access-lists were introduced to fix this problem. They generate an entry for each outgoing TCP session that matches your criteria. So, going back to our example:

!
interface Serial 0/0
ip address 100.1.2.2 255.255.255.252
ip access-group Only2WWW in
ip access-group Anyone out
!

!
ip access-list extended Only2WWW
10 permit tcp any host 2.2.2.2 eq http
20 evaluate TCPTraffic
!

!
ip access-list extended Anyone
10 permit tcp any any reflect TCPTraffic
20 permit ip any any
!

Now, every time anyone goes to the Internet over a TCP session, the router creates an entry that allows that session in the incoming direction. The entry is dynamically created in, and later removed from, the "TCPTraffic" access-list (which you don't have to define yourself).
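To see what the "evaluate" line buys you over "established", here is a small Python model of both versions of Only2WWW; it is an added example, not code from this post or from Cisco, and the LAN host, its peer and the outside addresses are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag
    rst: bool = False   # TCP RST flag

WEB_SERVER = "2.2.2.2"  # the web server from the example

def only2www_established(pkt: Packet) -> bool:
    """Old Only2WWW: 10 permit www to the server, 20 'established' trusts ACK/RST."""
    if pkt.dst == WEB_SERVER and pkt.dport == 80:
        return True
    if pkt.dst.startswith("2.2.2.") and (pkt.ack or pkt.rst):  # crude 2.2.2.0/24 match
        return True
    return False  # implicit deny ip any any

class ReflexiveRouter:
    """'Anyone' outbound (reflect TCPTraffic) and new 'Only2WWW' inbound (evaluate TCPTraffic)."""
    def __init__(self) -> None:
        self.tcptraffic = set()  # the dynamic TCPTraffic list the router builds for you

    def outbound(self, pkt: Packet) -> bool:
        # 10 permit tcp any any reflect TCPTraffic: store the mirrored 4-tuple.
        # (IOS also ages entries out on a timeout; that is not modelled here.)
        self.tcptraffic.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True  # 20 permit ip any any

    def inbound(self, pkt: Packet) -> bool:
        if pkt.dst == WEB_SERVER and pkt.dport == 80:
            return True  # 10 permit tcp any host 2.2.2.2 eq http
        # 20 evaluate TCPTraffic: only the mirror of a recorded outbound session passes.
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.tcptraffic

def compare() -> dict:
    """Run constructed inbound packets through both policies: {name: (established, reflexive)}."""
    r = ReflexiveRouter()
    r.outbound(Packet("2.2.2.10", 40000, "198.51.100.5", 443))  # LAN host opens an HTTPS session
    cases = {
        "www_to_server": Packet("203.0.113.9", 51000, WEB_SERVER, 80),
        "reply_to_session": Packet("198.51.100.5", 443, "2.2.2.10", 40000, ack=True),
        "unsolicited_ack": Packet("203.0.113.9", 443, "2.2.2.10", 22, ack=True),
    }
    return {name: (only2www_established(p), r.inbound(p)) for name, p in cases.items()}
```

The third case is the one the post warns about: the "established" list waves it through because the ACK bit is set, while the reflexive list has no matching TCPTraffic entry and drops it.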

For more information on reflexive access-lists, please go to the following Cisco URL:
