10.7 Configuring IP Session Filtering (Reflexive Access Lists)
10.7.2 How reflexive access lists implement session filtering
This section compares session filtering with basic access lists to session filtering with reflexive access lists. With static extended access lists, you can approximate session filtering by using the established keyword with the permit command. The established keyword matches TCP packets that have the ACK or RST bit set. (A set ACK or RST bit indicates that the packet is not the first in a session and therefore, presumably, belongs to an established session.) This criterion is part of an access list applied permanently to an interface, and it examines only the TCP flags: a crafted packet with the ACK bit set satisfies it whether or not any host inside ever opened a connection.

Reflexive access lists, however, provide a truer form of session filtering, which is much harder to spoof because more filter criteria must be matched before a packet is permitted through. (For example, source and destination addresses and port numbers are checked, not just the ACK and RST bits.) Also, session filtering uses temporary filters that are removed when a session is over. This limits an attacker's window of opportunity.

Moreover, the established keyword is available only for TCP. For the other upper-layer protocols (such as User Datagram Protocol [UDP], ICMP, and so forth), you would have to either permit all incoming traffic or define all possible permissible source/destination host/port address pairs for each protocol. (Besides being an unmanageable task, this could exhaust nonvolatile RAM [NVRAM] space.)

Where to Configure Reflexive Access Lists

Configure reflexive access lists on border routers, that is, routers that pass traffic between an internal and an external network. Often these are firewall routers.

Note: In this chapter, the words "within your network" and "internal network" refer to a network that is controlled (secured), such as your organization's intranet, or to a part of your organization's internal network that has higher security requirements than another part. "Outside your network" and "external network" refer to a network that is uncontrolled (unsecured) such as the Internet or to a part of your organization's network that is not as highly secured.

How Reflexive Access Lists Work

A reflexive access list is triggered when a new IP upper-layer session (such as TCP or UDP) is initiated from inside your network, with a packet traveling to the external network. When triggered, the reflexive access list generates a new, temporary entry. This entry permits traffic to enter your network only if the traffic is part of that session. For example, if an outbound TCP packet is forwarded to outside of your network, and this packet is the first packet of a TCP session, then a new, temporary reflexive access list entry is created. This entry is added to the reflexive access list, which applies to inbound traffic. The temporary entry has the characteristics described next.

Temporary Access-List Entry Characteristics:

  • The entry is always a permit entry.
  • The entry specifies the same protocol (TCP) as the original outbound TCP packet.
  • The entry specifies the same source and destination addresses as the original outbound TCP packet, except the addresses are swapped.
  • The entry specifies the same source and destination port numbers as the original outbound TCP packet, except the port numbers are swapped.

(The port-number characteristic applies only to TCP and UDP packets. Other protocols, such as ICMP and Internet Group Management Protocol [IGMP], do not have port numbers, so other criteria are used instead. For ICMP, for example, the type number is used.)

  • Inbound TCP traffic will be evaluated against the entry, until the entry expires. If an inbound TCP packet matches the entry, the inbound packet will be forwarded into your network.
  • The entry will expire (be removed) after the last packet of the session passes through the interface.
  • If no packets belonging to the session are detected for a configurable length of time (the timeout period), the entry will expire.

Temporary reflexive-access-list entries are removed at the end of the session. For TCP sessions, the entry is removed 5 seconds after two set FIN bits are detected (one from each end of the connection), or immediately after matching a TCP packet with the RST bit set. (Two set FIN bits in a session indicate that the session is about to end; the 5-second window allows the session to close gracefully. A set RST bit indicates an abrupt session close.) Otherwise, the temporary entry is removed after no packets of the session have been detected for a configurable length of time (the timeout period).

For UDP and other protocols, the end of the session is determined differently than for TCP. Because other protocols are considered to be connectionless (sessionless) services, there is no session tracking information embedded in packets. Therefore, the end of a session is considered to be when no packets of the session have been detected for a configurable length of time (the timeout period).
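The following configuration is an added example, not from the original guide, that puts the comparison at the start of this section and the temporary-entry behavior just described into IOS commands. The list names (static-inbound, outboundfilters, inboundfilters, tcptraffic, udptraffic, icmptraffic), the interface, and every address and port in the comments are constructed for illustration.

```cisco
! --- Weak approach: static extended ACL with the established keyword ---
! Admits any TCP packet with ACK or RST set, whether or not a host inside
! ever opened the connection; a crafted packet only needs the ACK bit set.
! There is no equivalent for UDP or ICMP at all.
ip access-list extended static-inbound
 permit tcp any any established
!
! --- Reflexive approach (the session filter this section describes) ---
! Outbound list: every permitted outbound packet that starts a new session
! creates a temporary entry in the named reflexive list. A per-list
! 'timeout' overrides the global idle timeout set further down.
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
 permit udp any any reflect udptraffic timeout 30
 permit icmp any any reflect icmptraffic timeout 10
!
! Inbound list: static permits first, then 'evaluate' consults the
! temporary entries at that point in the list. Anything matching nothing
! falls through to the implicit deny at the end. Constructed example of a
! static permit: the external BGP peer 203.0.113.2 opens its session to
! this router's Serial 1 address 203.0.113.1; nothing inside initiates it,
! so it is never reflected and must be permitted statically.
ip access-list extended inboundfilters
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
 evaluate tcptraffic
 evaluate udptraffic
 evaluate icmptraffic
!
! Global idle timeout (seconds) for reflexive entries whose list sets none.
ip reflexive-list timeout 120
!
! External interface (first topology): reflect on the way out, evaluate on
! the way in.
interface Serial 1
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
! Illustration (constructed): inside host 192.168.1.1 opens a Telnet session
! from source port 11005 to 172.19.99.67. While the session lives, the
! reflexive list tcptraffic (visible with 'show access-lists') holds one
! permit entry with addresses and ports swapped relative to the outbound
! packet:
!   permit tcp host 172.19.99.67 eq telnet host 192.168.1.1 eq 11005
! It is removed 5 seconds after FINs are seen in both directions, at once on
! an RST, or after 120 idle seconds (the global timeout above). The UDP and
! ICMP entries have no close handshake and expire only on their 30- and
! 10-second idle timers.
```

Note that the order inside inboundfilters matters: a static deny placed before an evaluate line would drop return traffic before the temporary entries were ever consulted.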

Restrictions on Using Reflexive Access Lists

Reflexive access lists do not work with some applications that use port numbers that change during a session. For example, if the port numbers for a return packet are different from those of the originating packet, the return packet will be denied, even if the packet is actually part of the same session. File Transfer Protocol (FTP) is an example of such an application: in active mode, the server opens the data connection back to the client from its own port 20, to a port the client announced over the control channel. That data connection is a new inbound session with no matching temporary entry, so with reflexive access lists an active-mode FTP request started from within your network will not complete. Instead, you must use passive FTP when originating requests from within your network; in passive mode, the client opens the data connection outbound, so it is reflected like any other session.

Prework: Before You Configure Reflexive Access Lists

Before you configure reflexive access lists, you must decide whether to configure reflexive access lists on an internal or external interface. You should also be sure that you have a basic understanding of the IP protocol and of access lists; specifically, you should know how to configure extended named IP access lists. To learn about configuring IP extended access lists, refer to the "Configuring IP Services" chapter of the Network Protocols Configuration Guide, Part 1.

Choose an Interface: Internal or External

Reflexive access lists are most commonly used with one of two basic network topologies. Determining which of these topologies most resembles your own can help you decide whether to apply reflexive access lists to an internal interface (one connecting to an internal network) or to an external interface (one connecting to an external network).

The first topology is shown in Figure . In this simple topology, reflexive access lists are configured for the external interface Serial 1. This prevents IP traffic from entering the router and the internal network, unless the traffic is part of a session already established from within the internal network.

The second topology is shown in Figure . In this topology, reflexive access lists are configured for the internal interface Ethernet 0. Because traffic between the external network and the Demilitarized Zone (DMZ) never crosses that interface, external traffic can still reach the services in the DMZ, such as DNS services, while IP traffic is prevented from entering your internal network unless the traffic is part of a session already established from within the internal network.

Use these two example topologies to help you decide whether to configure reflexive access lists for an internal or external interface.
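The second topology as an added configuration example, not from the original guide, showing the point that is easiest to get wrong when moving the reflexive lists from the external interface to the internal one: the in/out direction is from the router's point of view, so the reflect and evaluate lists swap sides. Interface names beyond Ethernet 0 and Serial 1, the list names, and the DMZ name-server address 192.0.2.53 are constructed for illustration.

```cisco
! Second topology: reflexive filtering on the INTERNAL interface Ethernet 0.
! Packets from inside hosts arrive on Ethernet 0, so they are "in" and get
! reflected; packets heading to inside hosts leave on Ethernet 0, so they
! are "out" and get evaluated. On the external interface (first topology)
! it is the other way round.
ip access-list extended from-inside
 permit tcp any any reflect tcptraffic
 permit udp any any reflect udptraffic
!
ip access-list extended to-inside
 evaluate tcptraffic
 evaluate udptraffic
!
ip reflexive-list timeout 120
!
interface Ethernet 0
 description Internal network
 ip access-group from-inside in
 ip access-group to-inside out
!
! The DMZ hangs off its own interface, so Internet-to-DMZ traffic never
! crosses Ethernet 0 and is untouched by the reflexive lists. Its policy is
! static and separate; here (constructed) only DNS to the DMZ name server
! may leave the router toward the DMZ.
ip access-list extended to-dmz
 permit udp any host 192.0.2.53 eq domain
 permit tcp any host 192.0.2.53 eq domain
!
interface Ethernet 1
 description DMZ
 ip access-group to-dmz out
!
! No inbound filter is applied on the external interface in this topology.
! If you add one, it must still let the return traffic of internal sessions
! through, or those packets are dropped at Serial 1 before the 'evaluate'
! on Ethernet 0 ever sees them.
interface Serial 1
 description Access to the Internet
```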