This section compares session filtering with basic access lists to session filtering with reflexive access lists. With basic standard and static extended access lists, you can approximate session filtering by using the established keyword with the permit command. The established keyword filters TCP packets based on whether the ACK or RST bits are set. (Set ACK or RST bits indicate that the packet is not the first in the session, and therefore, that the packet belongs to an established session.) This filter criterion would be part of an access list applied permanently to an interface.
Reflexive access lists, however, provide a truer form of session
filtering, which is much harder to spoof because more filter
criteria must be matched before a packet is permitted through. (For
example, source and destination addresses and port numbers are
checked, not just ACK and RST bits.) Also, session filtering uses
temporary filters that are removed when a session is over. This
limits the hacker's attack opportunity to a smaller time window.
Moreover, the previous method of using the established
keyword was available only for the TCP upper-layer protocol. So, for
the other upper-layer protocols (such as User Datagram Protocol [UDP],
ICMP, and so forth), you would have to either permit all incoming
traffic or define all possible permissible source/destination
host/port address pairs for each protocol. (Besides being an
unmanageable task, this could exhaust nonvolatile RAM [NVRAM]
space.)
Where to Configure Reflexive Access Lists
Configure reflexive access lists on border routers --- routers that
pass traffic between an internal and external network. Often, these
are firewall routers.
Note: In this chapter, the words "within your
network" and "internal network" refer to a network
that is controlled (secured), such as your organization's intranet,
or to a part of your organization's internal network that has higher
security requirements than another part. "Outside your
network" and "external network" refer to a network
that is uncontrolled (unsecured) such as the Internet or to a part
of your organization's network that is not as highly secured.
How Reflexive Access Lists Work
A reflexive access list is triggered when a new IP upper-layer
session (such as TCP or UDP) is initiated from inside your network,
with a packet traveling to the external network. When triggered, the
reflexive access list generates a new, temporary entry. This entry
will permit traffic to enter your network if the traffic is part of
the session, but will not permit traffic to enter your network if
the traffic is not part of the session. For example, if an outbound
TCP packet is forwarded to outside of your network, and this packet
is the first packet of a TCP session, then a new, temporary
reflexive access list entry will be created. This entry is added to
the reflexive access list, which applies to inbound traffic. The
temporary entry has characteristics as described next.
Temporary Access-List Entry Characteristics:
- The entry is always a permit entry.
- The entry specifies the same protocol (TCP) as the original outbound TCP packet.
- The entry specifies the same source and destination addresses as the original outbound TCP packet, except the addresses are swapped.
- The entry specifies the same source and destination port numbers as the original outbound TCP packet, except the port numbers are swapped. (This entry characteristic applies only for TCP and UDP packets. Other protocols, such as ICMP and Internet Group Management Protocol [IGMP], do not have port numbers, and other criteria are specified. For example, for ICMP, type numbers are used instead.)
- Inbound TCP traffic will be evaluated against the entry, until the entry expires. If an inbound TCP packet matches the entry, the inbound packet will be forwarded into your network.
- The entry will expire (be removed) after the last packet of the session passes through the interface.
- If no packets belonging to the session are detected for a configurable length of time (the timeout period), the entry will expire.
Temporary reflexive-access-list entries are removed at the end of
the session. For TCP sessions, the entry is removed 5 seconds
after two set FIN bits are detected, or immediately after matching a
TCP packet with the RST bit set. (Two set FIN bits in a session
indicate that the session is about to end; the 5-second window
allows the session to close gracefully. A set RST bit indicates an
abrupt session close.) Or, the temporary entry is removed after no
packets of the session have been detected for a configurable length
of time (the timeout period).
For UDP and other protocols, the end of the session is determined
differently than for TCP. Because other protocols are considered to
be connectionless (sessionless) services, there is no session
tracking information embedded in packets. Therefore, the end of a
session is considered to be when no packets of the session have been
detected for a configurable length of time (the timeout period).
Restrictions on Using Reflexive Access Lists
Reflexive access lists do not work with some applications that use port numbers that change during a session. For example, if the port numbers for a return packet are different from those of the originating packet, the return packet will be denied, even if the packet is actually part of the same session. FTP, a TCP application, is an example of an application with changing port numbers. With reflexive access lists, if you start an FTP request from within your network, the request will not complete. Instead, you must use Passive FTP when originating requests from within your network.
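The following simulation, added here as an illustration and not Cisco code, ties together the three preceding points: the established keyword (which looks only at ACK/RST bits) beside a reflexive list that matches the full swapped address/port tuple; the temporary entry's life cycle (creation on the first outbound packet, removal on RST, removal 5 seconds after two FINs, removal after the idle timeout); and the FTP restriction, where the server's data connection arrives on ports no temporary entry covers. All addresses, ports, timestamps and the 300-second timeout are constructed for the example.

```python
"""Toy model of reflexive access-list behaviour (added example, not Cisco IOS code)."""
from dataclasses import dataclass
from typing import Optional

FIN_CLOSE_WINDOW = 5.0  # seconds; the text: entry removed 5 s after two FIN bits are seen


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp" (ICMP uses type numbers instead of ports; not modelled here)
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False
    rst: bool = False
    fin: bool = False


@dataclass
class TempEntry:
    """Temporary permit entry built from an outbound packet with addresses and ports swapped."""
    proto: str
    src: str      # external host (the outbound packet's destination)
    dst: str      # internal host (the outbound packet's source)
    sport: int
    dport: int
    last_seen: float
    fins_seen: int = 0
    close_at: Optional[float] = None

    def matches(self, pkt: Packet) -> bool:
        # Protocol, both addresses and both ports must agree, not just the TCP flags.
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) == (
            self.proto, self.src, self.dst, self.sport, self.dport)


def established_permits(pkt: Packet) -> bool:
    """Basic 'permit tcp ... established': only the ACK or RST bit is inspected."""
    return pkt.proto == "tcp" and (pkt.ack or pkt.rst)


class ReflexiveList:
    """Inbound reflexive list fed by outbound packets crossing the same interface."""

    def __init__(self, timeout: float = 300.0):
        self.timeout = timeout            # idle timeout; the value is assumed, not from the text
        self.entries: list[TempEntry] = []

    def _expire(self, now: float) -> None:
        # Drop entries idle past the timeout or past their post-FIN close time.
        self.entries = [e for e in self.entries
                        if now - e.last_seen <= self.timeout
                        and (e.close_at is None or now < e.close_at)]

    def _find(self, pkt: Packet) -> Optional[TempEntry]:
        return next((e for e in self.entries if e.matches(pkt)), None)

    def _note_flags(self, entry: TempEntry, pkt: Packet, now: float) -> None:
        """TCP close rules: RST removes the entry at once, two FINs close it after 5 s."""
        entry.last_seen = now
        if pkt.rst:
            self.entries.remove(entry)
        elif pkt.fin:
            entry.fins_seen += 1
            if entry.fins_seen >= 2 and entry.close_at is None:
                entry.close_at = now + FIN_CLOSE_WINDOW

    def outbound(self, pkt: Packet, now: float) -> None:
        """An outbound packet starting a session creates its swapped temporary entry."""
        self._expire(now)
        reply_shape = Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        entry = self._find(reply_shape)
        if entry is None:
            entry = TempEntry(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport, now)
            self.entries.append(entry)
        self._note_flags(entry, pkt, now)

    def inbound(self, pkt: Packet, now: float) -> bool:
        """Return True if the inbound packet matches a live temporary entry."""
        self._expire(now)
        entry = self._find(pkt)
        if entry is None:
            return False
        self._note_flags(entry, pkt, now)
        return True


def demo() -> dict:
    """Run the scenarios from the text; every value in the result should be True."""
    acl = ReflexiveList(timeout=300.0)
    inside, web, dns, ftp = "10.0.0.5", "203.0.113.10", "203.0.113.53", "203.0.113.21"  # constructed
    r = {}
    # Spoofed inbound TCP with ACK set and no prior session: established lets it in, reflexive does not.
    spoof = Packet("tcp", web, inside, 443, 40000, ack=True)
    r["established_allows_spoof"] = established_permits(spoof)
    r["reflexive_blocks_spoof"] = not acl.inbound(spoof, 0.0)
    # Inside host opens a TCP session; the SYN/ACK reply matches the swapped entry.
    acl.outbound(Packet("tcp", inside, web, 40000, 443), 1.0)
    r["reply_permitted"] = acl.inbound(Packet("tcp", web, inside, 443, 40000, ack=True), 1.1)
    r["other_port_denied"] = not acl.inbound(Packet("tcp", web, inside, 8443, 40000, ack=True), 1.2)
    # Graceful close: two FINs, then the entry lives for 5 more seconds.
    acl.outbound(Packet("tcp", inside, web, 40000, 443, ack=True, fin=True), 10.0)
    acl.inbound(Packet("tcp", web, inside, 443, 40000, ack=True, fin=True), 11.0)
    r["within_fin_window"] = acl.inbound(Packet("tcp", web, inside, 443, 40000, ack=True), 15.0)
    r["after_fin_window"] = not acl.inbound(Packet("tcp", web, inside, 443, 40000, ack=True), 16.0)
    # Abrupt close: an RST removes the entry immediately.
    acl.outbound(Packet("tcp", inside, web, 40001, 443), 40.0)
    acl.inbound(Packet("tcp", web, inside, 443, 40001, rst=True), 40.1)
    r["after_rst_denied"] = not acl.inbound(Packet("tcp", web, inside, 443, 40001, ack=True), 40.2)
    # UDP: a DNS reply is permitted until the idle timeout passes.
    acl.outbound(Packet("udp", inside, dns, 53000, 53), 20.0)
    r["dns_reply_permitted"] = acl.inbound(Packet("udp", dns, inside, 53, 53000), 20.5)
    r["dns_reply_timed_out"] = not acl.inbound(Packet("udp", dns, inside, 53, 53000), 321.5)
    # Active FTP: the server opens the data connection from port 20 to a new client port.
    acl.outbound(Packet("tcp", inside, ftp, 50000, 21), 30.0)
    r["ftp_control_reply_ok"] = acl.inbound(Packet("tcp", ftp, inside, 21, 50000, ack=True), 30.1)
    r["ftp_data_denied"] = not acl.inbound(Packet("tcp", ftp, inside, 20, 50001), 30.2)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The model deliberately keys every entry on the full five-tuple and keeps no state for packets it has never seen leave the interface, which is why the spoofed ACK and the active-FTP data connection are both dropped while the established keyword would have admitted the first of them.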
Prework: Before You Configure Reflexive Access Lists
Before you configure reflexive access lists, you must decide
whether to configure reflexive access lists on an internal or
external interface. You should also be sure that you have a basic
understanding of the IP protocol and of access lists; specifically,
you should know how to configure extended named IP access lists. To
learn about configuring IP extended access lists, refer to the
"Configuring IP Services" chapter of the Network
Protocols Configuration Guide, Part 1.
Choose an Interface: Internal or External
Reflexive access lists are most commonly used with one of two
basic network topologies. Determining which of these topologies is
most like your own can help you decide whether to use reflexive
access lists with an internal interface or with an external
interface (the interface connecting to an internal network, or the
interface connecting to an external network).
The first topology is shown in Figure .
In this simple topology, reflexive access lists are configured for
the external interface Serial 1. This prevents IP traffic
from entering the router and the internal network, unless the
traffic is part of a session already established from within the
internal network.
The second topology is shown in Figure .
In this topology, reflexive access lists are configured for the internal
interface Ethernet 0, allowing external traffic to access the
services in the Demilitarized Zone (DMZ), such as DNS services, but
preventing IP traffic from entering your internal network --- unless
the traffic is part of a session already established from within the
internal network.
Use these two example topologies to help you decide whether to
configure reflexive access lists for an internal or external
interface.