| The example in the Figure depicts how a flow is
established between Hosts A and B, and how packets in that flow are
being switched by the MLS-SE. If an extended access list is applied
to the router interface, the MLS-SE learns of the change from the
MLS-RP through MLSP and immediately enforces security for the
affected flow. The MLS-SE enforces the output access list by purging
any entries for flows on that interface from the MLS cache.
Subsequent entries are relearned by
being sent first to the Route Processor as candidate packets and
then being cached in the MLS cache when they return from the Route
Processor. If the packet is denied by the access list, it never
makes it back to the switch as an enable packet and is never cached.
The extended access list indicates
that the MLS cache should be maintained with an IP flow mask. This
means that the cache should contain all of the Layer 3 and Layer 4
information. It is important to understand that unless the flow mask
is configured for IP flow, the access list will
be applied only to the first packet of a flow, not to the subsequent packets.
For example, suppose there is an extended access list that permits
Host A to ping Host B, but with all other types of traffic such as
FTP, Telnet, HTTP, and so on being denied. If Host A first tries to
ping Host B, the packet will be permitted and cached in the MLS-SE.
After this flow is cached, if Host A tries to open a Telnet session
to Host B, the connection will be allowed! This is because the
MLS-SE will check the MLS cache only for the destination IP address.
Because the MLS-RP is never involved, it cannot filter the packet.
This example illustrates a potential security hole resulting from
the misuse of MLS flow masks in combination with access lists.
|
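The ping-then-Telnet scenario described above, as an added, constructed model that is not Cisco's code: an MLS-SE caches flows under a chosen flow mask, sends unknown flows to the MLS-RP as candidate packets, and switches cached flows without consulting the access list. The addresses, ports and class names are assumptions; the flow-mask names follow Cisco's terminology.

```python
from collections import namedtuple

# Constructed model of the MLS-RP / MLS-SE interaction; hosts and ports are assumed.
Packet = namedtuple("Packet", "src dst proto sport dport")

HOST_A, HOST_B = "10.1.1.10", "10.2.2.20"
ICMP, TCP = "icmp", "tcp"


def router_acl(pkt):
    """Extended ACL on the MLS-RP: permit ICMP from A to B, deny all else."""
    return pkt.src == HOST_A and pkt.dst == HOST_B and pkt.proto == ICMP


def flow_key(pkt, flow_mask):
    """Fields the MLS-SE keys its cache on under each flow mask."""
    if flow_mask == "destination-ip":
        return (pkt.dst,)
    if flow_mask == "source-destination-ip":
        return (pkt.src, pkt.dst)
    if flow_mask == "ip-flow":  # full Layer 3 + Layer 4 information
        return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
    raise ValueError("unknown flow mask: %s" % flow_mask)


class MlsSe:
    def __init__(self, flow_mask):
        self.flow_mask = flow_mask
        self.cache = set()   # keys of flows the RP has already enabled
        self.rp_checks = 0   # how often the RP (and its ACL) saw a packet

    def forward(self, pkt):
        key = flow_key(pkt, self.flow_mask)
        if key in self.cache:
            return True      # hardware-switched: the ACL is never consulted
        self.rp_checks += 1  # candidate packet goes to the MLS-RP
        if router_acl(pkt):  # enable packet returns, so the flow is cached
            self.cache.add(key)
            return True
        return False         # denied by the ACL, never cached


def run_scenario(flow_mask):
    """Host A pings Host B, then tries Telnet; returns what got through."""
    se = MlsSe(flow_mask)
    ping = Packet(HOST_A, HOST_B, ICMP, 0, 0)
    telnet = Packet(HOST_A, HOST_B, TCP, 40000, 23)
    return {"ping": se.forward(ping), "telnet": se.forward(telnet),
            "rp_checks": se.rp_checks}
```

With the destination-ip mask the Telnet packet matches the cached ping entry and is switched without an ACL check; with the ip-flow mask it is a new flow, reaches the RP, and is denied.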