Network problems can arise from transport layer problems on the router,
particularly at the edge of the network where security technologies are
examining and modifying the traffic. This section will discuss two of the most
commonly implemented transport layer security technologies. They are access
control lists and Network Address Translation.
The most common issues
with extended access lists will be the result of misconfiguration. There are
eight areas where misconfigurations commonly occur:
- Selection of traffic flow
- Order of access control elements
- Implicit "deny any any"
- Addresses and wildcard masks
- Selection of transport layer protocol
- Source and destination port(s)
- Use of the ‘established’ keyword
- Uncommon protocols
Selection of Traffic Flow
Although these points are not
listed in any particular order, the most common router misconfiguration of
extended access lists is applying the access list to incorrect traffic. Traffic
is defined by both the router interface through which the traffic is traveling
and the direction in which this traffic is traveling. Once defined, an access
list must be applied to the correct interface and the correct traffic direction
must be selected to function properly.
Order of Access Control Elements
Another common mistake made when configuring ACLs is the order
in which access control elements (ACEs) are configured. Although an access list
may have an element to specifically permit a particular traffic flow, packets
will never match that element if they are being denied by another element
earlier in the list.
Recall that the guideline for configuring an access
control list is specific to general. This means that the most specific elements
are configured at the top of the list and the less specific elements are
configured at the end. The more information defined in an element, the more
specific that element is. For example, the element permit tcp 10.0.0.0
0.255.255.255 any eq 110 established is more specific than the
element permit tcp 10.0.0.0 0.255.255.255 any eq 110
because the first element used the additional keyword
established. The element permit udp host
10.32.96.7 eq 53 any is more specific than both of these because it
matches a more specific (smaller) range of source addresses.
Implicit "deny any any"
Every extended access list has a deny
any any element implied as the final entry in the list. This does
not normally pose an issue when configuring firewall routers, as the guideline
for configuring highly secure access lists is to deny everything and
specifically permit particular traffic flows. In a situation where high
security is not required on the access list, forgetting about this implicit
access control element may be the cause of an access list misconfiguration.
Addresses and Wildcard Masks
There are a number of things
that make correctly selecting source and destination addresses more complex:
- Running NAT on the router
- Using complex wildcard masks to select patterns of addresses
If the router is running both access lists and NAT, the order in which
each of these technologies is applied to a traffic flow is important. The order
of operations in the switching path is complex, as shown in Figure
. The
important points to remember are:
- Inbound traffic is processed by the inbound access list before being
processed by outside-to-inside NAT.
- Outbound traffic is processed by the outbound access list after being
processed by inside-to-outside NAT.
Wildcard masks are typically used to select ranges of addresses. For
example, the address 198.162.10.0 and wildcard mask 0.0.0.255 could be used to
select all hosts in the Class C network address-space 198.162.10.0. Generally,
these sorts of address and wildcard mask combinations are difficult to get
wrong.
More complex wildcard masks can also be used to select patterns
of addresses. For example, the address 10.0.32.0 and wildcard mask 0.0.32.15
would select the first 15 host addresses in either the 10.0.0.0 network or the
10.0.32.0 network. Complex wildcard masks like this provide significant
improvements in efficiency, especially in large networks with structured and
controlled IP addressing schemes.
Selection of Transport Layer Protocol
When configuring ACLs, it is important that only the correct
transport layer protocols be specified in the element. Many network engineers,
when unsure if a particular traffic flow uses a TCP port or a UDP port, will
configure both. The first problem with doing this is that it opens a hole
through the firewall, possibly giving intruders an avenue into the network. The
other problem is that it introduces an extra element into the ACL. This means
the ACL takes longer to process, introducing more latency into network
communications.
Source and Destination Port(s)
Correctly specifying source and destination ports is usually simple, but it can
become complex.
In one example of a simple traffic flow, the client end of the connection uses
a random high-numbered port to initiate a connection to a specific port at the
server-end. Defining the correct source and destination ports is not complex in
this situation.
A more difficult concept is understanding the flow of
traffic between two hosts and building the ACLs to properly control the
traffic. Simple traffic flows require symmetric access control elements for
inbound and outbound access lists. In other words, address and port information
for traffic generated by a replying host is the mirror image of address and
port information for traffic generated by the initiating host.
Example
Examine these descriptions of a simple e-mail traffic
flow traversing a firewall router to understand the relationship for addresses
and ports between initiating and responding traffic:
- A user wants to check e-mail on a remote ISP mail server.
- The client PC opens the mail client and initiates a connection to a POP3
mail server.
- The request for new mail is generated and sent by the client PC.
- The source address of the request packets is the IP address of the client
PC.
- The source port of the request packets will be randomly chosen from above
1024 (for example, TCP port 2113).
- The destination address of the request packets is the IP address of the
mail server.
- The destination port of the request packets is TCP port 110 (the POP3 mail
server).
- The packets traverse the LAN, get to the firewall router, and are processed
by the access list controlling outbound traffic on the external router port.
- A control element permitting traffic from any port with an internal address
to TCP port 110 on the ISP mail server address is configured near to the top of
the access list.
- The ‘request for mail’ traffic matches this element and is allowed through
the firewall router.
- Having satisfied an element of the outbound access list, the router
forwards the traffic to the next hop on the way to the ISP mail server.
- The ISP mail server has mail waiting for the user. When the ISP mail server
receives the request, the mail server responds with the mail items it has for
the user. Because the traffic is now returning to the client PC, the address
and port information from the request packets have the source details swapped
with the destination details.
- The source address of the reply packets is the IP address of the ISP mail
server.
- Because the reply is coming from the POP3 mail server, the source port of
the reply packets is TCP port 110.
- The destination address of the reply packets is the IP address of the
client PC.
- The client PC needs to know which process to pass the reply packets to when
it receives them. This means the destination port of the reply packets is set
as TCP port 2113.
- The mail server sends the reply packets onto the Internet and they
eventually get back to the firewall router. The traffic must satisfy an element
of the access list controlling inbound traffic on the external router port
before being forwarded to the LAN.
- A control element permitting traffic from TCP port 110 from the IP address
of the ISP mail server to any port on any internal IP address is configured
near to the top of the access list.
- The ‘reply with mail’ traffic matches this element and is allowed through
the firewall router.
- The ‘reply’ traffic reaches the client, where the mail items are displayed
by the e-mail client software.
Use of the Established Keyword
Using the
established keyword means a packet must match the specified
source and destination IP addresses and ports and must also have the ACK bit
set before a complete match is possible.
For example, an access list
watching inbound traffic may have an element to permit traffic from a remote
Telnet server. By adding the ‘established’ keyword to this element, the access
list can be configured to permit traffic from a remote Telnet server, but only
if the Telnet connection was initiated from inside the firewall router.
The established keyword can be used to increase the
security provided by an access list. If this established keyword is applied to
an outbound access list, unexpected results may occur.
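The first-match ordering, implicit "deny any any", wildcard-mask and 'established' behaviour described above, together with the mirror-image POP3 elements from the Example, as an added Python illustration that is not part of the original text; it models only a small subset of extended ACL syntax, and the client (10.1.1.20) and ISP mail server (192.0.2.25) addresses are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _parse_endpoint(tokens):
    # Accepts "any", "host A.B.C.D" or "A.B.C.D W.W.W.W", optionally followed by "eq PORT".
    if tokens[0] == "any":
        ep, tokens = ("0.0.0.0", "255.255.255.255"), tokens[1:]
    elif tokens[0] == "host":
        ep, tokens = (tokens[1], "0.0.0.0"), tokens[2:]
    else:
        ep, tokens = (tokens[0], tokens[1]), tokens[2:]
    port = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return ep + (port,), (tokens[2:] if port is not None else tokens)

def parse_ace(line):
    """permit|deny PROTO SRC [eq N] DST [eq N] [established] -> tuple."""
    action, proto, *rest = line.split()
    src, rest = _parse_endpoint(rest)
    dst, rest = _parse_endpoint(rest)
    return action, proto, src, dst, rest == ["established"]

def ace_matches(ace, pkt):
    action, proto, src, dst, established = ace
    # 'established' additionally requires the ACK bit, as the text describes.
    if proto not in ("ip", pkt["proto"]) or (established and not pkt["ack"]):
        return False
    for (base, wc, port), addr, pkt_port in ((src, pkt["src"], pkt["sport"]),
                                             (dst, pkt["dst"], pkt["dport"])):
        if not wildcard_match(addr, base, wc) or (port is not None and pkt_port != port):
            return False
    return True

def evaluate(acl, pkt):
    """First matching element wins; the implicit deny any any catches everything else."""
    for line in acl:
        if ace_matches(parse_ace(line), pkt):
            return line
    return "deny ip any any"  # implicit final element

# Constructed sample for the POP3 flow above: client PC 10.1.1.20, ISP mail server 192.0.2.25.
OUTBOUND = ["permit tcp 10.0.0.0 0.255.255.255 host 192.0.2.25 eq 110"]
INBOUND = ["permit tcp host 192.0.2.25 eq 110 10.0.0.0 0.255.255.255 established"]
REQUEST = dict(proto="tcp", src="10.1.1.20", sport=2113, dst="192.0.2.25", dport=110, ack=False)
REPLY = dict(proto="tcp", src="192.0.2.25", sport=110, dst="10.1.1.20", dport=2113, ack=True)
# Ordering mistake: a general deny placed first shadows the specific permit after it.
SHADOWED = ["deny tcp any any eq 110", "permit tcp host 10.1.1.20 any eq 110"]
```

Evaluating REQUEST against SHADOWED returns the general deny, and reversing the two elements returns the permit, which is the specific-to-general guideline in action; a reply from port 110 without the ACK bit falls through INBOUND to the implicit deny.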
Uncommon Protocols
Extended access lists can be used to control traffic for
IP-encapsulated protocols other than TCP and UDP. Misconfigured access lists
often cause problems for less common protocols. A group of uncommon protocols
that is gaining popularity are VPN and encryption protocols, including Layer 2
Tunneling Protocol (L2TP), Generic Routing Encapsulation (GRE), Internet Key
Exchange (IKE), Internet Security Association and Key Management Protocol
(ISAKMP), and Encapsulating Security Payload (ESP).