Re: 'established' vs. reflexive acl

From: Jeremy (jeremy19@cox.net)
Date: Wed Mar 02 2005 - 16:48:14 GMT-3


http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c3.html#38769

With Basic Access Lists
With basic standard and static extended access lists, you can approximate session filtering by using the established keyword with the permit command. The established keyword filters TCP packets based on whether the ACK or RST bits are set. (Set ACK or RST bits indicate that the packet is not the first in the session, and therefore, that the packet belongs to an established session.) This filter criterion would be part of an access list applied permanently to an interface.

With Reflexive Access Lists
Reflexive access lists, however, provide a truer form of session filtering, which is much harder to spoof because more filter criteria must be matched before a packet is permitted through. (For example, source and destination addresses and port numbers are checked, not just ACK and RST bits.) Also, session filtering uses temporary filters which are removed when a session is over. This limits the hacker's attack opportunity to a smaller time window.

Moreover, the previous method of using the established keyword was available only for the TCP upper-layer protocol. So, for the other upper-layer protocols (such as UDP, ICMP, and so forth), you would have to either permit all incoming traffic or define all possible permissible source/destination host/port address pairs for each protocol. (Besides being an unmanageable task, this could exhaust NVRAM space.)

>
> From: "John Matus" <john_matus@hotmail.com>
> Date: 2005/03/02 Wed PM 02:29:13 EST
> To: ccielab@groupstudy.com
> Subject: 'established' vs. reflexive acl
>
> i'm a bit confused about the difference between the following 2 ACL's.
>
> int e0/0
> ip access-group 101 in
> access-list 101 permit tcp any any eq telnet established
>
> AND
>
> int e0/0
> ip access-group inbound in
> ip access-group outbound out
>
> ip access-list extended inbound
> permit tcp any any eq telnet
> evaluate myreflect
>
> ip access-list extended outbound
> permit tcp any any reflect myreflect
>
>
> does the established keyword only allow a session that was initiated
> outbound then return inbound?
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
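To make the difference in the Cisco text above concrete, here is an added configuration example (written for this page; it is neither John's posted config nor Cisco's documentation text). The interface name FastEthernet0/1, the host 192.0.2.25, the list names and the timeout values are all assumptions chosen for illustration. The first list is the 'established' approach from John's question: it matches any inbound TCP segment with ACK or RST set, no matter who sent it or whether the router ever saw an outbound SYN, and it can say nothing about UDP or ICMP. The second is the reflexive form, where outbound traffic creates temporary 5-tuple entries that the inbound list evaluates and that are removed when the session ends or the timeout expires.

```cisco
! --- Approach 1: 'established' keyword (stateless) ---
! Matches only on the ACK/RST bits. A crafted packet with ACK set from
! any outside host passes, and non-TCP return traffic (DNS replies,
! ICMP echo-reply) is not covered at all.
ip access-list extended OUTSIDE-IN-ESTABLISHED
 permit tcp any any established
 deny   ip any any log
!
interface FastEthernet0/1
 description outside (untrusted) - assumed interface name
 ip access-group OUTSIDE-IN-ESTABLISHED in
!
! --- Approach 2: reflexive ACL (session filtering) ---
! Default lifetime for reflexive entries when no per-entry timeout is given.
ip reflexive-list timeout 120
!
! Applied OUT on the outside interface: every permitted outbound packet
! creates a temporary entry in REFLECTED with source/destination
! addresses and ports swapped (ICMP entries key on type/code).
ip access-list extended INSIDE-OUT
 permit tcp any any reflect REFLECTED timeout 300
 permit udp any any reflect REFLECTED timeout 30
 permit icmp any any reflect REFLECTED
 deny   ip any any log
!
! Applied IN on the outside interface: only sessions that were actually
! initiated from inside (plus any static exceptions) are permitted.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.25 eq smtp   ! assumed mail host reachable from outside
 evaluate REFLECTED
 deny   ip any any log
!
interface FastEthernet0/1
 description outside (untrusted) - assumed interface name
 ip access-group INSIDE-OUT out
 ip access-group OUTSIDE-IN in
```

Two practitioner notes. First, the `evaluate` statement is processed in order like any other entry, so static permits that must win regardless of session state go before it and the closing deny goes after it. Second, TCP reflexive entries are removed when the router sees the session close (FIN exchange or RST) or when the timeout lapses, whereas UDP and ICMP entries only ever age out; keeping their timeouts short limits the window an attacker could reuse a stale entry, which is the point the Cisco text makes about a "smaller time window".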



This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:39 GMT-3