Re: CBAC : Firewall ACL bypass

From: Piotr Matusiak <piotr_at_ccie1.com>
Date: Tue, 19 Jan 2010 18:04:40 +0100

In case of NAT there is the following order of packet processing:

Incoming traffic from Trusted to Untrusted
ACL-IN --> NAT --> Routing ---> ACL-OUT --> CBAC

Returning traffic with CBAC Bypass feature
no-ACL-IN --> NAT --> Routing --> no-ACL-OUT --> CBAC

The above example is for CBAC inspected traffic. The situation differs when
we initiate a connection from the Untrusted network towards the Trusted
network. It seems that in this case an inbound ACL is checked first. I don't
know however, how IOS checks the packet - I suppose it assumes that a SYN
packet must be checked by the inbound ACL but other packets must be checked
against the CBAC state table first.

This is my observation. I haven't found any confirmation for that on the Cisco
site yet...

Every day is a school day!

--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
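A small Python model of the two processing orders listed above, added here as an illustration and not code from Cisco or from anyone in this thread; the `CbacRouter`/`Packet` names, the constructed addresses and the (destination, port) ACL representation are my own assumptions, and NAT is left out since it does not decide the verdict.

```python
"""Toy model of the IOS CBAC packet path discussed in this thread.

Added illustration, not Cisco code: the session table is consulted first and
a hit bypasses the ACLs; a packet with no session entry (a connection started
from the outside) falls through to the inbound ACL. NAT and routing are left
out since they do not decide the verdict here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrives on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int


class CbacRouter:
    def __init__(self, outside_acl_in):
        # Inbound ACL on the untrusted interface as permitted (dst, port)
        # pairs, with the usual implicit deny at the end.
        self.outside_acl_in = set(outside_acl_in)
        # Session identifiers: reply addresses/ports plus the interface the
        # reply is expected to arrive on (as in the Cisco text quoted below).
        self.sessions = set()

    def send_from_inside(self, pkt):
        """Trusted -> untrusted: inspection records the expected reply."""
        self.sessions.add(("outside", pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "permit"

    def receive_on_outside(self, pkt):
        """Untrusted -> trusted: session table first, inbound ACL second."""
        if (pkt.iface, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return "permit (session match, ACLs bypassed)"
        if (pkt.dst, pkt.dport) in self.outside_acl_in:
            return "permit (inbound ACL)"
        return "deny (inbound ACL)"


def demo():
    # Constructed addresses: 10.1.1.0/24 is inside, 203.0.113.0/24 outside.
    rtr = CbacRouter(outside_acl_in=[("10.1.1.20", 80)])  # inside web server
    rtr.send_from_inside(Packet("inside", "10.1.1.10", 40000, "203.0.113.5", 443))
    reply = Packet("outside", "203.0.113.5", 443, "10.1.1.10", 40000)
    to_web = Packet("outside", "203.0.113.9", 51000, "10.1.1.20", 80)
    to_ssh = Packet("outside", "203.0.113.9", 51001, "10.1.1.20", 22)
    return [rtr.receive_on_outside(p) for p in (reply, to_web, to_ssh)]
```

The third verdict is the point of the thread: a connection that the outside starts never matches a session, so the inbound ACL on the untrusted interface still decides it even with ACL bypass on.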
2010/1/19 ALL From_NJ <all.from.nj_at_gmail.com>
> I agree with your logic!  I do!
>
> me = not sure.
>
> A couple of links on the order of operations ... maybe this is not related
> to FW access but when NAT is in play only.  I am not sure ...
>
> https://supportforums.cisco.com/docs/DOC-1570;jsessionid=9744E170C73CD19A3B708F4404A8607D.node0
>
> Furthermore the config guide mentions that if you have an inbound access
> list that this list must be an extended access list and must have deny
> statements for those protocols / traffic being inspected.  If the state
> table comes first, then why do you need the deny statements when using an
> inbound list?
>
>
> Again ... it is no worry to me.  I like CBAC and have used it much in the
> past when I was on the road a lot ... (several years ago I must say  ...)
> ;-)
>
> Appreciate you and your efforts Piotr!
>
> Andrew
>
>
> On Tue, Jan 19, 2010 at 10:50 AM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
>
> > ALL,
> >
> > Let's assume for a moment that an inbound ACL on the outside interface is
> > checked first and if it fails then CBAC's state table is checked. If this
> > is true, what's the value of ACL bypass? The main reason Cisco implemented
> > the ACL bypass feature was to avoid double ACL checking and performance
> > improvement.
> >
> > When ACL bypass is used, CBAC's state table is checked first and if there
> > is a match it simply allows returning packets in. Hence, there are no
> > dynamic ACEs shown anymore in the "sh ip access-list" command.
> >
> > For traffic originated from the outside, CBAC's state table has no entry
> > so this packet must be checked against the inbound ACL to be passed or denied.
> >
> >
> > I hope we're on the same page here - not talking about different things :)
> >
> > Cheers,
> >
> > --
> > Piotr Matusiak
> > CCIE #19860 (R&S, Security)
> > Technical Instructor
> > website: www.MicronicsTraining.com
> >
> > If you can't explain it simply, you don't understand it well enough -
> > Albert Einstein
> >
> >
> > 2010/1/19 ALL From_NJ <all.from.nj_at_gmail.com>
> >
> >> Interesting ...
> >>
> >>
> >> Now I have to check some links.  ;-)
> >>
> >> Piotr, not sure the state table is consulted first ... maybe this is
> >> newer behavior.
> >>
> >> The way I remembered this was that if it was permitted via an inbound
> >> access list, it was not checked via CBAC ... it was simply allowed in
> >> since the inbound access list said so.  This was needed for internal mail
> >> and web servers.
> >>
> >> If it was denied via an inbound access list, it would then have a second
> >> check via CBAC to see if it was permitted via CBAC.  In this way the
> >> access list came first.
> >>
> >> Now you no longer need the access list, this is good.  However ... I
> >> believe the order of operations is still the same.
> >>
> >> Humm ... not that it matters too much to me (as long as it works) ... but
> >> now I am more curious.
> >>
> >> When searching for order of operations, there are many links that still
> >> show an inbound ACL comes before NAT and then of course before CBAC.
> >>
> >> Any thoughts?  Appreciate your teaching me!
> >>
> >> Andrew
> >>
> >>
> >> On Tue, Jan 19, 2010 at 9:56 AM, Divin Mathew John <divinjohn_at_gmail.com>
> >> wrote:
> >>
> >> > ACL Bypass normally occurs in the direction opposite to the INSPECT!
> >> >
> >> >
> >> > On Tue, Jan 19, 2010 at 8:21 PM, Piotr Matusiak <piotr_at_ccie1.com>
> >> wrote:
> >> >
> >> >> Actually, the state table is checked before an ACL:
> >> >>
> >> >> ACL bypassing subjects the packet to one search, the inspection session
> >> >> search, during its processing path through the router. When a packet is
> >> >> subjected to a single inspection session search before the ACL checks,
> >> >> the packet is matched against the list of session identifiers that
> >> >> already exist on the interface. (Session identifiers keep track of the
> >> >> source and destination IP addresses and ports of the packets and on
> >> >> which interface the packet arrived.)
> >> >>
> >> >> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_aclby.html#wp1046054
> >> >>
> >> >> HTH,
> >> >> --
> >> >> Piotr Matusiak
> >> >> CCIE #19860 (R&S, Security)
> >> >> Technical Instructor
> >> >> website: www.MicronicsTraining.com
> >> >>
> >> >> If you can't explain it simply, you don't understand it well enough -
> >> >> Albert Einstein
> >> >>
> >> >>
> >> >> 2010/1/19 ALL From_NJ <all.from.nj_at_gmail.com>
> >> >>
> >> >> > Just to add a little here ...
> >> >> >
> >> >> > As I recall, an inbound ACL will be checked before the state table
> >> >> > and thus no existing connection is required.  This is why you would
> >> >> > add an ACL when a FW is configured on the router.
> >> >> >
> >> >> > The order of operations is important for incoming packets ... ACLs
> >> >> > can get you out of ... and into trouble.
> >> >> >
> >> >> > Andrew Lee Lissitz
> >> >> >
> >> >> >
> >> >> > On Tue, Jan 19, 2010 at 8:24 AM, Piotr Matusiak <piotr_at_ccie1.com>
> >> >> > wrote:
> >> >> >
> >> >> > > Hi,
> >> >> > >
> >> >> > > Old versions of CBAC (prior to 12.3(4)T) automatically added ACEs
> >> >> > > to the inbound ACL to permit returning traffic. Now it was changed
> >> >> > > to only check the CBAC state table in order to allow that traffic
> >> >> > > back.
> >> >> > >
> >> >> > > If you have a Web server in the inside (trusted) network and you
> >> >> > > try to get there from the outside (untrusted), you'll need an ACL on
> >> >> > > the untrusted interface (in the inbound direction) as the traffic is
> >> >> > > originated from the outside. This is normal behavior and has nothing
> >> >> > > to do with CBAC deployment.
> >> >> > >
> >> >> > > HTH,
> >> >> > > --
> >> >> > > Piotr Matusiak
> >> >> > > CCIE #19860 (R&S, Security)
> >> >> > > Technical Instructor
> >> >> > > website: www.MicronicsTraining.com
> >> >> > >
> >> >> > > If you can't explain it simply, you don't understand it well enough -
> >> >> > > Albert Einstein
> >> >> > >
> >> >> > >
> >> >> > > 2010/1/19 Ajay mehra <ajaymehra01_at_gmail.com>
> >> >> > >
> >> >> > > > Hi Guys,
> >> >> > > >
> >> >> > > > I could not understand why we bypass the ACLs when CBAC is
> >> >> > > > enabled. If we have an http server inside the trusted network
> >> >> > > > that has a client on the outside, in that case we permit the http
> >> >> > > > connection explicitly in the ACL on the outside interface;
> >> >> > > > inspection can be enabled inbound on the trusted or outbound on
> >> >> > > > the untrusted interface. If the firewall acl bypass feature is
> >> >> > > > enabled (default) then these ACLs will not be checked.  From the
> >> >> > > > configs and testing point of view I know these ACLs are checked.
> >> >> > > >
> >> >> > > > Are these ACLs which are dynamically created when CBAC inspection
> >> >> > > > is enabled different from manually defined acls ?
> >> >> > > >
> >> >> > > > Thanks,
> >> >> > > > Ajay
> >> >> > > >
> >> >> > > >
> >> >> > > > Blogs and organic groups at http://www.ccie.net
> >> >> > > >
> >> >> > > >
> >> >> > > > _______________________________________________________________________
> >> >> > > > Subscription information may be found at:
> >> >> > > > http://www.groupstudy.com/list/CCIELab.html
> >> >> > >
> >> >> > --
> >> >> > Andrew Lee Lissitz
> >> >> > all.from.nj_at_gmail.com
> >> >> >
> >> >
> >> > --
> >> >
> >> > Sent from Bangalore, KA, India
> >> >
> >>
> >> --
> >> Andrew Lee Lissitz
> >> all.from.nj_at_gmail.com
> >>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com
>
Received on Tue Jan 19 2010 - 18:04:40 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART