Network Security p7 ACL with Established Option.pptx
2. Challenges with ACLs
One of the challenges you face when using ACLs is that they do not maintain state information. Stateless devices such as routers do not track the state of TCP connections. Cisco IOS extended ACLs provide the established keyword to approximate stateful behaviour: it requires that either the ACK bit or the RST bit be set in the TCP flags of a packet.
3. It is important to understand whether the traffic originates from a trusted network and goes to an untrusted network, or vice versa. One of the tools that can help determine whether traffic originated externally, or is return traffic for a connection that was originated internally, is the establishment bit (the ACK flag checked by the established keyword). Before any data is sent or received, the TCP three-way handshake should take place: SYN, SYN-ACK, and ACK. When a packet coming into the trusted network has the ACK bit set, this means that the connection was initiated from the inside to the outside.
4. The reply packet from the server will have the TCP SYN and ACK bits set. It meets the established keyword criteria and is allowed. During this TCP connection, all packets from the server will have the ACK bit set, so the TCP connection is allowed.
5. FTP passive & Active mode
Diagram labels:
Allow
FTP passive mode: connection is established from inside
FTP standard mode (active): connection is established from outside
FTP passive mode connection starts from inside: "it is fine"
6. This case illustrates the need for a firewall that would track the state of the connection and allow both FTP standard mode and passive mode to work.
Diagram labels:
Allow
FTP passive mode: connection is established from inside
FTP active mode (standard) has an issue because the connection starts from outside
FTP server
7. Limitation of ACL with Established Option
A limitation of relying on packet filters that reference the TCP flags in the TCP header of packets: imagine the attacker in the topology wants to find out the IP addresses of hosts on the trusted side of the packet filter. Note that the ACL will not permit ping via ICMP echo requests; however, the attacker can make clever use of an "ACK scan." Instead of sending an ICMP echo request, the attacker sends a TCP packet with the ACK bit set to a destination address. Since the ACK bit is set, these packets match the established keyword in the ACL and are permitted. If a host is present at that address, it responds with a TCP reset (a TCP packet with the RST bit set). The attacker can thus perform the same sort of exploration as with an ICMP ping: if a reset response is received, the IP address is active; if not, it is not. This method is called packet crafting.
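The following toy model is an added example, not code from the slides or from Cisco IOS. It contrasts the stateless established check (ACK or RST set) with a minimal connection table that only admits inbound packets belonging to a session whose SYN left the trusted side first, and runs both over constructed packets for the cases the slides describe: the server's SYN-ACK reply, the FTP active-mode data connection, and an unsolicited inbound ACK probe. The Packet class, the filter functions and the sample addresses (documentation ranges) are all assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str           # source IP (constructed sample values)
    dst: str           # destination IP
    sport: int
    dport: int
    flags: frozenset   # TCP flags present, e.g. {"SYN", "ACK"}
    inbound: bool      # True when the packet arrives from the untrusted side

def established_permits(pkt: Packet) -> bool:
    """Stateless model of 'permit tcp any any established':
    the packet passes if the ACK or RST bit is set; nothing else is checked."""
    return bool(pkt.flags & {"ACK", "RST"})

class StatefulFilter:
    """Minimal connection table: inbound traffic is accepted only when it
    matches a session that an outbound SYN from the trusted side created."""
    def __init__(self) -> None:
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def permits(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.flags == frozenset({"SYN"}):     # inside host opens a connection
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: flags alone do not matter, only membership in the table
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def compare(packets):
    """Return {label: (established_verdict, stateful_verdict)} for each packet.
    Outbound packets are not subject to the inbound ACL, so the ACL verdict is True."""
    stateful = StatefulFilter()
    return {label: (established_permits(p) if p.inbound else True, stateful.permits(p))
            for label, p in packets}

INSIDE, OUTSIDE = "192.0.2.10", "203.0.113.5"   # constructed addresses
SAMPLE = [
    ("client SYN out",     Packet(INSIDE, OUTSIDE, 40000, 80, frozenset({"SYN"}), False)),
    ("server SYN-ACK in",  Packet(OUTSIDE, INSIDE, 80, 40000, frozenset({"SYN", "ACK"}), True)),
    # ACK probe to a host that never opened anything: passes the ACL, fails the table
    ("unsolicited ACK in", Packet(OUTSIDE, "192.0.2.20", 5555, 22, frozenset({"ACK"}), True)),
    # FTP active mode: the server opens the data connection from port 20 (SYN only).
    # Both models reject it; this toy does not inspect the FTP control channel,
    # which is what a full stateful firewall does to admit active-mode data.
    ("FTP active data in", Packet(OUTSIDE, INSIDE, 20, 40001, frozenset({"SYN"}), True)),
]

if __name__ == "__main__":
    for label, verdicts in compare(SAMPLE).items():
        print(f"{label:20s} established={verdicts[0]!s:5s} stateful={verdicts[1]}")
```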