Comments in line
> -----Original Message-----
> From: Henry Yen [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 02, 2001 3:49 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: cisco Reflexive ACL's vs. ESTablished
>
>
> greetings. back in july, 2000, BNagy and CBrenton asserted/agreed that
> cisco Reflexive ACL's (in IOS 12.0 and up), worked like this:
>
> 1. A packet leaves an interface with 'reflect' in an ACL
> 2. An entry is written into a dynamic ACL (Call this a STATE TABLE)
> with the reverse source / destination ports and IP addresses
> 3. Incoming packets are tested against this state table for source/dest
> port, source/dest IP and the presence of the ACK or RST bit. When a
> FIN packet is seen, or after a timeout period, the connection is
> timed out and removed from the state table.
>
> as is well-known, the ESTablished keyword for cisco access-lists is
> explicitly documented to test for ACK/RST. but i couldn't find
> explicit documentation that Reflexive does the same, as is proposed
> in point (3.), above. i understand that there is a reverse ACL
> entry dynamically created, but are we sure that it _also_ encompasses
> the ACK/RST checking inherent in ESTablished?
It does for TCP sessions; the _established_ keyword can only be used
w/ tcp sessions (since udp and other protocols mostly are). For the
sessionless protocol, reflexive has to rely on a timeout period, which
ain't perfect obviously.
Describing end-of-session (from
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt3/screflex.htm#xtocid87134):
"Temporary reflexive access list entries are removed at the end of the
session. For TCP sessions, the entry is removed 5 seconds after two
set FIN bits are detected, or immediately after matching a TCP packet
with the RST bit set. (Two set FIN bits in a session indicate that the
session is about to end; the 5-second window allows the session to
close gracefully. A set RST bit indicates an abrupt session close.)
Or, the temporary entry is removed after no packets of the session
have been detected for a configurable length of time (the timeout
period).
For UDP and other protocols, the end of the session is determined
differently than for TCP. Because other protocols are considered to be
connectionless (sessionless) services, there is no session tracking
information embedded in packets. Therefore, the end of a session is
considered to be when no packets of the session have been detected for
a configurable length of time (the timeout period)."
> specifically, if it doesn't, then it seems to me that there is an
> improper backchannel created, as it then would allow a remote
> server (obviously compromised) to start a "new" conversation
> as long as you could trick your protected-behind-reflexive-ACL-router
> into initiating the session. in particular, conversations such
> as UDP 53 and 123 come to mind.
Well, yeah. But, the only way to protect against that is to proxy the
connection with app-aware stuff. _Established_ won't work with UDP,
and reflexive depends on timing out the entry to protect you.
>
> i looked all over and couldn't find _explicit_ documentation stating
> that dynamic reflexive entries also have EST. in fact, a "sho ip access"
> does not include that in the reflect/evaluate dynamic ACL list.
> if you can point me to such documentation, or blow up the notion
> of this being a (very slight) exposure, i'd be very grateful.
They do say in the documentation that for tcp sessions, the same
criteria as _established_ are used to define session state. If you
need better, you'll need to go app-aware.
Henry Sieff
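To make the behaviour discussed in this thread concrete, here is a small Python model of the reflexive state table: 'reflect' installs a mirrored entry on outbound traffic, 'evaluate' permits inbound packets only if they match a live entry and, for TCP, carry ACK or RST, entries close on RST, on two FINs plus a grace period, or on idle timeout, and UDP entries have nothing but the timeout. This is an added illustration written for this page, not Cisco IOS code and not anything the posters supplied; the Packet and ReflexiveAcl classes, the 30-second idle timeout and the addresses in demo() are constructed for the example.

```python
"""Toy model of Cisco reflexive ACL dynamic entries (constructed example, not IOS code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# TCP flag bits as laid out in the TCP header
FIN, RST, ACK, SYN = 0x01, 0x04, 0x10, 0x02


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int = 0    # TCP flags; ignored for udp
    ts: float = 0.0   # arrival time in seconds on a constructed clock


Key = Tuple[str, str, int, str, int]   # proto, src_ip, src_port, dst_ip, dst_port


@dataclass
class Entry:
    last_seen: float
    fins_seen: int = 0
    close_at: Optional[float] = None   # set once two FINs have been seen


class ReflexiveAcl:
    """Models 'reflect' (outbound) and 'evaluate' (inbound) on one interface."""

    def __init__(self, idle_timeout: float = 300.0, fin_grace: float = 5.0):
        self.idle_timeout = idle_timeout   # assumed default; IOS default is configurable
        self.fin_grace = fin_grace         # the 5-second window from the doc quoted above
        self.table: Dict[Key, Entry] = {}

    def _expire(self, now: float) -> None:
        dead = [k for k, e in self.table.items()
                if (e.close_at is not None and now >= e.close_at)
                or now - e.last_seen >= self.idle_timeout]
        for k in dead:
            del self.table[k]

    def _note_fin(self, key: Key, now: float) -> None:
        e = self.table[key]
        e.fins_seen += 1
        if e.fins_seen >= 2 and e.close_at is None:
            e.close_at = now + self.fin_grace

    def outbound(self, pkt: Packet) -> None:
        """'reflect': install or refresh the mirrored entry for the return traffic."""
        self._expire(pkt.ts)
        key: Key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self.table.get(key)
        if entry is None:
            entry = self.table[key] = Entry(last_seen=pkt.ts)
        entry.last_seen = pkt.ts
        if pkt.proto == "tcp" and pkt.flags & FIN:
            self._note_fin(key, pkt.ts)

    def inbound(self, pkt: Packet) -> bool:
        """'evaluate': permit only packets matching a live entry (plus ACK/RST for TCP)."""
        self._expire(pkt.ts)
        key: Key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        entry = self.table.get(key)
        if entry is None:
            return False
        if pkt.proto == "tcp":
            if not pkt.flags & (ACK | RST):     # same test the established keyword makes
                return False
            if pkt.flags & RST:                 # abrupt close: entry goes immediately
                del self.table[key]
                return True
            entry.last_seen = pkt.ts
            if pkt.flags & FIN:
                self._note_fin(key, pkt.ts)
            return True
        entry.last_seen = pkt.ts                # udp: no flags to test, timeout only
        return True


def demo() -> Dict[str, bool]:
    """Runs the scenarios from the thread; every value is True when the model behaves as described."""
    acl = ReflexiveAcl(idle_timeout=30.0)
    inside, web, dns = "10.0.0.5", "203.0.113.10", "203.0.113.53"   # constructed addresses
    r: Dict[str, bool] = {}
    # TCP: outbound SYN installs the mirrored entry; inbound must carry ACK or RST
    acl.outbound(Packet("tcp", inside, 40000, web, 80, flags=SYN, ts=0))
    r["tcp_syn_only_denied"] = not acl.inbound(Packet("tcp", web, 80, inside, 40000, flags=SYN, ts=1))
    r["tcp_synack_permitted"] = acl.inbound(Packet("tcp", web, 80, inside, 40000, flags=SYN | ACK, ts=1))
    r["tcp_other_port_denied"] = not acl.inbound(Packet("tcp", web, 81, inside, 40000, flags=ACK, ts=2))
    r["tcp_rst_clears_entry"] = (acl.inbound(Packet("tcp", web, 80, inside, 40000, flags=RST, ts=3))
                                 and not acl.inbound(Packet("tcp", web, 80, inside, 40000, flags=ACK, ts=4)))
    # TCP: two FINs start the 5-second grace window, after which the entry is gone
    acl.outbound(Packet("tcp", inside, 40001, web, 80, flags=SYN, ts=100))
    acl.inbound(Packet("tcp", web, 80, inside, 40001, flags=SYN | ACK, ts=101))
    acl.inbound(Packet("tcp", web, 80, inside, 40001, flags=FIN | ACK, ts=102))
    acl.outbound(Packet("tcp", inside, 40001, web, 80, flags=FIN | ACK, ts=103))
    r["tcp_fin_grace"] = (acl.inbound(Packet("tcp", web, 80, inside, 40001, flags=ACK, ts=105))
                          and not acl.inbound(Packet("tcp", web, 80, inside, 40001, flags=ACK, ts=109)))
    # UDP: the reply is allowed, and so is anything the server sends on that 5-tuple before idle timeout
    acl.outbound(Packet("udp", inside, 53000, dns, 53, ts=10))
    r["udp_reply_permitted"] = acl.inbound(Packet("udp", dns, 53, inside, 53000, ts=11))
    r["udp_unsolicited_within_timeout"] = acl.inbound(Packet("udp", dns, 53, inside, 53000, ts=25))
    r["udp_closed_after_idle"] = not acl.inbound(Packet("udp", dns, 53, inside, 53000, ts=60))
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The UDP scenario is the exposure raised in the thread: once the inside host has sent a query, any packet from the server's port to the client's port is accepted until the entry idles out, and each accepted packet refreshes the timer. For TCP the ACK/RST test shuts the same door, which is why the reply says app-aware proxying is the only real answer for UDP.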
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]