Filtering Packets with Access Control Lists

You can use access control lists (ACL) to permit or deny requests to services that are available within your network. You can apply ACLs to packets entering or leaving a firewall interface. Two forms of filters exist: stateless and stateful session ACLs. Firewalls that you enable with stateless ACLs treat each packet as an individual entity. Because stateless ACLs do not track transport connection information, routers apply the ACL to every packet regardless of the transport flow the packet is part of. Conversely, stateful session ACLs track flows to ensure that packets belong to a valid flow before filtering takes place.

Note

Firewalls can track TCP flows by inspecting the TCP flags and sequence numbers in the TCP segment header. Although UDP is connectionless, firewalls approximate UDP "connections" by examining the IP addresses and ports in the UDP segment and matching packets with the same UDP packet information. The firewall or router considers packets to be part of the same UDP connection if it receives UDP packets with the same IP addresses and UDP ports within the same approximate timeframe.

Stateful session ACLs are useful for filtering that is based on TCP/IP when you need to know the direction that the connection originates from. For example, your internal users may require access to an FTP site on the Internet, but you should block incoming FTP access to your internal network from the Internet. You cannot achieve this type of access control using stateless ACLs. Instead, you can use basic ACLs, reflexive ACLs, context-based access control (CBAC), or Cisco PIX firewalls, because these protocols use stateful inspection.

With stateful inspection, when your workstation sends an outgoing TCP SYN segment to an external resource, the firewall creates a temporary incoming ACL entry for your return traffic. The entry contains the same IP addresses and TCP port numbers as your outgoing request but with the source and destination values swapped. Figure 4-1 illustrates how firewalls implement stateful ACLs. In this example, the firewall is performing static source Network Address Translation (NAT), translating your client private IP 10.1.1.5 to the registered IP 209.165.200.225. When the server responds to your TCP SYN segment, it uses the registered IP in its TCP SYN-ACK response. This example configures the firewall to block all incoming traffic on interface Ethernet 0. However, the outgoing connection in this example creates a temporary incoming rule to permit return traffic to the inside user.

Figure 4-1. Stateful ACL Operation

Note

Temporary ACLs approximate stateful inspection using a temporary incoming ACL entry. To perform true stateful inspection, Cisco devices maintain entries for individual flows in state tables. You will learn about state maintenance with session filtering later in this section.

Cisco supports three types of stateful ACLs:

• Basic Access Lists Basic ACLs do not automatically create temporary incoming entries for your return traffic. You must manually configure basic ACLs on your Cisco IOS firewall to approximate stateful session filtering by using the established keyword within permit ACL entries. The established keyword permits incoming TCP segments with their ACK or RST flag setsegments with these flags set indicate that they are not the first packet in the session. For example, the extended ACL entry access-list 101 permit 10.1.1.0 0.0.0.255 any established, when applied to incoming packets on the outside interface of the firewall in Figure 4-1, permits return packets of established TCP connections to your inside network in the subnet 10.1.1.0/24

• IP Session Filtering (Reflexive ACLs) IP session filters create temporary ACL entries for incoming TCP traffic. Example 4-1 illustrates how you can configure IP session filters. The outgoing named ACL outsession defines the entry to trigger the temporary incoming rule. You must give a name to your reflexive ACL entry; this example calls it tcpreflect. The incoming rule insession defines the ACL that denies all incoming traffic in this example. You can add specific entries to this rule if you would like to permit other types of traffic into your network (for example, you may want to allow incoming FTP access to your network). Use the evaluate statement to permit return traffic from established connections into your network. Use the command ip reflexive-list timeout to set the amount of time during which temporary entries will remain active without any traffic activity from the TCP session.

  Example 4-1. Configuring IP Session Filters

  interface FastEthernet 0/1 ip access-group insession in ip access-group outsession out ! ip reflexive-list timeout 120 ! ip access-list extended outsession permit tcp any any reflect tcpreflect ! ip access-list extended insession deny ip any any evaluate tcpreflect

  Temporary ACL entries store 5-Tuples (that is, protocol, source port, source IP address, destination port, and destination IP address) in RAM but do not store TCP connection state information including TCP flags and sequence numbers in RAM. Use the Cisco IOS Context Based Access Control (CBAC) firewall feature or PIX Firewall ACLs if you need your sessions stored in RAM.

• Cisco IOS Context Based Access Control (CBAC) firewall feature and PIX Firewall ACLs You can use CBAC or PIX firewalls to perform true stateful session filtering. When your users initiate new connections from the inside, the firewall first creates a session entry in its state table. The router then creates a temporary entry for return traffic. The benefit of maintaining the connection state in RAM is that the firewall is able to look further into the content within the connection using application layer inspection. The drawback is that your firewalls require much more memory to store the state table.

Note

Firewall load balancing is available to you as a content networking security service. See Chapter 11, "Switching Secured Content," for more information on firewall load balancing.