10.4 Session Filtering
10.4.1 Using extended access lists with the established argument
Network administrators have long been faced with a difficult problem -- how to prevent outsiders from connecting at will to inside hosts, while at the same time allowing insiders to connect at will to outside hosts. In other words, how do you allow invited traffic in and keep uninvited traffic out?

Many firewalls (including the Cisco IOS) offer a partial solution to this problem. If the traffic in question uses TCP at Layer 4, the firewall can filter traffic based on the 6 TCP code bits. The 6 TCP code bits are URG (Urgent), ACK (Acknowledgment), PSH (Push), RST (Reset), SYN (Synchronization), and FIN (Finish). IP hosts use the TCP code bits to perform the three-way handshake and other connection-oriented communications. The three-way handshake uses the SYN and ACK bits (see the figure).

The first segment of the three-way handshake is sent with the SYN bit set to 1 and the ACK and RST bits set to 0. From the second part of the handshake onward, every subsequent TCP header in that conversation stream has either the ACK or the RST bit set to 1. Thus, traffic that was invited into your network will always have one of these bits set to 1; such traffic is considered part of an established connection. Uninvited traffic (the initial packet of a three-way handshake) will have only the SYN bit set to 1.

Using the Cisco IOS, you can configure an extended access list to match a packet based on whether it is part of an established connection. The access list checks whether the ACK or RST bit is set to 1. If neither is set, the packet is not considered part of an established connection and does not match the statement. The established argument is used with the tcp keyword in an extended access list, as shown here:

router(config)#access-list access-list-number permit tcp source-address source-mask destination-address destination-mask established

After configuring this statement, you should then configure an explicit deny or use the implicit deny to filter traffic that is not established. This example shows a possible established configuration.

access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 permit icmp any any
access-list 101 permit udp any any eq 53
access-list 101 deny ip any 192.168.1.0 0.0.0.255
access-list 101 permit ip any any

Application of the established argument is limited to TCP traffic, which means that UDP, ICMP, and all other IP protocols are not matched by this keyword. In the example above, additional access list statements permit all ICMP traffic and UDP traffic to port 53 into the 192.168.1.0/24 network (and any other network). If these protocols were not permitted, key services such as DNS (UDP 53) could be blocked because they do not match the established keyword. Be aware that the any keywords do not present a secure configuration, because many network security breaches occur using UDP, and many denial-of-service attacks occur using ICMP. Of course, you could configure tighter security for protocols other than TCP, but this would require careful planning and implementation, possibly involving dozens of complex statements. The Cisco IOS offers a new feature called reflexive access lists as a way to permit only invited IP traffic, regardless of whether that traffic uses TCP, UDP, or another Internet protocol. Reflexive access lists are discussed in the next section.
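To make the matching rules concrete, here is an added example (not Cisco code, and not part of the original text) that parses the five access-list 101 lines above and evaluates sample packets against them the way the text describes: Cisco wildcard masks, top-down first-match evaluation, the implicit deny, and the established keyword matching only TCP segments with ACK or RST set. The packet dictionaries and the addresses 203.0.113.5 and 192.168.1.10 are constructed for the example.

```python
import ipaddress

ACL_101 = """
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 permit icmp any any
access-list 101 permit udp any any eq 53
access-list 101 deny ip any 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
""".strip().splitlines()  # the page's ACL, evaluated top down like IOS does

def parse_entry(line):
    """Turn one access-list line into a dict; 'any' is 0.0.0.0 with an all-ones wildcard."""
    tok = line.split()
    e, i = {"action": tok[2], "proto": tok[3], "dport": None}, 4
    for side in ("src", "dst"):
        if tok[i] == "any":
            e[side], e[side + "_wc"], i = "0.0.0.0", "255.255.255.255", i + 1
        else:
            e[side], e[side + "_wc"], i = tok[i], tok[i + 1], i + 2
    rest = tok[i:]  # optional trailing keywords: 'eq <port>' and/or 'established'
    e["established"] = "established" in rest
    if "eq" in rest:
        e["dport"] = int(rest[rest.index("eq") + 1])
    return e

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl_lines, pkt):
    """Return the action of the first matching entry; no match falls to the implicit deny."""
    for e in map(parse_entry, acl_lines):
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], e["src"], e["src_wc"])
                and wildcard_match(pkt["dst"], e["dst"], e["dst_wc"])):
            continue
        if e["dport"] is not None and pkt.get("dport") != e["dport"]:
            continue
        # 'established' matches only TCP segments with ACK or RST set; a bare SYN never does.
        if e["established"] and not ({"ACK", "RST"} & pkt.get("flags", set())):
            continue
        return e["action"]
    return "deny"

if __name__ == "__main__":
    # Constructed sample: outside host 203.0.113.5 opens a connection to inside host 192.168.1.10.
    syn = {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.1.10", "dport": 22, "flags": {"SYN"}}
    print(evaluate(ACL_101, syn))  # -> deny (falls through line 1 to the explicit deny on line 4)
```

Running the same inside host's return traffic through it shows the asymmetry the text relies on: a SYN-ACK or RST from outside is permitted by line 1, while a UDP datagram to any inside port other than 53 lands on the deny line, because `eq 53` in `permit udp any any eq 53` matches the destination port only.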