Network administrators have long been faced with a difficult problem: how to prevent outsiders from connecting at will to inside hosts, while at the same time allowing insiders to connect at will to outside hosts. In other words, how do you allow invited traffic in and keep uninvited traffic out?

Many firewalls (including the Cisco IOS) offer a partial solution to this problem. If the traffic in question uses TCP at Layer 4, the firewall can filter traffic based on the 6 TCP code bits. The 6 TCP code bits are URG (Urgent), ACK (Acknowledgment), PSH (Push), RST (Reset), SYN (Synchronization), and FIN (Finish). IP hosts use the TCP code bits to perform the three-way handshake and other connection-oriented communications. The three-way handshake uses the SYN and ACK bits (see the figure).
The first packet of the three-way handshake is sent with the SYN bit set to 1 and the ACK and RST bits set to 0. From the second part of the handshake onward, every TCP header in that conversation stream has either the ACK or the RST bit set to 1. Thus, traffic that is invited into your network will always have one of these bits set to 1, and such traffic is considered part of an established connection. Uninvited traffic (the initial packet of a three-way handshake) will have only the SYN bit set to 1.
Using the Cisco IOS, you can configure an extended access list to match a packet based on whether it is part of an established connection. The access list looks for an ACK or RST bit set to 1. If it does not find one, it does not consider the packet part of an established connection, and the packet does not match the statement. The established argument is used with the tcp keyword in an extended access list, as shown here:

router(config)#access-list access-list-number permit tcp source-address source-mask destination-address destination-mask established
After configuring this statement, you should then configure an explicit deny or use the implicit deny to filter traffic that is not established. This example shows a possible established configuration.

access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 permit icmp any any
access-list 101 permit udp any any eq 53
access-list 101 deny ip any 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
Application of the established argument is limited to TCP traffic, which means that UDP, ICMP, and all other IP protocols are not matched by this keyword. In the example above, additional access list statements permit all ICMP traffic, and UDP traffic to port 53, into the 192.168.1.0/24 network (and any other network). If these protocols were not permitted, key services such as DNS (UDP 53) could be blocked because they do not match the established keyword.
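The matching logic described above, as an added example that is not part of the original text: a small Python model of access-list 101 that applies Cisco wildcard masks and the established test (ACK or RST set to 1) to constructed inbound packets, so you can see which packets the list permits and which fall through to the deny line. The Packet class and the tuple layout used for the list entries are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass

# TCP code bits as laid out in the flags byte of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass
class Packet:           # constructed model of an inbound packet (assumption)
    proto: str          # "tcp", "udp" or "icmp"
    dst: str            # destination IPv4 address
    dport: int = 0      # destination port (TCP/UDP only)
    tcp_flags: int = 0  # TCP code bits (TCP only)

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: bits set to 1 in the mask are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def is_established(flags: int) -> bool:
    """The 'established' keyword matches only when ACK or RST is set."""
    return bool(flags & (ACK | RST))

# access-list 101 from the text, as (action, protocol, dst network,
# dst wildcard, dst port or None, established?). Every line uses a source
# of "any", so only the destination is checked in this model.
ACL_101 = [
    ("permit", "tcp",  "192.168.1.0", "0.0.0.255",       None, True),
    ("permit", "icmp", "0.0.0.0",     "255.255.255.255", None, False),
    ("permit", "udp",  "0.0.0.0",     "255.255.255.255", 53,   False),
    ("deny",   "ip",   "192.168.1.0", "0.0.0.255",       None, False),
    ("permit", "ip",   "0.0.0.0",     "255.255.255.255", None, False),
]

def evaluate(pkt: Packet, acl=ACL_101) -> str:
    """First matching line wins; an empty or exhausted list is the implicit deny."""
    for action, proto, net, wc, port, est in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not wildcard_match(pkt.dst, net, wc):
            continue
        if port is not None and pkt.dport != port:
            continue
        if est and not is_established(pkt.tcp_flags):
            continue  # an uninvited SYN falls through to the deny line
        return action
    return "deny"
```

Note that a UDP packet to any port other than 53 headed for 192.168.1.0/24 is denied, while the same packet to any other destination is permitted by the final line.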
Be aware that the any keywords do not present a secure configuration because many network security breaches occur using UDP, and many denial-of-service attacks occur using ICMP. Of course, you could have configured tighter security for protocols other than TCP, but this would require careful planning and implementation, possibly involving dozens of complex statements. The Cisco IOS offers a new feature called reflexive access lists as a way to permit only invited IP traffic, regardless of whether that traffic uses TCP, UDP, or another Internet protocol. Reflexive access lists are discussed in the next section.