----------------------------------
Reflexive access lists can be included in a firewall defense. They should not be confused with a true firewall, but they give departments another tool to protect their networks. They provide a level of security against spoofing and certain denial-of-service attacks, and they can give departments much more control over the kinds of traffic that enter their network.
What is a Reflexive Access List?
--------------------------------
Reflexive access lists are access rules configured on a router that permit IP traffic for sessions originating within your network but deny IP traffic for sessions originating outside your network.
If an inside user starts a session with a remote address, the reflexive access list will remember that remote address and allow it to send traffic back to the inside network during the session. An outside address that has not received a connection request from inside will be blocked.
Technical Details:
--------------------------------
How Do Reflexive Access Lists Work?
Reflexive access lists are similar in many ways to other access lists. They contain condition statements (entries) that define criteria for permitting IP packets. Reflexive access lists contain only temporary entries; these entries are automatically created when a new IP session begins (for example, with an outbound packet), and the entries are removed when the session ends.
Reflexive access lists, however, provide a truer form of session filtering, which is much harder to spoof because more filter criteria must be matched before a packet is permitted through. (For example, source and destination addresses and port numbers are checked, not just the ACK and RST bits.) Session filtering also uses temporary filters, which are removed when a session is over. This limits the hacker's attack opportunity to a smaller time window.
A reflexive access list is triggered when a new IP session (such as TCP or UDP) is initiated from inside your network, with a packet destined to a point outside your network. This triggers the reflexive access list and it generates a new, temporary entry. This entry tracks the session and will permit traffic to enter your network if the traffic is part of a remembered session. If there is traffic attempting to enter your network that is not part of the session, it will not be permitted.
For example: if you request a web page (http://www.arizona.edu) using your browser over port 80, the web page information and images will be displayed because you requested them. The reflexive access list added that request to its list and waited for the response to that request to allow the return of the web page information.
A temporary reflexive access list entry has the following inbound and outbound characteristics:
- The entry is always an entry that permits inbound access.
- The entry specifies the same protocol as the original outbound packet.
- The entry specifies the same source and destination addresses as the original outbound packet, except the addresses are swapped.
- The entry also specifies the same source and destination port numbers as the original outbound packet, except the port numbers are swapped.**
- Inbound traffic is evaluated against the entry, until the entry expires.
- If an inbound packet matches the entry, the inbound packet will be forwarded into your network.
- An entry will expire (and be removed) after the last packet of a particular session passes through the interface.
- If no packets belonging to the session are detected for a configurable length of time (the timeout period), the entry will expire.
** This characteristic applies only to TCP and UDP packets. Other protocols, such as ICMP and IGMP, do not have port numbers, so other criteria are specified; for ICMP, for example, type numbers are used instead.
By session information, we are talking about packet source and destination port information, addresses, and types (echo, echo reply, traceroute, etc.). For example, web traffic is usually destined for TCP port 80, telnet is destined for TCP port 23, etc. A session, or a flow, is defined by the following:
- Destination IP address
- Source IP address
- Protocol Type (TCP/UDP/ICMP)
- Destination Port
- Source Port
- ICMP Type (applies only to ICMP)
When does the Session End?
Temporary reflexive access list entries are removed at the end of the session. For TCP sessions, the entry is removed 5 seconds after two set FIN (final) bits are detected, or immediately after matching a TCP packet with the RST (reset) bit set. (Two set FIN bits in a session indicate that the session is about to end; the 5-second window allows the session to close gracefully. A set RST bit indicates an abrupt session close.) The temporary entry is also removed after no packets of the session have been detected for a configurable length of time (the timeout period).
For UDP and other protocols, the end of the session is determined differently than for TCP. Because these protocols are considered connectionless (sessionless) services, there is no session tracking information embedded in the packets. Therefore, the session is considered to be over when no packets of the session have been detected for a configurable length of time (the timeout period).
Restrictions using Reflexive Access Lists
Reflexive access lists do not work with some applications that change port numbers during a session. For example, if the port numbers for a return packet are different from those of the originating packet, the return packet will be denied, even if the packet is actually part of the same session. FTP is an example of a TCP application with changing port numbers. With reflexive access lists, if you start an FTP request from within your network, the request will not complete. You must configure your application to use passive FTP when originating requests from within your network through reflexive access lists.
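The mechanism described above (a temporary entry created from an outbound packet with addresses and ports swapped, inbound traffic matched against it, and removal after two FINs, on RST, or after the idle timeout), together with the FTP restriction, as an added Python model that is not part of the original page and is not Cisco's implementation; the `Packet` record, the addresses and the 300-second idle timeout are constructed values:

```python
from collections import namedtuple
FIN_GRACE = 5  # seconds an entry lingers after the second FIN, as described above
# Constructed packet record (TCP/UDP only; ICMP type matching is left out).
Packet = namedtuple("Packet", "proto src dst sport dport fin rst", defaults=(False, False))

class ReflexiveAcl:
    def __init__(self, timeout=300):
        self.timeout = timeout   # idle timeout period; 300 s is an assumed value
        self.entries = {}        # reflected 5-tuple -> {"last": t, "fins": n, "close": t|None}

    def _expire(self, now):
        for key, e in list(self.entries.items()):
            if now - e["last"] >= self.timeout or (e["close"] is not None and now >= e["close"]):
                del self.entries[key]

    def _track(self, key, p, now):
        e = self.entries[key]
        e["last"] = now
        if p.rst:                    # RST: abrupt close, entry removed at once
            del self.entries[key]
        elif p.fin:                  # second FIN: entry lives FIN_GRACE more seconds
            e["fins"] += 1
            if e["fins"] >= 2 and e["close"] is None:
                e["close"] = now + FIN_GRACE

    def outbound(self, p, now):
        # A packet leaving the network creates (or refreshes) the entry with addresses/ports swapped.
        self._expire(now)
        key = (p.proto, p.dst, p.src, p.dport, p.sport)
        self.entries.setdefault(key, {"last": now, "fins": 0, "close": None})
        self._track(key, p, now)
        return True

    def inbound(self, p, now):
        # Inbound traffic is permitted only while it matches a live entry.
        self._expire(now)
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        if key not in self.entries:
            return False             # not part of a remembered session: denied
        self._track(key, p, now)
        return True

def demo():
    # Web request out; reply in (permitted); FTP-style data connection on another port (denied); reply after idle timeout (denied).
    acl = ReflexiveAcl()
    acl.outbound(Packet("tcp", "10.1.1.5", "203.0.113.10", 40000, 80), 0)
    reply = Packet("tcp", "203.0.113.10", "10.1.1.5", 80, 40000)
    data_ch = Packet("tcp", "203.0.113.10", "10.1.1.5", 20, 40000)
    return acl.inbound(reply, 1), acl.inbound(data_ch, 1), acl.inbound(reply, 400)
```

The `timeout` argument plays the role of the configurable timeout period, and `demo()` returns `(True, False, False)` for the three inbound packets it tries.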