Benefits of Reflexive Access Lists

----------------------------------

Reflexive access lists can be included in a firewall defense. They should not be confused with a true firewall, but they will provide departments with another tool to protect their networks. They provide a level of security against spoofing and certain denial-of-service attacks. Reflexive access lists can give departments much more control over the kinds of traffic that enter their network.


What is a Reflexive Access List?

--------------------------------

Reflexive access lists are access rules configured at a router that permit IP traffic for sessions originating within your network but deny IP traffic for sessions originating outside your network. If an inside user starts a session with a remote address, the reflexive access list will remember that remote address and allow it to send traffic back to the inside network for the duration of the session. An outside address that has not received a connection request from inside will be blocked.


Technical Details:

--------------------------------


How Do Reflexive Access Lists Work?


Reflexive access lists are similar in many ways to other access lists. They contain condition statements (entries) that define criteria for permitting IP packets. Reflexive access lists, however, contain only temporary entries; these entries are created automatically when a new IP session begins (for example, with an outbound packet), and they are removed when the session ends.


Compared with simple filtering on TCP flags, reflexive access lists provide a truer form of session filtering, which is much harder to spoof because more filter criteria must be matched before a packet is permitted through. (For example, source and destination addresses and port numbers are checked, not just the ACK and RST bits.) Session filtering also uses temporary filters, which are removed when a session is over. This limits the hacker's attack opportunity to a smaller time window.


A reflexive access list is triggered when a new IP session (such as TCP or UDP) is initiated from inside your network with a packet destined for a point outside your network. The trigger generates a new, temporary entry. This entry tracks the session and permits traffic to enter your network only if that traffic is part of the remembered session.


Traffic attempting to enter your network that is not part of a remembered session will not be permitted.


For example:

If you request a web page (http://www.arizona.edu) using your browser over port 80, the web page information and images will be displayed because you requested them. The reflexive access list added that outbound request to its list and waited for the response to that request, allowing the web page information to return.


A temporary reflexive access list entry has the following inbound and outbound characteristics:


- The entry is always an entry that permits inbound access.

- The entry specifies the same protocol as the original outbound packet.

- The entry specifies the same source and destination addresses as the original outbound packet, except the addresses are swapped.

- The entry also specifies the same source and destination port numbers as the original outbound packet, except the port numbers are swapped**.

- Inbound traffic is evaluated against the entry until the entry expires.

- If an inbound packet matches the entry, the inbound packet will be forwarded into your network.

- An entry will expire (and be removed) after the last packet of a particular session passes through the interface.

- If no packets belonging to the session are detected for a configurable length of time (the timeout period), the entry will expire.


** (This entry characteristic applies only to TCP and UDP packets. Other protocols, such as ICMP and IGMP, do not have port numbers, so other criteria are specified. For example, ICMP entries use type numbers instead.)


What is Session Information?


By session information, we mean packet source and destination port information, addresses, and types (echo, echo reply, traceroute, etc.). For example, web traffic is usually destined for TCP port 80, telnet is destined for TCP port 23, etc. A session, or a flow, is defined by the following:


- Destination IP address

- Source IP address

- Protocol Type (TCP/UDP/ICMP)

- Destination Port

- Source Port

- ICMP Type (applies only to ICMP)


When does the Session End?


Temporary reflexive access list entries are removed at the end of the session. For TCP sessions, the entry is removed 5 seconds after two set FIN (final) bits are detected, or immediately after matching a TCP packet with the RST (reset) bit set. (Two set FIN bits in a session indicate that the session is about to end; the 5-second window allows the session to close gracefully. A set RST bit indicates an abrupt session close.) The temporary entry is also removed after no packets of the session have been detected for a configurable length of time (the timeout period).


For UDP and other protocols, the end of the session is determined differently than for TCP. Because these protocols are considered connectionless (sessionless) services, there is no session tracking information embedded in the packets. Therefore, the session is considered to be over when no packets of the session have been detected for a configurable length of time (the timeout period).


Restrictions using Reflexive Access Lists


Reflexive access lists do not work with some applications that change port numbers during a session. If the port numbers of a return packet differ from those of the originating packet, the return packet will be denied, even if the packet is actually part of the same session.


FTP is an example of a TCP application with changing port numbers. With reflexive access lists, if you start an active-mode FTP request from within your network, the request will not complete. Instead, you must configure your application to use passive FTP when originating requests from within your network through reflexive access lists.
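As an added example (not code from the original page or from any router vendor), the following Python model ties together the temporary-entry characteristics, the session-end rules, and the FTP restriction described above: an outbound packet creates an inbound-permit entry with addresses and ports swapped, inbound packets are forwarded only on an exact match, an RST removes the entry at once, two FINs remove it 5 seconds later, and idle entries expire after the timeout. Addresses, ports, clock values and the default timeout are constructed for illustration; ICMP type matching is left out.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Packet:
    proto: str          # "tcp" or "udp" (ICMP type matching is not modelled)
    src: str
    dst: str
    sport: int
    dport: int
    fin: bool = False   # TCP FIN flag set
    rst: bool = False   # TCP RST flag set

@dataclass
class Entry:
    key: Tuple[str, str, str, int, int]
    last_seen: float
    fins: int = 0                     # FIN bits seen in either direction
    close_at: Optional[float] = None  # set once two FINs have been seen

class ReflexiveACL:
    def __init__(self, timeout: float = 300.0):
        self.timeout = timeout        # idle timeout in seconds (constructed default)
        self.entries: Dict[tuple, Entry] = {}

    def outbound(self, p: Packet, now: float) -> None:
        # An outbound packet creates (or refreshes) an inbound-permit entry with the
        # same protocol and the source/destination addresses and ports swapped.
        key = (p.proto, p.dst, p.src, p.dport, p.sport)
        e = self.entries.setdefault(key, Entry(key, now))
        e.last_seen = now
        self._note_flags(e, p, now)

    def inbound(self, p: Packet, now: float) -> bool:
        # Inbound traffic is forwarded only if it matches a live entry exactly.
        self._expire(now)
        e = self.entries.get((p.proto, p.src, p.dst, p.sport, p.dport))
        if e is None:
            return False   # unsolicited, or ports changed mid-session (e.g. active FTP)
        e.last_seen = now
        self._note_flags(e, p, now)
        return True

    def _note_flags(self, e: Entry, p: Packet, now: float) -> None:
        if p.rst:                       # RST: abrupt close, remove immediately
            self.entries.pop(e.key, None)
        elif p.fin:
            e.fins += 1
            if e.fins >= 2:             # two FINs: remove 5 s later
                e.close_at = now + 5.0

    def _expire(self, now: float) -> None:
        for k, e in list(self.entries.items()):
            if (e.close_at is not None and now >= e.close_at) or now - e.last_seen >= self.timeout:
                del self.entries[k]
```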