
Session filtering using reflexive access lists

In document Cisco Ios Access Lists pdf (Page 75-79)

Chapter 3. Implementing Security Policies

3.2 Packet filtering and firewalls

3.2.11 Session filtering using reflexive access lists

Reflexive access lists are available on IOS Versions 11.3 and up.

Reflexive access lists can be used to exercise a tight level of control over individual client and server sessions. Let's look at the network in Figure 3.11 to show how they can be used.

Figure 3.11. A proxy server with Internet access

This network diagram shows a proxy server with Internet access. A proxy server is a system that makes connections and service requests on behalf of other hosts and forwards the results back to the requesting hosts. Let's say that this proxy server requires full access on all TCP ports to the Internet. The following access lists and interface statements implement this policy:

! access list out to the proxy server from the Internet
ip access-list extended out-to-server
 permit tcp any host 192.168.35.1 gt 1023
! access list out to the Internet from the proxy server
ip access-list extended out-to-Internet
 permit tcp host 192.168.35.1 any
! interface statements
interface Ethernet 0
 ip access-group out-to-server out
interface serial 1
 ip access-group out-to-Internet out

While these access lists implement our policy, they leave the proxy server vulnerable to probes of ports greater than 1023. A cracker could check these ports for services that can be exploited. Since a number of proxy services default to ports greater than 1023, an open proxy port could be used by an intruder to access hosts on the other side of the proxy server or to attack other systems on the Internet.

Using the established qualifier can help with this problem:

! access list out to the proxy server from the Internet
ip access-list extended out-to-server
 permit tcp any host 192.168.35.1 established
! access list out to the Internet from the proxy server
ip access-list extended out-to-Internet
 permit tcp host 192.168.35.1 any
! interface statements
interface Ethernet 0
 ip access-group out-to-server out
interface serial 1
 ip access-group out-to-Internet out

Changing the access list out-to-server eliminates the direct probes, but crackers can still pump in traffic to the proxy server as long as they set the ACK bit on packets.

Reflexive access lists take care of this problem by automatically creating an access list entry for each TCP connection that is established. We would configure the access list in the following way:

! access list out to the Internet from the proxy server
ip access-list extended out-to-Internet
 permit tcp host 192.168.35.1 any
 evaluate tcp-connections
! access list in from the Internet
ip access-list extended in-from-Internet
 permit tcp any any reflect tcp-connections
! interface statements
interface serial 1
 ip access-group out-to-Internet out
 ip access-group in-from-Internet in

The evaluate entry in the access list out-to-Internet says that when a TCP connection is created, the router creates an entry in the reflexive access list tcp-connections that allows only traffic for that particular connection. The reflect entry in the access list in-from-Internet makes the access list compare each packet against the entries that have been created in tcp-connections. As an example, let's say that the proxy server sets up a TCP connection from source port 3456 to port 80 on host 172.30.45.1. In response to this connection, the router would set up the following entry in the reflexive access list:

permit tcp host 172.30.45.1 eq www host 192.168.35.1 eq 3456

The show ip access-list command would yield:

Extended IP access list out-to-Internet
    permit tcp host 192.168.35.1 any
    evaluate tcp-connections
Extended IP access list in-from-Internet
    permit tcp any any reflect tcp-connections
Reflexive IP access list tcp-connections
    permit tcp host 172.30.45.1 eq www host 192.168.35.1 eq 3456 (6 matches) (time left 119 seconds)

The only way to get packets into the proxy server is to use these specific source and destination ports and source and destination IP addresses. This access list entry disappears when the TCP connection is shut down: the router looks for the FIN packets requesting that the connection be closed and then removes the entry. If a TCP connection is torn down before FIN packets can be sent, the entry disappears after a timeout interval. The default timeout period is 300 seconds (five minutes), but it can be set with the global configuration command ip reflexive-list timeout.

Reflexive access list entries are created in the opposite direction of the extended access list that activates them. In our example, the reflexive entries were created in an inbound access list on the serial interface connecting to the Internet. Let's implement the same policy with inbound access lists on the Ethernet interface:

! access list in from the server
ip access-list extended in-from-server
 permit tcp host 192.168.35.1 any
 evaluate tcp-connections
! access list out to the server
ip access-list extended out-to-server
 permit tcp any any reflect tcp-connections
! interface statements
interface Ethernet 0
 ip access-group out-to-server out
 ip access-group in-from-server in

The reflexive access list entries created here belong to the outbound access list going to the proxy server. For our previous example, the reflexive entry created would have been the same, only evaluated in an outgoing access list.

UDP client/server sessions can also be filtered with reflexive access lists. Figure 3.12 shows a server that makes DNS requests and ICMP echo requests to name servers in the Internet.

Figure 3.12. A server that makes DNS queries

We can limit access to the server with the following access lists:

! access list out to the server from the Internet
ip access-list extended out-to-server
 permit udp any eq 53 host 192.168.35.1 eq 53
 permit udp any eq 53 host 192.168.35.1 gt 1023
 permit icmp any host 192.168.35.1 echo-reply
 permit tcp any any reflect tcp-connections
! access list out to the Internet from the server
ip access-list extended out-to-Internet
 permit udp host 192.168.35.1 gt 1023 any eq 53
 permit udp host 192.168.35.1 eq 53 any eq 53
 permit icmp host 192.168.35.1 any echo
 permit tcp host 192.168.35.1 any eq 53
 evaluate tcp-connections
! interface statements
interface Ethernet 0
 ip access-group out-to-server out
interface serial 1
 ip access-group out-to-Internet out

While this does limit access to the server, an intruder can still probe for UDP ports over 1023 by using a source port of 53. Since UDP is a connectionless protocol, there is no equivalent of established for filtering session startup packets. Reflexive access lists can fix this problem:

! access list out to the server from the Internet
ip access-list extended out-to-server
 permit icmp any host 192.168.35.1 echo-reply
 permit tcp any any reflect tcp-connections
 permit udp any any reflect udp-sessions
! access list in from the server
ip access-list extended in-from-server
 permit udp host 192.168.35.1 gt 1023 any eq 53
 permit udp host 192.168.35.1 eq 53 any eq 53
 permit icmp host 192.168.35.1 any echo
 permit tcp host 192.168.35.1 any eq 53
 evaluate tcp-connections
 evaluate udp-sessions
! interface statements
interface Ethernet 0
 ip access-group out-to-server out
 ip access-group in-from-server in

Since UDP is connectionless and has no equivalent of a FIN packet marking the end of a session, the router keeps the access list entry as long as it keeps seeing traffic within the reflexive access list timeout interval. A query from the server, using source port 1234, to the name server at 172.30.45.60 then creates the entry:

permit udp host 172.30.45.60 eq 53 host 192.168.35.1 eq 1234
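The session tracking described above for both the TCP proxy and the UDP DNS case (an entry mirrored from the session-initiating packet, matched exactly on the return path, removed on FIN or after the idle timeout), as an added Python model. It is illustrative code written for this page, not Cisco's implementation; the packet class, method names, timestamps and the contrasting established rule are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters: "S" SYN, "A" ACK, "F" FIN

class ReflexiveList:
    """Constructed model of a reflexive list: mirrored 5-tuples with an idle timer."""
    def __init__(self, timeout=300):
        self.timeout = timeout          # default ip reflexive-list timeout (seconds)
        self.entries = {}               # mirrored 5-tuple -> expiry time
    def record(self, p, now):
        """A packet permitted in the session-initiating direction creates the mirror."""
        self.entries[(p.proto, p.dst, p.dport, p.src, p.sport)] = now + self.timeout
    def check(self, p, now):
        """Return-direction packet: permitted only if it matches a live mirror exactly."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        expiry = self.entries.get(key)
        if expiry is None or expiry < now:
            self.entries.pop(key, None)    # no entry, or idle past the timeout
            return False
        if p.proto == "tcp" and "F" in p.flags:
            del self.entries[key]          # FIN seen: session closing, entry removed
        else:
            self.entries[key] = now + self.timeout   # traffic refreshes the idle timer
        return True

def established_permits(p, server):
    """The weaker 'established' rule: any ACK-flagged TCP packet toward the server."""
    return p.proto == "tcp" and p.dst == server and "A" in p.flags

def demo():
    srv, web, dns = "192.168.35.1", "172.30.45.1", "172.30.45.60"
    rl = ReflexiveList()
    rl.record(Pkt("tcp", srv, 3456, web, 80, "S"), now=0)    # proxy opens 3456 -> www
    reply = rl.check(Pkt("tcp", web, 80, srv, 3456, "A"), now=1)   # real reply: True
    probe = Pkt("tcp", web, 80, srv, 8080, "A")              # ACK-flag packet to port 8080
    probe_est, probe_refl = established_permits(probe, srv), rl.check(probe, now=1)
    rl.check(Pkt("tcp", web, 80, srv, 3456, "FA"), now=2)    # FIN tears the entry down
    after_fin = rl.check(Pkt("tcp", web, 80, srv, 3456, "A"), now=3)       # False
    rl.record(Pkt("udp", srv, 1234, dns, 53), now=10)        # DNS query, port 1234 -> 53
    udp_ok = rl.check(Pkt("udp", dns, 53, srv, 1234), now=100)    # within 300 s: True
    udp_late = rl.check(Pkt("udp", dns, 53, srv, 1234), now=500)  # idle > 300 s: False
    return reply, probe_est, probe_refl, after_fin, udp_ok, udp_late
```

The established rule passes the ACK-flagged packet to port 8080 while the reflexive check rejects it, which is the difference the text draws between the two approaches.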

Reflexive access lists have a number of limitations. You cannot use them on protocols that do not have source ports, such as ICMP; in the previous example, we needed to add specific entries to allow ICMP echo replies to the server. You cannot use reflexive access lists with protocols that change ports during a session or that set up sessions in both directions. A good example is active mode FTP. A control connection is set up from client to server with a source port greater than 1023. When a file needs to be copied or a directory listing is needed, a data connection is set up from the server back to the client. If a reflexive access list is used, the entry created for the control connection prevents the data connection from being set up. Passive mode FTP would work, however, since its data connections are set up in the same direction as the control connection. Reflexive access lists also require named access lists, so if you are using an older version of the Cisco IOS that does not support named access lists, you can't use reflexive access lists.
