Before continuing with CBAC, it's important to be clear about how standard and extended ACLs work. By definition, standard ACLs filter only on source network addresses and are, therefore, limited to Layer 3 capabilities. Extended ACLs can also filter on port numbers, extending their reach into Layer 4. In both cases, any ACL allowing traffic to enter a network is, in fact, a hole in the firewall or perimeter security that can possibly be exploited by others.
The preceding chapter introduced reflexive ACLs as an alternative to creating permanent holes through the network security. Temporary ACL statements can be created for inbound traffic based on outbound traffic, reducing the risk of exploitation. Unfortunately, reflexive ACLs are limited to Layer 4 filters, like any other extended ACL. Furthermore, reflexive ACLs can't deal with changes in port designations by the outside host, such as FTP. The outbound address/port combinations for the source and destination are "mirrored" to create the inbound openings. Another limitation of reflexive ACLs is that they're limited to single-channel applications.
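To make the mirroring behaviour and its single-channel limitation concrete, here is an added example (not from the book, and not Cisco IOS code) that models a reflexive ACL in Python: each outbound flow creates a temporary inbound entry with the source and destination address/port pairs swapped, and nothing above Layer 4 is inspected. The addresses, ports and the FTP PORT-negotiated data port are constructed sample values.

```python
# Added example: a minimal model of reflexive ACL behaviour.
# Outbound flows create temporary inbound permits that are exact
# Layer 3/4 mirrors; the filter never looks inside the payload.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveAcl:
    def __init__(self) -> None:
        self.temp_entries: set[Flow] = set()  # mirrored inbound permits

    def outbound(self, f: Flow) -> None:
        # Mirror the outbound flow: the outside host is expected to answer
        # on exactly the swapped address/port pairs, nothing else.
        self.temp_entries.add(Flow(f.proto, f.dst, f.dport, f.src, f.sport))

    def inbound_permitted(self, f: Flow) -> bool:
        # Only an exact mirror matches (Layer 4 filter, like any extended ACL).
        return f in self.temp_entries


def demo() -> dict:
    acl = ReflexiveAcl()
    # Constructed: inside host 10.1.1.10 opens an HTTP session to 192.0.2.80.
    acl.outbound(Flow("tcp", "10.1.1.10", 40000, "192.0.2.80", 80))
    http_reply = Flow("tcp", "192.0.2.80", 80, "10.1.1.10", 40000)
    # Constructed: the same host opens an FTP control session (port 21).
    # In active mode the server then opens the data channel from port 20 to
    # a client port negotiated in-band via PORT (here 40002). That second
    # channel has no outbound flow to mirror, so the reflexive ACL drops it.
    acl.outbound(Flow("tcp", "10.1.1.10", 40001, "192.0.2.21", 21))
    ftp_ctrl_reply = Flow("tcp", "192.0.2.21", 21, "10.1.1.10", 40001)
    ftp_data = Flow("tcp", "192.0.2.21", 20, "10.1.1.10", 40002)
    return {
        "http_reply": acl.inbound_permitted(http_reply),            # True
        "ftp_control_reply": acl.inbound_permitted(ftp_ctrl_reply),  # True
        "ftp_data_channel": acl.inbound_permitted(ftp_data),        # False
    }
```

The single-channel HTTP reply and the FTP control reply are admitted because they mirror an outbound flow exactly; the FTP data channel, which the outside host initiates on different ports, is not, which is the gap CBAC is meant to close.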