As you learned in Chapter 3, the TCP Established option could be useful in limiting access to the local networks to those sessions that originated from inside the network. Any packets originating from the outside that are trying to establish a connection would be rebuffed. But what about other protocols like UDP and ICMP that aren't connection-oriented? In fact, a similar problem occurs with TCP applications that send on one port and receive on another. Either way, the established feature doesn't always work in these cases.
A feature of IP named extended access lists, called reflexive access lists, provides what is referred to as reflexive filtering. Any IP packet going out of a filtered port creates a temporary inbound access list statement that is a mirror image of the outgoing packet's source and destination information. This temporary opening remains active until a TCP FIN packet is received or the idle timer expires. The idle timer timeout feature is critical for protocols that don't have a session-ending message, such as UDP and ICMP.
If host 192.168.0.10 wants to use TCP port 1045 to establish a telnet session with 192.168.1.2 in another network through its TCP 23 (telnet) port, the access list statement to allow this—if one had to be created—would look like the following:

permit tcp host 192.168.0.10 eq 1045 host 192.168.1.2 eq 23

What gets created is a temporary reflected inbound statement, with source and destination swapped, which looks like the following:

permit tcp host 192.168.1.2 eq 23 host 192.168.0.10 eq 1045
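The following model of the reflexive-entry lifecycle is an added example, not code from the book or from Cisco IOS: it mirrors an outbound packet into a temporary inbound entry, removes the entry on a TCP FIN, and expires it on the idle timer so that a late UDP reply is denied. The packet layout, the 300-second timeout and the DNS traffic are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False   # TCP FIN flag

class ReflexiveAcl:
    # Temporary inbound entries: (proto, src, sport, dst, dport) -> last-seen time
    def __init__(self, idle_timeout: float = 300):
        self.idle_timeout = idle_timeout
        self.entries: dict[tuple, float] = {}
    def outbound(self, p: Packet, now: float) -> None:
        # Mirror image of the outgoing packet: source and destination are swapped
        self.entries[(p.proto, p.dst, p.dport, p.src, p.sport)] = now
    def inbound(self, p: Packet, now: float) -> bool:
        # Drop entries whose idle timer has expired (the only exit for UDP/ICMP)
        for k in [k for k, t in self.entries.items() if now - t > self.idle_timeout]:
            del self.entries[k]
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.entries:
            return False             # no session originated from inside: denied
        if p.proto == "tcp" and p.fin:
            del self.entries[key]    # session closing: remove the temporary opening
        else:
            self.entries[key] = now  # refresh the idle timer
        return True

def demo() -> dict:
    acl = ReflexiveAcl(idle_timeout=300)
    # Constructed traffic: the telnet session from the text, plus a UDP DNS query
    telnet_out = Packet("tcp", "192.168.0.10", 1045, "192.168.1.2", 23)
    telnet_in = Packet("tcp", "192.168.1.2", 23, "192.168.0.10", 1045)
    telnet_fin = Packet("tcp", "192.168.1.2", 23, "192.168.0.10", 1045, fin=True)
    dns_out = Packet("udp", "192.168.0.10", 40000, "192.168.1.2", 53)
    dns_in = Packet("udp", "192.168.1.2", 53, "192.168.0.10", 40000)
    r = {}
    r["unsolicited"] = acl.inbound(telnet_in, now=0)    # False: nothing reflected yet
    acl.outbound(telnet_out, now=1)                     # creates the mirrored entry
    r["reply"] = acl.inbound(telnet_in, now=2)          # True
    r["fin"] = acl.inbound(telnet_fin, now=3)           # True, and closes the opening
    r["after_fin"] = acl.inbound(telnet_in, now=4)      # False
    acl.outbound(dns_out, now=10)
    r["udp_reply"] = acl.inbound(dns_in, now=100)       # True, within the idle timeout
    r["udp_stale"] = acl.inbound(dns_in, now=500)       # False: idle timer expired
    return r
```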
Reflexive access lists can filter network traffic based on IP upper-layer protocol information by using port numbers. They create temporary ACL statements that permit returning IP traffic for sessions originating from within the network, but prevent other IP traffic from outside. Reflexive filtering can only be defined in named extended IP access lists.
Reflexive access lists can be an important part of securing your network against spoofing and certain DoS attacks. They can be a major component in a router firewall defense strategy. Reflexive access lists are relatively simple to use and provide greater control over which packets enter your network than do basic access lists.