The Established option is a TCP-only feature that uses
the connection-oriented attributes of TCP to limit traffic coming into a
network or network segment to those sessions that originated from within that
network. The established condition is only true if the ACK (acknowledge) or RST
(reset) bits are set to one in the TCP header, indicating an already established
connection. A packet with no ACK or RST bit set, but a SYN (synchronize) bit set
to one, is used to establish a new connection and can then be denied. Figure 2-6
demonstrates the three-step “handshake” that TCP uses to establish a
connection.
The following output permits any host to respond to
web and Telnet requests that originated within the 192.168.1.0 network, but
blocks all other TCP packets.
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 eq telnet
access-list 101 deny tcp any any
access-list 101 permit ip any any
The Established option can help reduce the risk of a common type
of hacker attack that buries a host in SYN requests, preventing it from handling
normal business. Because a sophisticated hacker can manipulate the TCP header
bits, this tool needs support from other tools to protect against that
threat.
Look over the following ACL statement using the Established
option. This is a common first effort when trying to limit web activity to those
sessions originating within the network. So what’s wrong with the statement?
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 eq www established
Remember, www is an “alias” for port 80. A web session originating
inside would use port 80 as the destination, but would designate a port above
1024, such as 1065, as the source port. This means the returning packet would
have port 80 as the source and port 1065 as the destination. The ACL as written
is looking for port 80 as the destination, so the returning packet never matches
it. The following output might work better:
access-list 101 permit tcp any eq www 192.168.1.0 0.0.0.255 established
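To make the port-direction mistake above concrete, here is a small matcher for extended IOS-style TCP access-list lines. It is an added example written for this page, not code from the original text or from Cisco; the wildcard-mask comparison, the two port mnemonics, and the sample addresses and ports (203.0.113.10, 192.168.1.5, ephemeral port 1065) are constructed for illustration. It evaluates a returning web packet against the wrong ACL (destination port 80) and the corrected one (source port 80), and shows that a SYN-only packet fails the established check even when its ports look like return traffic.

```python
"""Minimal matcher for extended IOS-style TCP access-list lines (example code, not IOS)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits as laid out in the TCP header
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

# Port mnemonics used on the page; IOS knows many more, these suffice here.
PORT_NAMES = {"www": 80, "telnet": 23}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


@dataclass
class Entry:
    action: str
    proto: str
    src: str
    src_wc: str
    sport: Optional[int]
    dst: str
    dst_wc: str
    dport: Optional[int]
    established: bool


def _addr_spec(t: List[str], i: int) -> Tuple[str, str, int]:
    """Consume one address spec at t[i]: 'any', 'host A', or 'A wildcard'."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def _port_spec(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' clause; mnemonic or numeric port."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return PORT_NAMES.get(name, int(name) if name.isdigit() else -1), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    t = line.split()  # access-list <num> <permit|deny> <tcp|ip> <src> [eq p] <dst> [eq p] [established]
    action, proto, i = t[2], t[3], 4
    src, src_wc, i = _addr_spec(t, i)
    sport, i = _port_spec(t, i)
    dst, dst_wc, i = _addr_spec(t, i)
    dport, i = _port_spec(t, i)
    established = i < len(t) and t[i] == "established"
    return Entry(action, proto, src, src_wc, sport, dst, dst_wc, dport, established)


def _in_range(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask compare: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a & ~w) & 0xFFFFFFFF) == ((b & ~w) & 0xFFFFFFFF)


def matches(e: Entry, p: Packet) -> bool:
    if e.proto not in ("tcp", "ip"):
        return False
    if not _in_range(p.src, e.src, e.src_wc) or not _in_range(p.dst, e.dst, e.dst_wc):
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    # 'established' is true only when ACK or RST is set; a bare SYN fails it
    if e.established and not (p.flags & (TCP_ACK | TCP_RST)):
        return False
    return True


def evaluate(acl: List[str], p: Packet) -> str:
    """First matching entry decides; the implicit deny at the end catches the rest."""
    for line in acl:
        e = parse_entry(line)
        if matches(e, p):
            return e.action
    return "deny"


# Constructed sample traffic: inside host 192.168.1.5 opened a web session to
# 203.0.113.10 from ephemeral port 1065; this is the server's reply (ACK set).
RETURN_FROM_WEB = Packet("203.0.113.10", "192.168.1.5", 80, 1065, TCP_ACK)
# Same addresses and ports, but only SYN set: a new connection, not a reply.
SYN_ONLY_INBOUND = Packet("203.0.113.10", "192.168.1.5", 80, 1065, TCP_SYN)

WRONG_ACL = ["access-list 101 permit tcp any 192.168.1.0 0.0.0.255 eq www established"]
FIXED_ACL = ["access-list 101 permit tcp any eq www 192.168.1.0 0.0.0.255 established"]

if __name__ == "__main__":
    print(evaluate(WRONG_ACL, RETURN_FROM_WEB))   # deny: destination port is 1065, not 80
    print(evaluate(FIXED_ACL, RETURN_FROM_WEB))   # permit
    print(evaluate(FIXED_ACL, SYN_ONLY_INBOUND))  # deny: SYN without ACK or RST
```

The matcher treats the implicit deny exactly as IOS does: anything that falls off the end of the list is dropped, which is why the wrong ACL silently breaks every inside-originated web session rather than raising an error.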
When working with the Established feature, it’s important to make
sure you understand what any mnemonic or port number you use stands for, and
which side of the statement it applies to. Another approach is represented in
the following code lines, which allow any established sessions but block all
other TCP traffic.
access-list 101 permit tcp any 192.168.1.0 0.0.0.255 established
access-list 101 deny tcp any any
Note: Source-port filtering, the process of
filtering data on the source port of a packet, isn’t secure because a skilled
hacker could easily change a source port on a packet, which could then pass
through the filter.