Saturday, January 21, 2012

Side note on Reflexive Access-list

Reflexive access lists are not difficult to implement, though they are deprecated now that more advanced security mechanisms such as CBAC and ZBF are available. It is still a good idea to learn reflexive access lists as a stepping stone to those advanced features. In the real world there is an important thing to know about them, which goes like this:

An edge router is acting as a firewall and has two interfaces, inside and outside. Why is it not advisable to configure the reflexive access list on the INSIDE interface like this?
INBOUND ACL containing "reflect" statements
OUTBOUND ACL containing "evaluate" statements

Done this way, there is a security risk to the firewall itself. Return traffic and all other traffic first arrive on the outside interface and are processed by the router, and only then do they reach the OUTBOUND direction of the inside interface, where the EVALUATE entry decides to drop the other traffic and pass the return traffic. If that other traffic contains malicious packets, they can cause a DoS on the router itself, so you must stop them before they enter the router. Filtering on the outside interface also saves the CPU cycles that would otherwise be spent processing unnecessary traffic.
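The following IOS configuration is an added example written for this post, not a configuration taken from it; it shows the recommended placement, with the "reflect" entries in the ACL applied outbound on the OUTSIDE interface and the "evaluate" entries in the ACL applied inbound on the same interface, so that unsolicited traffic from outside is dropped at the edge before the router spends any cycles on it. Interface names, the ACL names, the management host 203.0.113.10 and the router's outside address 203.0.113.1 are assumptions chosen for the example.

```cisco
! Global fallback timeout for reflexive entries that do not set their own
ip reflexive-list timeout 120
!
! Applied OUTBOUND on the OUTSIDE interface: each session leaving the
! network creates a temporary mirrored entry in the named reflexive list.
ip access-list extended OUTSIDE-OUT
 permit tcp any any reflect RETURN-TCP timeout 300
 permit udp any any reflect RETURN-UDP timeout 60
 permit icmp any any reflect RETURN-ICMP timeout 30
!
! Applied INBOUND on the OUTSIDE interface: only traffic matching a live
! reflexive entry (or an explicit exception) gets in; everything else is
! dropped here, before it reaches the router's forwarding path.
ip access-list extended OUTSIDE-IN
 remark --- explicit exceptions for traffic destined to the router itself ---
 remark (assumed management host; reflexive entries never cover inbound-initiated sessions)
 permit tcp host 203.0.113.10 host 203.0.113.1 eq 22
 remark --- return traffic of sessions that were initiated from inside ---
 evaluate RETURN-TCP
 evaluate RETURN-UDP
 evaluate RETURN-ICMP
 deny ip any any log
!
interface GigabitEthernet0/0
 description OUTSIDE (assumed interface name)
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-OUT out
 ip access-group OUTSIDE-IN in
!
! NOT recommended (the placement the post warns about):
!   interface GigabitEthernet0/1   <- INSIDE
!    ip access-group INSIDE-IN in    (reflect entries)
!    ip access-group INSIDE-OUT out  (evaluate entries)
! Here every packet arriving from outside is routed first and only then
! hits the evaluate ACL, so junk traffic still burns router CPU.
```

To confirm the behaviour, start a session from an inside host and run "show access-lists": the dynamic entry created by the reflect statement appears under the reflexive list name with its remaining timeout, and the "deny ip any any log" counter on OUTSIDE-IN shows what is being discarded at the edge. Because reflexive lists only ever mirror sessions initiated from inside, anything that must reach the router or the inside network from outside (management, routing protocol peers) needs an explicit permit placed before the evaluate lines, as with the SSH exception above.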

1 comment:

andyo said...

Excuse me. Any of the tools mentioned besides the reflexive ACLs, like CBAC and ZBF, will load the CPU :O)
So what tool do you propose to avoid CPU heat? :O)