Reflexive Dynamic and Time Based Access Lists

Reflexive ACLs, also called IP session filtering, provide a way to prevent a class of security attacks by permitting each allowed TCP or UDP session on an individual basis.  The router reacts when seeing the first packet in a new session between two hosts.  It reacts to the packet to add a permit statement to the ACL, allowing the session’s traffic based on the source and destination IP address and TCP/UDP port.

Reflexive ACLs still allow legitimate users to send and receive packets through the router, while discarding the packets from other hosts, like packets from the attacker.  With reflexive ACLs, when the Enterprise user first creates a new session, the router notices the new session and records the source and destination IP addresses and ports used for that session.  The reflexive ACL on R2 (From example 6-9 page 262) would not allow all port 80 traffic in.  Instead, it would allow only packets whose addresses and ports matched the original packet.

Dynamic ACLs

Dynamic ACLs solve a different problem that also cannot be easily solved using traditional ACLs.  Imagine a set of servers that need to be accessed by a small set of users.  With ACLs, you can match the IP addresses of the hosts used by the users.  However, if the user borrows another PC, or leases a new address using DHCP, or takes her laptop home, and so on, the legitimate user now has a different IP address.  So a traditional ACL would have to be edited to support each new IP address.  Painful administration and security holes existed because of this.

Dynamic ACLs, also called Lock-and-Key Security, solve this problem by tying the ACL to a user authentication process.  Instead of starting by trying to connect to the server, the users must be told to first telnet to a router.  The router asks for a username/password combination.  If it is authentic, the router dynamically changes its ACL, permitting traffic from the IP address of the host that just sent the authentication packets.  After a period of inactivity, the router removes the dynamic entry in the ACL, closing the potential security hole.

Step 1: The user connects to the router using Telnet.

Step 2: The user supplies a username/password, which the router compares to a list, authenticating the user.

Step 3: After authentication, the router dynamically adds an entry to the beginning of the ACL, permitting traffic sourced by the authenticated host.

Step 4: Packets sent by the permitted host go through the router to the server.

Time-Based ACLs

The term time-based ACL refers to a feature of normal IP ACLs in which a time constraint can be added to the configuration commands.  In some cases, it may be useful to match packets in an ACL, but only at certain times in the day, or even on particular days of the week.  Time-based ACLs allow the addition of time constraints, with IOS keeping or removing the statements from the ACL during the appropriate times of the day.