In yesterday's post about shunning on the ASA, I mentioned that I added an IP address to the ACL to block that host from reaching a server. I also mentioned that because the connection was already active, adding his IP to the ACL did not stop him from coming through at that point. So, why?
The ASA has a concept of a "slow path" and a "fast path". When a connection is initiated, the ASA uses the "slow path", which means it checks the packet against the incoming ACL that is in place to verify whether it is allowed or not. If the packet is allowed through, the packets that follow on that particular connection take the "fast path". Taking the "fast path" means the packets are no longer checked against the ACL to verify whether they are allowed, which gives better performance but also means a newly added deny entry has no effect on a connection that is already established. However, I personally am not a fan of this method. My stance would be to add performance to the gear instead of skimping on security for the sake of performance.
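To make the slow-path/fast-path behaviour concrete, here is a small Python simulation of a stateful firewall's connection table. It is an added example written for this post, not Cisco code and not something from the original article; the `Firewall`, `Ace`, `prepend_deny` and `clear_conn` names and the 3-tuple connection key are my own simplifications (a real ASA tracks far more per flow, including return traffic), and the addresses are constructed sample values.

```python
"""Toy model of "slow path" / "fast path" ACL evaluation (constructed example).

Only the first packet of a flow is checked against the ACL ("slow path").
Once a connection entry exists, later packets match the connection table
and skip the ACL entirely ("fast path"), so a deny entry added afterwards
does nothing until the stale connection entry is removed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Set, Tuple

SLOW_PERMIT = "slow-path:permit"   # ACL consulted, packet allowed, conn created
SLOW_DENY = "slow-path:deny"       # ACL consulted, packet dropped
FAST = "fast-path"                 # existing conn matched, ACL NOT consulted


@dataclass(frozen=True)
class Ace:
    """One access-control entry; dport=None means any destination port."""
    action: str                    # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None


@dataclass
class Firewall:
    acl: List[Ace]
    # Connection table keyed by (src, dst, dport); hypothetical simplification.
    conns: Set[Tuple[str, str, int]] = field(default_factory=set)

    def _acl_lookup(self, src: str, dst: str, dport: int) -> bool:
        """First-match evaluation with an implicit deny at the end."""
        for ace in self.acl:
            if (ip_address(src) in ace.src and ip_address(dst) in ace.dst
                    and ace.dport in (None, dport)):
                return ace.action == "permit"
        return False

    def packet(self, src: str, dst: str, dport: int) -> str:
        key = (src, dst, dport)
        if key in self.conns:
            return FAST                      # established flow: ACL skipped
        if self._acl_lookup(src, dst, dport):
            self.conns.add(key)              # new flow permitted: build state
            return SLOW_PERMIT
        return SLOW_DENY

    def prepend_deny(self, src_host: str) -> None:
        """Add a host-specific deny at the top of the ACL (what the post did)."""
        self.acl.insert(0, Ace("deny", ip_network(src_host + "/32"),
                               ip_network("0.0.0.0/0")))

    def clear_conn(self, src_host: str) -> int:
        """Tear down existing connection state for a source; returns count."""
        stale = {k for k in self.conns if k[0] == src_host}
        self.conns -= stale
        return len(stale)


def scenario() -> List[str]:
    """Replay the post's situation: deny added while the flow is active."""
    fw = Firewall(acl=[Ace("permit", ip_network("0.0.0.0/0"),
                           ip_network("10.0.0.0/24"), 443)])
    attacker, server = "198.51.100.7", "10.0.0.5"      # constructed addresses
    results = [fw.packet(attacker, server, 443),        # first packet: slow path
               fw.packet(attacker, server, 443)]        # follow-up: fast path
    fw.prepend_deny(attacker)                           # operator adds the deny
    results.append(fw.packet(attacker, server, 443))    # still fast path!
    fw.clear_conn(attacker)                             # drop the stale entry
    results.append(fw.packet(attacker, server, 443))    # now the deny applies
    return results


if __name__ == "__main__":
    for step in scenario():
        print(step)
```

Running `scenario()` shows the third packet still taking the fast path even though the deny entry is now first in the ACL; only after the connection entry is cleared does the next packet hit the slow path and get denied. The defender's takeaway is that adding an ACE is only half the job for a flow that is already up: the existing connection state has to be torn down as well. On a real ASA that is what the `clear conn` command (a real ASA command, mentioned here as my addition, not in the original post) is for.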
This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, Palo Alto, and SonicWall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
Friday, January 20, 2017
Cisco ASA: Why Adding To Your ACL Does Not Block The Connection You Want To Block
Thanks. Wasn't aware of this.