Friday, January 20, 2017

Cisco ASA: Why Adding To Your ACL Does Not Block The Connection You Want To Block

In yesterday's post about shunning on the ASA, I mentioned that I added an IP address to the ACL to block it from getting through to a server. I also mentioned that, because the connection was already active, adding his IP to the ACL did not stop him from coming through at that point. So, why?

The ASA has the concepts of a "slow path" and a "fast path". When a connection is initiated, the ASA uses the "slow path": it checks the packet against the incoming ACL that is in place to verify whether it is allowed or not. If the packet is allowed through, the packets that follow on that particular connection take the "fast path", which means they are no longer checked against the ACL, allowing for better performance. However, I personally am not a fan of this method. My stance would be to add performance to the gear instead of skimping on security for the sake of performance.
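To make the slow-path/fast-path behavior concrete, here is a small model of that lookup order, added as an illustration and not Cisco's code: an established connection matches the connection table before the ACL is ever consulted, so a newly added deny only takes effect once the existing connection entry is torn down (on a real ASA, that is what the `clear conn` command does). Addresses, rule format and function names are constructed for the example.

```python
"""Model of the ASA slow-path / fast-path lookup (constructed illustration).

A packet is matched against the connection table first (fast path); only a
packet that opens a new connection is evaluated against the ACL (slow path).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    acl: list = field(default_factory=list)   # ordered (action, src) rules; src may be "any"
    conns: set = field(default_factory=set)   # established connections: (src, dst, dport)

    def _slow_path(self, pkt: Packet) -> bool:
        """First-match evaluation of the inbound ACL, implicit deny at the end."""
        for action, src in self.acl:
            if src in ("any", pkt.src):
                return action == "permit"
        return False

    def forward(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.conns:           # fast path: the ACL is never consulted
            return "fast-path"
        if self._slow_path(pkt):        # slow path: ACL decides, then a conn entry is built
            self.conns.add(key)
            return "slow-path-permit"
        return "slow-path-deny"

    def clear_conn(self, src: str) -> int:
        """Tear down every connection from src (the `clear conn address` step on an ASA)."""
        stale = {c for c in self.conns if c[0] == src}
        self.conns -= stale
        return len(stale)


def demo() -> list:
    """Replay the scenario from the post; returns the verdict for each packet in order."""
    fw = StatefulFirewall(acl=[("permit", "any")])
    attacker = Packet("203.0.113.5", "192.0.2.10", 443)  # constructed addresses
    verdicts = [fw.forward(attacker)]             # new connection: ACL permits, entry built
    fw.acl.insert(0, ("deny", "203.0.113.5"))     # admin adds a deny at the top of the ACL
    verdicts.append(fw.forward(attacker))         # still passes: existing conn, fast path
    fw.clear_conn("203.0.113.5")                  # tear down the existing connection
    verdicts.append(fw.forward(attacker))         # next packet hits the ACL and is denied
    return verdicts
```

The third verdict is the one the post is about: the deny only bites after the existing connection entry is gone, so clearing the connection (or shunning) has to accompany the ACL change.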
