5. How secure are router ACLs

5.1. Introduction

Cisco states in http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html "Devised to prevent unauthorized direct communication to network devices, infrastructure access control lists (iACLs) are one of the most critical security controls that can be implemented in networks." But how effective are those ACLs?

To see how effective the ACLs are, we introduce another host, Kali. This is a virtual machine running Kali Linux with an eth1 adapter on vboxnet0. This virtual machine is not provisioned by Vagrant, so we need to do some manual configuration:
ifconfig eth1 netmask
route add -net netmask gw

This is more or less the same as for precise1 and precise2. And, because it is on sw1, we can ping precise1:
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=1.38 ms
64 bytes from icmp_seq=2 ttl=64 time=0.916 ms
64 bytes from icmp_seq=3 ttl=64 time=0.910 ms
--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.910/1.069/1.381/0.220 ms

5.2. Ping

But pinging the router from Kali must fail (we did not permit incoming ICMPs):
PING ( 56(84) bytes of data.
From icmp_seq=1 Packet filtered
From icmp_seq=2 Packet filtered
From icmp_seq=3 Packet filtered
--- ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2009ms

What is interesting is that ping can still tell that the router is there (otherwise we would get a "destination host unreachable"). The image below shows what happens: first a ping from Kali to (a non-existing address), then a ping to (the router).


The ping to the non-existing address never gets past the ARP phase. For the router, however, the ARP request is answered. Furthermore, the router replies with an ICMP 70 (Destination unreachable).

5.3. What is behind the router?

Ping is nice, but anything behind the router is invisible to pings. The router effectively hides the network behind it. The response for precise3 is the same as for (a non-existing host).

Of course, no one will be discouraged by this. Nmap is always available on Kali:
nmap -sA
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-12-30 12:12 EST
Nmap scan report for
Host is up (0.078s latency).
All 1000 scanned ports on are unfiltered
Nmap scan report for
Host is up (0.26s latency).
All 1000 scanned ports on are unfiltered
Nmap scan report for
Host is up (0.15s latency).
All 1000 scanned ports on are unfiltered
Nmap done: 256 IP addresses (3 hosts up) scanned in 95.53 seconds

How is that possible? Wireshark shows the way this works:


We opened up the return traffic rather wide: all established traffic is let through. You can of course limit this by allowing only specific return traffic, but that effectively doubles the size of your access list. That means you will make a trade-off between manageability and security.

It may also be a good idea to get firm control of any traffic that leaves the router. The recommendation to place extended ACLs close to the source is therefore perhaps not such a good idea.

However, the router is still a stateless inspection device. Each packet is examined individually; no mechanism exists to relate a packet to an existing session. This, in addition to the fact that router ACLs are not easily managed, creates the need for a more sophisticated device: the firewall.
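The following is an added illustration, not part of the original lab write-up: it models the "permit established" line of a stateless router ACL next to a connection-tracking firewall, and runs the same three inbound TCP segments through both. The addresses are constructed TEST-NET values, not the lab's, and the two filter classes are simplified models rather than any vendor's implementation.

```python
from dataclasses import dataclass

# Constructed addresses (TEST-NET ranges), not the lab's real hosts.
SCANNER, INSIDE_HOST, OUTSIDE_SERVER = "192.0.2.10", "198.51.100.20", "203.0.113.5"


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}


def stateless_acl(seg: Segment) -> str:
    """Models 'permit tcp any any established' followed by the implicit deny.
    'established' only tests the ACK/RST bits; it knows nothing about sessions,
    which is why a bare ACK probe is permitted while a SYN is dropped."""
    return "permit" if seg.flags & {"ACK", "RST"} else "deny"


class StatefulFilter:
    """Models a connection-tracking firewall: an inbound segment is permitted
    only when it belongs to a session that an inside host opened."""

    def __init__(self) -> None:
        self.sessions: set[tuple] = set()

    def outbound(self, seg: Segment) -> None:
        if "SYN" in seg.flags and "ACK" not in seg.flags:  # inside host opens a session
            self.sessions.add((seg.dst, seg.dport, seg.src, seg.sport))

    def inbound(self, seg: Segment) -> str:
        return "permit" if (seg.src, seg.sport, seg.dst, seg.dport) in self.sessions else "deny"


def evaluate() -> dict:
    """Returns (stateless verdict, stateful verdict) for three inbound segments."""
    fw = StatefulFilter()
    # The inside host opens a connection to an outside server; its reply is legitimate.
    fw.outbound(Segment(INSIDE_HOST, 40000, OUTSIDE_SERVER, 443, frozenset({"SYN"})))
    probes = {
        "syn_scan": Segment(SCANNER, 55555, INSIDE_HOST, 22, frozenset({"SYN"})),
        "ack_scan": Segment(SCANNER, 55555, INSIDE_HOST, 22, frozenset({"ACK"})),
        "real_reply": Segment(OUTSIDE_SERVER, 443, INSIDE_HOST, 40000, frozenset({"SYN", "ACK"})),
    }
    return {name: (stateless_acl(seg), fw.inbound(seg)) for name, seg in probes.items()}


if __name__ == "__main__":
    for name, (acl, fw) in evaluate().items():
        print(f"{name:<11} stateless ACL: {acl:<7} stateful firewall: {fw}")
```

The ACK probe is the case the Nmap output above exploits: the stateless ACL lets it through to the host, whose RST reply makes the port show as "unfiltered", while the stateful filter drops it because no inside host ever opened that session.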