What is the difference between using a reflexive access list and using a firewall?
Comments
tunerX Member Posts: 447
Depends on the type of firewall. At its most basic they are functionally equivalent, as they can maintain some form of stateful table.
It's when you get to complex protocols like H323 or SIP, where dynamic ports are assigned. The control ports being used will be different than signalling/session ports and will also require end/end RTP. A smart firewall ALG (Application Layer Gateway) can account for complex protocols.
If you allow H323 inspection in a firewall, the firewall will read the negotiation, gather the necessary session ports, and "pinhole" the required ports for call setup/teardown, session maintenance... The firewall will also read the RTP ports that will be negotiated for the endpoints and "pinhole" those too.
With an ACL you will need to have stateful reflection of outgoing ports, and also allow a large range of UDP (~16K ports) and TCP ports inbound just to establish a call. There will be giant holes in your ACL because an ACL does not account for dynamic port assignment.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-16/sec-data-zbf-xe-16-book/sec-fw-h323-alg.html
Allow client applications to use dynamic TCP or UDP ports to communicate with the server application.
Recognize application-specific commands and offer granular security control over them.
Synchronize multiple streams or sessions of data between two hosts that are exchanging data.
Translate the network-layer address information that is available in the application payload.
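The difference described in the post above can be seen in a small model, added here as an illustration and not part of the original post or of any Cisco code. It uses SIP with an SDP body (one of the two protocols the post names); the class names, addresses, ports and the 16384-32767 UDP range are assumptions made for the example.

```python
import re
from typing import NamedTuple

class Pkt(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""

class ReflexiveAcl:
    """Permits inbound traffic only if it mirrors a flow already seen going out."""
    def __init__(self):
        self.allowed = set()  # (proto, src, sport, dst, dport); None is a wildcard
    def outbound(self, p):
        self.allowed.add((p.proto, p.dst, p.dport, p.src, p.sport))
    def inbound(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        return any(all(e is None or e == k for e, k in zip(entry, key))
                   for entry in self.allowed)

class WideRangeAcl(ReflexiveAcl):
    """Reflexive ACL plus a static inbound UDP range (assumed 16384-32767)."""
    def inbound(self, p):
        return super().inbound(p) or (p.proto == "udp" and 16384 <= p.dport <= 32767)

class SipAlg(ReflexiveAcl):
    """Same state table, plus a pinhole read from the SDP body of the signalling."""
    def outbound(self, p):
        super().outbound(p)
        if p.proto == "udp" and p.dport == 5060:
            addr = re.search(r"^c=IN IP4 (\S+)", p.payload, re.M)
            port = re.search(r"^m=audio (\d+) ", p.payload, re.M)
            if addr and port:
                # Peer's RTP source is unknown at this point, so it is wildcarded.
                self.allowed.add(("udp", None, None, addr.group(1), int(port.group(1))))

# Constructed sample traffic: documentation addresses, made-up ports.
INVITE = Pkt("udp", "192.0.2.10", 5060, "198.51.100.20", 5060,
             "INVITE sip:bob@198.51.100.20 SIP/2.0\r\n\r\n"
             "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 16500 RTP/AVP 0\r\n")
RTP_IN = Pkt("udp", "198.51.100.20", 17000, "192.0.2.10", 16500)  # negotiated media
STRAY = Pkt("udp", "203.0.113.5", 4000, "192.0.2.10", 16501)      # unrelated sender

def verdicts(fw):
    """Send the INVITE out, then return (RTP permitted?, stray packet permitted?)."""
    fw.outbound(INVITE)
    return fw.inbound(RTP_IN), fw.inbound(STRAY)
```

Calling `verdicts()` on each class shows the trade-off: the plain reflexive ACL drops the media, the wide static range admits the media and the unrelated packet alike, and the ALG admits only the port named in the signalling.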