Wired Intelligent Edge

Is it possible to restrict connections to a device so that it is allowed to initiate communication, but nothing is allowed to initiate connections with it using ACLs on AOS-CX? 

My use case is a storage device for ransomware protection backups. I want to have it reach out to the servers to do backups, but not allow anything to start communications with it. That way if we do have a ransomware issue, we should have backups which are not compromised.

I have been doing testing to see if I can make this work, but have so far been unsuccessful. The documentation I have found so far is unhelpful for this use case, as the examples and directions are all symmetrical (e.g. do not allow a to talk to b at all, or only allow them to talk on certain ports). Perhaps that is because ACLs on the switch are the wrong tool for this use case, but I figured I should check.

Any pointers you can provide would be greatly appreciated.

I don't think it's possible with ACL's.  Typically the way to accomplish this would be with a stateful firewall.  You would allow outbound connections from the storage appliance but inbound would only allow related and established connections.  ACL's are stateless so they wouldn't have any knowledge of related and established connections.

Someone can correct me if I'm wrong (I would love to be wrong about this).
Original Message:
Sent: Aug 05, 2022 11:54 AM
From: Phillip Barton
Subject: One-Way Connection Initiation on AOS-CX Using ACLs

Is it possible to restrict connections to a device so that it is allowed to initiate communication, but nothing is allowed to initiate connections with it using ACLs on AOS-CX? 

My use case is a storage device for ransomware protection backups. I want to have it reach out to the servers to do backups, but not allow anything to start communications with it. That way if we do have a ransomware issue, we should have backups which are not compromised.

I have been doing testing to see if I can make this work, but have so far been unsuccessful. The documentation I have found so far is unhelpful for this use case, as the examples and directions are all symmetrical (e.g. do not allow a to talk to b at all, or only allow them to talk on certain ports). Perhaps that is because ACLs on the switch are the wrong tool for this use case, but I figured I should check.

Any pointers you can provide would be greatly appreciated.

I was thinking that was the case, but a switch "expert" I talked to said he thought it should be doable. I would really love to avoid installing a firewall for this purpose for numerous reasons.

I noted that one of the ACL options for TCP is "Established". I haven't been able to find any information on what that actually does, but I was hoping it would enable this use case. 

I also haven't been able to find good information on what "in" and "out" mean when applying an ACL to an interface. I feel a little dumb, but to my thinking "in" and "out" would each be all traffic on the interface. The interface never needs to communicate with itself. All traffic has to come into the interface and then go back out. (You may have noticed I am not a switch expert. X-D ) If anyone can point me to documentation that would explain these concepts along with any nuances to AOS-CX I would very much appreciate it. The stuff I have found so far operates at such a superficial level that it is pretty useless unless you already know what you are doing and just need the syntax, or you just want to do exactly what is being demonstrated and change the IPs.
Original Message:
Sent: Aug 05, 2022 12:00 PM
From: David King
Subject: One-Way Connection Initiation on AOS-CX Using ACLs

I don't think it's possible with ACL's.  Typically the way to accomplish this would be with a stateful firewall.  You would allow outbound connections from the storage appliance but inbound would only allow related and established connections.  ACL's are stateless so they wouldn't have any knowledge of related and established connections.

Someone can correct me if I'm wrong (I would love to be wrong about this).
Original Message:
Sent: Aug 05, 2022 11:54 AM
From: Phillip Barton
Subject: One-Way Connection Initiation on AOS-CX Using ACLs

Is it possible to restrict connections to a device so that it is allowed to initiate communication, but nothing is allowed to initiate connections with it using ACLs on AOS-CX? 

My use case is a storage device for ransomware protection backups. I want to have it reach out to the servers to do backups, but not allow anything to start communications with it. That way if we do have a ransomware issue, we should have backups which are not compromised.

I have been doing testing to see if I can make this work, but have so far been unsuccessful. The documentation I have found so far is unhelpful for this use case, as the examples and directions are all symmetrical (e.g. do not allow a to talk to b at all, or only allow them to talk on certain ports). Perhaps that is because ACLs on the switch are the wrong tool for this use case, but I figured I should check.

Any pointers you can provide would be greatly appreciated.

Established allows all established sessions, which I think is any (TCP) packet with ACK or RST set. For UDP/ICMP this is really hard to implement.

ACL direction in means that it applies to traffic coming to the port, so if applied on the port/VLAN where the NAS is, it's traffic coming from the NAS. Direction out is for traffic leaving the port, in the example servers sending traffic to the NAS. So if you want to block initiated traffic from the servers, either put a permit any any established 'out' on the port to the NAS. Note that you might need to make numerous exceptions, like for DHCP, NTP, DNS, updates for the NAS firmware. In practice it is much harder or even impossible to implement such a policy with stateless ACLs versus stateful firewalling. Also note that sending traffic from the server to the NAS with ACK/RST flag sent will be sent through, which may be good enough for the purpose, but in general is considered not acceptable because unauthorized and unsolicited data is passed through.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Aug 05, 2022 12:26 PM
From: Phillip Barton
Subject: One-Way Connection Initiation on AOS-CX Using ACLs

I was thinking that was the case, but a switch "expert" I talked to said he thought it should be doable. I would really love to avoid installing a firewall for this purpose for numerous reasons.

I noted that one of the ACL options for TCP is "Established". I haven't been able to find any information on what that actually does, but I was hoping it would enable this use case. 

I also haven't been able to find good information on what "in" and "out" mean when applying an ACL to an interface. I feel a little dumb, but to my thinking "in" and "out" would each be all traffic on the interface. The interface never needs to communicate with itself. All traffic has to come into the interface and then go back out. (You may have noticed I am not a switch expert. X-D ) If anyone can point me to documentation that would explain these concepts along with any nuances to AOS-CX I would very much appreciate it. The stuff I have found so far operates at such a superficial level that it is pretty useless unless you already know what you are doing and just need the syntax, or you just want to do exactly what is being demonstrated and change the IPs.
Original Message:
Sent: Aug 05, 2022 12:00 PM
From: David King
Subject: One-Way Connection Initiation on AOS-CX Using ACLs

I don't think it's possible with ACL's.  Typically the way to accomplish this would be with a stateful firewall.  You would allow outbound connections from the storage appliance but inbound would only allow related and established connections.  ACL's are stateless so they wouldn't have any knowledge of related and established connections.

Someone can correct me if I'm wrong (I would love to be wrong about this).
Original Message:
Sent: Aug 05, 2022 11:54 AM
From: Phillip Barton
Subject: One-Way Connection Initiation on AOS-CX Using ACLs

Is it possible to restrict connections to a device so that it is allowed to initiate communication, but nothing is allowed to initiate connections with it using ACLs on AOS-CX? 

My use case is a storage device for ransomware protection backups. I want to have it reach out to the servers to do backups, but not allow anything to start communications with it. That way if we do have a ransomware issue, we should have backups which are not compromised.

I have been doing testing to see if I can make this work, but have so far been unsuccessful. The documentation I have found so far is unhelpful for this use case, as the examples and directions are all symmetrical (e.g. do not allow a to talk to b at all, or only allow them to talk on certain ports). Perhaps that is because ACLs on the switch are the wrong tool for this use case, but I figured I should check.

Any pointers you can provide would be greatly appreciated.