Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Allow only echo replies

  • 1.  Allow only echo replies

    Posted Jan 23, 2013 09:52 AM

    I have a set of devices that should not be able to initiate any traffic, but may respond to traffic sent to them.  Their role has one ACL - denyall.  However, I've found that I can't ping these devices until I apply a session ACL with icmp allowed.  Doing this allows the echo-reply and the device to initiate a ping to the network which I do not want.  To try and fix this, I created an extended ACL that only allows echo-replies from these devices, but it appears as though I can't apply it to the user role.


    What options do I have to keep these devices from initiating traffic to the inside and only allow responses?



  • 2.  RE: Allow only echo replies

    EMPLOYEE
    Posted Jan 23, 2013 10:01 AM

    How about any user icmp permit?




  • 3.  RE: Allow only echo replies

    Posted Jan 23, 2013 10:08 AM

    Maybe I'm misunderstanding how session ACLs work, but wouldn't that allow the devices to initiate ICMP traffic towards the network when I only want return ICMP traffic (echo-replies)?



  • 4.  RE: Allow only echo replies
    Best Answer

    EMPLOYEE
    Posted Jan 23, 2013 10:12 AM

    @thecompnerd wrote:

    Maybe I'm misunderstanding how session ACLs work, but wouldn't that allow the devices to initiate ICMP traffic towards the network when I only want return ICMP traffic (echo-replies)?


    You can try this:


    user any icmp drop

    any user icmp permit


    I am not sure about the stateful aspect of ICMP, but please try.  It should allow replies to the second statement, but not allow any icmp to be initiated based on the first.




  • 5.  RE: Allow only echo replies

    Posted Jan 23, 2013 10:18 AM

    Thanks, I'll give that a try.


    My experience with Cisco firewalls has been that ICMP return traffic is not allowed by default, so you either allow it with an ACL or ICMP inspection.  Naturally, I'm trying to apply the same thinking to Aruba which may not be applicable.



  • 6.  RE: Allow only echo replies

    EMPLOYEE
    Posted Jan 23, 2013 10:19 AM

    It is similar, but different ;)



  • 7.  RE: Allow only echo replies
    Best Answer

    Posted Jan 30, 2013 01:09 PM

    I simplified the session acl to this:


    user any any deny

    any user any permit


    I did this so that all other devices on the network can initiate communication with the printers, but not vice-versa.  I made sure I received the role with this acl applied and was not able to initiate communication to the inside, but could reply to traffic.  This is what I wanted. I'm fairly confident this is secure.  Would you agree?
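To make the behaviour described in posts 4 and 7 concrete, here is an added toy simulator (it is not Aruba code and not a statement of how ArubaOS implements session ACLs): it assumes first-match evaluation, that `user` stands for the client the role is applied to, that a flow hitting a permit rule creates a session entry which lets the reverse direction through, and an implicit deny when no rule matches. The IP addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "icmp", "tcp", ...


class SessionAcl:
    """Toy stateful, first-match ACL. 'user' = the client the role is applied to."""

    def __init__(self, rules, user_ip):
        # each rule line: "<src> <dst> <proto> <action>", e.g. "user any any deny"
        self.rules = [tuple(line.split()) for line in rules]
        self.user_ip = user_ip
        self.sessions = set()  # flows that were permitted and may be answered

    def _match(self, field, value):
        if field == "any":
            return True
        if field == "user":
            return value == self.user_ip
        return field == value

    def evaluate(self, flow):
        # Reply to an already permitted flow: allowed by session state, the
        # rule list is not consulted (assumed stateful behaviour, see post 4).
        if Flow(flow.dst, flow.src, flow.proto) in self.sessions:
            return "permit-session"
        for src, dst, proto, action in self.rules:
            if (self._match(src, flow.src) and self._match(dst, flow.dst)
                    and proto in ("any", flow.proto)):
                if action == "permit":
                    self.sessions.add(flow)
                return action
        return "deny-implicit"  # nothing matched: default deny (assumed)


def run_example(printer="10.0.0.50", host="10.0.0.1"):  # constructed addresses
    """Evaluate the thread's two ACLs against sample flows, in order."""
    final = SessionAcl(["user any any deny", "any user any permit"], printer)
    icmp_only = SessionAcl(["user any icmp drop", "any user icmp permit"], printer)
    return {
        "printer_initiates": final.evaluate(Flow(printer, host, "icmp")),
        "host_pings_printer": final.evaluate(Flow(host, printer, "icmp")),
        "printer_replies": final.evaluate(Flow(printer, host, "icmp")),
        "icmp_acl_printer_ping": icmp_only.evaluate(Flow(printer, host, "icmp")),
        "icmp_acl_printer_tcp": icmp_only.evaluate(Flow(printer, host, "tcp")),
    }
```

The last two results show why post 4's ICMP-only version also blocks non-ICMP initiation: nothing matches, so the implicit deny applies.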



  • 8.  RE: Allow only echo replies

    EMPLOYEE
    Posted Jan 30, 2013 01:13 PM

    If it works for you, then it is!  Glad you found a solution...