stateful packet filtering functionality that is
available in Cisco IOS Firewall. Cisco IOS Firewall TCP
Handling
When the first packet from a TCP flow is
received by the router (TCP SYN), the inbound ACL on the inside
secured interface is checked. If the packet is permitted, a
dynamic session entry is created. The session is described by
endpoint addresses, port numbers, sequence numbers, and flags.
All subsequent packets belonging to this session will be
checked against the current state and discarded if the packets
are invalid. Figure illustrates the three-way handshake that
TCP uses. The first packet contains a random sequence number
and sets the TCP SYN flag. The second packet contains a random
sequence number that the responding host generates, an
acknowledgment sequence number that is the received sequence
number incremented by one, and the TCP SYN and ACK flags set.
The third packet acknowledges the received packet by
incrementing the packet sequence number in the acknowledgment
sequence, raising the sequence number by the appropriate number
of transmitted octets, and setting the ACK flag. All subsequent
segments increment their sequence numbers by the number of
transmitted octets and acknowledge the last received segment by
an increment of 1, according to the TCP state machine. After
the three-way handshake, all packets will have the ACK flag set
until the session is terminated. Note
Apart from
stateful filtering, the router can perform other options, such
as address translation (NAT or PAT) or packet authentication
(authentication proxy). Cisco IOS Firewall UDP
Handling
Figure shows how a similar process is invoked
when a UDP connection is established through a Cisco IOS
Firewall router. The only difference from the TCP example is
that UDP is not stateful; therefore, the router cannot track
the sequence numbers and flags. There is no three-way handshake
and no teardown process. If the first packet from a UDP flow is
permitted through the router, a UDP entry is created in the
connection table. The endpoint addresses and port numbers
describe the UDP connection entry. When no data is exchanged
within the connection for a configurable UDP timeout, the
connection description is deleted from the connection table.
Content 6.1 Introducing the Cisco IOS
Firewall 6.1.7 Cisco IOS Firewall Process
With the Cisco IOS Firewall, the protocols to inspect are
specified, as well as the interface and interface direction (in
or out) where the inspection applies. The firewall engine
inspects only the specified protocol packets if they first pass
the inbound ACL that is applied to the inside interface. If a
packet is denied by the ACL, the packet is dropped and not
inspected by the firewall. Figure describes the data flow
through a Cisco IOS Firewall and shows the router configuration
of the Cisco IOS Firewall that supports this data flow. ACL
entries on the inbound ACL applied to the outside interface are
dynamically created and deleted. Cisco IOS Firewall dynamically
creates and deletes ACL entries at the firewall outside
interfaces based on the information that is maintained in the
state tables. These ACL entries are applied to the outside
interface in the inbound direction to examine traffic flowing
back into the internal network. These entries create temporary
openings in the firewall to permit only traffic that is part of
a permissible session that initiates from the inside. The
temporary ACL entries are never saved to NVRAM. These steps
occur when a packet arrives at the Cisco IOS Firewall: Step
1 A packet traveling through the inside interface triggers
an inspection rule and an entry that is logged in the
connection state table. Step 2 The Cisco IOS Firewall
opens a dynamic ACL entry that permits the return traffic
through the outside interface inbound ACL. Step 3 The
Cisco IOS Firewall filter engine keeps inspecting the incoming
traffic from the outside to permit the proper return traffic
and blocks application attacks or misuses. Step
4 When the session terminates, the Cisco IOS Firewall
filter engine removes the dynamic information from the
connection state table and removes the dynamic ACL entry. Cisco
IOS Firewall inspects and monitors only the control channels of
connections; the firewall does not inspect the data channels.
For example, during FTP sessions, both the control and data
channels (that are created when a data file is transferred) are
monitored for state changes, but only the control channel is
inspected (that is, the firewall engine software parses the FTP
commands and responses). Cisco IOS Firewall inspection
recognizes application-specific commands in the control channel
and detects and prevents certain application-level attacks. The
firewall engine recognizes application-specific commands (such
as illegal Simple Mail Transfer Protocol [SMTP] commands) in
the control channel and detects and prevents certain
application-level attacks. When the Cisco IOS Firewall suspects
an attack, the firewall can take several actions:
- Generate alert messages
- Protect system resources
that could impede performance
- Block packets from
suspected attackers
The Timeout and Threshold Values
table lists values that Cisco IOS Firewall uses to manage
connection state information, as seen in Figure . These values
help to determine when to drop connections that do not become
fully established or that time out. Cisco IOS Firewall provides
three thresholds against TCP-based DoS attacks: - The
total number of half-opened TCP sessions
- The number of
half-opened sessions in a time interval
- The number of
half-opened TCP sessions per host
If a threshold for
the number of half-opened TCP sessions is exceeded, the
firewall engine has two options: - The engine can send a
reset message to the endpoints of the oldest half-opened
session, making resources available to service newly arriving
SYN packets.
- The engine blocks all SYN packets
temporarily for the duration that the threshold value
configures. When the router blocks a SYN packet, the TCP
three-way handshake is never initiated, which prevents the
router from using memory and processing resources that valid
connections need.
Content 6.1
Introducing the Cisco IOS Firewall 6.1.8
Stateful Inspection Enhancements When the firewall filters
a protocol, that protocol traffic is inspected, state
information is maintained, and packets are allowed back through
the firewall only if they belong to a permissible session. You
can configure the Cisco IOS Firewall to inspect these types of
sessions: - All TCP sessions, regardless of the
application layer protocol (sometimes called single-channel or
generic TCP inspection)
- All UDP connections,
regardless of the application layer protocol (sometimes called
single-channel or generic UDP inspection)
Cisco IOS
Firewall supports a wide range of protocols. Some protocol
inspection, such as inspection for HTTP, SMTP, ESMTP, and Sun
RPC, offers additional, deeper scrutiny into application
activity to ensure that malicious or unauthorized activity is
not occurring. Figure summarizes these points. Cisco IOS
Firewall granular application inspection can define specific
named protocols. Granular inspection associates user-defined
application labels to traffic on specific ports to protect the
private network from unwanted access from the public network.
As an example of the power of granular application inspection,
consider a situation in which you need to block peer-to-peer
(P2P) connections. Many instant messaging and P2P applications
have developed mechanisms to disguise their traffic within TCP
Port 80 (HTTP) traffic, thus offering their application an
additional mechanism to work around restrictive firewalls.
Granular application inspection scans traffic for specific
known applications that disguise their undesired traffic as
legitimate HTTP traffic. For example, HTTP inspection can