Overview of PIX Firewall
The architecture of PIX Firewall is based on the Adaptive Security Algorithm (ASA), which maintains the state information and provides security to your connection. ASA is a set of rules and policies that the packet has to conform to while traversing the firewall. As mentioned before, PIX is a stateful firewall, which means it works based on connections, not on a per-packet basis. It remembers every connection through the firewall.
ASA
ASA has the following characteristics:
-
ASA provides a stateful connection.
-
ASA allows return packets for established connections.
-
ASA tracks source and destination ports and addresses, Transmission Control Protocol (TCP) sequences, and additional TCP flags.
-
TCP sequence numbers are randomized.
-
The inside interface has a security level of 100.
-
The outside interface has a security level of 0.
-
Demilitarized zone (DMZ) interfaces have user-settable security levels from 1 through 99.
-
Starting with PIX OS 5.2, users are allowed to change the default security levels of both the outside and inside interfaces, but it is not recommended.
-
By default, the PIX allows traffic to pass from higher security interfaces to lower security interfaces, and in the case of TCP and User Datagram Protocol (UDP) connections, it allows the return traffic back through. The same does not hold for Internet Control Message Protocol (ICMP).
PIX Packet Processing
Packet flow across the PIX firewall is depicted in Figure 3-1. Work through the following steps to understand the packet flow:
1. | Packets are received on the ingress interface Packets arrive on the ingress interface, which is indicated by input counters of the interface. |
2. | Existing connection checks Packets go through the existing connection check. If the connection exists, the ACL check is bypassed. If there is no existing connection, TCP non-SYN packets will be dropped and logged. If PIX receives a TCP SYN or UDP request packet, packets are passed to ACL checks. |
3. | Interface ACL check The initial packet in the flow of packet is processed through interface ACLs. Packets that are denied by interface ACLs are dropped and logged. |
4. | NAT check The initial packet in the flow must match a translation rule. To perform NAT, it is important to know the egress interface. Hence a quick route lookup is performed. If the translation is turned off, the translation is skipped. If the NAT is configured and the translation rule is matched, the connection is created on the PIX firewall. If an overlapping NAT is configured, the following order of NAT operations is performed:
|
5. | Inspection check Inspections are applied to NAT embedded IPs in the payload. Commands in control channels are inspected for compliance and secondary data channels. Additional security checks are also applied to the packet with inspection. |
6. | Perform NAT Perform IP address or the port translation. |
7. | Packets forwarded to egress interface Packets are forwarded to the egress interface. The egress interface is determined by the translation rules first. If translation rules do not specify the egress interface, the global route lookup is performed to determine the egress interface. |
8. | Interface route lookup Once the packet is on the egress interface, an interface route lookup is performed. Only routes pointing out the egress interface are used to forward the packet. Remember that the translation rule can forward the packet to the egress interface, even though the routing table may point to a different interface. |
9. | Layer 2 address lookup for the next-hop address After the interface route lookup is performed, the next-hop address is identified. At this stage, ARP resolution is performed. Then the packets are put in the wire, and the interface counters are incremented. |