The Adaptive Security Algorithm
The heart of the PIX is the Adaptive Security Algorithm, or ASA. The ASA is a
mechanism to determine whether packets should be passed through the firewall, consistent
with the information flow control policy as implemented in the access control
list (ACL) table. The PIX evaluates packet information against the state it has built up
and decides whether or not to pass the packet.
Let’s go through this process one step at a time. First there is the concept of a
datastream. Packets that are flowing across a wire have identifying characteristics:
IP address of source and destination, sometimes numbers associated with the type
of information (ports) of source and destination, and numbers such as IP
identifiers or synchronization and acknowledgment numbers that identify where
a packet belongs in a particular connection. When you open a Web page—say,
www.cisco.com/index.html—you establish a connection between your browser
and the Web server. One piece of HTML is transferred; if it has not been cached,
this page represents about 90K of text. That text may then open up additional
connections for all the embedded pictures. The process involves a “dance”
between browser and server—a “handshake” to initialize the connection, a “get”
to specify the data being requested, a “response” to say whether the data is available, and
the actual data itself. Since the file is so large, these steps all occur in multiple
packets between browser and Web server, with data flowing down from the server
and acknowledgment of receipt of data flowing up from the browser.
The information flow control policy is an expression of the information that
is allowed to flow through the network. A sample policy might be, “If the datastream
was initiated by someone on the inside, let it pass; if the datastream was
initiated by someone from the outside, block it.”
An ACL table is a mechanism via which you can try to implement this
policy. It compares those identifying numbers against a database to see if the
packet is consistent with policy. If it is not allowed by the database, the packet is
dropped and perhaps logged.
The earliest routers used fixed access control lists to determine if a packet
should be routed; they compared fundamental information about the packet, such
as the IP address of the source or destination or the type of service requested or,
for some services such as TCP, individual flags on the packets. Then, based on
fixed rules, they decided to route the traffic or to drop it. For example, the fixed
rules might allow any packet that might possibly be a “return” packet, since under
certain circumstances such a packet would be valid. This isn’t too much of a
problem, since a “return” packet, if it hasn’t been requested by the original host,
should be ignored by the host. However, that can cause some information to
leak out, so it is desirable to get rid of such packets if we can.
www.syngress.com
Introduction to PIX Firewalls • Chapter 2 47
The concept of state is the idea that ACLs should probably change over time.
A stateful packet filter allows for dynamic rule bases—for example, if the packet is
coming from the outside toward the inside, you should check to see if this packet
was part of a previously opened datastream. Now, we only allow packets back in
if they were previously authorized; that Cisco Web server can’t decide to send us
data unless we previously requested it.
The biggest problem with fixed rules is that in order to allow certain kinds
of traffic—FTP, for example—overly permissive ACLs would need to be implemented.
In FTP, two TCP data flows are developed. One, the command channel,
runs from the client outward—from the inside to the outside. Routers
would generally be able to determine the direction of this flow and allow that
traffic, as described previously. The second, the data channel, is negotiated by the
FTP server and flows from the server back into the client—from the outside to
the inside. Moreover, the TCP port—a service identifier telling you which port
the data will arrive on—varies depending on how many files the server has transferred since
reboot; thus the ACL would have to allow all inbound traffic in a wide range of
TCP ports. This means that a malicious user would have free run of the network
in those ranges. So router ACL-based firewalls are little more than Swiss cheese
enforcement points!
The smart idea is to watch for the negotiation between the FTP server and
client. That’s part of the concept of state. Armed with that piece of information,
the firewall can open only the necessary port for the inbound data flow, and open
it only while the transfer is active—dynamically changing the ACLs over time.
This allows the firewall to permit legitimate traffic and deny inappropriate
traffic with far more sophistication than a static rule.
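The following is an added example, written for this page and not code from the book or from Cisco, that models both ideas above in a few dozen lines of Python: the "return packet" weakness of a fixed ACL, and a stateful filter that admits outside traffic only when it belongs to a datastream the inside opened, plus an FTP inspection step that reads the PORT command on the command channel and opens a one-shot pinhole for the server's inbound data connection, closing it again when that connection ends. All addresses, ports and packets are constructed for the demo; the `Packet` class, `fixed_acl`, `StatefulFilter` and `demo` are this example's own names. It deliberately omits sequence-number checking, idle timeouts and address translation, which a real firewall also tracks.

```python
"""Toy stateful packet filter: fixed ACL vs. connection state with FTP inspection."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset({"SYN"})
    payload: str = ""


def flow_key(pkt):
    """Direction-independent identity of a datastream: its two endpoints."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


def fixed_acl(pkt):
    """Static router ACL: inside traffic passes; outside traffic passes if it
    merely looks like a 'return' packet (ACK set). Unsolicited ACKs slip through."""
    return pkt.iface == "inside" or "ACK" in pkt.flags


# Active-mode FTP: the client announces its data port as "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class StatefulFilter:
    def __init__(self):
        self.conns = set()     # flow keys of datastreams that are currently authorized
        self.pinholes = set()  # (server_ip, client_ip, client_port) awaiting the data SYN

    def check(self, pkt):
        key = flow_key(pkt)
        if key in self.conns:                       # part of a known datastream
            if pkt.iface == "inside" and pkt.dport == 21:
                self._inspect_ftp(pkt)              # watch the command channel
            if pkt.flags & {"FIN", "RST"}:
                self.conns.discard(key)             # transfer over: rule disappears
            return True
        if pkt.iface == "inside" and "SYN" in pkt.flags:
            self.conns.add(key)                     # inside-initiated: remember and allow
            return True
        if pkt.iface == "outside" and "SYN" in pkt.flags:
            hole = (pkt.src, pkt.dst, pkt.dport)
            if hole in self.pinholes:               # the negotiated FTP data channel
                self.pinholes.discard(hole)         # one connection only
                self.conns.add(key)
                return True
        return False                                # everything else from outside is dropped

    def _inspect_ftp(self, pkt):
        m = PORT_RE.search(pkt.payload)
        if m:
            a, b, c, d, p1, p2 = map(int, m.groups())
            self.pinholes.add((pkt.dst, f"{a}.{b}.{c}.{d}", p1 * 256 + p2))


def demo():
    """Run a constructed packet sequence through both filters; returns the verdicts."""
    fw = StatefulFilter()
    client, server, stranger = "10.0.0.5", "198.51.100.7", "203.0.113.9"  # constructed
    log = {}
    # Browser opens an HTTP connection; the server's reply belongs to that datastream
    log["http_syn"] = fw.check(Packet("inside", client, 40000, server, 80))
    log["http_reply"] = fw.check(Packet("outside", server, 80, client, 40000,
                                        frozenset({"SYN", "ACK"})))
    # An unsolicited ACK from outside: the fixed ACL passes it, the stateful filter does not
    stray = Packet("outside", stranger, 4444, client, 445, frozenset({"ACK"}))
    log["stray_fixed"] = fixed_acl(stray)
    log["stray_stateful"] = fw.check(stray)
    # FTP command channel; the client announces data port 4*256+1 = 1025
    fw.check(Packet("inside", client, 40001, server, 21))
    fw.check(Packet("inside", client, 40001, server, 21, frozenset({"ACK"}),
                    "PORT 10,0,0,5,4,1\r\n"))
    # The server may open exactly the negotiated port, nothing else
    log["ftp_data"] = fw.check(Packet("outside", server, 20, client, 1025))
    log["ftp_probe"] = fw.check(Packet("outside", server, 20, client, 1026))
    # Once the data connection closes, the pinhole is gone
    fw.check(Packet("outside", server, 20, client, 1025, frozenset({"FIN", "ACK"})))
    log["ftp_after_close"] = fw.check(Packet("outside", server, 20, client, 1025))
    return log


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {'pass' if verdict else 'drop'}")
```

The datastream is keyed on its two endpoints rather than on direction, which is what lets the server's reply match the browser's request. The pinhole is removed the moment the expected SYN arrives, so a second connection to the same port from the same server is refused just like a probe of a neighbouring port.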