Handling Advanced Protocols


One of the most important features of all firewalls is their ability to intelligently handle many different protocols and applications. If all our needs were satisfied by devices that simply permit, say, outgoing connections to port 80 (HTTP) and deny incoming connections to port 139 (NetBIOS), the life of a security engineer would be much simpler. Unfortunately, many applications, some of which were developed even before the concept of a firewall emerged, behave in a much more complicated manner than Telnet or HTTP. One of the earliest examples is File Transfer Protocol, or FTP (which we discuss in detail in the next section). The general problem these applications pose is that they use more than one connection to operate, and only one of these connections occurs on a well-known port, while the others use dynamically assigned port numbers, which are negotiated in the course of communication. Figure 4.1 shows an example of what happens when this situation occurs and no appropriate measures are in place. (This is a simplified example of SQL*Net session negotiation.)

www.syngress.com


Thus, any firewall that wants to handle these negotiations well needs the ability to monitor them, understand them, and adjust its rules accordingly. This situation becomes even more complicated when NAT or PAT are involved: the firewall might need to change the data portion of a packet that carries embedded address information in order for the packet to be correctly processed by a client or server on the other side of the PIX. There are many implementations of this feature for various firewalls, for example, Stateful Inspection in the Check Point product family or the Adaptive Security Algorithm (ASA) of Cisco PIX devices.

The ASA uses several sources of information during its operation:

- Access control lists (ACLs), which permit or deny traffic based on hosts, networks, and the TCP or UDP ports involved.
- Internal translation (xlate) and connection (conn) tables, which store information about the state of the established connections and are used for fast processing of the traffic that belongs to these connections.
- Embedded rules for application inspection, which allow automatic processing of most of the complicated cases mentioned. Although some of these rules are configurable, others are fixed.

Advanced PIX Configurations • Chapter 4 137

Figure 4.1 Client Redirection Without Application Inspection

[Figure: the "inside network" 192.168.2.0/24 sits behind the PIX (inside interface 192.168.2.1, outside interface 1.2.1.1); the client is at 1.2.3.4. Each packet is shown as src addr, dst addr, data.]

1. src 192.168.2.2, dst 1.2.3.4, data "connect to 192.168.2.5:1026": A server on the inside interface of the PIX tells a client on the outside interface to connect to another host.
2. src 1.2.1.10, dst 1.2.3.4, data "connect to 192.168.2.5:1026": The PIX translates the source and destination address, but not the address embedded inside the payload of the packet.
3. src 1.2.3.4, dst 192.168.2.5, data XXXX: The client attempts a connection as told, but the destination address is not real and the packet is lost.

A detailed description of ASA was provided in Chapter 3. Here we look at the processing of a TCP packet by ASA, including application-level intelligence (not considering address translation):

1. If the packet is not the first one in a connection (with the SYN bit set), it is checked against internal tables to decide if it is a reply to an established connection. If it is not, the packet is denied.
2. If it is a SYN packet, it is checked against internal tables to decide if it is a part of another established connection. If it is, the packet is permitted and internal tables are updated in order to permit return traffic for this connection.
3. If this SYN packet is not a part of any established communication, it is checked against ACLs.
4. If the SYN packet is permitted, the PIX creates a new entry in internal tables (the XLAT and/or CONN table).
5. The firewall checks to see whether the packet needs further processing by application-level inspection algorithms. During this phase, the firewall can create additional entries in internal tables. For example, it can open a temporary conduit for an incoming FTP connection based on the PORT command that it sees in the packet. "Temporary" means that this conduit will exist only until the FTP session terminates and will be deleted after the session is closed.
6. The inspected packet is forwarded to the destination.

The situation for UDP is similar, although simpler, because there are no distinct initial packets in the UDP protocol, so the inspection simply goes through internal tables and ACLs and then through application inspection for each packet received. Figure 4.2 illustrates how the same example from Figure 4.1 would work with application inspection turned on.

The PIX uses source/destination port numbers to decide if application inspection is needed for a particular packet. Some of these ports are configurable and others are not. Table 4.1 summarizes the application inspection features provided by PIX firewall software version 6.2.

Table 4.1 Application Inspection Features of Cisco PIX Firewall Version 6.2

Application              PAT Support  NAT 1-1 Support  Configurable?  Default Port        Related Standards
H.323                    Yes          Yes              Yes            TCP/1720            H.323, H.245, H.225.0,
                                                       No             UDP/1718            Q.931, Q.932
H.323 RAS                Yes          Yes              Yes            UDP/1719            N/A
SIP                      Yes          Yes              Yes            TCP/5060            RFC 2543
                                                       No             UDP/5060
FTP                      Yes          Yes              Yes            TCP/21              RFC 1123
LDAP (ILS)               Yes          No outside NAT   Yes            TCP/389             N/A
SMTP                     Yes          Yes              Yes            TCP/25              RFC 821, 1123
SQL*Net v.1, v.2         Yes          Yes              Yes            TCP/1521 (v.1)      N/A
HTTP                     Yes          Yes              Yes            TCP/80              RFC 2616
RSH                      Yes          Yes              Yes            TCP/514             Berkeley UNIX
SCCP                     No           Yes              Yes            TCP/2000            N/A
DNS                      Yes          Yes              No             UDP/53              RFC 1123
NetBIOS over IP          See next two entries
NBNS/UDP                 No           No               No             UDP/137             N/A
NBDS/UDP                 Yes          Yes              No             UDP/138             N/A
Sun RPC                  No           No               No             UDP/111, TCP/111    N/A
XDMCP                    No           No               No             UDP/117             N/A
RTSP                     No           No               Yes            TCP/554             RFC 2326, 2327, 1889
CU-SeeMe                 No           No               No             UDP/7648            N/A
ICMP                     Yes          Yes              No             N/A                 N/A
VDO Live                 No           Yes              No             TCP/7000            N/A
Windows Media (NetShow)  No           Yes              No             TCP/1755            N/A

Figure 4.2 Application Inspection in Action

[Figure: the same inside network 192.168.2.0/24 behind the PIX (inside interface 192.168.2.1, outside interface 1.2.1.1), now with application inspection turned on. Each packet is shown as src addr, dst addr, data.]

1. src 192.168.2.2, dst 1.2.3.4, data "connect to 192.168.2.5:1026": A server on the inside interface of the PIX tells a client on the outside interface to connect to another host.
2. src 1.2.1.10, dst 1.2.3.4, data "connect to 1.2.1.15:2345": The PIX translates the source and destination address, as well as the address embedded inside the payload of the packet. It also opens a temporary conduit for incoming connections to 1.2.1.15:2345.
3. src 1.2.3.4, dst 1.2.1.15, data XXXX: The client attempts a connection as told and succeeds.
4. src 1.2.3.4, dst 192.168.2.5, data XXXX: The PIX permits the connection and performs NAT as appropriate.

The main command that is used to configure the services described as "configurable" in Table 4.1 (FTP, H.323, HTTP, ILS, RSH, RTSP, SIP, SCCP, SMTP, and SQL*Net) is the fixup command. Its basic syntax is:

    [no] fixup protocol [protocol] [port]

The following sections describe how this command is used for each protocol. Depending on the protocol it is used with, application inspection (fixup) provides the following functionality for complex protocols:

- Securely and dynamically open and close temporary conduits for legitimate traffic
- Network Address Translation
- Port Address Translation
- Inspect traffic for malicious behavior
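As an added example (not PIX code and not from the book), the following Python toy ties together the six-step TCP decision flow described earlier and the idea behind "fixup protocol ftp [port]": a hypothetical Pix class keeps an ACL, a conn table and a table of temporary conduits, and its FTP inspector parses the PORT command (RFC 959 format "PORT h1,h2,h3,h4,p1,p2") to open a conduit that lives only as long as the control session. The ftp_port parameter, the Packet fields and all addresses are constructed for the illustration; address translation is left out, as in the book's step list.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    fin: bool = False
    payload: bytes = b""

# FTP active-mode command "PORT h1,h2,h3,h4,p1,p2"; the data port is p1*256 + p2
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

class Pix:  # constructed toy model of the six ASA steps for TCP; no NAT/PAT
    def __init__(self, acl, ftp_port=21):  # ftp_port mirrors "fixup protocol ftp <port>"
        self.acl = set(acl)       # (dst, dport) pairs permitted for new connections (step 3)
        self.conn = set()         # conn table: 4-tuples of established connections
        self.conduits = {}        # (dst, dport) -> owning control connection (step 5)
        self.ftp_port = ftp_port

    def process(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        owner = key if key in self.conn else rev          # conn entries cover both directions
        if not pkt.syn:                                   # step 1: must belong to a known conn
            if owner not in self.conn:
                return "deny"
        elif (pkt.dst, pkt.dport) in self.conduits:       # step 2: SYN into a temporary conduit
            self.conn.add(key)                            # return traffic is now permitted too
            return "permit"
        elif (pkt.dst, pkt.dport) not in self.acl:        # step 3: a new SYN must pass the ACL
            return "deny"
        else:
            self.conn.add(key)                            # step 4: new conn entry
            owner = key
        return self._inspect(pkt, owner)                  # steps 5 and 6

    def _inspect(self, pkt, owner):  # step 5 (FTP PORT inspection), then step 6 (forward)
        if self.ftp_port in (pkt.dport, pkt.sport):
            m = PORT_RE.search(pkt.payload)
            if m:
                h = [int(x) for x in m.groups()]
                conduit = (".".join(map(str, h[:4])), h[4] * 256 + h[5])
                self.conduits[conduit] = owner            # temporary: tied to this session
        if pkt.fin:                                       # session closing: tear down its conduits
            self.conn.discard(owner)
            self.conduits = {c: o for c, o in self.conduits.items() if o != owner}
        return "permit"
```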