User Datagram Protocol

Several Internet applications, most conspicuously the Domain Name System (DNS) and many streaming audio and video protocols, are based on the User Datagram Protocol (UDP). UDP is a simple, unreliable transport service. It is connectionless, so delivery is not guaranteed. Look at the simple structure of the UDP header in Figure 2.4 and you will appreciate this protocol’s efficiency. Since connections aren’t set up and torn down, there is very little overhead. Lost, damaged, or out-of-order segments will not be retransmitted unless the application layer requests it. UDP is used for fast, simple messages sent from one host to another. Because of its simplicity, UDP packets are more easily spoofed than TCP packets. If reliable or ordered delivery of data is needed, applications should use TCP.

There is usually a tradeoff between simplicity and security, and this is true with UDP. Because TCP is connection oriented, we can identify the start of a session by specific flags—but as you can see in Figure 2.4, there aren’t any flags here. All you have to work with is the UDP socket pairs.
www.syngress.com
Designing & Planning…

TCP Sequence Number Randomization

All that SYN and SYN/ACK work is designed so that both sides will agree on an initial sequence number (ISN) for each side of their communication. This adds a layer of security protection; in theory, one would have to be able to “hear” the TCP SYN request to know what ISN to use, and thus the IP address of the host in the datastream must be able to receive the packet, and therefore, for example, hosts on the Internet can’t masquerade as local hosts.

Unfortunately, many servers use an easily predicted ISN generation function. One famous break-in, Kevin Mitnick’s attack on Tsutomu Shimomura’s data, documented in the book Takedown, was based on this flaw. The PIX provides protection against this sort of attack by using TCP sequence number randomization. As the packets pass through the firewall, they are rewritten so that the ISNs cannot be predicted.

This system is not perfect; you should still use authentication and authorization at the server where available. But it should provide an extra layer of security that will let your security officers sleep better at night.
Introduction to PIX Firewalls • Chapter 2 55
This is where the firewall state comes in. The PIX has the ability to recognize the first UDP packet in a datastream. When the first packet is accepted by the information flow control policy (either because it is coming from a trusted net toward a less trusted one or because of an explicit exception in the ACL), the same sort of process shown in Figure 2.3 occurs. If permitted, an entry is made in the connection table, and further packets with the same socket pairs are associated with that established datastream until an idle timeout occurs. (The idle timeout is set with the timeout command and defaults to 2 minutes.)

Note that other protocols besides TCP and UDP are permitted. Most common is ICMP, the Internet Control Message Protocol. ICMP provides diagnostic functions and error reporting for IP. For example, ICMP can provide feedback to a sending host when a destination is unreachable or time is exceeded (TTL=0). A ping is an ICMP echo request message, and the response is an ICMP echo reply.

Other types of protocols are filtered by the PIX, although the concept of a socket does not apply (and so you cannot specify additional parameters on the access list beyond filtering on the source and destination addresses). The special protocol 0 refers to any IP packet, and you can specify any number between 0 and 255. You can also use literals; you have already seen the literals TCP (which is 17), UDP (which is 6), and ICMP (which is 1).

These other protocols are handled similarly to the UDP approach, with idle timeouts removing entries from the connection table when they are no longer valid.
Figure 2.4 The UDP Header

 0               16              31
 +---------------+---------------+
 |  Source Port  | Destination   |
 |               |     Port      |
 +---------------+---------------+
 |    Length     |   Checksum    |
 +---------------+---------------+
 |             Data              |
 +-------------------------------+
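The following is an added example, not code from the book or from the PIX itself: a small Python model of the connection-table behaviour described above. It unpacks the four UDP header fields of Figure 2.4, keys UDP entries on socket pairs and ICMP entries on addresses only, admits the first packet only when the flow policy permits it, matches return traffic by the reversed socket pair, and drops entries after the 2-minute idle timeout. The addresses, ports and timestamps are constructed for the scenario.

```python
import struct

IDLE_TIMEOUT = 120  # seconds: the text's default for the idle timeout ("timeout" command)

def parse_udp_header(data: bytes):
    """Unpack Figure 2.4's four 16-bit fields: source port, destination port, length, checksum."""
    return struct.unpack("!HHHH", data[:8])

class ConnTable:
    """Connection table for connectionless protocols, keyed on socket pairs as the text describes."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.entries = {}  # key -> time the entry was last refreshed

    @staticmethod
    def key(proto, src, sport, dst, dport):
        # UDP entries carry socket pairs; ICMP and other IP protocols are keyed on addresses only.
        return (proto, src, sport, dst, dport) if proto == "udp" else (proto, src, None, dst, None)

    def check(self, now, proto, src, sport, dst, dport, policy_permits):
        """Return "permit" or "deny" for one packet and update the table accordingly."""
        # Idle timeout: drop entries that have not been refreshed within the timeout.
        self.entries = {k: t for k, t in self.entries.items() if now - t <= self.idle_timeout}
        fwd, rev = self.key(proto, src, sport, dst, dport), self.key(proto, dst, dport, src, sport)
        for k in (fwd, rev):
            if k in self.entries:  # belongs to an established datastream: refresh and permit
                self.entries[k] = now
                return "permit"
        if policy_permits:  # first packet accepted by the flow policy (trusted side or ACL exception)
            self.entries[fwd] = now
            return "permit"
        return "deny"  # unsolicited packet from the less trusted side

def run_scenario():
    """Constructed packet stream (not real traffic); returns the decision for each packet in order."""
    table = ConnTable()
    inside, dns, gw = "10.0.0.5", "198.51.100.53", "198.51.100.1"  # constructed addresses
    query = parse_udp_header(struct.pack("!HHHH", 40000, 53, 36, 0))   # DNS query, inside -> outside
    reply = parse_udp_header(struct.pack("!HHHH", 53, 40000, 100, 0))  # its reply, socket pair reversed
    stray = parse_udp_header(struct.pack("!HHHH", 53, 40001, 100, 0))  # unsolicited: other socket pair
    return [
        table.check(0, "udp", inside, query[0], dns, query[1], True),     # permit: entry created
        table.check(1, "udp", dns, reply[0], inside, reply[1], False),    # permit: matches the entry
        table.check(2, "udp", dns, stray[0], inside, stray[1], False),    # deny: no such socket pair
        table.check(5, "icmp", inside, None, gw, None, True),             # permit: echo request out
        table.check(6, "icmp", gw, None, inside, None, False),            # permit: echo reply back
        table.check(130, "udp", dns, reply[0], inside, reply[1], False),  # deny: idle > 120 s since t=1
    ]
```

The last packet is refused because the entry was last refreshed at t=1 and nothing kept it alive, which is exactly the window an unsolicited UDP packet has to masquerade as a reply once a datastream is established.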