Understanding the two transport protocols, Transmission Control Protocol (TCP)
and User Datagram Protocol (UDP), is a prerequisite for understanding how the
PIX Security Appliance operates. A network session is carried over one of two
transport layer protocols:
- TCP, which is connection-oriented and therefore easy to inspect
- UDP, which is connectionless and therefore difficult to inspect properly
NOTE:
In the context of this course, the term outbound means
connections from a more trusted side of the PIX Security Appliance to a less
trusted side of the PIX Security Appliance. The term inbound means
connections from a less trusted side of the PIX to a more trusted side of the
PIX.
TCP
TCP is a connection-oriented protocol. When a session
is started from a more secure host on the inside of the PIX Security Appliance,
the PIX Security Appliance creates an entry in its session state filter.
The PIX Security Appliance is able to extract network sessions from the
network flow and actively verify their validity in real time. This stateful
filter maintains the state of each network connection and checks subsequent
protocol units against its expectations. When a TCP session is initiated
through the PIX, the PIX records the outbound SYN and waits for the
acknowledgement (the SYN/ACK) from the device with which the host is trying to
initiate communications. Once the originating host completes the three-way
handshake with its ACK, the PIX allows traffic to flow between the two hosts;
segments that do not fit the recorded state of the connection (for example an
unsolicited inbound SYN) have no matching entry and are dropped. The
step-by-step process is detailed in the demonstration activity.
UDP
UDP is connectionless, so the PIX Security Appliance must take other measures
to secure it. Applications using UDP are difficult to secure properly because
there is no handshaking or sequencing: it is difficult to determine the current
state of a UDP transaction, and difficult to maintain the state of a session
that has no clear beginning, flow state, or end. The PIX therefore
approximates a session: it creates a UDP connection slot when a UDP packet is
sent from a more secure to a less secure interface, and all subsequent returned
UDP packets that match the connection slot (same addresses and ports, in the
reverse direction) are forwarded to the inside network. Inbound UDP packets
with no matching slot are dropped.
When the UDP connection slot is idle for more than the
configured idle time, it is deleted from the connection table. The following
are some UDP characteristics:
- UDP is an unreliable but efficient transport protocol.
- UDP has no handshaking or sequencing.
- UDP has no delivery guarantees.
- UDP has no connection setup and termination.
- UDP has no congestion management or avoidance.
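The following Python model illustrates the two behaviours described above: a TCP slot that is created by an outbound SYN and advanced only by the expected SYN/ACK and ACK, and a UDP slot that is created by an outbound datagram, matched by return traffic, and removed after the configured idle time. It is an added example written for this page, not PIX code; the interface names, addresses, timeout value and the shape of the connection table are assumptions chosen for illustration, and the traffic in demo() is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Simplified model of a stateful connection table (illustrative only, not PIX code).
# Two interfaces are assumed: "inside" (more trusted) and "outside" (less trusted).
# Per the NOTE above, outbound = arrives on inside, inbound = arrives on outside.


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str                        # interface the packet arrives on
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}
    time: float = 0.0                 # seconds; drives the UDP idle timeout


# Slot key, always oriented inside -> outside so both directions hit the same entry.
Key = Tuple[str, str, int, str, int]  # proto, inside host, inside port, outside host, outside port


@dataclass
class Slot:
    state: str          # TCP: SYN_SENT -> SYN_ACK_SEEN -> ESTABLISHED; UDP: "UDP"
    last_seen: float


class StatefulFilter:
    def __init__(self, udp_idle_timeout: float = 120.0):   # timeout value is assumed
        self.table: Dict[Key, Slot] = {}
        self.udp_idle_timeout = udp_idle_timeout

    @staticmethod
    def key(pkt: Packet) -> Key:
        if pkt.iface == "inside":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def expire_udp(self, now: float) -> List[Key]:
        """Delete UDP slots idle longer than the configured idle time."""
        dead = [k for k, s in self.table.items()
                if s.state == "UDP" and now - s.last_seen > self.udp_idle_timeout]
        for k in dead:
            del self.table[k]
        return dead

    def handle(self, pkt: Packet) -> Tuple[str, str]:
        """Return ("permit"|"deny", reason) and update the table."""
        self.expire_udp(pkt.time)
        k = self.key(pkt)
        slot = self.table.get(k)
        outbound = pkt.iface == "inside"
        if pkt.proto == "tcp":
            return self._tcp(pkt, k, slot, outbound)
        if pkt.proto == "udp":
            return self._udp(pkt, k, slot, outbound)
        return ("deny", "unsupported protocol")

    def _tcp(self, pkt, k, slot, outbound):
        f = pkt.flags
        if slot is not None and "RST" in f:
            del self.table[k]
            return ("permit", "RST tears down slot")
        if slot is None:
            if outbound and f == {"SYN"}:
                self.table[k] = Slot("SYN_SENT", pkt.time)
                return ("permit", "outbound SYN creates slot")
            return ("deny", "no slot; unsolicited TCP segment")
        if slot.state == "SYN_SENT" and not outbound and f == {"SYN", "ACK"}:
            slot.state, slot.last_seen = "SYN_ACK_SEEN", pkt.time
            return ("permit", "SYN/ACK from peer")
        if slot.state == "SYN_ACK_SEEN" and outbound and "ACK" in f and "SYN" not in f:
            slot.state, slot.last_seen = "ESTABLISHED", pkt.time
            return ("permit", "handshake complete")
        if slot.state == "ESTABLISHED" and "SYN" not in f:
            slot.last_seen = pkt.time
            return ("permit", "established connection")
        return ("deny", f"segment {sorted(f)} unexpected in state {slot.state}")

    def _udp(self, pkt, k, slot, outbound):
        if slot is None:
            if outbound:
                self.table[k] = Slot("UDP", pkt.time)
                return ("permit", "outbound datagram creates slot")
            return ("deny", "no slot; unsolicited inbound datagram")
        slot.last_seen = pkt.time        # any matching datagram keeps the slot alive
        return ("permit", "matches existing slot")


def demo() -> List[Tuple[str, str]]:
    """Constructed traffic (addresses are documentation ranges, not real hosts)."""
    fw = StatefulFilter(udp_idle_timeout=60.0)
    inside, dns, web, attacker = "10.1.1.10", "192.0.2.53", "192.0.2.80", "198.51.100.7"
    out, in_ = "inside", "outside"
    traffic = [
        Packet("udp", inside, 40001, dns, 53, out, time=0.0),                       # DNS query
        Packet("udp", dns, 53, inside, 40001, in_, time=0.1),                       # matching reply
        Packet("udp", attacker, 53, inside, 40001, in_, time=0.2),                  # reply from wrong source
        Packet("tcp", inside, 50000, web, 80, out, frozenset({"SYN"}), 1.0),
        Packet("tcp", web, 80, inside, 50000, in_, frozenset({"SYN", "ACK"}), 1.1),
        Packet("tcp", inside, 50000, web, 80, out, frozenset({"ACK"}), 1.2),
        Packet("tcp", web, 80, inside, 50000, in_, frozenset({"ACK"}), 1.3),        # data segment
        Packet("tcp", attacker, 4444, inside, 22, in_, frozenset({"SYN"}), 2.0),    # inbound scan
        Packet("udp", dns, 53, inside, 40001, in_, time=100.0),                     # reply after idle timeout
    ]
    return [fw.handle(p) for p in traffic]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:6} {reason}")
```

The model deliberately keys UDP slots on the full address/port pair in both directions, which is why the spoofed reply from a different source is dropped even though it targets the right inside port, and why the late reply is dropped once the idle timer has removed the slot.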