PIX Security Appliance Translations and Connections
Transport protocols

Understanding the transport protocols Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) is essential to understanding how the PIX Security Appliance operates.

A network session is carried out over two transport layer protocols:

  • TCP, which is easy to inspect
  • UDP, which is difficult to inspect properly

NOTE: In the context of this course, the term outbound means connections from a more trusted side of the PIX Security Appliance to a less trusted side of the PIX Security Appliance. The term inbound means connections from a less trusted side of the PIX to a more trusted side of the PIX.

TCP
TCP is a connection-oriented protocol. When a host on a more secure interface of the PIX Security Appliance starts a session, the PIX Security Appliance creates an entry for it in the session state filter.

The PIX Security Appliance is able to extract network sessions from the network flow and actively verify their validity in real time. This stateful filter maintains the state of each network connection and checks subsequent protocol units against its expectations. When a TCP session is initiated through the PIX, the PIX records the network flow and looks for an acknowledgement from the device with which the host is trying to initiate communications. The PIX then allows traffic to flow between the hosts involved in the connection based on the three-way handshake. The step-by-step process is detailed in the demonstration activity.

UDP
UDP is connectionless, so the PIX Security Appliance must take other measures to secure it. Applications using UDP are difficult to secure properly because there is no handshaking or sequencing. It is difficult to determine the current state of a UDP transaction, and it is difficult to maintain the state of a session that has no clear beginning, flow state, or end. However, the PIX creates a UDP connection slot when a UDP packet is sent from a more secure to a less secure interface. All subsequent returned UDP packets matching the connection slot are forwarded to the inside network.

When the UDP connection slot is idle for more than the configured idle time, it is deleted from the connection table. The following are some UDP characteristics:

  • UDP is an unreliable but efficient transport protocol.
  • UDP has no handshaking or sequencing.
  • UDP has no delivery guarantees.
  • UDP has no connection setup and termination.
  • UDP has no congestion management or avoidance.
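The following toy model, added here as an illustration and not Cisco code, shows the connection-table behaviour described in the TCP and UDP sections above: an outbound TCP SYN creates a session entry that is walked through the three-way handshake, an outbound UDP packet creates a connection slot that return packets must match, and an idle UDP slot is deleted after a configurable timeout. All addresses, ports and the 120-second idle value are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    state: str        # TCP: SYN_SENT -> SYN_ACK_SEEN -> ESTABLISHED; UDP: SLOT
    last_seen: float  # seconds; drives the UDP idle timeout


class StatefulFilter:
    """Inside = more trusted, outside = less trusted (constructed model).
    Table keys are the inside host's 5-tuple (proto, src, sport, dst, dport)."""

    def __init__(self, udp_idle=120.0):
        self.table = {}
        self.udp_idle = udp_idle

    def outbound(self, proto, src, sport, dst, dport, now, flags=()):
        key = (proto, src, sport, dst, dport)
        conn = self.table.get(key)
        if proto == "udp":
            # First outbound UDP packet creates the slot; later ones refresh it.
            self.table[key] = Conn("SLOT", now)
            return True
        if conn is None:
            if "SYN" in flags and "ACK" not in flags:
                self.table[key] = Conn("SYN_SENT", now)  # new session state entry
                return True
            return False  # non-SYN segment with no entry: not a known session
        if conn.state == "SYN_ACK_SEEN" and "ACK" in flags:
            conn.state = "ESTABLISHED"  # third step of the handshake seen
        conn.last_seen = now
        return True

    def inbound(self, proto, src, sport, dst, dport, now, flags=()):
        key = (proto, dst, dport, src, sport)  # reverse tuple of the inside host
        conn = self.table.get(key)
        if conn is None:
            return False  # nothing initiated from the inside: dropped
        if proto == "udp":
            if now - conn.last_seen > self.udp_idle:
                del self.table[key]  # idle slot removed from the connection table
                return False
            conn.last_seen = now
            return True
        if conn.state == "SYN_SENT" and {"SYN", "ACK"} <= set(flags):
            conn.state = "SYN_ACK_SEEN"  # acknowledgement from the outside peer
            conn.last_seen = now
            return True
        if conn.state == "ESTABLISHED":
            conn.last_seen = now
            return True
        return False  # out-of-state TCP segment: dropped
```

The model returns True for a packet the filter would forward and False for one it would drop, which makes it easy to trace why an unsolicited inbound SYN/ACK or a late UDP reply is refused.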

Demonstration Activity: TCP Initialization Inside to Outside

In this activity, students will examine the PIX Security Appliance TCP initialization process in more detail.

Demonstration Activity: UDP Initialization Inside to Outside

In this activity, students will examine the PIX Security Appliance UDP initialization process in more detail.