Today, corporations that use the Internet for business transactions want to
keep their internal networks secure from potential threats. These corporations
usually implement firewalls as part of their network defense strategy.
Firewalls can help protect their networks, but some firewalls may cause
problems as well. For example, applications such as FTP, HTTP, multimedia, and
SQL*Net require their communications protocols to dynamically negotiate source
or destination ports or IP addresses. Some firewalls cannot participate in
these dynamic protocol negotiations, resulting in either the complete blockage
of these corporate services or the need to pre-configure static holes in the
firewall to allow these services.
A good firewall has to inspect packets above the network layer and do the
following as required by the protocol or application:
- Securely open and close negotiated ports or IP addresses for legitimate
client-server connections through the firewall.
- Rewrite IP addresses embedded in the packet payload so that they match the
NAT translation applied to the packet header.
- Rewrite port numbers embedded in the packet payload so that they match the
PAT translation applied to the packet header.
- Inspect packets for signs of malicious application misuse.
The PIX Security Appliance can be configured to inspect the required
protocols, or applications, and permit them to traverse the PIX with dynamic,
stateful adjustments to the security policy of the PIX. This enables the
corporate networks to remain secure while still being able to continue
conducting day-to-day business.
The Adaptive Security Algorithm (ASA),
used by the PIX Security Appliance for stateful application inspection, ensures
the secure use of applications and services. Some applications require special
handling by the PIX application inspection function. Applications that require
special application inspection functions are those that embed IP addressing
information in the user data packet or that open secondary channels on
dynamically assigned ports.
The application inspection function works
with NAT to help identify the location of embedded addressing information. This
allows NAT to translate these embedded addresses and to update any checksum or
other fields that are affected by the translation.
The application
inspection function also monitors sessions to determine the port numbers for
secondary channels. Many protocols open secondary TCP or UDP ports. The initial
session on a well-known port is used to negotiate dynamically assigned port
numbers. The application inspection function monitors these sessions,
identifies the dynamic port assignments, and permits data exchange on these
ports for the duration of the specific session. In the example shown in the figure, the FTP
client is shown in active mode opening a control channel between its port 2008
and the FTP server port 21. When data is to be exchanged, the FTP client alerts
the FTP server through the control channel that it expects the data to be
delivered back from FTP server port 20 to its port 2010. If FTP inspection is
not enabled, the return data from FTP server port 20 to FTP client port 2010 is
blocked by the security appliance. With FTP inspection enabled, however, the
security appliance inspects the FTP control channel to recognize that the data
channel will be established to the new FTP client port 2010 and temporarily
creates an opening for the data channel traffic for the life of the
session.
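The following is an added example, not code from the page or from Cisco, that models the two jobs described above: the NAT-aware rewrite of addresses embedded in the control channel, and the temporary pinhole opened for the negotiated data channel. It walks through the active-mode exchange from the text (control port 2008, data port 2010) and also handles the passive-mode 227 reply and the FTP bounce case, where a client names an address other than its own in a PORT command. All IP addresses, the static NAT mapping, the control-channel lines, and the `FtpInspector` class and its methods are assumptions constructed for the illustration; the security appliance's own inspection engine is not exposed as an API like this.

```python
import re
from dataclasses import dataclass, field

# Constructed addresses (RFC 5737 documentation ranges); not from the page.
INSIDE_CLIENT = "10.0.0.8"     # FTP client on the inside interface
OUTSIDE_CLIENT = "192.0.2.8"   # its assumed static NAT translation
FTP_SERVER = "203.0.113.21"    # FTP server on the outside

# RFC 959 host-port syntax: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _HP + r"\s*$")       # client -> server
PASV_RE = re.compile(r"^227 .*?\(" + _HP + r"\)")     # server -> client


def decode_hostport(groups):
    """Turn the six captured octets into ('a.b.c.d', port)."""
    a, b, c, d, p1, p2 = (int(g) for g in groups)
    if max(a, b, c, d, p1, p2) > 255:
        raise ValueError("host-port octet out of range")
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport, used when rewriting a PORT command."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass
class FtpInspector:
    """Toy stateful FTP inspector (assumed model, not the PIX engine).

    src_ip/dst_ip given to inspect_control are the packet-header addresses
    as seen on the outside interface (already NAT-translated); the payload of
    a PORT command still carries the client's untranslated inside address,
    which is exactly what the inspector has to rewrite.
    A pinhole is (initiator_ip, initiator_port_or_None, responder_ip, port).
    """
    nat: dict                       # inside IP -> outside IP (static NAT)
    pinholes: set = field(default_factory=set)

    def inspect_control(self, src_ip, dst_ip, line):
        """Inspect one control-channel line; return the line to forward."""
        m = PORT_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            xlated = self.nat.get(ip, ip)
            if xlated != src_ip:
                # Client asks the server to connect somewhere other than
                # itself: classic FTP bounce, so refuse to open anything.
                raise ValueError(f"PORT address {ip} does not match sender {src_ip}")
            # Active mode: server port 20 will connect to client ip:port.
            self.pinholes.add((dst_ip, 20, xlated, port))
            return f"PORT {encode_hostport(xlated, port)}\r\n"
        m = PASV_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            if ip != src_ip:
                raise ValueError(f"227 address {ip} does not match server {src_ip}")
            # Passive mode: client connects from any port to server ip:port.
            self.pinholes.add((dst_ip, None, ip, port))
        return line  # everything else is forwarded unchanged

    def permit_data_syn(self, src_ip, src_port, dst_ip, dst_port):
        """Would the first packet of this data connection be allowed?"""
        return any(
            i_ip == src_ip and (i_port is None or i_port == src_port)
            and r_ip == dst_ip and r_port == dst_port
            for i_ip, i_port, r_ip, r_port in self.pinholes
        )

    def data_channel_closed(self, initiator_ip, responder_ip, responder_port):
        """Tear the pinhole down once the data connection ends."""
        self.pinholes = {
            p for p in self.pinholes
            if not (p[0] == initiator_ip and p[2] == responder_ip and p[3] == responder_port)
        }


def run_example():
    """Replay the active-mode exchange from the text with constructed data."""
    fw = FtpInspector(nat={INSIDE_CLIENT: OUTSIDE_CLIENT})
    # No pinhole yet: the server's connection to client port 2010 is blocked.
    before = fw.permit_data_syn(FTP_SERVER, 20, OUTSIDE_CLIENT, 2010)
    # Client (control port 2008 -> server 21) announces data port 2010 using
    # its inside address; 7*256 + 218 == 2010.
    forwarded = fw.inspect_control(OUTSIDE_CLIENT, FTP_SERVER, "PORT 10,0,0,8,7,218\r\n")
    during = fw.permit_data_syn(FTP_SERVER, 20, OUTSIDE_CLIENT, 2010)
    other = fw.permit_data_syn(FTP_SERVER, 20, OUTSIDE_CLIENT, 2011)
    fw.data_channel_closed(FTP_SERVER, OUTSIDE_CLIENT, 2010)
    after = fw.permit_data_syn(FTP_SERVER, 20, OUTSIDE_CLIENT, 2010)
    # Passive mode: server offers port 19*256 + 137 == 5001.
    fw.inspect_control(FTP_SERVER, OUTSIDE_CLIENT,
                       "227 Entering Passive Mode (203,0,113,21,19,137).\r\n")
    passive = fw.permit_data_syn(OUTSIDE_CLIENT, 40123, FTP_SERVER, 5001)
    # Bounce attempt: PORT naming a third host is rejected, no pinhole opened.
    try:
        fw.inspect_control(OUTSIDE_CLIENT, FTP_SERVER, "PORT 198,51,100,7,0,25\r\n")
        bounce_rejected = False
    except ValueError:
        bounce_rejected = True
    return {"before": before, "forwarded": forwarded, "during": during,
            "other_port": other, "after": after, "passive": passive,
            "bounce_rejected": bounce_rejected}


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v!r}")
```

On the appliance itself this behaviour is switched on per protocol rather than coded: PIX 6.x enables it with `fixup protocol ftp 21` (on by default), and PIX/ASA 7.0 and later use `inspect ftp` inside a Modular Policy Framework policy map. The model above is deliberately stricter than the text requires in one respect: it drops a PORT command whose embedded address is not the sender's, which is the check that stops a client from using the firewall's pinhole to reach a third host.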