Configure Advanced Protocol Inspection
Introduction to advanced protocol inspection

Today, corporations that use the Internet for business transactions want to keep their internal networks secure from potential threats. These corporations usually implement firewalls as part of their network defense strategy. Firewalls can help protect their networks, but some firewalls may cause problems as well. For example, applications such as FTP, HTTP, multimedia, and SQL*Net require their communications protocols to dynamically negotiate source or destination ports or IP addresses. Some firewalls cannot participate in these dynamic protocol negotiations, resulting in either the complete blockage of these corporate services or the need to pre-configure static holes in the firewall to allow these services.

A good firewall has to inspect packets above the network layer and do the following as required by the protocol or application:

  • Securely open and close negotiated ports or IP addresses for legitimate client-server connections through the firewall.
  • Use NAT-relevant instances of an IP address inside a packet.
  • Use PAT-relevant instances of ports inside a packet.
  • Inspect packets for signs of malicious application misuse.

The PIX Security Appliance can be configured to inspect the required protocols, or applications, and permit them to traverse the PIX with dynamic, stateful adjustments to the security policy of the PIX. This enables the corporate networks to remain secure while still being able to continue conducting day-to-day business.

The Adaptive Security Algorithm (ASA), used by the PIX Security Appliance for stateful application inspection, ensures the secure use of applications and services. Some applications require special handling by the PIX application inspection function. Applications that require special application inspection functions are those that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports.

The application inspection function works with NAT to help identify the location of embedded addressing information. This allows NAT to translate these embedded addresses and to update any checksum or other fields that are affected by the translation.

The application inspection function also monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or UDP ports. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection function monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session. In the example in Figure , the FTP client is shown in active mode opening a control channel between its port 2008 and the FTP server port 21. When data is to be exchanged, the FTP client alerts the FTP server through the control channel that it expects the data to be delivered back from FTP server port 20 to its port 2010. If FTP inspection is not enabled, the return data from FTP server port 20 to FTP client port 2010 is blocked by the security appliance. With FTP inspection enabled, however, the security appliance inspects the FTP control channel to recognize that the data channel will be established to the new FTP client port 2010 and temporarily creates an opening for the data channel traffic for the life of the session.
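The following is an added worked example, not PIX code, of what the FTP inspection described above has to do on the control channel: decode the client's PORT command to learn the negotiated data port (7,218 encodes 2010), rewrite the embedded inside address with its NAT address, and record the temporary pinhole for server port 20 back to the client port. The addresses, the one-to-one NAT table, and the function names are constructed for the illustration.

```python
"""Added example: active-mode FTP PORT inspection with NAT rewrite (not PIX code)."""
import re
from dataclasses import dataclass

# Constructed inside->outside mapping (assumption: static one-to-one NAT).
NAT_TABLE = {"10.1.1.5": "192.0.2.10"}
FTP_DATA_PORT = 20
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

@dataclass(frozen=True)
class Pinhole:
    """Temporary permit entry the inspector creates for the data channel."""
    src_ip: str      # FTP server
    src_port: int    # 20 in active mode
    dst_ip: str      # client address as the server will see it (post-NAT)
    dst_port: int    # dynamically negotiated client port

def parse_port_command(line: str):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a valid PORT."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None            # malformed: octet or port byte out of range
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port < 1024:
        return None            # do not open pinholes onto well-known ports
    return ip, port

def encode_port_command(ip: str, port: int) -> str:
    """Re-encode (ip, port) as the PORT argument the server will see."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def inspect_control_line(line: str, client_ip: str, server_ip: str):
    """Inspect one client->server control line; return (line to forward, Pinhole).

    Non-PORT lines pass through with no pinhole. A PORT command whose embedded
    address is not the session's client is dropped (None, None). Otherwise the
    embedded address is NAT-translated and a server:20 -> client:port pinhole
    is returned for the life of the session.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return line, None
    ip, port = parsed
    if ip != client_ip:
        return None, None      # embedded address does not belong to this session
    outside_ip = NAT_TABLE.get(client_ip, client_ip)
    return encode_port_command(outside_ip, port), Pinhole(server_ip, FTP_DATA_PORT, outside_ip, port)
```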
