Hi everybody!
I was reading about the pix 501 and its features. One of the features is firewall by NAT. Without an upgrade, the pix 501 can perform NAT for only 10 devices. I understand that this is an end-of-sale device. But before that, why would an engineer choose to use a pix 501 instead of routers?
For example, pix e0--------------------e0Re1--------------internet
In the above case, I have to use three public IP addresses, one on e0 of the pix, one on e0 of R, one on e1 of R, and then not more than 10 devices behind the pix (501) can access the internet at the same time.
The above topology can be designed in a cost-effective manner by not using the pix at all.
The benefits are:
1) only one public ip address is needed.
2) more than 10 devices can access the internet
3) requires one maintenance license compared to two in the first case, one for the pix, one for the router.
So during its life-time, why would an engineer prefer pix 501 over routers to implement firewall?
Thanks a lot!
"Here the TCP flags, reset bit and ack bit are checked as well. The only difference is in stateful inspection the SYN bit is also inspected. Am I correct?"
No, because a TCP packet could be forged. A stateful connection would only allow traffic from 188.8.131.52 if it "knew" there was an active TCP conversation between 184.108.40.206 and 220.127.116.11 (and likely started from 18.104.22.168). This example ACL is "stateless" (although not of much risk since 22.214.171.124 should drop unexpected packets from 126.96.36.199).
Jon, hope you don't mind my jumping on a question directed to you, but I saw it just as I finished my post.
"I want to know about stateful inspection of traffic. What do we mean by stateful inspection? How does it differ from the inspection the old routers perform?"
In short, stateful inspection tracks what it sees as a conversation's "state". Generally when a conversation is started from the "inside", it's recorded as being active, i.e. the FW keeps track so that "outside" traffic is allowed through the FW as part of the same conversation. If the FW considers the conversation closed (inactive) it blocks outside traffic. (Usually outside traffic not part of any inside-started conversation would also be blocked.) In Jon's post, a TCP FIN (or RST) would be one method of closing an active TCP conversation.
A non-stateful rule would usually just look at addresses and/or ports and allow or disallow traffic transit without trying to keep track of the conversation's state. For instance, any traffic from the outside directed to an internal FTP server that was TCP on FTP ports might be permitted.
A stateful rule might allow TCP on FTP ports to any internal host provided the conversation was started on the internal host.
BTW: Although FW usually targets traffic from the "outside", stateful, on some devices, can also be used from outside to inside.
Stateful inspection is primarily concerned with TCP connections. When a TCP connection is set up there are certain TCP flags set in the packets. I suspect you already know this but just in case.
Client A talks to server B on TCP port 80.
1) A sends first packet with TCP flag SYN set.
2) B responds with TCP SYN and TCP ACK set.
3) A responds with TCP ACK set.
Once the above has been done the client and server communicate using ACK flags for the packets.
So a stateful firewall checks these flags eg.
client A -> firewall -> Server B
client A sends packet with SYN set. Firewall records this packet.
Server B sends a response with SYN/ACK set. Firewall has record of A sending packet with SYN set and knows that the response from B should be SYN/ACK so it allows return traffic.
So firewall has allowed the return traffic based on the "state" of the connection.
Let's say server B sends SYN/ACK without client A sending a SYN packet first. The firewall checks its state table and cannot find a corresponding SYN packet from the client, so it drops the packet.
Stateful firewalling really only applies to TCP. For UDP/ICMP the firewall simply uses a timer, i.e. it sees a UDP connection going out so it expects to see the reply within a certain time limit. If it does, the return packet is allowed in. If not, it is dropped.
Finally, stateful firewalls are not the same as proxy firewalls. Stateful firewalls check TCP flags as described. Proxy firewalls actually "understand" the specific protocol in use, e.g. FTP/SMTP etc., and can recognise valid and invalid commands.
The Pix/ASA firewalls are primarily stateful firewalls with elements of proxy firewalling. The proxy firewalling elements on a pix are the "fixup" commands. On the ASA they are the "inspect" commands.
There are several reasons why an engineer might have chosen a PIX over a router:
- the PIX is a purpose built firewall and some would believe that it does that function better than a router.
- the PIX does stateful inspection of traffic passing through. Until fairly recently the router did not do stateful inspection.
- you may think this is a continuation of the previous point or you may agree that it is a new point, but the PIX does deep packet inspection and can make sure that the traffic streams conform to the expectations of the protocols being used. The router is not so good at deep packet inspection.
- one of the approaches to security that is frequently adopted is sometimes called defense in depth or may be called layered protection. With the router and the PIX you have 2 layers with each device providing its own service and its own contribution to the security of the network. With just the router you have 1 layer - and you have a single box which if compromised gives the attacker access to the network. With PIX and router there are 2 devices which must be compromised.
if the presentation to the Internet was ethernet then instead of
For example, pix e0--------------------internet
It's true that routers can do firewalling as well but CBAC (the IOS FW feature set) runs in software not hardware so there is a performance hit. Also there is a good argument sometimes to have a device for firewalling that can't act as a full blown router etc.
PIX 501s also have 4 ethernet ports. For a small office, which is what it was designed for, this might be all the internal ports you need, and therefore one device can both firewall and provide internal communication if the number of internal machines is less than 4.
IOS routers only have limited firewall features. This is one of the reasons.