Stateless Firewalls
Firewalls based on the stateless
packet filtering model can, at most, create mirror images of outbound
traffic, like reflexive ACLs on Cisco routers. Because they are limited to source and
destination address/port combinations, these technologies are effectively
limited to Layer 3/Layer 4 filtering. Protocols that change port
specifications or port requirements after the initial session exchange, such as
multimedia applications, typically can't function through packet filtering-only
systems. To accommodate them, the network administrator is often
required to create permanent port openings, which can be discovered and
exploited by attackers.
Figure 19-3 shows an example of a typical type of
filtering that could be created by a stateless, packet filter-based firewall. In
this example, an outbound packet to a web server creates a mirror-image inbound
filter that allows the requested information to return. This works well in
many situations, particularly with typical TCP traffic. But what if the original
request was to an FTP server? The client's control connection goes to port 21,
but in active mode the server then opens a separate data connection from its
port 20 to a port the client advertised. No outbound packet ever created a
mirror image for that connection, so the filter isn't right. Remember, firewalls are mindless devices
that can only follow rules and can't interpret or be appealed to with logic. The
data connection is dropped.
Another problem scenario is a client-server application where
the outgoing packet is a request to a SQL server. To satisfy the request, the
SQL server forwards the packet to a second SQL server, which answers directly. When the reply arrives
at the firewall, the source address is that of the second server and
therefore fails to match the mirror-image filter. If a permanent ACL entry is created to
allow the predictable traffic from the second SQL server, it can be detected in a
port scan of the firewall and possibly exploited.
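The following is an added toy model, not code from the original text or from any Cisco product, of the mirror-image filtering just described. An outbound packet creates a temporary inbound permit for the exact reverse address/port tuple and nothing else. The four scenarios reproduce the web request that works, the active FTP data channel that fails, the SQL reply that fails because it comes from a second server, and the administrator's permanent opening that lets the FTP data through along with anything else sourced from port 20. Hosts, ports (including 1433 as the assumed SQL Server port) and packets are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Layer 3/4 view of a packet: the only fields a stateless filter sees."""
    src: str
    sport: int
    dst: str
    dport: int


class MirrorFilter:
    """Reflexive-ACL style filter: permits only the exact reverse of seen outbound traffic,
    plus any permanent openings an administrator has added."""

    def __init__(self):
        self.mirrors = set()   # temporary permits created from outbound packets
        self.static = []       # permanent openings: (source port, destination host)

    def outbound(self, pkt):
        # The mirror image swaps source and destination address/port.
        self.mirrors.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def permit_static(self, src_port, dst):
        # Permanent hole: any source address, fixed source port, fixed destination host.
        self.static.append((src_port, dst))

    def inbound_allowed(self, pkt):
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.mirrors:
            return True
        return any(pkt.sport == sp and pkt.dst == d for sp, d in self.static)


CLIENT = "10.0.0.5"  # constructed inside host


def http_return_traffic():
    """Outbound request to a web server; the reply is an exact mirror and is permitted."""
    f = MirrorFilter()
    f.outbound(Packet(CLIENT, 50000, "203.0.113.10", 80))
    return f.inbound_allowed(Packet("203.0.113.10", 80, CLIENT, 50000))


def active_ftp():
    """Control channel to port 21 is mirrored and its replies pass; the server-initiated
    data channel from port 20 to the client's advertised port has no mirror and is dropped."""
    f = MirrorFilter()
    f.outbound(Packet(CLIENT, 50001, "203.0.113.20", 21))
    control_ok = f.inbound_allowed(Packet("203.0.113.20", 21, CLIENT, 50001))
    data_ok = f.inbound_allowed(Packet("203.0.113.20", 20, CLIENT, 50002))
    return control_ok, data_ok


def sql_forwarded_reply():
    """Request goes to SQL server A; the reply comes back from server B and fails the mirror."""
    f = MirrorFilter()
    f.outbound(Packet(CLIENT, 50003, "203.0.113.30", 1433))
    return f.inbound_allowed(Packet("203.0.113.31", 1433, CLIENT, 50003))


def permanent_opening():
    """The administrator's workaround: permanently permit source port 20 to the client.
    The FTP data channel now works, but so does an attacker who sources traffic from port 20."""
    f = MirrorFilter()
    f.permit_static(src_port=20, dst=CLIENT)
    ftp_data_ok = f.inbound_allowed(Packet("203.0.113.20", 20, CLIENT, 50002))
    attacker_ok = f.inbound_allowed(Packet("198.51.100.66", 20, CLIENT, 22))
    return ftp_data_ok, attacker_ok


if __name__ == "__main__":
    print("HTTP reply permitted:", http_return_traffic())
    print("FTP (control, data) permitted:", active_ftp())
    print("SQL reply from second server permitted:", sql_forwarded_reply())
    print("Static hole (FTP data, attacker from port 20):", permanent_opening())
```

The last scenario is the practical point of the paragraph: a permanent opening keyed only on a source port is indistinguishable, at Layer 3/4, from the traffic it was meant to admit, so an attacker who simply binds to port 20 gets the same treatment as the FTP server.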
It is reasonable to expect that only a stateful firewall programmed to understand
SQL traffic could recognize the returning traffic, based on the state table entries
created when the original request went out.
To keep security as tight as possible while still allowing legitimate
inbound traffic, the ASA (Adaptive Security Algorithm) examines other packet fields as well, such
as the TCP sequence number, acknowledgment number, and code bits (flags).
TCP Header Knowledge
ASA's programming allows it to track additional TCP
fields, such as the sequence number, acknowledgment number, and code bit fields, as well
as the TCP three-way handshake used to establish a session. This programming
allows ASA to detect and respond to irregularities, such as too many embryonic
(half-open) sessions, sequence number irregularities, or session fragments, all
of which could indicate an attack.
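As an added example, not taken from the text or from any Cisco implementation, the following toy stateful inspector models the checks this section attributes to ASA: it tracks the three-way handshake per connection, verifies that the acknowledgment number in each handshake step matches the peer's initial sequence number plus one, rejects segments for which no state exists, drops data whose sequence number falls outside an assumed receive window, and refuses new half-open connections once an assumed embryonic limit is reached. Addresses, ports, sequence numbers and the limit of two embryonic connections are constructed values chosen to make the scenarios visible.

```python
from dataclasses import dataclass

# TCP code bits (flags) as they appear in the header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
SEQ_MOD = 2 ** 32


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int = 0


@dataclass
class Conn:
    state: str            # SYN_SENT -> SYN_RCVD -> ESTABLISHED
    init_isn: int         # initiator's initial sequence number
    resp_isn: int = None  # responder's initial sequence number, learned from SYN/ACK


class StatefulInspector:
    def __init__(self, embryonic_limit=2, window=65535):
        self.conns = {}   # (initiator, iport, responder, rport) -> Conn
        self.limit = embryonic_limit
        self.window = window

    def _lookup(self, seg):
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        if fwd in self.conns:
            return fwd, self.conns[fwd], True      # segment travels initiator -> responder
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if rev in self.conns:
            return rev, self.conns[rev], False     # segment travels responder -> initiator
        return None, None, None

    def embryonic(self):
        """Number of half-open sessions: state created but handshake not completed."""
        return sum(1 for c in self.conns.values() if c.state != "ESTABLISHED")

    def process(self, seg):
        """Return (permitted, reason) for one segment and update connection state."""
        key, conn, from_init = self._lookup(seg)
        if conn is None:
            if seg.flags == SYN:
                if self.embryonic() >= self.limit:
                    return False, "embryonic limit reached"
                self.conns[(seg.src, seg.sport, seg.dst, seg.dport)] = Conn("SYN_SENT", seg.seq)
                return True, "new connection"
            return False, "no state for segment"      # e.g. unsolicited SYN/ACK or data
        if seg.flags & RST:
            del self.conns[key]
            return True, "reset"
        if conn.state == "SYN_SENT":
            if from_init and seg.flags == SYN:
                return True, "SYN retransmit"
            if not from_init and seg.flags == SYN | ACK and seg.ack == (conn.init_isn + 1) % SEQ_MOD:
                conn.resp_isn, conn.state = seg.seq, "SYN_RCVD"
                return True, "SYN/ACK"
            return False, "handshake violation"
        if conn.state == "SYN_RCVD":
            if (from_init and seg.flags & ACK
                    and seg.ack == (conn.resp_isn + 1) % SEQ_MOD
                    and seg.seq == (conn.init_isn + 1) % SEQ_MOD):
                conn.state = "ESTABLISHED"
                return True, "established"
            return False, "handshake violation"
        # ESTABLISHED: sequence number must lie within the window following the sender's ISN.
        base = conn.init_isn if from_init else conn.resp_isn
        if (seg.seq - (base + 1)) % SEQ_MOD >= self.window:
            return False, "sequence out of window"
        if seg.flags & FIN:
            del self.conns[key]
            return True, "closing"
        return True, "established"


def run_scenarios():
    C, S = "10.0.0.5", "203.0.113.10"   # constructed inside client and outside server
    insp = StatefulInspector(embryonic_limit=2)
    results = {}
    # 1. Legitimate handshake, then a data segment from the server.
    insp.process(Segment(C, 50000, S, 80, SYN, seq=1000))
    insp.process(Segment(S, 80, C, 50000, SYN | ACK, seq=5000, ack=1001))
    insp.process(Segment(C, 50000, S, 80, ACK, seq=1001, ack=5001))
    results["established_data"] = insp.process(Segment(S, 80, C, 50000, ACK, seq=5001, ack=1001))
    # 2. SYN/ACK that no inside host asked for.
    results["unsolicited_synack"] = insp.process(Segment(S, 80, C, 50001, SYN | ACK, seq=9, ack=1))
    # 3. SYN/ACK whose acknowledgment number does not match the client's ISN + 1.
    insp.process(Segment(C, 50002, S, 80, SYN, seq=2000))
    results["bad_ack"] = insp.process(Segment(S, 80, C, 50002, SYN | ACK, seq=6000, ack=9999))
    # 4. Embryonic limit: 50002 is still half-open, one more SYN fits, the third is refused.
    results["second_syn"] = insp.process(Segment(S, 40000, C, 22, SYN, seq=3000))
    results["third_syn"] = insp.process(Segment(S, 40001, C, 22, SYN, seq=3001))
    # 5. Sequence number far outside the window on the established connection.
    results["out_of_window"] = insp.process(Segment(S, 80, C, 50000, ACK, seq=5001 + 2 ** 20, ack=1001))
    return results


if __name__ == "__main__":
    for name, (permitted, reason) in run_scenarios().items():
        print(f"{name:20s} permitted={permitted} ({reason})")
```

Compare this with the mirror-image filter earlier in the section: the stateless model would have passed the unsolicited SYN/ACK and the out-of-window segment as long as the address/port tuple matched, and it has no notion of a half-open session to count.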