In this section, you see the details of the translation
process and the resulting connections. The better these concepts are understood,
the easier it is to understand the PIX security algorithms (ASA) and how they
To understand how ASA can perform stateful analysis and recognize
common attack attempts, it’s necessary to review the data
encapsulation/deencapsulation process introduced in any basic networking course.
Figure 19-4 shows a common depiction of the process, with each layer’s
encapsulation becoming the next layer’s payload. The TCP/IP model combines the
top three layers into a single step.
Figure 19-4: OSI model
Remember, the little “header” blocks in the diagram are, in fact,
multiple binary bits that convey information about the payload. The obvious
examples are the bits designating source and destination IP addresses in the
network layer header. But there’s additional information that a savvy programmer
with a strong algorithm could use to make determinations about what’s happening
in the communication session. Figure 19-5 shows the IP header information from a
packet capture using the Fluke Network Optiview Protocol Expert.
Figure 19-5: IP header
While some of the information, such as the IP addresses, was
converted to decimal form, other information, such as the fragmentation bits and
Type of Service (TOS) bits, shows the type of detail carried in every IP header.
Note that the Protocol ID, converted to decimals, indicates the payload is a TCP
Figure 19-6 shows the TCP header fields from the
previous captured packet. Clearly visible are the decimal equivalents of the
sequence and acknowledgment numbers used to ensure proper data order and to show
no segments are missed. The flag bits are used in the TCP session setup, data
exchange, and tear-down processes.
Figure 19-6: TCP header information showing flag bits and other fields
The Source port—139—indicates this is a NetBIOS session service
packet. Looking at the session layer information, not shown, reveals the packet
is a Session Keepalive Packet. The upper-layer headers, OSI layers 5 to 7, or
the TCP/IP application layer can either be quite simple or complex. Figure 19-7
shows only a small portion of an SNMP frame header. The more that ASA
programming can interpret these pieces of information, the more granular and
powerful it can be in maintaining its “state” table and allowing legitimate
Figure 19-7: TCP/IP application layer header for SNMP data
ASA has both the capability to look at these upper-layer fields in
the packet and the programming to recognize appropriate values. This allows ASA to
accept packets where an address/port combination might vary from the current
state table entry because the upper-layer field entries are consistent with a
known possible change.
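The header decoding and state-table matching described above, as an added Python example that is not from the book or from Cisco's PIX code. The packet bytes are constructed (not a real capture), the checksums are left at zero, and the state-table logic is a deliberately simplified stand-in for ASA's.

```python
import struct

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5 of the flags field
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}               # Protocol ID values in the IP header

def parse_ipv4(pkt):
    """Decode the fixed IPv4 header fields shown in Figure 19-5 (TOS, fragmentation bits, Protocol ID)."""
    (ver_ihl, tos, _total_len, ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                       # header length in bytes (IHL is in 32-bit words)
    return {"tos": tos, "identification": ident,
            "dont_fragment": bool(frag & 0x4000),    # DF bit
            "more_fragments": bool(frag & 0x2000),   # MF bit
            "fragment_offset": frag & 0x1FFF, "ttl": ttl,
            "protocol": IP_PROTOCOLS.get(proto, str(proto)),
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": pkt[ihl:]}

def parse_tcp(seg):
    """Decode the TCP header fields shown in Figure 19-6 (ports, sequence/ack numbers, flag bits)."""
    (sport, dport, seq, ack, off_flags,
     window, _csum, _urg) = struct.unpack("!HHIIHHHH", seg[:20])
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)],
            "window": window, "payload": seg[(off_flags >> 12) * 4:]}

def stateful_verdict(pkt, state_table):
    """Toy ASA-style decision (hypothetical): a lone SYN opens an entry; any other segment must match one."""
    ip = parse_ipv4(pkt)
    if ip["protocol"] != "TCP":
        return "drop: non-TCP"
    tcp = parse_tcp(ip["payload"])
    key = (ip["src"], tcp["src_port"], ip["dst"], tcp["dst_port"])
    reverse = (ip["dst"], tcp["dst_port"], ip["src"], tcp["src_port"])
    if tcp["flags"] == ["SYN"]:
        state_table[key] = "SYN_SENT"
        return "allow: new session"
    if key in state_table or reverse in state_table:
        return "allow: matches state table"
    return "drop: no matching state"

# Constructed sample (not a real capture): 10.1.1.5:139 -> 10.1.1.20:1025, DF set, TTL 128, PSH+ACK.
SAMPLE = bytes.fromhex(
    "450000281a2b40008006" "0000" "0a010105" "0a010114"          # IPv4 header, checksum left zero
    "008b0401" "00001000" "00002000" "5018" "2000" "0000" "0000")  # TCP header, checksum left zero
```

Running `parse_ipv4(SAMPLE)` then `parse_tcp(...)` on its payload reproduces the kind of decode shown in Figures 19-5 and 19-6, and `stateful_verdict` drops the segment until a matching SYN has been seen.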