Translations and Connections
Feb 03,2010 00:00 by alperen

In this section, you see the details of the translation process and the resulting connections. The better these concepts are understood, the easier it is to understand the PIX Adaptive Security Algorithm (ASA) and how it works.

To understand how ASA can perform stateful analysis and recognize common attack attempts, it is necessary to review the data encapsulation/de-encapsulation process introduced in any basic networking course. Figure 19-4 shows a common depiction of the process, in which each layer's encapsulated unit becomes the next lower layer's payload. The TCP/IP model combines the top three OSI layers into a single application layer.

Figure 19-4: OSI model encapsulation process

Remember that the small "header" blocks in the diagram are, in fact, groups of binary bits that convey information about the payload. The obvious examples are the bits designating the source and destination IP addresses in the network-layer header, but there is additional information that a savvy programmer with a strong algorithm can use to determine what is happening in the communication session. Figure 19-5 shows the IP header of a packet captured with the Fluke Network Optiview Protocol Expert.

Figure 19-5: IP header information

While some of the information, such as the IP addresses, has been converted to decimal form, other information, such as the fragmentation bits and the Type of Service (TOS) bits, shows the kind of detail carried in every IP header. Note that the Protocol field, converted to decimal, is 6, which indicates the payload is a TCP segment.

Figure 19-6 shows the TCP header fields from the same captured packet. Clearly visible are the decimal equivalents of the sequence and acknowledgment numbers, which ensure data is reassembled in the proper order and reveal whether any segment was missed. The flag bits drive the TCP session setup, data exchange, and teardown processes.

Figure 19-6: TCP header information showing flag bits and other fields

The source port, 139, indicates this is a NetBIOS session service packet. Looking at the session-layer information (not shown) reveals that the packet is a Session Keepalive packet. The upper-layer headers, OSI layers 5 to 7 or the TCP/IP application layer, can be quite simple or quite complex. Figure 19-7 shows only a small portion of an SNMP frame header. The more of this information ASA's programming can interpret, the more granular and powerful it can be in maintaining its "state" table and permitting legitimate traffic flows.
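The following decoder is an added example, not code from the book or from the PIX; it pulls the same IP and TCP header fields the figures above display (TOS, fragmentation bits, Protocol, ports, sequence and acknowledgment numbers, flag bits) out of raw bytes, and then reads the NetBIOS session service type byte when port 139 is involved. The packet it decodes is constructed inline with assumed addresses (192.168.1.10:139 to 192.168.1.20:1025), not the capture shown in the figures; only the Python standard library is used.

```python
import struct

# Added example, not from the page: a stdlib-only decoder for the IPv4 and
# TCP header fields discussed in the text. The sample packet is constructed
# below with assumed addresses; it is not the book's capture.

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]
# NetBIOS session service message types (RFC 1002, section 4.3).
NBSS_TYPES = {0x00: "session message", 0x81: "session request",
              0x82: "positive session response",
              0x83: "negative session response",
              0x84: "session retarget response", 0x85: "session keepalive"}


def ip_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes):
    """Return (header fields, payload bytes) for an IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("malformed or truncated IPv4 packet")
    flags = flags_frag >> 13
    fields = {
        "tos": tos, "dscp": tos >> 2, "ecn": tos & 0x03,
        "total_length": total_len, "id": ident,
        "df": bool(flags & 0x2), "mf": bool(flags & 0x1),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "ttl": ttl, "protocol": proto,
        "protocol_name": PROTOCOLS.get(proto, "other"),
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }
    return fields, packet[ihl:total_len]


def parse_tcp(segment: bytes):
    """Return (header fields, payload bytes) for a TCP segment."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    (sport, dport, seq, ack, off_res, flags,
     window, _csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    fields = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for name, bit in TCP_FLAGS if flags & bit],
        "window": window, "urgent_pointer": urg,
    }
    return fields, segment[data_offset:]


def decode(packet: bytes):
    """Decode IP, then TCP, then the NetBIOS session type byte on port 139.
    A non-first fragment carries no transport header, so TCP is skipped."""
    ip, rest = parse_ipv4(packet)
    if ip["protocol"] != 6 or ip["frag_offset"] != 0:
        return ip, None, None
    tcp, payload = parse_tcp(rest)
    app = None
    if 139 in (tcp["sport"], tcp["dport"]) and payload:
        app = NBSS_TYPES.get(payload[0], "unknown NetBIOS session message")
    return ip, tcp, app


def build_sample_packet(flags_frag: int = 0x4000) -> bytes:
    """Constructed sample (assumed addresses): NetBIOS session keepalive from
    192.168.1.10:139 to 192.168.1.20:1025, DF set by default, PSH/ACK flags."""
    payload = bytes([0x85, 0x00, 0x00, 0x00])      # keepalive, zero length
    tcp = struct.pack("!HHIIBBHHH", 139, 1025, 1000, 2000,
                      5 << 4, 0x18, 8192, 0, 0)    # TCP checksum left 0 (not verified)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, total, 0x1234, flags_frag,
                     128, 6, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill checksum
    return ip + tcp + payload


if __name__ == "__main__":
    for part in decode(build_sample_packet()):
        print(part)
```

Passing `flags_frag=0x2001` (More Fragments set, offset 8) to `build_sample_packet` shows the edge case a stateful engine has to respect: the bytes after the IP header of a non-first fragment are not a TCP header, so `decode` returns no TCP fields rather than misreading payload as ports and flags.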

Figure 19-7: TCP/IP application layer header for SNMP data

ASA has both the capability to examine these upper-layer fields in the packet and the programming to recognize which values are appropriate. This lets ASA accept a packet whose address/port combination differs from the current state-table entry when the upper-layer field values are consistent with a change the protocol is known to make.
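To make the state-table idea concrete, here is an added illustration in Python; it is not the PIX ASA implementation and makes no claim about its internals. It keeps a connection table driven by the TCP flag bits discussed above: inside hosts may open connections, an outside packet is admitted only if it matches an existing entry and its flags fit that entry's state, and an `expect` hook lets a (hypothetical, not shown) application-layer inspector pre-authorize one connection whose address/port tuple differs from any entry, which is the "known possible change" case. Hosts, ports and the notion of a single inside host set are assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Added illustration, not the PIX ASA code: a minimal stateful connection
# table keyed on the two endpoints and driven by TCP flags. The inspector
# that would call expect() after reading a payload is assumed, not shown.

ANY = None                   # wildcard in an expected-connection entry
Endpoint = Tuple[str, int]


@dataclass
class Conn:
    state: str               # SYN_SENT, ESTABLISHED, CLOSING, TIME_WAIT
    initiator: Endpoint      # (ip, port) that sent the first SYN
    fins: int = 0


class StateTable:
    def __init__(self, inside_hosts: Set[str]):
        self.inside = inside_hosts
        self.conns: Dict[FrozenSet[Endpoint], Conn] = {}
        self.expected: List[tuple] = []   # (src_ip, src_port, dst_ip, dst_port)

    def expect(self, src_ip, src_port, dst_ip, dst_port) -> None:
        """Pre-authorize one future connection whose tuple matches no entry."""
        self.expected.append((src_ip, src_port, dst_ip, dst_port))

    def _take_expected(self, src, sport, dst, dport) -> bool:
        for i, (es, esp, ed, edp) in enumerate(self.expected):
            if (es in (ANY, src) and esp in (ANY, sport)
                    and ed in (ANY, dst) and edp in (ANY, dport)):
                del self.expected[i]      # one-shot: consumed by the first match
                return True
        return False

    def process(self, src: str, sport: int, dst: str, dport: int,
                flags: Set[str]) -> str:
        """Return 'permit' or 'deny: <reason>' and update the table."""
        key = frozenset({(src, sport), (dst, dport)})   # direction-agnostic key
        conn = self.conns.get(key)

        if conn is None:
            if flags != {"SYN"}:
                return "deny: no connection entry"
            if src in self.inside or self._take_expected(src, sport, dst, dport):
                self.conns[key] = Conn("SYN_SENT", (src, sport))
                return "permit"
            return "deny: unsolicited SYN from outside"

        if "RST" in flags:                # either side may abort
            del self.conns[key]
            return "permit"

        if conn.state == "SYN_SENT":
            if flags == {"SYN", "ACK"} and (src, sport) != conn.initiator:
                conn.state = "ESTABLISHED"
                return "permit"
            if flags == {"SYN"} and (src, sport) == conn.initiator:
                return "permit"           # retransmitted SYN
            return "deny: %s inconsistent with SYN_SENT" % sorted(flags)

        if conn.state in ("ESTABLISHED", "CLOSING"):
            if "SYN" in flags and "ACK" not in flags:
                return "deny: SYN on an open connection"
            if "FIN" in flags:
                conn.fins += 1
                conn.state = "TIME_WAIT" if conn.fins == 2 else "CLOSING"
            return "permit"

        # TIME_WAIT: only the final ACK is legitimate; a real table ages this out
        if flags == {"ACK"}:
            return "permit"
        return "deny: connection closed"


def demo() -> List[str]:
    """Inside client 10.0.0.5 (assumed) opens, uses and closes a connection
    while outside hosts probe the table; returns the decision for each packet."""
    t = StateTable(inside_hosts={"10.0.0.5"})
    steps = [
        ("10.0.0.5", 40000, "203.0.113.7", 80, {"SYN"}),          # inside opens
        ("203.0.113.7", 80, "10.0.0.5", 40000, {"SYN", "ACK"}),   # reply matches entry
        ("203.0.113.7", 80, "10.0.0.5", 40001, {"ACK"}),          # wrong port: no entry
        ("203.0.113.9", 4444, "10.0.0.5", 445, {"SYN"}),          # unsolicited from outside
        ("203.0.113.7", 80, "10.0.0.5", 40000, {"FIN", "ACK"}),   # first FIN
        ("10.0.0.5", 40000, "203.0.113.7", 80, {"FIN", "ACK"}),   # second FIN
        ("203.0.113.7", 80, "10.0.0.5", 40000, {"ACK"}),          # final ACK
        ("203.0.113.7", 80, "10.0.0.5", 40000, {"PSH", "ACK"}),   # data after close
    ]
    results = [t.process(*s) for s in steps]
    t.expect("203.0.113.7", ANY, "10.0.0.5", 50000)   # inspector saw a negotiated port
    results.append(t.process("203.0.113.7", 6000, "10.0.0.5", 50000, {"SYN"}))  # expected
    results.append(t.process("203.0.113.7", 6000, "10.0.0.5", 50001, {"SYN"}))  # not expected
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The two lookups at the end show the point of the paragraph above: the outside SYN to port 50000 matches nothing in the connection table, yet it is accepted because an expected entry says that exact change is consistent with what was seen earlier, while the otherwise identical SYN to port 50001 is dropped.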