Stateful Packet-Filtering and the Cisco PIX Appliance

In 1995 the papers were full of bad news: the Oklahoma City bombing in April, the Ebola virus, and the passing of American rock icon Jerry Garcia. With so much negative news, you might have missed the blurb about Cisco acquiring the original Private Internet Exchange, or PIX. Yep, hard to believe it has been that long, isn’t it? Fast forward 14 years and Cisco and their PIX appliances look much different, but they remain a mainstay for many businesses that have had them in place for years. So what exactly is a PIX? The simple answer is that it’s a firewall device. To be more specific, the Cisco PIX appliances are network layer firewalls that use stateful inspection to keep the bad guys out of the network. The way this works is that these firewalls allow internal connections out (i.e. outbound traffic) and allow inbound traffic only when it is a response to a valid request or is explicitly allowed by an access control list (ACL). In addition to this core functionality, the Cisco PIX may also be configured to perform Network Address Translation (NAT) and Port Address Translation (PAT).

Now before we get too far ahead of ourselves, perhaps it is worth a moment to discuss just what I mean when I say that the Cisco PIX performs “stateful packet inspection”. For those new to firewalls, I would suggest that you review the various firewall technologies outlined in the CCNA Security Official Exam Certification Guide before sitting the exam. In brief, the key technologies in the firewall evolution are the following: static packet-filtering firewalls, circuit-level firewalls, application layer firewalls, and dynamic packet-filtering firewalls. Dynamic packet-filtering firewalls, the fourth generation of firewall technology, are also referred to more specifically as “stateful firewalls”. Stateful firewalls represent the most versatile firewall technology: they have the ability to dynamically filter packets at the network layer.
So unlike static packet filtering (an earlier technology), which examined each packet based only on the information in its header, stateful inspection can actually track each connection across all interfaces of the firewall, confirm whether it is valid or invalid, and take appropriate action. So how exactly does it do all this? Stateful packet filtering relies upon the maintenance of a state table. This is part of the firewall’s internal structure; it tracks all of the various sessions and is consulted for every packet that passes through the firewall. As packets come across they are examined, and if the properties of the packet match an entry in the state table, the firewall allows the packet to pass. What makes this interesting and especially useful is that the state table changes dynamically as the actual packet flow changes. The state table is used to track the actual communications process and operates across layers 3, 4, and 5 of the OSI model. For instance, at the transport layer the firewall examines all of the information in the headers of Layer 3 packets and Layer 4 segments. The TCP header is examined for the SYN, RST, ACK, and FIN control codes, along with others, to determine the state of the connection. This means that each time an outside service is accessed, the firewall “remembers” certain details about the connection that is established. This logging of information in a session flow table allows the firewall to compare received packets with the saved state in order to allow or deny access to the network. As Paul Harvey says, now it’s time for the rest of the story… Stateful firewalls like the PIX sound pretty impressive, and they are, but they are not without their drawbacks. They do offer speed and transparency, but remember, a packet has to make its way to the outside network, and in doing so the internal IP address of the host that sent it could be exposed to an attacker.
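To make the state-table mechanics concrete, here is a small Python model, added as an example and not Cisco’s code or anything taken from the PIX itself, that walks a TCP connection through the initiation, data-transfer and termination states described above, permits inbound packets only when they match an existing table entry, and drops an unsolicited inbound SYN. The addresses, ports and the packet sequence are constructed for illustration, and the state names are my own labels.

```python
from collections import namedtuple

INSIDE, OUTSIDE = "inside", "outside"  # which side of the firewall a packet comes from
Packet = namedtuple("Packet", "src sport dst dport flags origin")  # flags: frozenset of TCP bits

def session_key(p):  # the connection 4-tuple as the inside host sees it, in either direction
    return ((p.src, p.sport, p.dst, p.dport) if p.origin == INSIDE
            else (p.dst, p.dport, p.src, p.sport))

class StatefulFilter:
    def __init__(self):
        self.table = {}  # session_key -> "INIT" | "ESTABLISHED" | "FIN_WAIT" | "CLOSING"

    def check(self, p):
        k, f = session_key(p), set(p.flags)
        state = self.table.get(k)
        if state is None:
            # No session yet: only an inside host may open one; an unsolicited SYN from outside is dropped
            if p.origin == INSIDE and f == {"SYN"}:
                self.table[k] = "INIT"
                return "PERMIT"
            return "DENY"
        if "RST" in f:                  # abortive close tears the entry down
            del self.table[k]
            return "PERMIT"
        if state == "INIT":             # only the server's SYN/ACK fits here
            if p.origin == OUTSIDE and f == {"SYN", "ACK"}:
                self.table[k] = "ESTABLISHED"
                return "PERMIT"
            return "DENY"
        if "FIN" in f:                  # first FIN -> FIN_WAIT, second -> CLOSING
            self.table[k] = "FIN_WAIT" if state == "ESTABLISHED" else "CLOSING"
        elif state == "CLOSING" and f == {"ACK"}:
            del self.table[k]           # final ACK: the session leaves the table
        return "PERMIT"                 # data transfer, FIN exchange or final ACK

def demo():
    """Constructed flow: inside web client <-> outside server, plus one unsolicited inbound SSH SYN."""
    C, S, X, fs = "10.0.0.5", "203.0.113.10", "198.51.100.7", frozenset
    flow = [Packet(C, 40000, S, 80, fs({"SYN"}), INSIDE),          # initiation
            Packet(S, 80, C, 40000, fs({"SYN", "ACK"}), OUTSIDE),
            Packet(C, 40000, S, 80, fs({"ACK"}), INSIDE),
            Packet(S, 80, C, 40000, fs({"ACK"}), OUTSIDE),         # data transfer
            Packet(X, 5555, C, 22, fs({"SYN"}), OUTSIDE),          # unsolicited
            Packet(C, 40000, S, 80, fs({"FIN", "ACK"}), INSIDE),   # termination
            Packet(S, 80, C, 40000, fs({"FIN", "ACK"}), OUTSIDE),
            Packet(C, 40000, S, 80, fs({"ACK"}), INSIDE),
            Packet(S, 80, C, 40000, fs({"ACK"}), OUTSIDE)]         # stale: no state left
    fw = StatefulFilter()
    return [fw.check(p) for p in flow]
```

Running `demo()` permits the whole client-initiated conversation, denies the unsolicited SYN to port 22, and denies the final stray ACK because the table entry was removed when the session closed.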
Now to safeguard against this, stateful firewalls employ NAT and proxy servers, along with stateful inspection, to provide additional security. Also, to help offset this disadvantage, stateful firewalls keep track of the state of a connection: whether it is in the initiation, data transfer, or termination state. This information is then used when we want to deny the initiation of connections from external devices but still allow our users to establish connections to those devices and permit the responses to come back through the stateful firewall.

There are many uses of stateful packet-filtering firewalls such as the PIX, including:

• Primary Means of Defense
• An Intelligent First Line of Defense
• To Strengthen Packet Filtering
• Improve Routing Performance
• Defend Against Spoofing and DoS Attacks

However, there are limitations to be aware of as well:

• No Prevention of Application Layer Attacks
• Does Not Monitor Non-Stateful Protocols such as UDP and ICMP
• User Authentication is Not Supported
• Cannot Handle Applications that Open Multiple Connections

Now that you have a well-rounded idea of what stateful packet-filtering firewalls can do, let’s return to our discussion of the Cisco PIX appliances specifically to wrap things up. In addition to providing the firewall capabilities that we have been discussing, the Cisco PIX appliance has extended functionality. Specifically for the CCNA Security exam, you will want to be familiar with the Cisco 500 Series PIX Security Appliance. In addition to traditional firewall features, these also offer a robust set of VPN features. These appliances offer enhanced support for spoke-to-spoke VPNs, which allow encrypted traffic to enter and exit the same interface. They also support Cisco TCP and UDP NAT traversal.
In addition, these offer the ability to enforce the use of security products on an end system, such as the Cisco Security Agent (CSA), as well as the ability to verify end-system VPN properties such as VPN client version and security policies. The Cisco 500 Series PIX appliances can also block VPN connections based on the type of Cisco VPN client being used, and they support OSPF routing over an IPSec VPN as well. There is also support for integrated hardware acceleration on some Cisco 500 Series PIX appliance models. For those models that do support hardware acceleration, the following is a list of available hardware acceleration modules:

• Advanced Integration Module (AIM)
• Cisco IPSec VPN Shared Port Adapter (SPA)
• Scalable Encryption Processing (SEP)
• Cisco PIX Security Appliance VPN Accelerator Card+ (VAC+)

OK…time to come up for air! Hopefully this primer on stateful packet-filtering firewalls and the Cisco PIX appliance has been helpful to you. This entry, along with my earlier entry, is meant to focus your studies with regard to the PIX and ASA for the CCNA Security exam. Of course, additional detail is available in the Official Certification Guide from Cisco Press. Thanks for your time, and best of luck on your exam!


Copyright © 2009 IDG Communications, Inc.