
Chapter 2

Firewall Technologies and the Cisco PIX Firewall

The Cisco PIX Firewall is one of many firewalls on the market today. Different manufacturers employ different technologies in their designs. This chapter discusses the different technologies and how they are applied on the Cisco PIX Firewall.

How to Best Use This Chapter

This chapter is straightforward. It covers a few basic concepts and discusses how they are applied to the Cisco PIX Firewall. There are few questions in the “Do I Know This Already?” section, few review questions, and no scenarios. The fact that this topic is easy does not make it any less important. On the contrary, the concepts in this chapter are the foundation of much of what you need to understand to pass the CSPFA Certification Exam. Unless you do exceptionally well on the “Do I Know This Already?” pretest and are 110% confident in your knowledge of this area, I recommend that you read through the entire chapter.

“Do I Know This Already?” Quiz

The purpose of this quiz is to help you determine your current understanding of the topics covered in this chapter. Write down your answers and compare them to the answers in Appendix A. If you have to look at any references to correctly answer these questions, you should definitely read the entire chapter.

1 What are the three basic firewall technologies?

2 Of the three firewall technologies, which one generates a separate connection on behalf of the requestor and usually operates at the upper layers of the OSI model?

3 Which firewall technology is commonly implemented on a router?

4 What items does a packet filter look at to determine whether to allow the traffic?


5 What firewall technology does the Cisco PIX Firewall use?

A Proxy filtering

B Packet filtering

C Stateful inspection

D Proxy inspection

6 What are the advantages of the Cisco PIX Firewall over competing firewall products?

7 How many PIX firewalls can you operate in a high-availability cluster?

8 What is the ASA, and how does the Cisco PIX Firewall use it?

9 Why is cut-through proxy more efficient than traditional proxy?

Check your answers with Appendix A. Remember that this section is not called “How Much Am I Familiar With?”. If you did not do extremely well in this section, you should read this chapter.


Foundation Topics

Firewall Technologies

Firewalls are the key equipment used for network perimeter security. The function of a firewall is to permit or deny traffic that attempts to pass through it based on specific predefined rules. All firewalls perform the function of examining network traffic and acting on this traffic based on the rule set; however, the methods they employ can be different. There are three different types of firewall technologies:

Packet filtering

Proxy

Stateful inspection

Packet Filtering

A packet-filtering firewall simply inspects incoming traffic at the transport layer of the Open Systems Interconnection (OSI) reference model. The packet-filtering firewall analyzes TCP or UDP packets and compares them to a set of established rules called an access control list (ACL). Packet filtering inspects the packet for only the following elements:

Source IP address

Source port

Destination IP address

Destination port


NOTE In addition to the elements just listed, some packet-filtering firewalls check for header information to determine if the packet is from a new connection or an existing connection.

These elements are compared to the ACL (rule set) to determine if the packets are permitted or denied. Some of the disadvantages of packet filtering are as follows:

ACLs can be very complex and difficult to manage.

A packet-filtering firewall can be tricked into permitting access to an unauthorized user falsely representing himself (spoofing) with an IP address that is authorized by the ACL.


Many new applications (such as multimedia applications) create multiple connections on random ports with no way to determine which ports will be used until the connection is established. Because access lists are manually configured, it is very difficult to provide support for these applications.

Packet filtering is a feature that is commonly used on routers. Chapter 7, “Configuring Access,” discusses ACLs as applied to the Cisco PIX Firewall in greater detail.

Proxy

proxy, n, the agency of a person who acts as a substitute for another person; authority to act for another. (New Webster’s Dictionary of the English Language)

Although this definition does not define a proxy firewall, the function is very similar. A proxy firewall, commonly called a proxy server, acts on behalf of hosts on the protected network segments. The protected hosts never make any connections with the outside world. Hosts on the protected network send their requests to the proxy server, where they are authenticated and authorized. At this point, the proxy server sends a request on behalf of the requesting host to the external host and forwards the reply to the requesting host. Proxies run at the upper layers of the OSI reference model. Most proxy firewalls are designed to cache commonly used information to expedite the response time to the requesting host. The processing workload required to perform proxy services is significant and increases with the number of requesting hosts. Large networks usually implement several proxy servers to avoid problems with throughput. The number of applications that a requesting host can access via a proxy is limited. By design, proxy firewalls support only specific applications and protocols. The major disadvantage of proxy servers is that they are applications that run on top of operating systems. A device can be only as secure as the operating system it is running on. If the operating system is compromised, the unauthorized user can take control of the proxy firewall and gain access to the entire protected network.

Stateful Inspection

Stateful inspection, also called stateful packet filtering, is a combination of packet filtering and proxy services. This technology is the most secure and provides the most functionality because connections are not only checked against an ACL but are also logged into a state table. After a connection is established, all session data is compared to the state table. If the session data does not match the state table information for that connection, the connection is dropped. Chapter 3, “The Cisco Secure PIX Firewall,” covers stateful inspection in further detail.

Stateful packet filtering is the method used by the Cisco PIX Firewall.
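As an added example (not from the book and not PIX code), the following Python simulation contrasts the packet-filtering and stateful-inspection sections above: a stateless filter that compares only the four header elements to an ACL, and a stateful firewall that applies the ACL to new connections and then checks all session data against a state table. The addresses, ports and the single ACL entry are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True only for the first packet of a TCP connection

# Constructed ACL: the trusted host 10.1.1.5 may reach the web server on port 80.
# '*' is a wildcard for any value of that field.
ACL = [("10.1.1.5", "*", "192.0.2.10", 80)]

def packet_filter_permits(pkt, acl=ACL):
    """Stateless packet filter: the four header fields are compared to the ACL
    for every packet; nothing about earlier packets is remembered."""
    for src_ip, src_port, dst_ip, dst_port in acl:
        if (src_ip in ("*", pkt.src_ip) and src_port in ("*", pkt.src_port)
                and dst_ip in ("*", pkt.dst_ip) and dst_port in ("*", pkt.dst_port)):
            return True
    return False

class StatefulFirewall:
    """Stateful inspection: the ACL decides only whether a new connection may be
    opened; afterwards every packet must match an entry in the state table."""
    def __init__(self, acl=ACL):
        self.acl = acl
        self.state_table = set()  # (src_ip, src_port, dst_ip, dst_port) of open flows

    def permits(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.syn:
            if packet_filter_permits(pkt, self.acl):
                self.state_table.add(flow)  # connection is logged into the state table
                return True
            return False
        # Session data is accepted only if it belongs to an established connection.
        return flow in self.state_table or reverse in self.state_table

def compare():
    """Run three constructed packets through both technologies."""
    fw = StatefulFirewall()
    client_syn = Packet("10.1.1.5", 40000, "192.0.2.10", 80, syn=True)
    server_reply = Packet("192.0.2.10", 80, "10.1.1.5", 40000)
    # Mid-stream packet carrying the trusted address, but no connection was ever opened.
    stray = Packet("10.1.1.5", 40001, "192.0.2.10", 80)
    results = {}
    for name, pkt in [("client_syn", client_syn), ("server_reply", server_reply), ("stray", stray)]:
        results[name] = (packet_filter_permits(pkt), fw.permits(pkt))
    return results  # {name: (packet_filter_verdict, stateful_verdict)}
```

The stateless filter denies the server's reply (no ACL entry for it) yet permits the stray packet that merely carries the trusted address, while the stateful firewall permits the reply as part of an established connection and drops the stray packet because it matches nothing in the state table.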