  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 404

Stateful Firewalling in PIX/ASA

Hi,

Is there a method to see the session table (source/destination/TCP or UDP flow) on a stateful firewall?
What is the difference between a packet-filtering firewall and a stateful firewall?
Do all PIX/ASA firewalls do stateful firewalling?


Regards
Ramu
Garry Glendown, Consulting and Network/Security Specialist, commented:
Packet filtering: A firewall only looks at a packet and decides based on a fixed set of rules whether it is allowed through.

Stateful: Here the firewall also learns about connections that have been allowed, permitting returning packets without extra rule definitions.

Example:
If you allow an outgoing connection for a PC to do HTTP access on a packet-filtering firewall, returning answers to the TCP connection will not be allowed unless you also allow incoming packets. This can cause either security holes if you don't watch out (e.g., allowing in any traffic that has port 80 as the source port), or it requires lots of rules.
On a stateful firewall, the firewall has seen and permitted the outgoing connection request and will in turn permit the returning packets through. It will also (or should) do sanity checks on the packets, and will additionally watch out for the termination of a connection (for TCP), and timeout the session if there was no traffic for a certain time.

Nowadays, almost any HW firewall will be stateful.

As for a session overview, I'm not aware of a command for ASA/PIX at the moment, and couldn't locate one in the "?" overviews ... maybe someone else knows one.
0
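As an added illustration of the difference Garry describes (this is not code from the thread, and not Cisco's implementation), the following Python models a stateless ACL next to a stateful firewall that keeps a connection table and a minimal TCP state machine. The packet fields, rule tuples, addresses and port numbers are all constructed for the demonstration, and the idle timeouts are simplified to one value for open sessions and one for half-closed ones.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str             # "TCP" (UDP omitted to keep the toy short)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # TCP flag letters: S, A, F, R, P ("SA" = SYN+ACK)
    direction: str = "in"  # "out": inside -> outside, "in": outside -> inside

def stateless_decision(pkt, rules):
    """Plain ACL: first matching (direction, proto, sport, dport, action) wins,
    implicit deny, no memory of earlier packets; None matches any port."""
    for direction, proto, sport, dport, action in rules:
        if (direction == pkt.direction and proto == pkt.proto
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return action
    return "deny"

class StatefulFirewall:
    """Connection table keyed on the flow 5-tuple plus a minimal TCP state machine."""

    def __init__(self, rules, idle=3600, half_closed=600):
        self.rules = rules          # only the initiating direction needs a rule
        self.idle, self.half_closed = idle, half_closed
        self.conns = {}             # key -> {"state", "last", "origin"}

    @staticmethod
    def _key(pkt):
        # (proto, inside ip, inside port, outside ip, outside port): both directions
        # of one flow map to the same table entry.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt, now):
        key = self._key(pkt)
        conn = self.conns.get(key)
        if conn:
            limit = self.half_closed if conn["state"] == "HALF_CLOSED" else self.idle
            if now - conn["last"] > limit:
                del self.conns[key]  # idle session aged out, like 'timeout conn'
                conn = None
        if conn is None:
            # New flow: only an explicit rule may open it, and only with a bare SYN.
            if pkt.flags != "S" or stateless_decision(pkt, self.rules) != "permit":
                return "deny"
            self.conns[key] = {"state": "SYN_SENT", "last": now, "origin": pkt.direction}
            return "permit"
        # Known flow: return traffic needs no rule, but it must follow the handshake.
        state = self._tcp_next(conn, pkt)
        if state is None:
            return "deny"
        if state == "CLOSED":
            del self.conns[key]
            return "permit"
        conn["state"], conn["last"] = state, now
        return "permit"

    @staticmethod
    def _tcp_next(conn, pkt):
        """Next state for this packet, or None if it is illegal in the current state."""
        reply, st, f = pkt.direction != conn["origin"], conn["state"], pkt.flags
        if "R" in f:
            return "CLOSED"
        if st == "SYN_SENT":         # expect SYN/ACK from the responder
            return "SYN_RCVD" if reply and f == "SA" else None
        if st == "SYN_RCVD":         # expect the originator's final ACK (no SYN)
            return "ESTABLISHED" if not reply and "A" in f and "S" not in f else None
        if st == "ESTABLISHED":      # a SYN inside a live flow is bogus; FIN half-closes
            return None if "S" in f else ("HALF_CLOSED" if "F" in f else "ESTABLISHED")
        if st == "HALF_CLOSED":      # the second FIN ends the session
            return "CLOSED" if "F" in f else "HALF_CLOSED"
        return None

def demo():
    """The thread's HTTP example and a forged source-port-80 packet through both filters."""
    inside, web, attacker = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed
    acl = [("out", "TCP", None, 80, "permit"),
           ("in", "TCP", 80, None, "permit")]    # the hole: anything with source port 80
    forged = Packet("TCP", attacker, 80, inside, 22, "S", "in")  # probe of an inside SSH port
    r = {"stateless_forged": stateless_decision(forged, acl)}
    fw = StatefulFirewall([("out", "TCP", None, 80, "permit")], idle=60)
    r["stateful_forged"] = fw.process(forged, 0)
    r["syn"] = fw.process(Packet("TCP", inside, 51234, web, 80, "S", "out"), 1)
    r["synack"] = fw.process(Packet("TCP", web, 80, inside, 51234, "SA", "in"), 2)
    r["ack"] = fw.process(Packet("TCP", inside, 51234, web, 80, "A", "out"), 3)
    r["data_in"] = fw.process(Packet("TCP", web, 80, inside, 51234, "PA", "in"), 4)
    r["stray_syn"] = fw.process(Packet("TCP", web, 80, inside, 51234, "S", "in"), 5)
    r["fin_inside"] = fw.process(Packet("TCP", inside, 51234, web, 80, "FA", "out"), 6)
    r["fin_outside"] = fw.process(Packet("TCP", web, 80, inside, 51234, "FA", "in"), 7)
    r["after_close"] = fw.process(Packet("TCP", web, 80, inside, 51234, "PA", "in"), 8)
    fw.process(Packet("TCP", inside, 51235, web, 80, "S", "out"), 10)   # second session
    r["late_reply"] = fw.process(Packet("TCP", web, 80, inside, 51235, "SA", "in"), 100)
    r["table_size"] = len(fw.conns)   # both sessions gone: one closed, one timed out
    return r
```

Running demo() shows the two behaviours side by side: the ACL with the "source port 80" permit lets the forged SYN to an inside SSH port through, while the stateful table denies it because no inside host opened that flow. The stateful side also drops a SYN that arrives inside an established flow, data that arrives after both FINs, and a SYN/ACK that comes back only after the idle timer has removed the embryonic entry.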
 
RAMU CH, Author, commented:
Thanks Garry

What is the default time-out for a session to be disconnected in an idle condition?

Regards
Ramu
0
 
Garry Glendown, Consulting and Network/Security Specialist, commented:
There are different time-outs due to the different types and states of connections. For an ASA with a halfway current OS/ASDM, go to Firewall -> Advanced -> Global Timeouts; there are 18 different timeouts for the different session types, states and protocols. All can be adjusted to your needs, though the defaults are usually sufficient.
0
 
Ernie Beek, Expert, commented:
All PIXes/ASAs are stateful, just like most hardware FWs. Most software ones ('normal' IOS, iptables, Windows Firewall) are stateless.

To have a look at all connections, try:
sh conn all, or even better: sh conn all det

0
 
Ernie Beek, Expert, commented:
This is an overview of the default timeouts in an ASA:

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

0
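Tying Ernie's two answers together (the `sh conn` command and the default timeout list above), here is an added Python helper, not from the thread and not Cisco's code, that parses the single-line `show conn` output, classifies each entry from its protocol and flags, and works out how much idle time is left under the defaults quoted above. The sample table is constructed (RFC 5737 addresses), the regex assumes the classic `PROTO iface ip:port iface ip:port, idle h:mm:ss, bytes N, flags X` layout, and the flag legend subset is my reading of the ASA `show conn` legend rather than something quoted on this page.

```python
import re

# Constructed sample of single-line 'show conn' output (RFC 5737 addresses);
# not captured from a real device.
SAMPLE = """\
TCP outside 203.0.113.5:80 inside 192.168.1.10:51234, idle 0:00:05, bytes 18342, flags UIO
TCP outside 203.0.113.5:443 inside 192.168.1.11:49152, idle 0:45:10, bytes 0, flags saA
TCP outside 198.51.100.9:22 inside 192.168.1.12:50001, idle 0:08:30, bytes 9120, flags UIOf
UDP outside 203.0.113.53:53 inside 192.168.1.10:53211, idle 0:01:50, bytes 212, flags -
ICMP outside 203.0.113.5:0 inside 192.168.1.10:1, idle 0:00:01, bytes 128
"""

# Default global timeouts quoted earlier in the thread, in seconds.
DEFAULT_TIMEOUTS = {"conn": 3600, "half-closed": 600, "udp": 120, "icmp": 2}

# Subset of the 'show conn' flag legend (my reading of the ASA legend, assumed here).
FLAG_LEGEND = {
    "U": "up", "I": "inbound data", "O": "outbound data",
    "B": "initial SYN from outside",
    "s": "awaiting outside SYN", "S": "awaiting inside SYN",
    "a": "awaiting outside ACK to SYN", "A": "awaiting inside ACK to SYN",
    "f": "inside FIN", "F": "outside FIN",
    "r": "inside acknowledged FIN", "R": "outside acknowledged FIN",
}

# Assumed classic one-line layout; 'show conn detail' uses a different multi-line form.
LINE_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+),"
    r"\s+idle\s+(?P<idle>\d+:\d\d:\d\d),\s+bytes\s+(?P<bytes>\d+)"
    r"(?:,\s+flags\s+(?P<flags>\S+))?\s*$"
)

def parse_idle(text):
    """'h:mm:ss' -> seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_conn_table(text):
    """Turn 'show conn' lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["idle"] = parse_idle(d["idle"])
        d["bytes"] = int(d["bytes"])
        d["flags"] = "" if d["flags"] in (None, "-") else d["flags"]
        rows.append(d)
    return rows

def classify(conn):
    """Which timeout class a connection falls into, judged from protocol and flags."""
    if conn["proto"] == "UDP":
        return "udp"
    if conn["proto"] == "ICMP":
        return "icmp"
    f = conn["flags"]
    if "U" not in f:                          # handshake never completed
        return "embryonic"
    if any(c in f for c in "fFrR"):           # a FIN has been seen on at least one side
        return "half-closed"
    return "established"

def time_left(conn, timeouts=DEFAULT_TIMEOUTS):
    """Seconds of idleness left before the entry would be dropped. Embryonic
    connections are governed by a separate embryonic timer that the thread does
    not list, so None is returned for them."""
    key = {"established": "conn", "half-closed": "half-closed",
           "udp": "udp", "icmp": "icmp"}.get(classify(conn))
    return None if key is None else max(timeouts[key] - conn["idle"], 0)

def summarize(text, timeouts=DEFAULT_TIMEOUTS):
    rows = parse_conn_table(text)
    for conn in rows:
        conn["class"] = classify(conn)
        conn["left"] = time_left(conn, timeouts)
        conn["flag_names"] = [FLAG_LEGEND.get(c, c) for c in conn["flags"]]
    return rows

def stale_embryonic(rows, max_idle=30):
    """Embryonic entries idle longer than max_idle: candidates for a scan, a SYN flood,
    or asymmetric routing where the SYN/ACK never comes back through this box."""
    return [c for c in rows if c["class"] == "embryonic" and c["idle"] > max_idle]

if __name__ == "__main__":
    table = summarize(SAMPLE)
    for c in table:
        print(f"{c['proto']:4} {c['in_ip']}:{c['in_port']} -> {c['out_ip']}:{c['out_port']} "
              f"{c['class']:12} idle={c['idle']}s left={c['left']} {c['flag_names']}")
    print("stale embryonic:", [c["in_ip"] for c in stale_embryonic(table)])
```

The embryonic check is the one worth keeping around: an entry that has sat in `saA` for 45 minutes means the inside host sent a SYN and never saw a SYN/ACK come back through the firewall, which is either a dead destination, a scan, or return traffic taking a path that bypasses the ASA.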
 
Ernie Beek, Expert, commented:
Oh, some cross-posting here...
0
 
RAMU CH, Author, commented:
Hi Ernie Beek,

How are you?
It has been a long time since we last met.

I want to become an expert in ASA firewalls. Will you send me a basic document about firewall connections passing through the firewall / DMZ / troubleshooting connections, etc.?

Regards
ramu
0
 
Ernie Beek, Expert, commented:
Ehr, well...

I'm not too familiar with documentation on the subject. I've learned everything myself by just doing it (over and over) and trying things out, only reading up when I needed to know more about a specific topic.

I would say, don't only start with firewalls but also with networking (which is what it is all about in the end). If I were to advise on reading/learning material, I'd say: have a look at Safari Books. The few books I have ;) I got from there.

Something like: http://my.safaribooksonline.com/book/networking/firewalls/9781587141140
0
 
Ernie Beek, Expert, commented:
And, of course, Google is your friend. There is lots to be found online to help you through the basics.
0
 
RAMU CH, Author, commented:
What are the industry's expectations of a CCIE Security engineer? I am planning to go for CCIE Security in a couple of months, and I am now CCNP R&S certified, because I like firewalls and VPN tunnelling/troubleshooting more than routers and switches.

Will you help me with what the opportunities are for CCIE Security people in the outside market? I have 4 years' experience in R&S but only 2 years' experience in firewalls and 1 year's experience in firewall technologies.

Regards
Ramu

0
 
Feroz Ahmed, Senior Network Engineer, commented:
Hi,

To view TCP or UDP flows, one can configure debug icmp trace, and this will show all the flow of TCP or UDP packets passing through the firewall. The configuration should be as below:

ASA# debug icmp trace (this will show the TCP and UDP packets flowing).

Packet-filtering firewalls are proxy firewalls where data is secure but it is slow, and stateful packet-filtering firewalls are fast and reliable compared to packet-filtering firewalls.

Yes, all ASA/PIX firewalls are stateful packet-filtering firewalls.
0
 
Garry Glendown, Consulting and Network/Security Specialist, commented:
Not too sure about your statement about packet-filtering firewalls ... on the one hand, they are pretty quick and use very little memory because they don't care about the state of a flow, but rather just look at the packet itself. On the other hand, they are sort of less secure, because they might allow packets to get through that, when seen in the context of e.g. a TWH (three-way handshake) or the state of a flow, would not be permitted, plainly because an access list has to allow them in order for the regular packet flow to work ... they also require pretty good knowledge of the workings of the different IP protocols in order to (a) get all of the required packets through and (b) not let stuff through you don't actually want ...

An example of a stateless packet filter is the access lists on a router ...
0
 
RAMU CH, Author, commented:
Thanks
0