Solved

Stateful Firewalling in PIX/ASA

Posted on 2011-09-14
Last Modified: 2012-05-12
hi,

Is there a method to see the session table (source/destination/TCP or UDP flow) using a stateful firewall?
What is the difference between a packet-filtering firewall and a stateful firewall?
Do all PIX/ASA firewalls do stateful firewalling?


Regards
Ramu
Question by: RAMU CH

Assisted Solution by: Garry-G (earned 150 total points, ID: 36541157)
Packet filtering: A firewall only looks at a packet and decides based on a fixed set of rules whether it is allowed through.

Stateful: Here the firewall also learns about connections that have been allowed, permitting returning packets without extra rule definitions.

Example:
If you allow an outgoing connection for a PC to do HTTP access on a packet filtering firewall, returning answers to the TCP connection will not be allowed unless you also allow incoming packets. This can cause either security holes if you don't watch out (e.g., allowing any traffic in that has port 80 as the source port), or requires lots of rules.
On a stateful firewall, the firewall has seen and permitted the outgoing connection request and will in turn permit the returning packets through. It will also (or should) do sanity checks on the packets, and will additionally watch out for the termination of a connection (for TCP), and timeout the session if there was no traffic for a certain time.

Nowadays, almost any HW firewall will be stateful.

As for a session overview, I'm not aware of a command for ASA/PIX at the moment, and couldn't locate one in the "?" overviews ... maybe someone else knows one.
Author Comment by: RAMU CH (ID: 36541167)
Thanks Garry

What is the default time-out for a session to be disconnected in ideal conditions?

Regards
Ramu
Assisted Solution by: Garry-G (earned 150 total points, ID: 36541191)
There are different time-outs due to the different types and states of connections. For an ASA with a halfway current OS/ASDM, go to Firewall -> Advanced -> Global Timeouts; there are 18 different timeouts for the different session types, states and protocols. All can be adjusted to your needs, though the defaults are usually sufficient.
Expert Comment by: Ernie Beek (ID: 36541210)
All PIXes/ASAs are stateful, just like most hardware FWs. Most software ones ('normal' IOS, iptables, Windows firewall) are stateless.

To have a look at all connections, try:
sh conn all
or, even better:
sh conn all det

Expert Comment by: Ernie Beek (ID: 36541214)
This is an overview of the default timeouts in an ASA:

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

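To make the stateless-versus-stateful distinction from Garry-G's explanation and the idle timeouts from Ernie Beek's list concrete, here is a small added model (not Cisco code or output from the thread). It uses made-up addresses and the ASA defaults quoted above (conn 1:00:00, udp 0:02:00), and its show_conn() is only a rough analogue of the real command's output.

```python
"""Toy model of a stateless packet filter versus a stateful firewall that
tracks flows and expires them on idle timeout. Added illustration for this
thread, not Cisco code; timeouts follow the ASA defaults quoted above
(conn 1:00:00, udp 0:02:00). Networks and addresses are constructed."""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."                      # constructed inside network prefix
IDLE_TIMEOUT = {"tcp": 3600, "udp": 120}    # seconds, from the defaults above

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN: a new connection request

# Stateless filter: to let HTTP replies back in, the rule set must trust
# "any packet with source port 80", which also admits unrelated traffic.
STATELESS_RULES = [
    lambda p: p.src.startswith(INSIDE_NET) and p.dport == 80,  # outbound HTTP
    lambda p: p.sport == 80,                                   # return traffic (hole)
]

def stateless_allow(p):
    return any(rule(p) for rule in STATELESS_RULES)

class StatefulFirewall:
    def __init__(self):
        self.table = {}   # 5-tuple of the initiating direction -> last-seen time

    def allow(self, p, now):
        # Expire idle entries first (what "timeout conn" / "timeout udp" do).
        for k in [k for k, t in self.table.items() if now - t > IDLE_TIMEOUT[k[0]]]:
            del self.table[k]
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for key in (fwd, rev):
            if key in self.table:          # part of a known flow: refresh and pass
                self.table[key] = now
                return True
        # Only an outbound request from the inside may create new state.
        if p.src.startswith(INSIDE_NET) and (p.proto == "udp" or p.syn):
            self.table[fwd] = now
            return True
        return False

    def show_conn(self):
        """Rough analogue of 'show conn': one line per tracked flow."""
        return [f"{k[0].upper()} {k[1]}:{k[2]} -> {k[3]}:{k[4]}" for k in self.table]
```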
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36541218
Oh, some crossposting here...
Author Comment by: RAMU CH (ID: 36542911)
Hi Ernie Beek,

How are you?
It has been a long time since we met.

I want to be an expert in ASA firewalls. Will you send me a basic document about how connections pass through the firewall / DMZ, troubleshooting connections, etc.?

Regards
ramu
Assisted Solution by: Ernie Beek (earned 50 total points, ID: 36543208)
Ehr, well...

I'm not too familiar with documentation on the subject. I've learned everything myself by just doing it (over and over) and trying things out, only reading up when I needed to know more about a specific topic.

I would say, don't only start with firewalls but also with networking (which it is all about in the end). If I were to advise about reading/learning material I'd say: have a look at Safari Books. The few books I have ;) I got from there.

Something like: http://my.safaribooksonline.com/book/networking/firewalls/9781587141140
Expert Comment by: Ernie Beek (ID: 36543215)
And, of course, Google is your friend. There is lots to be found online to help you through the basics.
Author Comment by: RAMU CH (ID: 36543306)
What are the industry expectations of a CCIE-Security guy? I am planning to go for CCIE-Security in a couple of months, and I am now CCNP-R&S certified, because I like firewalls and VPN tunnelling/troubleshooting more than routers and switches.

Will you help me understand what the opportunities for CCIE-Security guys are in the outside market? I have 4 years of experience in R&S but only 2 years of experience in firewalls and 1 year of experience in firewall technologies.

Regards
Ramu

Accepted Solution by: Feroz Ahmed (earned 50 total points, ID: 36570300)
Hi,

To view TCP or UDP flows, one can configure debug ICMP trace, and this will show the flow of TCP or UDP packets passing through the firewall. The configuration should be as below:

ASA# debug icmp trace (this will show the TCP and UDP packets flowing).

Packet filtering firewalls are proxy firewalls where data is secure but slow, and stateful packet filtering firewalls are fast and reliable when compared to packet filtering firewalls.

Yes, all ASA/PIX firewalls are stateful packet filtering firewalls.
Assisted Solution by: Garry-G (earned 150 total points, ID: 36571609)
Not too sure about your statement about packet filtering firewalls ... on the one hand, they are pretty quick and use very little memory because they don't care about the state of a flow, but rather just look at the packet itself. On the other hand, they are sort of less secure, because they might allow packets to get through that, when seen in the context of e.g. a TWH or the state of a flow, would not be permitted, plainly because an access list has to allow them in order for the regular packet flow to work ... they also require pretty good knowledge of the workings of the different IP protocols in order to (a) get all of the required packets through and (b) not let stuff through you don't actually want ...

A sample of stateless packet filters is access lists on a router ...
Author Closing Comment by: RAMU CH (ID: 36922429)
Thanks