Solved

Stateful Firewalling in PIX/ASA

Posted on 2011-09-14
Last Modified: 2012-05-12
Hi,

Is there a method to see the session table (source/destination/TCP or UDP flow) on a stateful firewall?
What is the difference between a packet-filtering firewall and a stateful firewall?
Are all PIX/ASA firewalls stateful firewalls?


Regards
Ramu
Question by:RAMU CH
13 Comments
 
LVL 18

Assisted Solution

by:Garry Glendown
Garry Glendown earned 150 total points
ID: 36541157
Packet filtering: A firewall only looks at a packet and decides based on a fixed set of rules whether it is allowed through.

Stateful: Here the firewall also learns about connections that have been allowed, permitting returning packets without extra rule definitions.

Example:
If you allow an outgoing connection for a PC to do HTTP access on a packet filtering firewall, returning answers to the TCP connection will not be allowed unless you also allow incoming packets. This can either cause security holes if you don't watch out (e.g., allowing any traffic in that has port 80 as the source port), or require lots of rules.
On a stateful firewall, the firewall has seen and permitted the outgoing connection request and will in turn permit the returning packets through. It will also (or should) do sanity checks on the packets, will additionally watch out for the termination of a connection (for TCP), and will time out the session if there was no traffic for a certain time.

Nowadays, almost any HW firewall will be stateful.

As for a session overview, I'm not aware of a command for ASA/PIX at the moment, and couldn't locate one in the "?" overviews ... maybe someone else knows one.
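The outbound-HTTP scenario from the answer above, as an added example that is not code from the original thread or from Cisco: a stateless rule list judged packet by packet sits next to a minimal stateful tracker that remembers the connections it permitted, insists that a new TCP flow begins with a bare SYN, and drops the table entry once the connection is torn down. The rule tuple layout, the Packet class, the StatefulFirewall class and the addresses (RFC 5737 documentation ranges) are this example's own constructions.

```python
"""Stateless packet filter vs stateful connection tracking.

Added example, not from the original thread. Rule layout, Packet and
StatefulFirewall are inventions for illustration; the addresses are
constructed input from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flag letters, e.g. "S", "SA", "A", "FA", "R"


# Rule tuple: (proto, src prefix, src port or None, dst prefix, dst port or None, action)
def stateless_allow(pkt, rules):
    """Packet filter: judge each packet on its own fields, first match wins."""
    for proto, src, sport, dst, dport, action in rules:
        if proto != pkt.proto:
            continue
        if not (pkt.src.startswith(src) and pkt.dst.startswith(dst)):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False        # implicit deny at the end of the list


INSIDE = "192.168.1."
# Outbound policy: the PC network may open HTTP to anywhere.
OUTBOUND_RULES = [("tcp", INSIDE, None, "", 80, "permit")]
# A stateless filter also needs a rule for the replies, and the only thing
# that identifies a reply is "source port 80": the hole named in the answer.
STATELESS_RULES = OUTBOUND_RULES + [("tcp", "", 80, INSIDE, None, "permit")]


class StatefulFirewall:
    """Keeps a table of permitted connections; replies need no rule."""

    def __init__(self, outbound_rules):
        self.rules = outbound_rules
        self.conns = {}     # initiator 5-tuple -> "syn" | "up" | "half-closed"

    @staticmethod
    def _fwd(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p):
        """Return True if the packet is forwarded."""
        for key in (self._fwd(p), self._rev(p)):
            if key in self.conns:
                return self._track(key, p)
        # Unknown flow: TCP must start with a bare SYN (a sanity check a
        # stateless ACL cannot make), then the outbound policy decides.
        if p.proto == "tcp" and p.flags != "S":
            return False
        if not stateless_allow(p, self.rules):
            return False
        self.conns[self._fwd(p)] = "syn" if p.proto == "tcp" else "up"
        return True

    def _track(self, key, p):
        state = self.conns[key]
        if p.proto == "tcp":
            if "R" in p.flags:                          # reset: entry goes at once
                del self.conns[key]
            elif state == "syn":                        # only the responder's SYN-ACK may follow
                if p.flags != "SA" or self._rev(p) != key:
                    return False
                self.conns[key] = "up"
            elif "F" in p.flags:                        # FIN from one side, then the other
                if state == "half-closed":
                    del self.conns[key]                 # simplification: no wait for final ACK
                else:
                    self.conns[key] = "half-closed"
        return True


def demo():
    """Run one HTTP session plus a spoofed 'reply' through both filters."""
    pc, web, attacker = "192.168.1.10", "203.0.113.50", "203.0.113.9"
    session = [
        Packet("tcp", pc, 51234, web, 80, "S"),
        Packet("tcp", web, 80, pc, 51234, "SA"),
        Packet("tcp", pc, 51234, web, 80, "A"),
        Packet("tcp", web, 80, pc, 51234, "A"),         # response data
        Packet("tcp", pc, 51234, web, 80, "FA"),
        Packet("tcp", web, 80, pc, 51234, "FA"),
    ]
    # SYN to the PC's SSH port, sourced from port 80 so it looks like an HTTP reply.
    probe = Packet("tcp", attacker, 80, pc, 22, "S")
    fw = StatefulFirewall(OUTBOUND_RULES)
    return {
        "stateless_session": [stateless_allow(p, STATELESS_RULES) for p in session],
        "stateless_probe": stateless_allow(probe, STATELESS_RULES),
        "stateful_session": [fw.process(p) for p in session],
        "stateful_probe": fw.process(probe),
        "entries_left": len(fw.conns),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

Both filters pass the whole HTTP session, but only the stateless one also passes the attacker's SYN to port 22, because a packet filter cannot tell a reply from a fresh connection that merely carries source port 80. The stateful tracker refuses it (no matching entry, and the outbound policy does not cover it), and after the two FINs its table is empty again.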
 
LVL 1

Author Comment

by:RAMU CH
ID: 36541167
Thanks Garry

What is the default time-out for a session to be disconnected, under ideal conditions?

Regards
Ramu
 
LVL 18

Assisted Solution

by:Garry Glendown
Garry Glendown earned 150 total points
ID: 36541191
There are different time-outs due to the different types and states of connections. For an ASA with a halfway current OS/ASDM, go to Firewall -> Advanced -> Global Timeouts; there are 18 different timeouts for the different session types, states and protocols. All can be adjusted to your needs, though the defaults are usually sufficient.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36541210
All PIXes/ASAs are stateful, just like most hardware FWs. Most software ones ('normal' IOS, iptables, Windows firewall) are stateless.

To have a look at all connections, try:
sh conn all, or even better: sh conn all det

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36541214
This is an overview of the timeouts that are by default in an ASA:

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

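As an added example that is not part of the original thread (and not an ASA feature), the default timeout lines quoted above are parsed into seconds and applied to a few constructed session lines in the general shape of ASA 8.x "show conn" output, to see which timeout governs each entry and how much idle time it has left. It serves both the "sh conn all det" suggestion earlier in the thread and the timeout list in this comment. The function names, the regular expressions and the sample session lines (which were not captured from a real device) are this example's own.

```python
"""Which idle timeout governs which entry in the connection table.

Added example, not from the original thread. TIMEOUT_CONFIG repeats the
ASA defaults quoted above; SAMPLE_CONN_OUTPUT is CONSTRUCTED in the
general shape of ASA 8.x 'show conn' lines and is not real device output.
Function names and regexes are this example's own.
"""
import re

TIMEOUT_CONFIG = """\
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
"""

# Constructed session lines: proto, interface addr:port per side, idle, bytes, flags.
SAMPLE_CONN_OUTPUT = [
    "TCP outside 203.0.113.50:443 inside 192.168.1.10:51234, idle 0:42:10, bytes 88231, flags UIO",
    "TCP outside 203.0.113.50:80 inside 192.168.1.11:51300, idle 0:12:05, bytes 2041, flags UIOf",
    "UDP outside 198.51.100.7:53 inside 192.168.1.12:40012, idle 0:01:30, bytes 212, flags -",
]

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) "
    r"(?P<oif>\S+) (?P<oaddr>[\d.]+):(?P<oport>\d+) "
    r"(?P<iif>\S+) (?P<iaddr>[\d.]+):(?P<iport>\d+), "
    r"idle (?P<idle>\d+:\d\d:\d\d), bytes (?P<bytes>\d+)"
    r"(?:, flags (?P<flags>\S+))?$"
)


def hms_to_seconds(hms):
    """'1:00:00' -> 3600; the h:mm:ss form both the timeout and idle fields use."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_timeouts(config):
    """Map every 'name h:mm:ss' pair on the 'timeout' lines to seconds."""
    timeouts = {}
    for line in config.splitlines():
        if line.startswith("timeout "):
            for name, value in re.findall(r"([\w-]+) (\d+:\d\d:\d\d)", line):
                timeouts[name] = hms_to_seconds(value)
    return timeouts


def parse_conn(line):
    """One 'show conn' style line -> dict with idle and bytes as integers."""
    m = CONN_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised conn line: {line!r}")
    c = m.groupdict()
    c["idle"] = hms_to_seconds(c["idle"])
    c["bytes"] = int(c["bytes"])
    c["flags"] = c["flags"] or ""
    return c


def governing_timeout(conn, timeouts):
    """TCP is under 'conn' until one side has sent FIN (flag f = inside FIN,
    F = outside FIN), after which 'half-closed' applies; UDP and ICMP have
    their own values."""
    if conn["proto"] == "TCP":
        half_closed = "f" in conn["flags"] or "F" in conn["flags"]
        name = "half-closed" if half_closed else "conn"
    else:
        name = conn["proto"].lower()
    return name, timeouts[name]


def time_left(conn_lines, timeouts):
    """Annotate each entry with its governing timeout and the seconds remaining
    (negative means the idle time already exceeds the limit)."""
    report = []
    for line in conn_lines:
        c = parse_conn(line)
        c["timeout"], c["limit"] = governing_timeout(c, timeouts)
        c["remaining"] = c["limit"] - c["idle"]
        report.append(c)
    return report


if __name__ == "__main__":
    t = parse_timeouts(TIMEOUT_CONFIG)
    for c in time_left(SAMPLE_CONN_OUTPUT, t):
        print(f"{c['proto']} {c['oaddr']}:{c['oport']} <-> {c['iaddr']}:{c['iport']} "
              f"idle {c['idle']}s under '{c['timeout']}' ({c['limit']}s): "
              f"{c['remaining']}s left")
```

The point of the second sample line is the one Garry made about watching for connection termination: once a FIN has been seen, the entry moves from the one-hour conn budget to the ten-minute half-closed budget, so twelve minutes of idle time that would be harmless on an open session is already past the limit. The flag letters are explained in the legend that show conn detail prints on the device.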
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36541218
Oh, some crossposting here.........
 
LVL 1

Author Comment

by:RAMU CH
ID: 36542911
Hi Ernie Beek,

How are you?
It's been a long time since we last met.

I want to become an expert in ASA firewalls. Will you send me a basic document about firewall connections passing through the firewall / DMZ / troubleshooting connections, etc.?

Regards
ramu
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 50 total points
ID: 36543208
Ehr, well.................

I'm not too familiar with documentation on the subject. I've learned everything myself by just doing it (over and over) and trying things out, only reading up when I needed to know more about a specific topic.

I would say, not only start with firewalls but also with networking (which is what it is all about in the end). If I were to advise on reading/learning material I'd say: have a look at Safari Books. The few books I have ;) I got from there.

Something like: http://my.safaribooksonline.com/book/networking/firewalls/9781587141140
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36543215
And, of course, Google is your friend. There is lots to be found online to help you through the basics.
 
LVL 1

Author Comment

by:RAMU CH
ID: 36543306
What are the industry expectations of a CCIE-Security guy? I am planning to go for CCIE-Security in a couple of months. I am currently CCNP-R&S certified, but I like firewalls and VPN tunnelling/troubleshooting more than routers and switches.

Will you help me with what the opportunities for CCIE-Security guys are in the outside market? I have 4 years of experience in R&S but only 2 years of experience in firewalls and 1 year of experience in firewall technologies.

Regards
Ramu

 
LVL 5

Accepted Solution

by:Feroz Ahmed
Feroz Ahmed earned 50 total points
ID: 36570300
Hi,

To view TCP or UDP flow one can configure (Debug ICMP Trace), and this will show all the flow of TCP or UDP packets passing through the firewall. The configuration should be as below:

ASA#debug icmp trace (this will show the TCP and UDP packets flowing).

Packet filtering firewalls are proxy firewalls, where data is secure but it is slow, and stateful packet filtering firewalls are fast and reliable when compared to packet filtering firewalls.

Yes, all ASA/PIX firewalls are stateful packet filtering firewalls.
 
LVL 18

Assisted Solution

by:Garry Glendown
Garry Glendown earned 150 total points
ID: 36571609
Not too sure about your statement about packet filtering firewalls ... On the one hand, they are pretty quick and use very little memory, because they don't care about the state of a flow but rather just look at the packet itself. On the other hand, they are sort of less secure, because they might allow packets to get through that, when seen in context (e.g. of a TWH or the state of a flow), would not be permitted, plainly because an access list has to allow them in order for the regular packet flow to work ... They also require pretty good knowledge of the workings of the different IP protocols in order to (a) get all of the required packets through and (b) not let stuff through you don't actually want ...

A sample of stateless packet filters is access lists on a router ...
 
LVL 1

Author Closing Comment

by:RAMU CH
ID: 36922429
Thanks
