Application Inspection

A stateful firewall can easily examine the source and destination parameters of packets passing through it. Many applications use protocols that also embed address or port information inside the packet, requiring special handling for examination.

Application inspection allows a firewall to dig inside the packets used by certain applications. The firewall can find and use the embedded information in its stateful application layer inspection engines.

Embedded address information can also become confusing when you use NAT. If the packet addresses are being translated, the firewall must also perform the same translation on any corresponding embedded addresses.

Application inspection also monitors any secondary channels or "buddy ports" that are opened as a part of an application connection. Only the primary or well-known port needs to be configured for the application inspection. In addition, only the primary port needs to be permitted in an access list applied to a firewall interface.

This becomes important for inbound connections, where permitted ports must be explicitly configured in the access list. Any secondary connections that are negotiated are tracked, and the appropriate access (additional xlate and conn entries) is added automatically.

To illustrate how this works, consider a simple example with the passive FTP application protocol, as shown in Figure 7-5. An FTP client is located on the outside of a firewall, and the FTP server is inside. The access list applied to the outside interface only permits inbound connections to TCP port 21, the FTP control channel. As soon as the client opens a connection to port 21, the server responds with the port number of the data channel the client should use next.

Figure 7-5. An Example of FTP Application Inspection

When the client initiates the inbound data connection to the server's negotiated port number, the firewall does not have an explicit access list statement to permit it. In fact, because the new connection port is negotiated within a previous FTP exchange over the control channel, the port number cannot be known ahead of time. However, the FTP application inspection understands the FTP protocol and listens to the packet exchange between the client and server. The firewall overhears the data channel port negotiation and can automatically create xlate and conn entries for it dynamically.
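The following Python sketch, added here as an illustration and not taken from the book or from any Cisco code, mimics what the FTP inspection engine does with a passive-mode reply: it parses the server's 227 response to learn the negotiated data port, rewrites the embedded address according to a static xlate when NAT is in use, and produces the dynamic conn entry (pinhole) that permits the client's inbound data connection. All addresses, ports and the xlate table are constructed sample values.

```python
import re

# Constructed sample: the server's reply on the control channel announcing the
# passive data channel. RFC 959 format is (h1,h2,h3,h4,p1,p2), port = p1*256 + p2.
SAMPLE_REPLY = b"227 Entering Passive Mode (10,1,1,50,195,80).\r\n"

# Constructed static xlate: inside (real) address -> outside (mapped) address.
SAMPLE_XLATE = {"10.1.1.50": "198.51.100.50"}

PASV_RE = re.compile(
    rb"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: bytes):
    """Return (ip, port) embedded in a 227 reply, or None if the reply is
    not a well-formed passive-mode announcement."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None  # malformed octet or port byte
    port = fields[4] * 256 + fields[5]
    if port == 0:
        return None  # a data channel on port 0 is not usable
    return ("%d.%d.%d.%d" % tuple(fields[:4]), port)


def inspect_pasv(reply: bytes, client, xlate):
    """Model the inspection engine. `client` is the outside (src_ip, src_port)
    of the control connection; `xlate` maps real inside addresses to mapped
    outside addresses. Returns the pinhole to add and the rewritten reply,
    or None if the line carries no passive-mode announcement."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    real_ip, port = parsed
    # Embedded address must be translated the same way the packet headers are.
    mapped_ip = xlate.get(real_ip, real_ip)
    # Dynamic conn entry: only this client may open this one data connection.
    pinhole = {"proto": "tcp", "src": client, "dst": (mapped_ip, port)}
    # Rewritten reply the client actually sees. A real firewall must also adjust
    # TCP sequence numbers if the rewritten line changes length.
    rewritten = b"227 Entering Passive Mode (%s,%d,%d).\r\n" % (
        mapped_ip.replace(".", ",").encode(), port // 256, port % 256)
    return pinhole, rewritten
```

Running `inspect_pasv(SAMPLE_REPLY, ("192.0.2.10", 40001), SAMPLE_XLATE)` yields a pinhole for the client to 198.51.100.50:50000 and a reply whose embedded address is the mapped one, which is exactly why only port 21 needs to appear in the interface access list.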

In releases before ASA 7.0(1), application inspection is called a fixup. If a fixup is enabled, it is used to examine all traffic passing through the firewall. Beginning with ASA 7.0(1) and FWSM 3.1(1), application inspection is much more flexible. Inspection engines can be used to examine specific types of traffic.

Table 7-6 lists the applications and well-known ports supported for application inspection on Cisco firewall platforms running PIX software.

Table 7-6. Application Inspection: Applications and Ports Supported
