The Best Damn Cisco Internetworking Book Period

Handling Advanced Protocols

One of the most important features of all firewalls is their ability to intelligently handle many different protocols and applications. Unfortunately, many applications, some of which were developed before the idea of a firewall emerged, act in a much more complicated manner than Telnet or HTTP. The general problem: these applications use more than one connection to operate and only one of these connections occurs on a well-known port, while the others use dynamically negotiated port numbers. Figure 8.7 shows an example of what happens when this situation occurs and no special measures are in place. (This is a simplified example of SQL*net session negotiation.)


Figure 8.7: Client Redirection without Application Inspection

A firewall needs to monitor such applications, understand them, and adjust accordingly. This situation becomes even more complicated when NAT or PAT is involved: the firewall might need to change the data portion of a packet that carries embedded address information so that the packet can be correctly processed by a client or server on the other side of the PIX. There are many implementations of this feature for various firewalls (for example, the ASA of Cisco PIX devices).

The ASA uses several sources of information during its operation:

  • ACLs that filter traffic based on hosts, networks, and the TCP or UDP ports involved.

  • Embedded rules for application inspection, which allow automatic processing of most of the complicated cases mentioned. Although some of these rules are configurable, others are fixed.
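To make the two mechanisms concrete, here is an added illustration (not code from the book or from Cisco) of what an application-inspection rule does on top of plain port-based filtering. It uses the FTP active-mode PORT command as a stand-in for the SQL*Net negotiation in Figure 8.7, because PORT is a well-documented case of a control channel that embeds the client's address and a dynamically chosen port. The NAT mapping, addresses and class names are constructed for the example. The inspection routine rewrites the embedded inside address to the NAT outside address and opens a single-use "pinhole" for the expected secondary connection; without that step the return connection to the dynamic port would simply be dropped, which is the situation the figure depicts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed example: an FTP-style "PORT h1,h2,h3,h4,p1,p2" command carries the
# client's IP address and a dynamically chosen data port in the control channel.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


@dataclass(frozen=True)
class Pinhole:
    """A temporary permit for exactly one expected secondary connection."""
    src_ip: str     # the server that is expected to connect back
    dst_ip: str     # the NAT (outside) address the server will target
    dst_port: int   # the dynamically negotiated port taken from the control channel


@dataclass
class InspectingFirewall:
    # Static NAT table, inside address -> outside address (constructed values).
    nat: dict[str, str]
    pinholes: set[Pinhole] = field(default_factory=set)

    def inspect_control(self, inside_ip: str, server_ip: str, payload: bytes) -> bytes:
        """Inspect one client -> server control message.

        If the message embeds an address, rewrite it to the NAT outside address
        and open a pinhole for the return connection the server will make.
        Messages without embedded addresses pass through untouched.
        """
        m = PORT_RE.match(payload.decode("ascii", errors="replace"))
        if m is None:
            return payload
        embedded_ip = ".".join(m.group(i) for i in range(1, 5))
        p1, p2 = int(m.group(5)), int(m.group(6))
        data_port = p1 * 256 + p2
        # The embedded address must match the real inside source and have a NAT
        # entry; otherwise the message is passed unchanged and no pinhole opens.
        if embedded_ip != inside_ip or inside_ip not in self.nat:
            return payload
        outside_ip = self.nat[inside_ip]
        self.pinholes.add(Pinhole(server_ip, outside_ip, data_port))
        o = outside_ip.split(".")
        rewritten = f"PORT {o[0]},{o[1]},{o[2]},{o[3]},{p1},{p2}\r\n"
        return rewritten.encode("ascii")

    def permit_inbound(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Decide on an unsolicited inbound connection to a dynamic port.

        Only a matching pinhole permits it, and the pinhole is consumed on use.
        A firewall without inspection has no pinholes and always answers False.
        """
        hole = Pinhole(src_ip, dst_ip, dst_port)
        if hole in self.pinholes:
            self.pinholes.discard(hole)
            return True
        return False


if __name__ == "__main__":
    fw = InspectingFirewall(nat={"10.0.0.5": "203.0.113.7"})
    msg = b"PORT 10,0,0,5,156,65\r\n"          # client announces data port 40001
    print("before inspection:", fw.permit_inbound("198.51.100.20", "203.0.113.7", 40001))
    print("rewritten:", fw.inspect_control("10.0.0.5", "198.51.100.20", msg))
    print("after inspection: ", fw.permit_inbound("198.51.100.20", "203.0.113.7", 40001))
```

The point to take from the run is that the rewritten payload now names the outside address, so the server on the far side connects to something routable, and the firewall has an expectation to match that connection against instead of dropping it as unsolicited.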

The following steps...
