Cisco Cisco ASR 5700

Cisco

PSF Administration Guide, StarOS Release 17 ▄

iii

CONTENTS

About this Guide ................................................................................................. v

Conventions Used ....................................................................................................................................vi

Supported Documents and Resources ................................................................................................... vii

Related Common Documentation ....................................................................................................... vii

Related Product Documentation ..................................................................................................... vii

Obtaining Documentation ............................................................................................................... vii

Contacting Customer Support ................................................................................................................ viii

Personal Stateful Firewall Overview ................................................................. 9

Firewall Overview ................................................................................................................................... 10

Qualified Platforms ............................................................................................................................. 10

License Requirements........................................................................................................................ 10

Supported Features ................................................................................................................................ 11

Protection against Denial-of-Service Attacks ..................................................................................... 11

Types of Denial-of-Service Attacks ................................................................................................ 11

Source-IP based Flood Attack Detection ....................................................................................... 13

Protection against Port Scanning .................................................................................................. 14

Application-level Gateway Support .................................................................................................... 14

PPTP ALG Support ........................................................................................................................ 15

TFTP ALG Support ........................................................................................................................ 15

Stateful Packet Inspection and Filtering Support ............................................................................... 15

Stateless Packet Inspection and Filtering Support ............................................................................ 16

Host Pool, IMSI Pool, and Port Map Support ..................................................................................... 16

Host Pool Support .......................................................................................................................... 16

IMSI Pool Support .......................................................................................................................... 16

Port Map Support ........................................................................................................................... 16

Port Control Protocol Support ............................................................................................................ 16

Bulk Statistics Support ................................................................................................................... 18

Flow Recovery Support ...................................................................................................................... 18

ICSR Support for Dynamic Firewall Access Rules ............................................................................ 19

SNMP Thresholding Support ............................................................................................................. 19

Logging Support ................................................................................................................................. 20

How Personal Stateful Firewall Works ................................................................................................... 21

Disabling Firewall Policy .................................................................................................................... 21

Mid-session Firewall Policy Update ................................................................................................... 22

Firewall-and-NAT Checkpointing ....................................................................................................... 22

How it Works ...................................................................................................................................... 22

Understanding Rules with Stateful Inspection ........................................................................................ 26

Connection State and State Table in Personal Stateful Firewall ....................................................... 27

Transport and Network Protocols and States ................................................................................ 27

Application-Level Traffic and States .............................................................................................. 28

Personal Stateful Firewall Configuration ....................................................... 31

Before You Begin ................................................................................................................................... 32

Configuring the System .......................................................................................................................... 33

Configuring Stateful Firewall................................................................................................................... 34