Cisco Cisco Packet Data Interworking Function (PDIF) Documentation Roadmaps
Personal Stateful Firewall Overview
Supported Features ▀
Cisco ASR 5000 Series Product Overview ▄
OL-22937-01
UDP-based Attacks:
Invalid UDP echo response
Invalid UDP packet length
UDP checksum errors
Short UDP header length
UDP flood attack — Detected only in downlink direction
ICMP-based Attacks:
Invalid ICMP response
ICMP reply error
Invalid ICMP type packet
ICMP error message replay attacks
ICMP packets with duplicate sequence number
Short ICMP header length
Invalid ICMP packet length
ICMP flood attack — Detected only in downlink direction
Ping of death attacks
ICMP checksum errors
ICMP packets with destination unreachable message
Other DoS Attacks
Port-scan attacks — Detected only in downlink direction
Protection against Port Scanning
Port scanning is a technique used to determine the states of TCP/UDP ports on a network host, and to map out hosts on
a network. Essentially, a port scan consists of sending a message to each port on the host, one at a time. The kind of
response received indicates whether the port is used, and can therefore be probed further for weakness. This way
hackers find potential weaknesses that can be exploited.
a network. Essentially, a port scan consists of sending a message to each port on the host, one at a time. The kind of
response received indicates whether the port is used, and can therefore be probed further for weakness. This way
hackers find potential weaknesses that can be exploited.
Stateful Firewall provides protection against port scanning by implementing port scan detection algorithms. Port-scan
attacks are only detected in the downlink direction—traffic from external network towards mobile subscribers.
attacks are only detected in the downlink direction—traffic from external network towards mobile subscribers.
Application-level Gateway Support
A stateful firewall while ensuring that only legitimate connections are allowed, also maintains the state of an allowed
connection. Some network applications require additional connections to be opened up in either direction and
information regarding such connections is sent in the application payload. For these applications to work properly, a
stateful firewall must inspect, analyze, and parse these application payloads to get the additional connection
information, and open partial connections/pinholes in the firewall to allow the connections.
connection. Some network applications require additional connections to be opened up in either direction and
information regarding such connections is sent in the application payload. For these applications to work properly, a
stateful firewall must inspect, analyze, and parse these application payloads to get the additional connection
information, and open partial connections/pinholes in the firewall to allow the connections.