Дорожная карта для Cisco Cisco Packet Data Gateway (PDG)
Personal Stateful Firewall Overview
▀ Supported Features
▄ Cisco ASR 5000 Series Product Overview
OL-22937-01
To parse application payloads, firewall employs ALGs. ALGs also check for application-level attacks. Personal Stateful
Firewall provides ALG functionality for the following protocols:
Firewall provides ALG functionality for the following protocols:
File Transfer Protocol (FTP)
Real Time Protocol (RTP)
Real Time Streaming Protocol (RTSP)
ALG support for Simple Mail Transfer Protocol (SMTP) and HTTP is ECS functionality.
Stateful Packet Inspection and Filtering Support
As described in the Overview section, stateful packet inspection and filtering uses Layer-4 information as well as the
application-level commands up to Layer-7 to provide good definition of the individual connection states to defend from
malicious security attacks.
application-level commands up to Layer-7 to provide good definition of the individual connection states to defend from
malicious security attacks.
Personal Stateful Firewall overcomes the disadvantages of static packet filters by disallowing any incoming packets that
have the TCP SYN flag set (which means a host is trying to initiate a new connection). If configured, stateful packet
filtering allows only packets for new connections initiated from internal hosts to external hosts and disallows packets for
new connections initiated from external hosts to internal hosts.
have the TCP SYN flag set (which means a host is trying to initiate a new connection). If configured, stateful packet
filtering allows only packets for new connections initiated from internal hosts to external hosts and disallows packets for
new connections initiated from external hosts to internal hosts.
Stateless Packet Inspection and Filtering Support
Stateful Firewall service can be configured for stateless processing. In stateless processing, packets are inspected and
processed individually.
processed individually.
Stateless processing is only applicable for TCP and ICMP protocols. By nature UDP is a stateless protocol without any
kind of acking or request and reply mechanism at transport level.
kind of acking or request and reply mechanism at transport level.
When TCP FSM is disabled, flows can start with any kind of packet and need not respect the TCP FSM. Such flows are
marked as dummy (equivalent to flows established during flow recovery timer running). For these flows only packet
header check is done; there will be no FSM checks, sequence number validations, or port scan checks done.
marked as dummy (equivalent to flows established during flow recovery timer running). For these flows only packet
header check is done; there will be no FSM checks, sequence number validations, or port scan checks done.
When ICMP FSM is disabled, ICMP reply without corresponding requests, ICMP error message without inner packet
data session, and duplicate ICMP requests are allowed by firewall.
data session, and duplicate ICMP requests are allowed by firewall.
Host Pool, IMSI Pool, and Port Map Support
This section describes the Host Pool, IMSI Pool, and Port Map features that can be used while configuring access
ruledefs.
ruledefs.