17-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 17 Managing Firewall Inspection Rules
Understanding Inspection Rules
CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when
inspected traffic exits your internal network through the firewall. The openings allow returning traffic
(that would normally be blocked) and additional data channels to enter your internal network back
through the firewall. The traffic is allowed back through the firewall only if it is part of the same session
as the original traffic that triggered inspection when exiting through the firewall.
Inspection rules are applied after your access rules, so any traffic that you deny in the access rule is not
inspected. The traffic must be allowed by the access rules at both the input and output interfaces to be
inspected. Whereas access rules allow you to control connections at layer 3 (network, IP) or 4 (transport,
TCP or UDP protocol), you can use inspection rules to control traffic using application-layer protocol
session information.
For all protocols, when you inspect the protocol, the device provides the following functions:
• Automatically opens a return path for the traffic (reversing the source and destination addresses), so that you do not need to create an access rule to allow the return traffic. Each connection is considered a session, and the device maintains session state information and allows return traffic only for valid sessions. Protocols that use TCP contain explicit session information, whereas for UDP applications, the device models the equivalent of a session based on the source and destination addresses and the closeness in time of a sequence of UDP packets.
  These temporary access lists are created dynamically and are removed at the end of a session.
• Tracks sequence numbers in all TCP packets and drops those packets with sequence numbers that are not within expected ranges.
• Uses timeout and threshold values to manage session state information, helping to determine when to drop sessions that do not become fully established. When a session is dropped, or reset, the device informs both the source and destination of the session to reset the connection, freeing up resources and helping to mitigate potential Denial of Service (DoS) attacks.
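The session model described above (a return path opened only for traffic initiated from the inspected side, UDP "sessions" inferred from addresses plus closeness in time, and idle timeouts that remove the temporary opening), as an added illustration in Python; this is a constructed model, not Cisco Security Manager or IOS code, and the idle-timeout values, packet fields and sample flows are assumptions. Sequence-number checking and half-open thresholds are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp" (assumed field names)
    src: str
    sport: int
    dst: str
    dport: int
    ts: float       # arrival time in seconds
    inbound: bool   # True if arriving on the outside (untrusted) interface

class Inspector:
    """CBAC-style model: sessions are created by traffic leaving the inside,
    and only the exact reverse of a live session is permitted back in."""
    def __init__(self, tcp_idle=3600.0, udp_idle=30.0):
        # assumed idle timeouts, per protocol, in seconds
        self.idle = {"tcp": tcp_idle, "udp": udp_idle}
        self.sessions = {}   # (proto, src, sport, dst, dport) -> last-seen ts

    @staticmethod
    def key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def expire(self, now):
        # the temporary opening disappears once the session goes idle
        for k, last in list(self.sessions.items()):
            if now - last > self.idle[k[0]]:
                del self.sessions[k]

    def process(self, p):
        self.expire(p.ts)
        if not p.inbound:
            # outbound traffic creates or refreshes the session entry
            self.sessions[self.key(p)] = p.ts
            return "permit"
        # inbound traffic is only a valid return if it reverses a live session
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if rev in self.sessions:
            self.sessions[rev] = p.ts
            return "permit"
        return "deny"

def demo():
    """Constructed sample flows: a DNS query, its reply, an unsolicited
    packet to a different port, and a reply that arrives after the idle timeout."""
    insp = Inspector()
    out = Packet("udp", "10.0.0.5", 5353, "203.0.113.9", 53, 0.0, False)
    back = Packet("udp", "203.0.113.9", 53, "10.0.0.5", 5353, 0.5, True)
    unsolicited = Packet("udp", "203.0.113.9", 53, "10.0.0.5", 6000, 0.6, True)
    late = Packet("udp", "203.0.113.9", 53, "10.0.0.5", 5353, 100.0, True)
    return [insp.process(x) for x in (out, back, unsolicited, late)]
```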
The following topics provide more information about inspection:
• Choosing the Interfaces for Inspection Rules, page 17-2
• Selecting Which Protocols To Inspect, page 17-3
• Understanding Access Rule Requirements for Inspection Rules, page 17-4
• Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 17-4
• Configuring Protocols and Maps for Inspection, page 17-21
• Configuring Inspection Rules, page 17-5
• Configuring Settings for Inspection Rules for IOS Devices, page 17-88
Choosing the Interfaces for Inspection Rules
Configure inspection on devices that protect internal networks. Use it with TCP, UDP, or more specific
protocols. Inspect these applications if you want the application’s traffic to be permitted through the
device only when the traffic session is initiated from a particular side of the device (usually from the
protected internal network).
Tip: For IOS devices, you need to configure inspection explicitly, and you can identify the direction of traffic to be inspected. For ASA, PIX, and FWSM devices, you cannot identify the direction, and you need to configure inspection only if you do not want the inspection defaults. In the remaining discussion, statements concerning direction apply only to IOS devices. For ASA, PIX, and FWSM, simply configure inspection on the identified interface.