ASA packet inspection phase

Initial checking phase 1:
Packets arriving at a firewall interface are checked for basic integrity.
Source-address integrity: Unicast RPF (uRPF) inspects the source IP address of each incoming packet and drops spoofed packets.

Note: uRPF is not enabled by default.

XLATE phase 2:
XLATE runs twice: as the second phase (outgoing) and as the fifth phase (incoming).
The translation (xlate) table holds dynamically created entries and statically configured entries.

Connection lookup phase 3:

Stateful inspection – the ASA examines and records the state of each connection passing through it.

Connection idle timeout period: the idle timer runs whenever no data passes through a flow or connection. Once the idle timeout is reached, the connection is aged out of the connection table.

Summary:
Whenever a connection is allowed through the firewall, the ASA creates a flow (connection entry) in its connection table. When the return traffic comes back, it matches that flow in the connection table and is immediately permitted through the device.

There is an idle timeout period for connections, and whenever that timeout is reached
the connection is aged out of the connection table.
“set connection idle hh:mm:ss [reset]—The idle timeout period after which an established connection of any protocol closes, between 0:0:1 and 1193:0:0. The default is 1:0:0. For TCP traffic, the reset keyword sends a reset to TCP endpoints when the connection times out.
The default udp idle timeout is 2 minutes. The default icmp idle timeout is 2 seconds. The default esp and ha idle timeout is 30 seconds. For all other protocols, the default idle timeout is 2 minutes.”

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/conns-connlimits.pdf

ACL lookup phase 4:
An ACL is a list of permit or deny statements on the firewall, applied to an interface in either the ingress or the egress direction.

Once an access list is applied to a firewall interface it becomes a vital part of the packet inspection process, because the ACL explicitly lists the types of traffic that are permitted through. Anything not explicitly permitted is implicitly denied.

ACLs do not inspect connection state; they simply define which packets are permitted or denied in a single direction. By default no ACLs are created or applied to any firewall interface, and the Cisco ASA instead uses its default security policy of security levels to filter traffic.

Default Security Policy(Security Levels):
Traffic sourced from a higher security level and destined to a lower security level is permitted.
But
traffic sourced from a lower security level and destined to a higher security level is denied.
The only situation in which traffic from a lower security level to a higher security level is permitted is when it is return traffic for a connection that was originated and initiated from the higher-security-level interface.
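To make phases 3 and 4 concrete, here is a toy model written for these notes (not Cisco code) of the connection table with per-protocol idle aging, plus the security-level default policy applied when no ACL is on the interface. Interface names, addresses and the Packet fields are constructed for the illustration; the idle timeouts are the defaults quoted from the Cisco guide above.

```python
from collections import namedtuple

# Default idle timeouts in seconds, taken from the ASA guide quoted above:
# tcp 1:00:00, udp 2 min, icmp 2 s, esp 30 s, everything else 2 min.
DEFAULT_IDLE = {"tcp": 3600, "udp": 120, "icmp": 2, "esp": 30}
OTHER_IDLE = 120

# A packet as seen after phase 1 (the field set is this model's assumption).
Packet = namedtuple("Packet", "proto src sport dst dport in_if out_if")


class AsaConnModel:
    """Toy model of phases 3 and 4: connection-table lookup, idle aging, and
    the security-level default policy used when no ACL is applied.
    Written for these notes as an illustration; it is not Cisco code."""

    def __init__(self, sec_levels):
        self.levels = sec_levels   # interface name -> security level (0..100)
        self.conns = {}            # 5-tuple -> time the flow last carried data

    @staticmethod
    def _fwd(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def age_out(self, now):
        """Drop every connection idle longer than its protocol default."""
        expired = [k for k, last in self.conns.items()
                   if now - last > DEFAULT_IDLE.get(k[0], OTHER_IDLE)]
        for k in expired:
            del self.conns[k]
        return expired

    def process(self, p, now):
        """Return the verdict for packet p arriving at time `now` (seconds)."""
        self.age_out(now)
        # Phase 3: a packet matching an existing flow in either direction is
        # permitted immediately and refreshes the flow's idle timer.
        for k in (self._fwd(p), self._rev(p)):
            if k in self.conns:
                self.conns[k] = now
                return "permit: existing connection"
        # Phase 4 with no ACL on the interface: higher-to-lower security level
        # opens a new flow; lower-to-higher without a matching flow is denied.
        if self.levels[p.in_if] > self.levels[p.out_if]:
            self.conns[self._fwd(p)] = now
            return "permit: new connection (higher to lower)"
        return "deny: lower to higher, no matching connection"
```

Running an outbound UDP query and then its reply 121 seconds later shows the reply being denied, because the flow aged out at the 2-minute UDP default before the return packet arrived.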

UAUTH Lookup phase 6:
Authentication – authenticates users.

Inspection Engine phase 7:
Inspects connectionless and connection-oriented protocols.
UDP header example: Source/Destination Port / Length / Checksum
TCP header example: Source/Destination Port / Sequence / ACK / Flags / Window / Checksum / Urgent / Options.
