Filter
Top Products
2-19
Cisco ASDM User Guide
OL-16647-01
Chapter 2 Introduction to the Security Appliance
Firewall Functional Overview
Firewall Mode Overview
The security appliance runs in two different firewall modes:
• Routed
• Transparent
In routed mode, the security appliance is considered to be a router hop in the network.
In transparent mode, the security appliance acts like a “bump in the wire,” or a “stealth firewall,” and is
not considered a router hop. The security appliance connects to the same network on its inside and
outside interfaces.
You might use a transparent firewall to simplify your network configuration. Transparent mode is also
useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for
traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow
multicast streams using an EtherType access list.
Stateful Inspection Overview
All traffic that goes through the security appliance is inspected using the Adaptive Security Algorithm
and either allowed through or dropped. A simple packet filter can check for the correct source address,
destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter
also checks every packet against the filter, which can be a slow process.
A stateful firewall like the security appliance, however, takes into consideration the state of a packet:
• Is this a new connection?
If it is a new connection, the security appliance has to check the packet against access lists and
perform other tasks to determine if the packet is allowed or denied. To perform this check, the first
packet of the session goes through the “session management path,” and depending on the type of
traffic, it might also pass through the “control plane path.”
The session management path is responsible for the following tasks:
–
Performing the access list checks
–
Performing route lookups
–
Allocating NAT translations (xlates)
–
Establishing sessions in the “fast path”
Note The session management path and the fast path make up the “accelerated security path.”
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are
passed on to the control plane path. Layer 7 inspection engines are required for protocols that have
two or more channels: a data channel, which uses well-known port numbers, and a control channel,
which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
• Is this an established connection?
If the connection is already established, the security appliance does not need to re-check packets;
most matching packets can go through the fast path in both directions. The fast path is responsible
for the following tasks:
–
IP checksum verification