6 Any packets that do not match the session object exactly are dropped and logged.
7 The source completes the connection by responding with an ACK. The
acknowledgment number is not randomized as it passes through the PIX, and the connection slot is marked as active-established.
8 The embryonic counter is reset, and data is transmitted between the nodes.
The process used by the PIX to handle UDP traffic is completely different from the process for TCP traffic. This is due to UDP’s characteristics. UDP is a connectionless protocol that does not negotiate a connection. Without any setup or termination, it is very difficult to determine the state of a UDP session. Because of the inability to determine session state, it is very easy to spoof UDP packets and hijack a UDP session. Some applications use UDP rather than TCP for data transfer. Many of these are real-time applications or applications that have no reliability requirements. These applications include network video applica- tions, Common Internet File System (CIFS), NetBIOS Domain Name System (DNS), and remote procedure call (RPC).
The default security policy allows UDP packets to pass from a higher security level to a lower security level. For UDP packets to pass in the other direction, they must be allowed by the security policy. It is very important to restrict inbound UDP access as much as possible. Due to UDP’s limitations, many applications that operate over UDP are targets for exploitation by hackers.
The Cisco PIX Firewall handles UDP traffic in the following manner:
1 The source machine initiates the UDP connection. It is received by the PIX Firewall en route to the destination. The PIX applies the default rule and any necessary translation, creates a session object in the state table, and allows the connection to pass to the outside interface.
2 Any return traffic is matched with the session object, and the session timeout is applied. The session timeout is 2 minutes by default. If the response does not match the session object or is not within the timeout, the packet is dropped. If everything matches, the response is allowed through to the requesting source.
3 Any inbound UDP sessions from a lower security level to a higher security level must be allowed by the security policy, or the connection is dropped.
Address Translation
The current Internet Protocol standard being used is version 4 (IPv4). IPv4 consists of 32 bits, which represents approximately 4 billion individual IP addresses. This seems like a tremendous number of addresses, but the Internet continues to grow at an incredible rate, and with the current standard, we will run out of addresses. Two factors are being imple- mented to help deal with this issue. This first is Internet Protocol version 6 (IPv6). IPv6 is a total redesign of the Internet Protocol and is still in development. The second factor that is being used to conserve the public address space is RFC 1918, which defines address
72 Chapter 5: Understanding Cisco PIX Firewall Translation and Connections
allocation for private internets. RFC 1918 sets aside network space to be used for private networks. This address space is not accessible via the public Internet. The Internet Assigned Numbers Authority (IANA) reserved the following address space for private networks:
10.0.0.0 through 10.255.255.255: 16,777,214 hosts 172.16.0.0 through 172.31.255.255: 1,048,574 hosts 192.168.0.0 through 192.168.255.255: 65,534 hosts
RFC 1918 has had a tremendous impact on Internet addressing and the design of public and private networks. The challenge to RFC 1918 addressing is that private addresses cannot be publicly routed. Hence, address translation is implemented. Not only does address trans- lation provide a method of conserving public address space, it also provides an additional level of protection for internal nodes, because there is no way to route to a private address from the Internet.
Address translation is the method used by the Cisco PIX Firewall to give internal nodes with private IP addresses access to the Internet. The internal node addresses that are trans- lated are called local addresses, and the addresses that are translated to are called global addresses. nat and global commands are applied to specific interfaces. Most commonly, Network Address Translation (NAT) takes place, translating internal addresses to external addresses, although the PIX is not limited to this configuration. It is possible to translate any address at one interface to another address at any other interface. Two types of NAT can be implemented on a Cisco PIX Firewall:
•
Dynamic address translation—Translates multiple local addresses into a limitednumber of global public addresses or possibly a single global address. This is called dynamic address translation because the firewall selects the first available global address and assigns it when creating an outbound connection. The internal source retains the global address for the duration of the connection. Dynamic address translation is broken into two types:
— Network Address Translation (NAT)—Translating multiple local addresses to a pool of global addresses.
— Port Address Translation (PAT)—Translating multiple local addresses to a single global address. This method is called Port Address Translation because the firewall uses a single translated source address but changes the source port to allow multiple connections via a single global address. The limitation for PAT is approximately 64,000 hosts due to the limited number of available ports (65,535) and the number of ports already assigned to specific services. Some applications do not work through PAT because they require specific source and destination ports.
•
Static translation—Allows for a one-to-one ratio of local to global addresses. Statictranslation is commonly used when the internal node must be accessed from the Internet. Web servers and mail servers must have static addresses so that users on the Internet can connect to them via their global address.
Address Translation 73