Table of Contents
Advertisement
Vantage CNM 2.0
Below is a brief technical description of how these connections are tracked. Connections may either be defined
by the upper protocols (for instance, TCP), or by the ZyXEL device itself (as with the "virtual connections"
created for UDP and ICMP).
12.5.3 TCP Security
The ZyXEL device uses state information embedded in TCP packets. The first packet of any new connection has
its SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets that do not have this flag
structure are called "subsequent" packets, since they represent data that occurs later in the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to make a connection from the
Internet into the LAN. Except in a few special cases (see "Upper Layer Protocols" shown next), these packets are
dropped and logged.
If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the
LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default
policy), the connection will be allowed. A cache entry is added which includes connection information such as
IP addresses, TCP ports, sequence numbers, etc.
When the ZyXEL device receives any subsequent packet (from the Internet or from the LAN), its connection
information is extracted and checked against the cache. A packet is only allowed to pass through if it
corresponds to a valid connection (that is, if it is a response to a connection which originated on the LAN).
12.5.4 UDP/ICMP Security
UDP and ICMP do not themselves contain any connection information (such as sequence numbers). However, at
the very minimum, they contain an IP address pair (source and destination). UDP also contains port pairs, and
ICMP has type and code information. All of this data can be analyzed in order to build "virtual connections" in
the cache.
For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP address and port pairs
will be stored. For a short period of time, UDP packets from the WAN that have matching IP and UDP
information will be allowed back in through the firewall.
A similar situation exists for ICMP, except that the ZyXEL device is even more restrictive. Specifically, only
outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address
mask replies, and outgoing timestamp requests will allow incoming timestamp replies. No other ICMP packets
are allowed in through the firewall, simply because they are too dangerous and contain too little tracking
information. For instance, ICMP redirect packets are never allowed in, since they could be used to reroute traffic
through attacking machines.
12.5.5 Upper Layer Protocols
Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously.
In general terms, they usually have a "control connection" which is used for sending commands between
endpoints, and then "data connections" which are used for transmitting bulk information.
Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet and
requests a file. At this point, the remote server will open a data connection from the Internet. For FTP to work
properly, this connection must be allowed to pass through even though a connection from the Internet would
normally be rejected.
In order to achieve this, the ZyXEL device inspects the application-level FTP data. Specifically, it searches for
outgoing "PORT" commands, and when it sees these; it adds a cache entry for the anticipated data connection.
This can be done safely, since the PORT command contains address and port information, which can be used to
uniquely identify the connection.
12-6
Configuration > Firewall
Advertisement
Table of Contents
