Cisco PIX 500 Series Configuration Manual page 50

Firewall Functional Overview
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by
scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The
scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection
that is based on traffic signatures, the security appliance scanning threat detection feature maintains an
extensive database that contains host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed
service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
You can configure the security appliance to send system log messages about an attacker or you can
automatically shun the host.
Firewall Mode Overview
The security appliance runs in two different firewall modes:
•
•
In routed mode, the security appliance is considered to be a router hop in the network.
In transparent mode, the security appliance acts like a "bump in the wire," or a "stealth firewall," and is
not considered a router hop. The security appliance connects to the same network on its inside and
outside interfaces.
You might use a transparent firewall to simplify your network configuration. Transparent mode is also
useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for
traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow
multicast streams using an EtherType access list.
Stateful Inspection Overview
All traffic that goes through the security appliance is inspected using the Adaptive Security Algorithm
and either allowed through or dropped. A simple packet filter can check for the correct source address,
destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter
also checks every packet against the filter, which can be a slow process.
A stateful firewall like the security appliance, however, takes into consideration the state of a packet:
•
Note
Cisco Security Appliance Command Line Configuration Guide
1-4
Routed
Transparent
Is this a new connection?
If it is a new connection, the security appliance has to check the packet against access lists and
perform other tasks to determine if the packet is allowed or denied. To perform this check, the first
packet of the session goes through the "session management path," and depending on the type of
traffic, it might also pass through the "control plane path."
The session management path is responsible for the following tasks:
Performing the access list checks
–
Performing route lookups
–
– Allocating NAT translations (xlates)
– Establishing sessions in the "fast path"
The session management path and the fast path make up the "accelerated security path."
Chapter 1 Introduction to the Security Appliance
OL-12172-03