Configuring Cisco Unified Communications; Firewall Mode Overview; Stateful Inspection Overview - Cisco ASA 5505 Configuration Manual

Firewall Functional Overview
address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database
of known bad domain names and IP addresses (the blacklist), and then logs any suspicious activity. When
you see syslog messages about the malware activity, you can take steps to isolate and disinfect the host.

Configuring Cisco Unified Communications

The Cisco ASA 5500 Series appliances are a strategic platform to provide proxy functions for unified
communications deployments. The purpose of a proxy is to terminate and reoriginate connections
between a client and server. The proxy delivers a range of security functions such as traffic inspection,
protocol conformance, and policy control to ensure security for the internal network. An increasingly
popular function of a proxy is to terminate encrypted connections in order to apply security policies
while maintaining confidentiality of connections.

Firewall Mode Overview

The adaptive security appliance runs in two different firewall modes:
Routed
Transparent
In routed mode, the adaptive security appliance is considered to be a router hop in the network.
In transparent mode, the adaptive security appliance acts like a "bump in the wire," or a "stealth firewall,"
and is not considered a router hop. The adaptive security appliance connects to the same network on its
inside and outside interfaces.
You might use a transparent firewall to simplify your network configuration. Transparent mode is also
useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for
traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow
multicast streams using an EtherType access list.

Stateful Inspection Overview

All traffic that goes through the adaptive security appliance is inspected using the Adaptive Security
Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source
address, destination address, and ports, but it does not check that the packet sequence or flags are correct.
A filter also checks every packet against the filter, which can be a slow process.
Note: The TCP state bypass feature allows you to customize the packet flow. See the "TCP State Bypass"
section on page 48-3.
A stateful firewall like the adaptive security appliance, however, takes into consideration the state of a
packet:
Is this a new connection?
If it is a new connection, the adaptive security appliance has to check the packet against access lists
and perform other tasks to determine if the packet is allowed or denied. To perform this check, the
first packet of the session goes through the "session management path," and depending on the type
of traffic, it might also pass through the "control plane path."
The session management path is responsible for the following tasks:
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 1 Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance
1-18
OL-20339-01
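The contrast drawn above between a simple packet filter and stateful inspection, as an added example that is not part of the Cisco guide: a toy model in which a stateless filter judges every packet against the access list alone, while the stateful model lets the first packet of a session (the SYN) through the access-list check, creates a session entry, and then matches later packets in both directions against that entry. The access list, hosts, ports and packet sequence are constructed, and the tcp_state_bypass switch is a simplification of the feature mentioned in the Note (it skips the "SYN first" state check but still applies the access list).

```python
# Added example, not Cisco's code: stateless packet filter vs. a simplified
# stateful inspection model. All addresses, ports and packets are constructed.
from typing import NamedTuple, List


class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags, e.g. "S" (SYN), "SA" (SYN/ACK), "A" (ACK)


# Constructed access list: the inside host may open TCP/80 to the web server.
ACL = {("10.1.1.5", "192.0.2.10", 80)}


def acl_permits(p: Pkt) -> bool:
    return (p.src, p.dst, p.dport) in ACL


def stateless_filter(pkts: List[Pkt]) -> List[bool]:
    """Simple packet filter: each packet judged only on addresses and ports."""
    return [acl_permits(p) for p in pkts]


class StatefulFirewall:
    def __init__(self, tcp_state_bypass: bool = False):
        self.sessions = set()  # (client, cport, server, sport) per session
        self.tcp_state_bypass = tcp_state_bypass  # simplified model of the feature

    def inspect(self, p: Pkt) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            return True  # established session: fast path, either direction
        if p.flags != "S" and not self.tcp_state_bypass:
            return False  # mid-stream packet with no session: dropped
        if not acl_permits(p):  # new connection: session management path
            return False
        self.sessions.add(fwd)
        return True


def run_stateful(pkts: List[Pkt], tcp_state_bypass: bool = False) -> List[bool]:
    fw = StatefulFirewall(tcp_state_bypass)
    return [fw.inspect(p) for p in pkts]


# Constructed traffic: one legitimate handshake, a stray ACK with no session,
# and a SYN to a port the access list does not permit.
PACKETS = [
    Pkt("10.1.1.5", 40000, "192.0.2.10", 80, "S"),   # client SYN
    Pkt("192.0.2.10", 80, "10.1.1.5", 40000, "SA"),  # server SYN/ACK (return traffic)
    Pkt("10.1.1.5", 40000, "192.0.2.10", 80, "A"),   # client ACK
    Pkt("10.1.1.5", 40001, "192.0.2.10", 80, "A"),   # ACK with no prior SYN
    Pkt("10.1.1.5", 40002, "192.0.2.10", 22, "S"),   # SYN to a denied port
]
```

The stateless filter drops the server's return traffic (no explicit rule for it) yet accepts the stray ACK, while the stateful model accepts the return traffic because the SYN created a session and drops the ACK because no session exists.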
