Nortel Contivity 221 User Manual page 139

Firewalls 9-11
9.5.3 TCP Security
The Contivity 221 uses state information embedded in TCP packets. The first packet of any new
connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets
that do not have this flag structure are called "subsequent" packets, since they represent data that
occurs later in the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to make a
connection from the Internet into the LAN. Except in a few special cases (see "Upper Layer
Protocols" shown next), these packets are dropped and logged.
If an initiation packet originates on the LAN, this means that someone is trying to make a
connection from the LAN to the Internet. Assuming that this is an acceptable part of the security
policy (as is the case with the default policy), the connection will be allowed. A cache entry is
added which includes connection information such as IP addresses, TCP ports, sequence numbers,
etc.
When the Contivity 221 receives any subsequent packet (from the Internet or from the LAN), its
connection information is extracted and checked against the cache. A packet is only allowed to
pass through if it corresponds to a valid connection (that is, if it is a response to a connection which
originated on the LAN).
9.5.4 UDP/ICMP Security
UDP and ICMP do not themselves contain any connection information (such as sequence
numbers). However, at the very minimum, they contain an IP address pair (source and destination).
UDP also contains port pairs, and ICMP has type and code information. All of this data can be
analyzed in order to build "virtual connections" in the cache.
For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP address
and port pairs will be stored. For a short period of time, UDP packets from the WAN that have
matching IP and UDP information will be allowed back in through the firewall.
A similar situation exists for ICMP, except that the Contivity 221 is even more restrictive.
Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask
requests will allow incoming address mask replies, and outgoing timestamp requests will allow
incoming timestamp replies. No other ICMP packets are allowed in through the firewall, simply
because they are too dangerous and contain too little tracking information. For instance, ICMP
redirect packets are never allowed in, since they could be used to reroute traffic through attacking
machines.
Contivity 221 VPN Switch User's Guide