Traffic that traverses a network always has a source and destination address. This commu-nication is based on the seven layers of the OSI reference model. Layers 5 through 7 (the upper layers) handle the application data, and Layers 1 through 4 (lower layers) are respon-sible for moving the data from the source to the destination. The data is created at the appli-cation layer (Layer 7) on the source machine. Transport information is added to the upper-layer data, and then network information, followed by data link information. At this point the information is transmitted across the physical medium as electronic signals. The upper-layer data combined with the transport information is called a segment. As soon as the network information is added to the segment, it is called a packet. The packet is encapsu-lated at the data link layer (Layer 2) with the addition of the source and destination MAC address and is now called a frame. Figure 5-1 shows how the data is encapsulated at each layer of the OSI reference model.
68 Chapter 5: Understanding Cisco PIX Firewall Translation and Connections
Figure 5-1 Encapsulation of Upper-Layer Data
The two transport protocols used by TCP/IP are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). These protocols are very different. Each has its strengths and weaknesses. For this reason, they are used in different ways to play on their strengths:
•
TCP—a connection-oriented transport protocol that is responsible for reliability and efficiency of communication between nodes. TCP completes these tasks by creating connections as virtual circuits that act as two-way communications between the source and destination. TCP is very reliable and guarantees the delivery of data between nodes. TCP also can dynamically modify a connection’s transmission variables based on changing network conditions. TCP sequence numbers and TCP acknowledgment numbers are included in the TCP header. These features allow the source and destination to verify the correct, orderly delivery of data. Unfortunately, the overhead required for TCP can make it slow and keeps it from being the optimum transport protocol for some connections.How the PIX Firewall Handles Traffic 69
•
UDP—a connectionless transport protocol that is used to get the data to thedestination. UDP provides no error checking, no error correction, and no verification of delivery. UDP defers the reliability issues to the upper-layer protocols and simply resends the data rather than verifying delivery. UDP is a very simple and very fast protocol.
The upper layers determine which of the transport protocols is used when data is encapsu-lated at the source node.
Figure 5-2 illustrates the TCP communication between nodes that do not have a firewall between them. This connection requires four different transmissions to negotiate the connection:
1 The source sends a segment to the destination, asking to open a TCP session. A TCP flag is set to SYN, indicating that the source wants to initiate synchronization or a handshake. The source generates a TCP sequence number of 125.
2 The destination receives the request and sends back a reply with the TCP flags ACK and SYN set, indicating an acknowledgment of the SYN bit (receive flow) and initiation of the transmit flow. It replies to the original TCP sequence number by adding 1, sending back a sequence number of 126. It also generates and sends its own TCP sequence number, 388.
3 The source receives the SYN/ACK and sends back an ACK to indicate the
acknowledgment of the SYN for the setup of the receive flow. It adds 1 to the value of the TCP sequence number generated by the destination and sends back the number 389.
4 The acknowledgment is received, and the handshake is complete.
Figure 5-2 TCP Communication Between Nodes Without a PIX Source
10.10.10.10 Destination
192.168.1.1
1
2
3
4
70 Chapter 5: Understanding Cisco PIX Firewall Translation and Connections
Now look at how this communication is handled by the Cisco PIX Firewall (see Figure 5-3). You first notice that the number of steps required for the same transaction has changed from four to eight, although everything appears to be the same to both the source and destination.
Figure 5-3 TCP Communication Between Nodes with a PIX
The following is a list of actions taken by the Cisco PIX Firewall when processing a TCP handshake and opening a TCP session (refer to Figure 5-3):
1 The source machine initiates the connection by sending SYN. It is received by the Cisco PIX Firewall en route to the destination. PIX verifies the connection against the running configuration to determine if translation is to be completed. The running configuration is stored in memory, so this process occurs very quickly. The firewall checks to see if the inside address, 10.10.10.10, is to be translated to an outside address—in this case, 192.168.1.10 s/b 192.168.1.1. If the translation is to be completed, the PIX creates a translation slot if one does not already exist for this connection.
2 All the session information is written to the state table, and the Cisco PIX Firewall randomly generates a new TCP sequence number. This connection slot is marked in the state table as an embryonic (half-open) connection.
3 After the connection is verified against the security policy, the PIX allows the connection outside using the translated source address and the newly generated TCP sequence number.
4 The destination receives the connection request (SYN) and replies with a SYN ACK.
5 The PIX verifies the SYN ACK from the destination and matches the
acknowledgment number against the randomly generated sequence number. It verifies the connection slot and forwards the connection back to the source using the original source address and sequence number plus 1.
Source