ASPF
ASPF (Application Specific Packet Filter) was introduced to address problems that a static packet filter cannot solve. An ASPF implements application layer specific and transport layer specific, that is, status-based (stateful), packet filtering. An ASPF can inspect the application layer protocols FTP, GTP, HTTP, SMTP, RTSP, SCCP, SIP, and H.323 (Q.931, H.245, and RTP/RTCP), and the transport layer protocols TCP and UDP.
ASPF functions
An ASPF provides the following functions:
Application layer protocol inspection—ASPF checks the application layer information of packets, such as the protocol type and port number, and inspects the application layer protocol status for each connection. ASPF maintains the status information of each connection, and based on the status information, determines whether to permit a packet to pass through the firewall into the internal network, thus defending the internal network against attacks.
Transport layer protocol inspection—ASPF checks a TCP/UDP packet's source and destination addresses and port numbers to determine whether to permit the packet to pass through the firewall into the internal network. ASPF checks an ESP packet's source and destination addresses to determine whether to permit the packet to pass through the firewall into the internal network.
Java blocking—ASPF inspects the contents of application layer packets, and performs Java blocking for untrusted sites, protecting the network against malicious Java applets.
Enhanced session logging—ASPF can record information about each connection, including its duration, source and destination addresses and port numbers, and the number of bytes transmitted.
Port to Application Mapping (PAM)—Allows you to specify port numbers other than the standard ones for application layer protocols.
TCP SYN check—ASPF checks the first packet of a TCP connection to see if it is a SYN packet. If it is not a SYN packet, ASPF drops the packet.
At the border of a network, an ASPF can work together with a packet-filter firewall to provide a more comprehensive security policy that better matches the network's actual needs.
Basic concepts of ASPF
Java blocking
Java blocking is a feature for blocking malicious Java applets transported over HTTP. With Java blocking enabled, when an internal user requests a Web page containing Java applets from an untrusted site, the ASPF processes the HTTP response and blocks the applets.
PAM
Application layer protocols normally communicate on their standard port numbers. PAM allows you to define non-standard port numbers for applications, and provides the mechanisms to maintain and use the configuration information of these user-defined ports.
PAM supports two types of port mapping mechanisms: general port mapping and host port mapping.
General port mapping—A mapping of a user-defined port number to an application layer protocol. If port 8080 is mapped to HTTP, for example, all TCP packets to port 8080 are regarded as HTTP packets.
Host port mapping—A mapping of a user-defined port number to an application layer protocol for packets to/from specific hosts. For example, you can establish a host port mapping so that all TCP packets using 8080 as the destination port and 10.110.0.0/16 as the destination network segment are regarded as HTTP packets. The hosts can be specified by means of a basic ACL.
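The following is an added example, not code from the page or from the vendor, that models both mapping mechanisms. It assumes a lookup order the page does not state: a host port mapping whose network matches the packet's destination wins over a general mapping, which in turn overrides the standard port table. Names such as PortMapper and build_example_mapper, and the sample mappings, are constructed for illustration.

```python
import ipaddress

# Standard ports the inspector recognises by default (constructed subset).
STANDARD_PORTS = {21: "ftp", 25: "smtp", 80: "http", 554: "rtsp"}


class PortMapper:
    """Port to Application Mapping with general and host port mappings.

    Lookup order (an assumption; the page states no precedence): a host port
    mapping whose basic-ACL-style network matches the destination wins over
    a general mapping, which wins over the standard port table.
    """

    def __init__(self):
        self.general = {}   # port -> application
        self.host = []      # (network, port, application)

    def map_general(self, port, app):
        """General port mapping: port -> application for every host."""
        self.general[port] = app

    def map_host(self, network, port, app):
        """Host port mapping: port -> application only for destinations in network."""
        self.host.append((ipaddress.ip_network(network), port, app))

    def classify(self, dst_ip, dst_port):
        """Return the application a TCP packet to dst_ip:dst_port belongs to,
        or None if no mapping or standard port applies."""
        addr = ipaddress.ip_address(dst_ip)
        for net, port, app in self.host:
            if port == dst_port and addr in net:
                return app
        if dst_port in self.general:
            return self.general[dst_port]
        return STANDARD_PORTS.get(dst_port)


def build_example_mapper():
    """Constructed configuration: 8080 is HTTP everywhere, and 2121 is FTP
    only for servers in 10.110.0.0/16."""
    pam = PortMapper()
    pam.map_general(8080, "http")
    pam.map_host("10.110.0.0/16", 2121, "ftp")
    return pam
```

With this configuration a packet to 10.110.3.4:2121 is inspected as FTP, while the same port on a host outside 10.110.0.0/16 has no application mapping and receives only general TCP inspection.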
Single-channel protocol and multi-channel protocol
Single-channel protocol—A single-channel protocol establishes only one channel to exchange both control messages and data for a user. SMTP and HTTP are examples of single-channel protocols.
Multi-channel protocol—A multi-channel protocol establishes more than one channel for a user and transfers control messages and user data through different channels. FTP and RTSP are examples of multi-channel protocols.
Internal interface and external interface
On an edge device configured with ASPF to protect servers on the internal network, interfaces connected with the internal network are internal interfaces and the interface connected with the Internet is the external interface.
When an ASPF is applied on the outbound direction of the external interface of a device, a temporary channel can be opened on the firewall for return packets to internal network users accessing the Internet.
Application layer protocol inspection
As shown in Figure 112, ACLs on the edge device deny incoming packets to the internal network. The ASPF application layer protocol inspection allows return packets from the external network to the internal network.
Figure 112: Application layer protocol inspection
After the application layer protocol inspection is enabled on the router, the ASPF inspects each application layer session and creates a status entry and a temporary access control list (TACL) for the session. For a multi-channel protocol, a TACL will also be created for data channels.
Status entry—Created when ASPF detects the session's first packet sent to the Internet, and is used to maintain the status of the session at different points of time and to determine whether state transitions of the session are correct.
TACL—Created at the same time the status entry is created, and is deleted at the end of the session. It is equivalent to a permit statement in an extended ACL. The TACL is mainly used to match all the return packets of the session, and can set up a temporary return channel on the external interface of the firewall for packets returned by the application.
Multi-channel application layer protocol inspection—Using FTP inspection as an example, the following explains the process of multi-channel application layer protocol inspection:
As shown in Figure 113, FTP connections are established as follows:
The FTP client initiates an FTP control connection from port 1333 to port 21 of the FTP server.
After negotiation on the control connection (in active mode, the client announces its data port with a PORT command), the server initiates a data connection from its port 20 to port 1600 of the client.
When data transmission times out or ends, the data connection is removed.
Figure 113: Network diagram for FTP inspection
ASPF implements FTP inspection during the FTP connection lifetime:
The ASPF checks IP packets on the outbound interface to identify TCP-based FTP packets.
Based on the port number, the ASPF determines whether the connection is a control connection. If yes, it creates a TACL for returned packets and a status entry.
The ASPF checks each FTP control connection packet, analyzes the FTP instruction, and updates the status entry based on the instruction. If the packet contains a data channel setup instruction, the ASPF creates a TACL for the data connection. For a data connection, the ASPF does not perform status inspection.
For returned control connection packets, the ASPF first matches these packets against the control connection TACL, and then checks their application status based on the application type, and determines whether to permit the packets to pass according to the results of the match checks. For returned data connection packets, the ASPF only performs the data connection TACL match.
When the FTP connection is removed, the ASPF removes the status entry and TACL accordingly.
Single channel application protocol inspection—The inspection process for a single-channel protocol (such as SMTP and HTTP) is relatively simple: a TACL is created at the connection initiation and is deleted when the connection is removed.
Transport layer protocol inspection
The transport layer protocol inspection here refers to general TCP/UDP inspection. Unlike application layer protocol inspection, general TCP/UDP inspection looks only at the transport layer information in the packets, namely the source and destination addresses and port numbers. A packet returning to the external interface of the ASPF is permitted only if it exactly mirrors a packet previously sent out from that interface: its source address and port must equal the destination address and port of the outbound packet, and its destination address and port must equal the outbound packet's source address and port. Any other return packet is blocked. Therefore, for multi-channel application layer protocols such as FTP and H.323, in which the remote end opens a new connection on a port negotiated over the control channel, deploying TCP inspection without application layer inspection causes data connection setup to fail.
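The following is an added example, not code from the page or from the vendor. It simulates the ASPF behaviour described above for the FTP session of Figure 113 in both modes: with application layer inspection (status entry, control connection TACL, and a data TACL created when a PORT command is seen) and with general TCP inspection only (return packets must reverse an outbound 5-tuple). It also applies the TCP SYN check and tears the TACLs down when the control connection closes. The Packet model, the ASPF class, the addresses, and the FTP exchange are constructed for illustration; the refusal to open a data channel for a PORT command that names an address other than the client itself is an added hardening assumption (an FTP bounce guard), not something the page states.

```python
import re
from collections import namedtuple

# Constructed packet model: IPv4 addresses, TCP ports, TCP flag letters, payload.
Packet = namedtuple("Packet", "src sport dst dport flags payload")

FTP_CONTROL_PORT = 21   # standard port; a PAM general mapping could add others
FTP_DATA_PORT = 20      # server-side source port of an active-mode data connection


class ASPF:
    """Simulated ASPF applied outbound on the external interface.

    app_inspect=True  -> FTP application layer inspection: a status entry plus
                         a control-connection TACL, and a data TACL whenever a
                         PORT command is seen on the control channel.
    app_inspect=False -> general TCP inspection only: a return packet must
                         exactly reverse an outbound 5-tuple.
    """

    def __init__(self, app_inspect=True):
        self.app_inspect = app_inspect
        self.status = {}   # outbound flow -> {"proto", "cmd", "data": [data flows]}
        self.tacl = set()  # return flows (src, sport, dst, dport) permitted inbound

    @staticmethod
    def _reverse(flow):
        src, sport, dst, dport = flow
        return (dst, dport, src, sport)

    def outbound(self, pkt):
        """Internal -> Internet packet seen on the external interface."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.status.get(flow)
        if entry is None:
            # TCP SYN check: the first packet of a connection must be a SYN.
            if "S" not in pkt.flags:
                return "drop: first packet is not a SYN"
            proto = "ftp" if self.app_inspect and pkt.dport == FTP_CONTROL_PORT else "tcp"
            entry = self.status[flow] = {"proto": proto, "cmd": None, "data": []}
            self.tacl.add(self._reverse(flow))  # temporary return channel
        if entry["proto"] == "ftp" and pkt.payload:
            self._inspect_ftp(flow, entry, pkt)
        if "F" in pkt.flags or "R" in pkt.flags:
            self._close(flow, entry)  # simplified: teardown on client FIN/RST
        return "permit"

    def _inspect_ftp(self, flow, entry, pkt):
        """Analyse the FTP instruction on the control channel, update the status
        entry, and open a data TACL when a PORT command is seen."""
        text = pkt.payload.decode("ascii", "replace").strip()
        entry["cmd"] = text.split(" ", 1)[0].upper()
        m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text)
        if not m:
            return
        h = [int(x) for x in m.groups()]
        announced_ip = ".".join(str(x) for x in h[:4])
        data_port = h[4] * 256 + h[5]
        # Assumed hardening (not on the page): only open a channel back to the
        # client that sent the command, on an unprivileged port (FTP bounce guard).
        if announced_ip != pkt.src or not 1024 <= data_port <= 65535:
            entry["cmd"] = "PORT-REJECTED"
            return
        server = flow[2]
        data_flow = (server, FTP_DATA_PORT, announced_ip, data_port)
        entry["data"].append(data_flow)
        self.tacl.add(data_flow)   # data connection TACL; no status inspection

    def _close(self, flow, entry):
        """Remove the status entry and every TACL that belongs to the session."""
        self.tacl.discard(self._reverse(flow))
        for data_flow in entry["data"]:
            self.tacl.discard(data_flow)
        del self.status[flow]

    def inbound(self, pkt):
        """Internet -> internal packet: permitted only if a TACL matches."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return "permit" if flow in self.tacl else "drop: no TACL match"


def run_active_ftp(app_inspect):
    """Replay a constructed active-mode FTP session like Figure 113 and
    return the verdict for each interesting packet."""
    client, server = "10.1.1.2", "203.0.113.7"
    fw = ASPF(app_inspect)
    v = {}
    v["ctrl_syn"] = fw.outbound(Packet(client, 1333, server, 21, "S", b""))
    v["ctrl_synack"] = fw.inbound(Packet(server, 21, client, 1333, "SA", b""))
    fw.outbound(Packet(client, 1333, server, 21, "A", b"USER anonymous\r\n"))
    fw.outbound(Packet(client, 1333, server, 21, "A", b"PORT 10,1,1,2,6,64\r\n"))  # 6*256+64 = 1600
    v["data_syn"] = fw.inbound(Packet(server, 20, client, 1600, "S", b""))   # server -> client data
    v["stray"] = fw.inbound(Packet(server, 20, client, 1601, "S", b""))      # unannounced port
    v["bad_first"] = fw.outbound(Packet(client, 4000, server, 80, "A", b""))  # fails SYN check
    fw.outbound(Packet(client, 1333, server, 21, "FA", b""))                  # client closes control
    v["after_close"] = fw.inbound(Packet(server, 20, client, 1600, "A", b""))
    return v
```

Running run_active_ftp(True) permits the server-initiated data SYN to port 1600 because the PORT command opened a data TACL, and run_active_ftp(False) drops the same packet: general TCP inspection only holds the reverse of the control connection 5-tuple, which is exactly the failure mode described for multi-channel protocols.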