It is at the same time trivial to configure and powerful enough to provide the security you need.
Its functions are:
- Traffic filtering
- Traffic inspection
- Alerts and audit trails
1) Traffic filtering
Traffic filtering is done with ACLs; any non-stateful rule can be applied.
The ACLs only ever filter initiating packets: return traffic is handled by the inspection engine, not by the ACLs.
2) Traffic inspection
The inspection engine examines IP packets and updates its state tables.
It permits only return traffic that belongs to an existing session.
Return traffic matched against the state table bypasses all ACLs.
3) Alerts and Audit Trails
Automatic alerts are sent by default and can be disabled (ipv6 inspect alert-off). The audit trail (ipv6 inspect audit-trail) generates one log entry per session with:
- Source Address and port
- Destination Address and port
- Amount of data transmitted
End-to-End connectivity
Stateful inspection breaks end-to-end connectivity, the same limitation as IPv4 NAT: only traffic that belongs to an existing session is permitted, so nothing from outside can reach an inside host unless that host initiated the exchange.
Layer 7 protocol-specific inspection is required for complex protocols (FTP, for example, negotiates a second connection on its control channel).
Solution: perform stateful inspection only on the end host, which knows which sessions it expects.
TCP Session Inspection
TCP is connection-oriented. The stateful packet inspection engine checks the TCP flags to build its state table:
- the SYN, SYN-ACK, ACK exchange builds a connection
- FIN and RST tear it down
UDP and ICMP Traffic
UDP and ICMP are connectionless: the hosts do not keep track of sessions or store any connection state, so the firewall has to approximate one.
For UDP, stateful packet inspection briefly waits for return packets that match the address and port pair of the outgoing packet.
For ICMP, stateful packet inspection briefly waits for packets matching the outgoing traffic (an echo reply for an echo request, for example).
FTP Inspection
FTP control packets are inspected and the data connection information (the address and port negotiated with PORT/EPRT or PASV/EPSV) is extracted.
The data connection packets are then permitted by stateful packet inspection.
The mechanism fails if the control channel is encrypted (FTP over TLS, for instance): the firewall can no longer read the negotiation, so the data connection is blocked.
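The control-channel parsing behind FTP inspection for IPv6 (EPRT and EPSV, RFC 2428), including the failure once AUTH TLS is accepted, as an added example. This is illustrative code written for this page, not Cisco's implementation: the FtpInspector class, its pinhole representation and the exchange in demo() are constructed.

```python
"""FTP inspection over IPv6 (added example, not Cisco's code). The control channel
is watched for the data-connection negotiation: EPRT from the client (active mode,
the server connects back to the client) and the 229 reply to EPSV from the server
(passive mode, the client connects to the server). A matching pinhole is opened and
the data connection is then admitted like any other tracked session. Once the
client's AUTH TLS is accepted, the control channel is encrypted and nothing more
can be learned, which is the failure the text describes."""
import re

EPRT = re.compile(r"^EPRT \|2\|(?P<addr>[0-9A-Fa-f:]+)\|(?P<port>\d{1,5})\|$")  # AF 2 = IPv6
EPSV_229 = re.compile(r"^229 .*\(\|\|\|(?P<port>\d{1,5})\|\)")


class FtpInspector:
    def __init__(self, client, server):
        self.client, self.server = client, server
        self.tls_requested = self.encrypted = False
        self.pinholes = set()   # (initiator, responder, responder_port) allowed to open TCP

    def control(self, direction, line):
        """Feed one control-channel line ('out' = client to server, 'in' = server reply).
        Returns the pinhole opened, or None."""
        if self.encrypted:
            return None         # TLS: the negotiation is opaque to the firewall
        line = line.rstrip("\r\n")
        if direction == "out":
            if line.upper() == "AUTH TLS":
                self.tls_requested = True
            m = EPRT.match(line)
            if m:
                port = int(m["port"])
                # Accept only a data port on the client itself (refuses FTP bounce) and
                # only in the ephemeral range; the server will initiate the connection.
                if m["addr"].lower() != self.client.lower() or port < 1024:
                    return None
                hole = (self.server, self.client, port)
                self.pinholes.add(hole)
                return hole
        else:
            if self.tls_requested and line.startswith("234"):
                self.encrypted = True   # server accepted AUTH TLS
            m = EPSV_229.match(line)
            if m:
                hole = (self.client, self.server, int(m["port"]))  # client connects out
                self.pinholes.add(hole)
                return hole
        return None

    def data_permitted(self, src, dst, dport):
        """Would a TCP SYN src -> dst:dport be admitted as an FTP data connection?"""
        hole = (src, dst, dport)
        if hole in self.pinholes:
            self.pinholes.discard(hole)  # one data connection per negotiation
            return True
        return False


def demo():
    """Constructed control-channel exchange; returns a dict of outcomes."""
    client, server = "2001:db8:1::10", "2001:db8:2::21"
    fw = FtpInspector(client, server)
    out = {}
    fw.control("in", "220 ftp ready")
    fw.control("in", "229 Entering Extended Passive Mode (|||40123|)")
    out["passive_ok"] = fw.data_permitted(client, server, 40123)
    fw.control("out", "EPRT |2|2001:db8:1::10|50001|")
    out["active_ok"] = fw.data_permitted(server, client, 50001)
    out["active_reuse"] = fw.data_permitted(server, client, 50001)       # pinhole consumed
    out["bounce"] = fw.control("out", "EPRT |2|2001:db8:3::99|50002|")   # third party: refused
    fw.control("out", "AUTH TLS")
    fw.control("in", "234 AUTH TLS OK")
    out["after_tls"] = fw.control("in", "229 Entering Extended Passive Mode (|||40124|)")
    return out
```

The active-mode pinhole is the important one: the server initiates that connection from outside, so without it the inbound SYN would be an initiating packet and fall to the ACL. In passive mode the client initiates, which inspection applied outbound already permits; the pinhole only matters when an outbound ACL restricts destination ports. After the 234 reply nothing can be parsed, which is exactly why FTP over TLS breaks this inspection.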
Inspection Configuration
- Define the inspection rules (one per protocol to inspect)
- Apply the inspection to an interface, in the initiating direction
ipv6 inspect name Out tcp
ipv6 inspect name Out udp
ipv6 inspect name Out icmp
ipv6 inspect name Out ftp
interface GigabitEthernet
 ipv6 inspect Out out
IPv6 Routing Header
By default, packets carrying an IPv6 routing header are dropped; they are only permitted if ipv6 inspect routing-header is configured. Leave it off unless something really needs it: the type 0 routing header was deprecated by RFC 5095 because it allows traffic amplification and filter evasion.
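How a firewall finds a routing header in the first place, as an added example (not Cisco's code): walk the IPv6 extension-header chain of a raw packet, report the Routing header (next header value 43) if present, and apply the default-drop policy described above. The build_packet() helper and its addresses are constructed for the example.

```python
"""Routing-header check (added example, not Cisco's code). Walks the IPv6 extension
header chain of a raw packet and reports whether a Routing header (next header 43)
is present; the policy drops such packets unless explicitly permitted, mirroring
the page's description of 'ipv6 inspect routing-header'."""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
MAX_HEADERS = 8                          # refuse to walk absurdly long chains


def extension_chain(pkt):
    """Return ([(next_header_value, offset, length), ...], upper_layer_protocol)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXTENSION_HEADERS and off + 2 <= len(pkt) and len(chain) < MAX_HEADERS:
        if nh == FRAGMENT:
            length = 8                       # fixed size
        elif nh == AH:
            length = (pkt[off + 1] + 2) * 4  # AH length is in 32-bit words minus 2
        else:
            length = (pkt[off + 1] + 1) * 8  # hdr ext len in 8-octet units, first 8 not counted
        chain.append((nh, off, length))
        nh, off = pkt[off], off + length
    return chain, nh


def routing_header_type(pkt):
    """Routing Type of the first Routing header, or None if the packet has none."""
    for nh, off, _ in extension_chain(pkt)[0]:
        if nh == ROUTING:
            return pkt[off + 2]
    return None


def forward(pkt, permit_routing_header=False):
    """Default policy: drop anything carrying a Routing header unless permitted."""
    return routing_header_type(pkt) is None or permit_routing_header


def build_packet(src, dst, routing_type=None):
    """Constructed sample: IPv6 + optional Routing header + a 20-byte TCP SYN header."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    payload, nh = tcp, 6
    if routing_type is not None:
        via = ipaddress.IPv6Address("2001:db8:3::1").packed
        # next header, hdr ext len (2 x 8 octets = one address), type, segments left, reserved
        payload = struct.pack("!BBBBI", 6, 2, routing_type, 1, 0) + via + tcp
        nh = ROUTING
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nh, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload
```

The chain walk matters because the Routing header need not be first: it can sit behind Hop-by-Hop or Destination Options headers, so a check that only looks at the fixed header's Next Header field misses it. The cap on the number of headers is there so a hostile chain cannot make the check loop over the whole packet.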