HPE FlexNetwork MSR Series Comware 5 Security Configuration Guide
• TACL—Created at the same time as the status entry and deleted at the end of the session. It is equivalent to a permit statement in an extended ACL. The TACL is mainly used to match all the return packets of the session and can set up a temporary return channel on the external interface of the firewall for packets returned by the application.
Multi-channel application layer protocol inspection—Using FTP inspection as an example, the following explains the process of multi-channel application layer protocol inspection:

As shown in Figure 113, FTP connections are established as follows:
1. The FTP client initiates an FTP control connection from port 1333 to port 21 of the FTP server.
2. As a result of negotiation, the server initiates a data connection from port 20 to port 1600 of the client.
3. When data transmission times out or ends, the data connection is removed.
Figure 113 Network diagram for FTP inspection
ASPF implements FTP inspection during the FTP connection lifetime:
4. The ASPF checks IP packets on the outbound interface to identify TCP-based FTP packets.
5. Based on the port number, the ASPF determines whether the connection is a control connection. If yes, it creates a TACL for returned packets and a status entry.
6. The ASPF checks each FTP control connection packet, analyzes the FTP instruction, and updates the status entry based on the instruction. If the packet contains a data channel setup instruction, the ASPF creates a TACL for the data connection. For a data connection, the ASPF does not perform status inspection.
7. For returned control connection packets, the ASPF first matches these packets against the control connection TACL, then checks their application status based on the application type, and determines whether to permit the packets to pass according to the results of both checks. For returned data connection packets, the ASPF only performs the data connection TACL match.
8. When the FTP connection is removed, the ASPF removes the status entry and TACL accordingly.
Single-channel application protocol inspection—The inspection process for a single-channel protocol (such as SMTP or HTTP) is relatively simple: a TACL is created when the connection is initiated and deleted when the connection is removed.
Transport layer protocol inspection
The transport layer protocol inspection here refers to general TCP/UDP inspection. Unlike application layer protocol inspection, general TCP/UDP inspection looks only at the transport layer information in the packets, such as source and destination addresses and port numbers. General TCP/UDP inspection requires a full match between the packets returned to the external interface of the ASPF and the packets previously sent out from that interface, namely an exact match of the source and destination addresses and port numbers. Otherwise, the return packets are blocked. Therefore, for multi-channel application layer protocols like FTP and H.323, deploying TCP inspection without application layer inspection causes the data connection to fail to be established, because the server-initiated data channel does not match any previously sent packet.
[Figure 113 (diagram): FTP client (control port 1333, data port 1600) and FTP server (control port 21, data port 20). The control connection carries FTP instructions and responses; the data connection is shown separately.]
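The following is an added example, not code from the HPE guide and not a model of the Comware implementation. It is a small Python simulation of the two inspection modes described above: general TCP inspection, which only admits a return packet whose 5-tuple is the exact reverse of a packet previously sent out, and FTP application inspection, which additionally parses the active-mode PORT command on the control connection and opens a temporary TACL for the server-initiated data connection (port 20 to the negotiated client port), then removes the status entry and all TACLs when the session closes. The addresses, ports and FTP payloads are constructed sample values chosen to match Figure 113 (client port 1333/1600, server port 21/20).

```python
"""Toy ASPF-style inspector with temporary ACLs (TACLs). Constructed example."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

    def flow(self):
        """Flow key of this packet (protocol fixed to TCP in this model)."""
        return ("tcp", self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self):
        """Flow key a return packet for this packet would carry."""
        return ("tcp", self.dst, self.dport, self.src, self.sport)


# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" -> client listens on h1.h2.h3.h4:(p1*256+p2)
_PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class Aspf:
    """Tracks outbound sessions; TACLs are keyed by the return flow they permit."""

    def __init__(self, ftp_inspection: bool):
        self.ftp_inspection = ftp_inspection
        self.status = {}  # control session flow -> application status
        self.tacl = {}    # permitted return flow -> session that created it

    def outbound(self, pkt: Packet) -> None:
        """Packet leaving the external interface: create/update state and TACLs."""
        session = pkt.flow()
        # General TCP inspection: only the exact reverse 5-tuple may come back.
        self.tacl[pkt.reverse_flow()] = session
        if self.ftp_inspection and pkt.dport == 21:
            self.status.setdefault(session, "control-open")
            self._inspect_ftp_command(pkt, session)

    def _inspect_ftp_command(self, pkt: Packet, session) -> None:
        """Parse a data-channel setup instruction and open a TACL for it."""
        m = _PORT_CMD.match(pkt.payload)
        if not m:
            return
        client_ip = ".".join(m.group(i).decode() for i in range(1, 5))
        client_port = int(m.group(5)) * 256 + int(m.group(6))
        self.status[session] = "data-setup"
        # Data connection TACL: server port 20 -> client's announced port.
        self.tacl[("tcp", pkt.dst, 20, client_ip, client_port)] = session

    def inbound(self, pkt: Packet) -> bool:
        """Return packet on the external interface: permit only on TACL match."""
        session = self.tacl.get(pkt.flow())
        if session is None:
            return False
        if self.ftp_inspection and pkt.reverse_flow() == session:
            # Control-connection return packet: TACL match plus status check.
            return session in self.status
        # Data-connection return packet: TACL match only, no status inspection.
        return True

    def close(self, control: Packet) -> None:
        """Session removed: drop its status entry and every TACL it owns."""
        session = control.flow()
        self.status.pop(session, None)
        self.tacl = {k: v for k, v in self.tacl.items() if v != session}


def simulate(ftp_inspection: bool) -> dict:
    """Replay the Figure 113 exchange with constructed addresses and report
    which return packets the inspector admits."""
    client, server = "10.0.0.2", "203.0.113.5"
    aspf = Aspf(ftp_inspection)
    control = Packet(client, 1333, server, 21)
    aspf.outbound(control)  # step 1: client opens the control connection
    control_reply = Packet(server, 21, client, 1333, b"220 ready\r\n")
    # Client announces its data port: 1600 = 6*256 + 64, encoded as "6,64".
    aspf.outbound(Packet(client, 1333, server, 21, b"PORT 10,0,0,2,6,64\r\n"))
    data = Packet(server, 20, client, 1600)    # step 2: server-initiated data connection
    stray = Packet(server, 20, client, 1601)   # same server, wrong client port
    result = {
        "control_reply": aspf.inbound(control_reply),
        "data_connection": aspf.inbound(data),
        "wrong_data_port": aspf.inbound(stray),
    }
    aspf.close(control)  # step 8: session removed, state and TACLs torn down
    result["after_close_control"] = aspf.inbound(control_reply)
    result["after_close_data"] = aspf.inbound(data)
    return result


if __name__ == "__main__":
    print("general TCP inspection only:", simulate(False))
    print("with FTP inspection:        ", simulate(True))
```

Running the script shows the failure mode the text describes: with general TCP inspection alone the control reply is admitted but the server's data connection from port 20 to port 1600 is dropped, because no outbound packet ever carried that reverse 5-tuple; with FTP inspection the PORT command opens a TACL for exactly that flow, a packet to any other client port is still dropped, and closing the control session removes both the status entry and the data TACL.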
