PrepAway - Latest Free Exam Questions & Answers

Which kind of table do most firewalls use today to keep track of the connections through the firewall?

A. dynamic ACL
B. reflexive ACL
C. netflow
D. queuing
E. state
F. express forwarding

Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intro.html

Stateful Inspection Overview

All traffic that goes through the ASA is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process.

A stateful firewall like the ASA, however, takes into consideration the state of a packet:

• Is this a new connection?
If it is a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the “session management path,” and depending on the type of traffic, it might also pass through the “control plane path.”
The session management path is responsible for the following tasks:
– Performing the access list checks
– Performing route lookups
– Allocating NAT translations (xlates)
– Establishing sessions in the “fast path”
The ASA creates forward and reverse flows in the fast path for TCP traffic; the ASA also creates connection state information for connectionless protocols like UDP, ICMP (when you enable ICMP inspection), so that they can also use the fast path.
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.

• Is this an established connection?
If the connection is already established, the ASA does not need to re-check packets; most matching packets can go through the “fast” path in both directions. The fast path is responsible for the following tasks:
– IP checksum verification
– Session lookup
– TCP sequence number check
– NAT translations based on existing sessions
– Layer 3 and Layer 4 header adjustments
Data packets for protocols that require Layer 7 inspection can also go through the fast path. Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.
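To make the two paths concrete, here is an added toy model (not Cisco code, and not from the linked guide) of a connection-state table: the first packet of a session is checked against a constructed access list in the session management path, which installs forward and reverse flows; later packets in either direction hit the table and take the fast path, while an unsolicited packet with no state entry and no ACL match is dropped. Host addresses, ports and the ACL contents are constructed for the example.

```python
"""Toy stateful firewall: session management path vs. fast path (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # set on the first packet of a TCP session

# Constructed access list: only the inside host 10.0.0.5 may open HTTPS to 203.0.113.10.
ACL = {("10.0.0.5", "203.0.113.10", 443)}

class StatefulFirewall:
    def __init__(self):
        self.table = {}      # 5-tuple -> "fwd" or "rev" flow
        self.path_log = []   # which path each packet took

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def session_management_path(self, p):
        # New connection: ACL check, then establish both flows in the fast path.
        if (p.src, p.dst, p.dport) not in ACL or not p.syn:
            self.path_log.append("drop")
            return False
        self.table[self._key(p)] = "fwd"
        self.table[(p.proto, p.dst, p.dport, p.src, p.sport)] = "rev"
        self.path_log.append("session-mgmt")
        return True

    def fast_path(self, p):
        # Established connection: session lookup already succeeded, no ACL re-check.
        # (Checksum, TCP sequence and NAT steps are omitted in this toy model.)
        self.path_log.append("fast")
        return True

    def process(self, p):
        if self._key(p) in self.table:
            return self.fast_path(p)
        return self.session_management_path(p)

def run_sample():
    fw = StatefulFirewall()
    fw.process(Packet("10.0.0.5", 40000, "203.0.113.10", 443, syn=True))  # new session
    fw.process(Packet("203.0.113.10", 443, "10.0.0.5", 40000))            # server reply
    fw.process(Packet("198.51.100.7", 5555, "10.0.0.5", 40000))           # unsolicited
    return fw.path_log
```

Note that the reply from 203.0.113.10 is allowed without any ACL entry for the inbound direction; it is the state table, not an ACL, that admits it.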
