A. ip route 209.165.201.0 255.255.255.224 209.165.202.130
B. ip route 0.0.0.0 0.0.0.0 209.165.200.224
C. ip route 209.165.200.224 255.255.255.224 209.165.202.129 254
D. ip route 0.0.0.0 0.0.0.0 209.165.202.131
Correct Answer: C
Suppose a user initiates an outbound connection, such as Telnet, from a protected network to an external network, and the Classic Firewall is enabled to detect Telnet traffic. Also assume that an ACL is applied on the external interface to block Telnet traffic from entering the protected network. The connection goes through multiple operational steps, as follows.

Step 1 When the traffic is first generated, it traverses the router and, if an inbound ACL is applied on the router interface, the ACL is processed first. If the ACL rejects this type of outbound connection, the packet is dropped. If the ACL allows this type of outbound connection, the classic firewall's detection rules are checked.

Step 2 Based on the classic firewall detection rules, Cisco IOS may need to check the connection. If Telnet traffic is not being checked, the packet is allowed to pass and no other information is collected; otherwise, the connection proceeds to the next step.

Step 3 The connection information is compared with the entries in the state table. If this connection is not in the table, a new entry is added; if it already exists, the idle timer for this connection is reset.

Step 4 If a new entry is added, a dynamic ACL entry is added in the inbound direction of the external interface (from the external network to the internal network). This allows Telnet return traffic, that is, packets that are part of the same Telnet connection previously established by an outbound packet, to return to the network. The temporary opening remains in effect as long as the session is open. These dynamic entries are not saved to NVRAM.

Step 5 When the session is terminated, the dynamic information in the state table and the dynamic ACL entries are deleted.

This process is similar to the processing of self-reversing ACLs. The classic firewall creates a temporary open entry in the ACL to allow return traffic. These entries are created when traffic is detected leaving the network; they are deleted when the session is terminated or the idle timer for the connection expires. As with self-reversing ACLs, an administrator can also specify which protocols to check, as well as the interfaces and directions checked.

The configuration of the classic firewall is quite flexible, especially in choosing the direction in which traffic is inspected. In a typical setup, the classic firewall is used on a border router or firewall to allow return traffic into the network. It is also possible to configure the Classic Firewall to detect traffic in both directions (inbound and outbound). This is useful when protecting both parts of the network (when both sides of the firewall initiate connections and returning traffic should be allowed to reach the source).

4.2.3.3 Classic Firewall Detection Rules

In a classic firewall, the protocol to be detected is specified in the detection rules. The detection rule is applied in the incoming or outgoing direction of the interface to be inspected. The firewall engine detects packets of a specific protocol only when such packets first pass through the inbound ACL applied to the internal interface. If the packet is rejected by the ACL, it is simply discarded and the firewall does not detect it. Packets that match the detection rule generate a dynamic ACL entry to allow the returning traffic to pass through the firewall. The firewall creates and deletes ACLs as needed by the application. When the application terminates, the classic firewall deletes all dynamic ACLs for this session.

The Cisco IOS firewall engine can identify commands specific to the application (such as some illegal SMTP commands in the control channel) and can inspect and prevent certain application-layer attacks. When an attack is detected, the firewall can take the following actions: Issue warning messages; Protect system resources that can affect performance; Block packets from an attacker who can.

Timeouts and thresholds are used to manage the status information of connections. These values help determine when to drop a connection that is no longer fully established or a connection that has timed out. The Cisco IOS Firewall provides three thresholds to defend against TCP-based DoS attacks.
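The five steps above can be followed in a small Python model of the state table and the dynamic ACL entries. This is an added example, not Cisco code or code from the book; the class and function names, the addresses and the 60-second idle timeout are constructed, and the static external ACL is assumed to block only Telnet (TCP port 23), as in the scenario.

```python
TELNET = 23

def reverse(s):  # swap the endpoints of (src_ip, src_port, dst_ip, dst_port)
    return (s[2], s[3], s[0], s[1])

class ClassicFirewall:
    """Toy model of the Classic Firewall steps (hypothetical, TCP only)."""
    def __init__(self, inspected, inside_denied, idle_timeout):
        self.inspected = inspected          # detection rule: ports to track
        self.inside_denied = inside_denied  # inbound ACL on the internal interface
        self.idle_timeout = idle_timeout    # seconds of silence before teardown
        self.state = {}                     # state table: session -> last packet time
        self.dynamic_acl = set()            # temporary permits on the external interface

    def outbound(self, session, now):
        self.expire(now)
        dport = session[3]
        if dport in self.inside_denied:     # Step 1: the ACL is processed first
            return "drop"
        if dport not in self.inspected:     # Step 2: protocol is not checked
            return "pass-uninspected"
        if session not in self.state:       # Step 4: new entry opens the return path
            self.dynamic_acl.add(reverse(session))
        self.state[session] = now           # Step 3: add entry or reset idle timer
        return "pass-inspected"

    def inbound(self, packet, now):
        self.expire(now)
        if packet in self.dynamic_acl:      # return traffic of a tracked session
            self.state[reverse(packet)] = now
            return "permit"
        # Static external ACL from the scenario: Telnet may not enter.
        return "deny" if TELNET in (packet[1], packet[3]) else "permit"

    def close(self, session):               # Step 5: session terminated
        self.state.pop(session, None)
        self.dynamic_acl.discard(reverse(session))

    def expire(self, now):                  # idle timer ran out: same cleanup
        for s in [s for s, t in self.state.items() if now - t > self.idle_timeout]:
            self.close(s)

def demo():
    fw = ClassicFirewall({TELNET}, set(), idle_timeout=60)
    out = ("10.0.0.5", 40000, "198.51.100.7", TELNET)  # constructed addresses
    before = fw.inbound(reverse(out), 0)   # no session yet
    fw.outbound(out, 1)
    during = fw.inbound(reverse(out), 2)   # matches the dynamic entry
    fw.close(out)
    return before, during, fw.inbound(reverse(out), 3)
```

The dynamic entry matches all four values of the session, so a Telnet reply from any other external host is still denied while the session is open.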
A. to analyze traffic and drop unauthorized traffic from the Internet
B. to transmit wireless traffic between hosts
C. to pass traffic between different networks
D. forward traffic within the same broadcast domain
Correct Answer: C
A. switchport mode trunk
B. switchport mode dynamic desirable
C. switchport mode dynamic auto
D. switchport nonegotiate
Correct Answer: B
A. transfers a backup configuration file from a server to a switch using a username and password
B. transfers files between file systems on a router
C. transfers a configuration file from a server to a router on a congested link
D. transfers IOS images from a server to a router for firmware upgrades
Correct Answer: D
A. different nonoverlapping channels
B. different overlapping channels
C. one overlapping channel
D. one nonoverlapping channel
Correct Answer: D
Exam Code: 200-301
Exam Duration: 120 minutes
Exam Topics:
Latest Update: 11.19,2024
For office workers or college students, TOPONEDUMPS CCNA 200-301 dumps are all selected by professional instructors and cover significant and fundamental exam questions to save you precious study time. All you need to do is make a plan around the CCNA 200-301 dumps we provide, at a time convenient to you.
Besides, with 100% real CCNA 200-301 practical testing, you can access a remote server for simulated exams to master the knowledge of the CCNA 200-301 test.
What's more, with private tutoring and customer service, TOPONEDUMPS employees will help you with all kinds of difficulties and challenging questions while you study the CCNA 200-301 dumps, as well as with tips on how to pass the CCNA effortlessly.
Obtain the CCNA Certificate and a higher salary with TOPONEDUMPS assistance.
With 100% correct and valid exam questions and corresponding answers, TOPONEDUMPS will help you understand the exam structure and how to answer correctly. Pass the CCNA 200-301 Exam after a short period of preparation with our assistance.
We always provide you with the latest updated dumps of the CCNA 200-301 Exam. No need to spend much time googling questions and answers on the internet.
The professional customer consultancy service team is online 24/7, offering you the latest news and tips on how to study and prepare for the CCNA 200-301 Exam.
Payment
Deliver Dumps
30-day Free Update
Training, Pass Exam
We provide stable and high-quality real exam dumps; you only need to remember the contents of the dumps to easily pass the CCNA 200-301 Exam.
We will follow the latest exam trends. Once the exam content changes, we will immediately update the dumps to ensure stability and send them to your email.
We will send you the latest material free of charge as soon as possible after the change. Your service time will start again from our stable date.
When you complete the bill, we will send you the dumps information via email.
We accept multiple payment methods. Most customers use online payment with PayPal or Western Union. PayPal and Western Union are both very secure payment methods.