Personal Stateful Firewall Overview
Understanding Rules with Stateful Inspection ▀
Cisco ASR 5000 Series Product Overview ▄
OL-22938-02
HTTP Application and State
HTTP is the one of the main protocols used on the Internet today. It uses TCP as its transport protocol, and its session
initialization follows the standard TCP connection method.
Due to the TCP flow, the HTTP allows an easier definition of the overall session‘s state. It uses a single established
connection from the client to the server and all its requests are outbound and responses are inbound. The state of the
connection matches with the TCP state tracking.
For content verification and validation on the HTTP application session, the Personal Stateful Firewall uses DPI
functionality in the chassis.
File Transfer Protocol and State
FTP is an application to move files between systems across the network. This is a two way connection and uses TCP as
its transport protocol.
Due to TCP flow, FTP allows an easier definition of the overall session‘s state. As it uses a single established
connection from the client to the server, the state of the connection matches with the TCP state tracking.
Personal Stateful Firewall uses application-port mapping along with FTP application-level content verification and
validation with DPI functionality in the chassis. It also supports Pinhole data structure and Initialization, wherein FTP
ALG parses FTP Port command to identify the initiation and termination end points of future FTP DATA sessions. The
source/destination IP and destination Port of FTP DATA session is stored.
When a new session is to be created for a call, a check is made to see if the source/destination IP and Destination Port of
this new session matches with the values stored. Upon match, a new ACS data session is created.
This lookup in the pinhole list is made before port trigger check and stateful firewall ruledef match. If the look up
returns a valid pinhole then a particular session is allowed. Whenever a new FTP data session is allowed because of a
pinhole match the associated pinhole is deleted. Pinholes are also expired if the associated FTP Control session is
deleted in, or when the subscriber call goes down.
Summary of Contents for ASR 5000 Series
Page 1: ......
Page 26: ......
Page 48: ...New In Release 10 0 SCM Features Cisco ASR 5000 Series Product Overview OL 22938 02 ...
Page 50: ......
Page 58: ......
Page 68: ......
Page 126: ......
Page 138: ......
Page 146: ......
Page 218: ......
Page 236: ......
Page 356: ......
Page 374: ......
Page 422: ......
Page 496: ......
Page 572: ......
Page 654: ......
Page 700: ......
Page 726: ......
Page 784: ......
Page 816: ......
Page 844: ......
Page 906: ......
Page 926: ......
Page 942: ......
Page 943: ...Cisco ASR 5000 Series Product Overview OL 22938 02 Chapter 30 Technical Specifications ...
Page 966: ......
Page 972: ......