[Dr.WoW] [No.11] ASPF Highlighted

Latest reply: Jun 4, 2015 10:29:20

After understanding security policies, you may think that security policies are configured once and for all to defend against all threats. However, some protocols change unpredictably during an exchange, such as FTP, whose packets may fall outside what a security policy anticipates. In this case, security policies alone are not enough to control packet forwarding, and a mysterious aide must be called in.

Now I will use FTP as an example to unveil this mysterious aide.

1 Helping FTP Data Packets Traverse Firewalls

First, I use the eNSP to simulate an FTP client accessing an FTP server, as shown in Figure 1-1. The FTP client and server connect directly to a firewall. The FTP client resides in the Trust zone, while the FTP server is in the Untrust zone.

Figure 1-1 Networking for an FTP client to access an FTP server


How should I configure a security policy if I want the FTP client to access the FTP server? You may say: "It is easy. Configure a security policy to allow FTP packets from 192.168.0.1 in the Trust zone to 172.16.0.1 in the Untrust zone."

[FW] policy interzone trust untrust outbound

[FW-policy-interzone-trust-untrust-outbound] policy 1

[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.1 0

[FW-policy-interzone-trust-untrust-outbound-1] policy destination 172.16.0.1 0

[FW-policy-interzone-trust-untrust-outbound-1] policy service service-set ftp

[FW-policy-interzone-trust-untrust-outbound-1] action permit

After the configuration, use the FTP client to access the FTP server on the eNSP. The access FAILS. Let's check the configuration. You can see that policy 1 was matched, indicating that the configuration has taken effect.

[FW] display policy interzone trust untrust outbound

policy interzone trust untrust outbound

 firewall default packet-filter is deny

 policy 1 (1 times matched)

  action permit

  policy service service-set ftp (predefined)

  policy source 192.168.0.1 0

  policy destination 172.16.0.1 0

Let's view the session table. You can see that a session has been established on the firewall.

[FW] display firewall session table

Current Total Sessions : 1

  ftp VPN:public --> public 192.168.0.1:2049-->172.16.0.1:21

Everything seems to be OK. Well, why did the access fail?

Let's look at the particular characteristics of FTP. FTP is a typical multi-channel protocol: the FTP client and server establish two connections between them, namely the control connection and the data connection. The control connection carries FTP commands and parameters, including the information needed to set up the data connection. The data connection is used to obtain directory listings and transfer data.

FTP works in either active (PORT) or passive (PASV) mode, determined by the data connection initiation mode. In active mode, the FTP server initiates a data connection to the FTP client. In passive mode, the FTP server receives the data connection initiated from the FTP client.

The working mode can be set on the FTP client. This example uses the active mode, as shown in Figure 1-2.

Figure 1-2 Working mode setting on the FTP client


Let's look at the FTP interactive process in active mode, as shown in Figure 1-3.

Figure 1-3 FTP interactive process in active mode


The process is described as follows:

1. The FTP client uses a random port xxxx to initiate a control connection request to port 21 of the FTP server.

2. The FTP client uses the PORT command to negotiate with the server the port number for the data connection. Port yyyy is obtained.

3. The FTP server initiates a data connection request to port yyyy of the FTP client.

4. The FTP server sends data to the client after the data connection is established.

In the preceding example, we configured only one security policy, which allows the FTP client to access the FTP server. That is, only the control connection was established. When the firewall received the packet from the FTP server to port yyyy of the FTP client, it treated the packet as a new connection, not as a subsequent packet of the existing connection. To let the packet reach the FTP client, we would have to configure another security policy on the firewall.

How can this problem be resolved? Could we simply configure a security policy that permits packets from the FTP server to the FTP client? That raises another problem: the port used for the data connection is negotiated by the client and server and is therefore random, so we would have to open all ports, which exposes the FTP client to security risks. It would be ideal if the firewall could record the negotiated port and automatically allow the packets from the FTP server to the FTP client to pass.

Fortunately, firewall designers have considered this issue and introduced the mysterious aide Application Specific Packet Filter (ASPF). As indicated by the feature name, ASPF works on the application-layer information of packets. Its working principle is to check the application-layer information of packets and record the key data in the application-layer information, so that the packets that are not clearly defined to pass in security policies can be properly forwarded.

Entries recording the key application-layer data are called server map entries. Once a packet matches a server map entry, it is no longer controlled by any security policy. It seems to enable an "invisible channel" on the firewall. Of course, this channel is not arbitrarily enabled. Instead, the firewall allows the existence of such a channel only after analyzing the application-layer information of packets to predict the behavior of subsequent packets.

What is the difference between the server map and session table? First, the session table records the connection status of communicating parties. After generating a session for the first packet of a connection, the firewall directly forwards subsequent packets of the session based on this session, and the packets are no longer controlled by security policies. The server map records the information obtained by analyzing the packets of existing connections. This information indicates packet features, according to which the firewall predicts packet behavior.

Second, after receiving a packet, the firewall checks whether the packet matches the session table. If so, the firewall directly forwards the packet. If not, the firewall checks whether the packet matches the server map. If the packet matches the server map, it is no longer controlled by security policies. Certainly, the firewall will generate a session for the packet.

Both the server map and session table are important for firewalls. They have different functions and cannot replace each other.
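The lookup order just described (session table first, then server map, then security policy) and the PORT exchange from the FTP steps above are easy to get wrong when reasoning about them in prose, so here is a small Python model of both. This is an added example, not code from the Dr.WoW post and not any vendor's implementation; the names `Firewall`, `Packet`, `PORT_RE` and `ftp_active_scenario` are this example's own, the addresses, ports, zones and payloads are constructed sample values, and the check that a PORT address must equal the client's own address is a hardening assumption of this model that the post does not discuss.

```python
"""Toy model of a stateful firewall with ASPF for FTP active mode.

Added example: not code from the Dr.WoW post and not a vendor implementation.
It models the lookup order the post describes (session table -> server map ->
security policy) and how inspecting the PORT command on the FTP control
connection creates a short-lived server-map entry for the server-initiated
data connection. All addresses, ports, zones and payloads are constructed.
"""
import re
from dataclasses import dataclass

PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_zone: str
    dst_zone: str
    payload: bytes = b""


class Firewall:
    """policies: list of (src_zone, dst_zone, src_ip, dst_ip, proto, dst_port, action)."""

    def __init__(self, policies, aspf_ftp=True, server_map_ttl=60):
        self.policies = list(policies)
        self.aspf_ftp = aspf_ftp
        self.ttl = server_map_ttl
        self.sessions = set()   # 5-tuples of connections already permitted
        self.server_map = {}    # (proto, src_ip, dst_ip, dst_port) -> expiry time
        self.clock = 0

    def tick(self, seconds: int) -> None:
        """Advance the clock and age out expired server-map entries."""
        self.clock += seconds
        self.server_map = {k: t for k, t in self.server_map.items() if t > self.clock}

    def forward(self, p: Packet) -> str:
        fwd = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        # 1. Packet of an existing session: forwarded without any policy check.
        if fwd in self.sessions or rev in self.sessions:
            self._inspect(p)
            return "permit:session"
        # 2. Packet predicted by ASPF: a server-map hit bypasses policy and opens a session.
        if (p.proto, p.src_ip, p.dst_ip, p.dst_port) in self.server_map:
            self.sessions.add(fwd)
            return "permit:server-map"
        # 3. Otherwise the security policy decides; the default action is deny.
        key = (p.src_zone, p.dst_zone, p.src_ip, p.dst_ip, p.proto, p.dst_port)
        for *sel, action in self.policies:
            if tuple(sel) == key:
                if action == "permit":
                    self.sessions.add(fwd)
                    self._inspect(p)
                    return "permit:policy"
                return "deny:policy"
        return "deny:default"

    def _inspect(self, p: Packet) -> None:
        """ASPF for FTP: parse a PORT command on the control connection and
        record the data connection the server is expected to initiate."""
        if not self.aspf_ftp or p.proto != "tcp" or p.dst_port != 21:
            return
        m = PORT_RE.search(p.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        data_ip, data_port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        # Hardening not covered by the post (this model's own assumption): only
        # honour a PORT address that equals the client's own source address.
        if data_ip != p.src_ip:
            return
        # Mirrors the post's entry "172.16.0.1 -> 192.168.0.1:2052[any]":
        # server address -> client data port, any server source port.
        self.server_map[("tcp", p.dst_ip, data_ip, data_port)] = self.clock + self.ttl


def ftp_active_scenario(aspf_enabled: bool, idle_seconds: int = 0) -> list:
    """Replay the post's steps 1-3 and return the firewall decision for each."""
    client, server = "192.168.0.1", "172.16.0.1"
    fw = Firewall([("trust", "untrust", client, server, "tcp", 21, "permit")], aspf_enabled)
    out = [fw.forward(Packet("tcp", client, 2051, server, 21, "trust", "untrust"))]
    # PORT 192,168,0,1,8,4 announces client data port 8 * 256 + 4 = 2052
    out.append(fw.forward(Packet("tcp", client, 2051, server, 21, "trust", "untrust",
                                 b"PORT 192,168,0,1,8,4\r\n")))
    fw.tick(idle_seconds)   # let the server-map entry age if the server is slow
    out.append(fw.forward(Packet("tcp", server, 20, client, 2052, "untrust", "trust")))
    return out
```

Calling `ftp_active_scenario(True)` gives `permit:policy` for the control connection, `permit:session` for the PORT command, and `permit:server-map` for the server's data connection; with `aspf_enabled=False` the third decision falls through to `deny:default`, which is the failure the post observed, and with `idle_seconds` larger than the 60-second TTL the entry has aged out and the same denial returns.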

NOTE

In addition to ASPF, NAT can generate the server map, which will be detailed in chapter "NAT".

It is easy to enable ASPF. For example, enable ASPF for FTP in the Trust-Untrust interzone.

NOTE

ASPF can also be enabled for FTP within a security zone.

[FW] firewall interzone trust untrust

[FW-interzone-trust-untrust] detect ftp

Then, let's verify the access from the FTP client to the FTP server again. Run the display firewall server-map command on the firewall to view the server-map entry recording the FTP data connection.

[FW] display firewall server-map

 server-map item(s)

 ------------------------------------------------------------------------------

 ASPF, 172.16.0.1 -> 192.168.0.1:2052[any], Zone: ---

   Protocol: tcp(Appro: ftp-data), Left-Time: 00:00:57, Addr-Pool: ---

   VPN: public -> public

We can see that the firewall has generated a server-map entry. The packet from the FTP server to the FTP client matched this entry and has been forwarded. In this manner, no security policy is required for this packet. This server-map does not permanently exist. It will be deleted after its aging time expires. This means that the "invisible channel" is not permanently enabled, improving security.

View the session table on the firewall. The command output shows that the FTP server has established a data connection with the FTP client.

[FW] display firewall session table

 Current Total Sessions : 2

  ftp  VPN:public --> public 192.168.0.1:2051+->172.16.0.1:21

  ftp-data  VPN:public --> public 172.16.0.1:20-->192.168.0.1:2052

Figure 1-4 shows the ASPF processing for FTP. After ASPF is enabled, the firewall generates a server-map entry while inspecting the FTP control connection, so that the FTP data connection can be established.

Figure 1-4 ASPF processing for FTP


In conclusion, ASPF dynamically generates server-map entries based on the application-layer information in packets, simplifying security policy configuration and improving security. ASPF can be considered a firewall traversal technique. Server-map entries "open" a channel on the firewall, so that subsequent packets of multi-channel protocols, such as FTP, traverse the firewall through the channel without being controlled by security policies.

In addition to FTP, firewalls support ASPF for other multi-channel protocols, such as the Session Initiation Protocol (SIP), H.323, and Media Gateway Control Protocol (MGCP). To check whether a firewall model supports ASPF for a specific protocol, see the product documentation of the firewall model.

2 Helping QQ/MSN Packets Traverse Firewalls

Firewalls also support ASPF for the common instant messaging protocols Tencent QQ and Microsoft Service Network (MSN) Messenger. The implementation differs from that for FTP. Let me introduce ASPF for QQ and MSN.

Generally, text QQ/MSN messages are relayed by a QQ or MSN server. As audio and video messages consume a lot of resources, such messages are not relayed through a server. Instead, the communicating parties establish a connection to transmit such messages, as shown in Figure 1-5.

Figure 1-5 Networking for transmitting QQ/MSN messages


In most cases, we configure only the security policy for the Trust-Untrust interzone on a firewall to allow QQ/MSN clients on an intranet to access the Internet. Due to the lack of the security policy for the Untrust-Trust interzone, QQ/MSN clients on the Internet cannot initiate audio/video connection requests to the intranet.

QQ is used as an example. To allow QQ clients on the Internet to access the QQ server on an intranet, ASPF generates the following server-map entry (this entry is only an example; an actual entry would also contain address translation information):

Type: STUN,  ANY -> 192.168.0.1:53346,  Zone:---

 Protocol: udp(Appro: qq-derived),  Left-Time:00:05:45,  Pool: ---,

 Vpn: public -> public

In the entry, the source address is ANY, indicating that any user can initiate connection requests to 192.168.0.1 through port 53346, and the firewall allows the requests to pass. The entry contains the destination address (192.168.0.1), destination port (53346), and protocol type (udp), which are considered a triplet for server-map entries.

NOTE

The entry type is Simple Traversal of UDP Through Network Address Translators (STUN). QQ, MSN, and user-defined server-map entries, which are described in the following part, are all of the STUN type. That is, firewalls treat QQ, MSN, and user-defined protocols as STUN-type protocols. STUN will be described in section "NAT ALG."

The command for enabling ASPF for QQ and MSN is similar to that for FTP. Enable ASPF for QQ and MSN in the Trust-Untrust interzone.

NOTE

ASPF can also be enabled for QQ and MSN within a security zone.

[FW] firewall interzone trust untrust

[FW-interzone-trust-untrust] detect qq

[FW-interzone-trust-untrust] detect msn

3 Helping User-Defined Protocol Packets Traverse Firewalls

For applications not covered by the detect command, firewalls provide ASPF for user-defined protocols. Provided that we understand the protocol principle of an application, we can define an ACL to identify the packets of this application. ASPF then automatically establishes a triplet server-map entry for the application on the firewall, so that the packets of the application can pass through the firewall. Note that precise ACL rules are preferred, to minimize the impact on other services.

Currently, the most typical application is the Trivial File Transfer Protocol (TFTP), as shown in Figure 1-6.

Figure 1-6 Networking for TFTP


The TFTP control and data connections share the TFTP client port number. After the TFTP client initiates an access request to the TFTP server, ASPF generates the following server-map entry:

Type: STUN,  ANY -> 192.168.0.1:55199,  Zone:---

 Protocol: udp(Appro: stun-derived),  Left-Time:00:04:52,  Pool: ---,

 Vpn: public -> public

In this entry, 192.168.0.1 is the TFTP client IP address, and 55199 is the port number opened for the TFTP client. The TFTP client also uses this port number to access the TFTP server. Before this server-map entry expires, a host at any address can initiate connection requests to 192.168.0.1 through port 55199, ensuring that TFTP packets can pass through the firewall.

Similarly, enabling ASPF for user-defined protocols is not difficult. The support conditions and command syntax vary with firewall models; refer to the product documentation of the specific firewall model.

[FW] acl 3000

[FW-acl-adv-3000] rule permit ip source 192.168.0.1 0

[FW-acl-adv-3000] quit

[FW] firewall interzone trust untrust

[FW-interzone-trust-untrust] detect user-defined 3000 outbound

For QQ, MSN, and user-defined protocols, the triplet server-map entries generated by ASPF keep these services running, but the mechanism brings risks: the ports have been opened for access from any source, and packets matching the server-map entries are no longer controlled by security policies.

To reduce the risks, firewalls provide ASPF-specific security policies (packet filtering) to filter the packets matching triplet server-map entries for refined access control. For example, after the previous triplet server-map entry is generated, configure the following ACL to allow only the matching packets from 192.168.0.1 to 172.16.0.1 to pass.

[FW] acl 3001

[FW-acl-adv-3001] rule permit ip source 192.168.0.1 0 destination 172.16.0.1 0

[FW-acl-adv-3001] quit

[FW] firewall interzone trust untrust

[FW-interzone-trust-untrust] aspf packet-filter 3001 outbound
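To make the risk of a triplet entry and the effect of the ASPF packet filter concrete, here is a small Python model of the TFTP case above. This is an added example, not code from the Dr.WoW post and not any vendor's implementation; the names `Triplet`, `AclRule`, `learn_triplet`, `decide` and `tftp_scenario` are this example's own, and all addresses and ports are constructed sample values. How a real firewall orients the packet-filter ACL relative to the `outbound` direction is vendor-specific and not settled by the post, so this model makes an explicit assumption: the ACL is checked against the packet as it arrives, and the post's restriction (only 172.16.0.1 may talk to the port opened for 192.168.0.1) is therefore written with 172.16.0.1 as the source.

```python
"""Toy model of triplet server-map entries and the ASPF packet filter.

Added example, not code from the Dr.WoW post or from any vendor. A triplet
entry (protocol, destination address, destination port) with source ANY lets
any peer reach the opened port; an ACL bound as an ASPF packet filter is then
applied only to packets that matched a triplet entry. Modelling assumption:
the ACL is evaluated against the arriving packet (source = remote peer,
destination = local host). All addresses and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Triplet:
    proto: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AclRule:
    action: str                      # "permit" or "deny"
    source: str = "0.0.0.0/0"        # CIDR; a /32 plays the role of wildcard 0
    destination: str = "0.0.0.0/0"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.destination))


def learn_triplet(proto: str, client_ip: str, client_port: int) -> Triplet:
    """Entry ASPF creates from the client's first packet of a user-defined
    protocol such as TFTP, whose control and data traffic share the client port."""
    return Triplet(proto, client_ip, client_port)


def decide(proto, src_ip, dst_ip, dst_port, triplets, aspf_filter=None) -> str:
    """Return "permit"/"deny" for a packet that hits a triplet entry, or
    "policy" when no entry matches and the ordinary security policy applies."""
    if Triplet(proto, dst_ip, dst_port) not in triplets:
        return "policy"
    if aspf_filter is None:
        return "permit"            # a triplet match alone bypasses security policy
    for rule in aspf_filter:       # first matching rule wins; no match -> deny
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "deny"


def tftp_scenario(with_filter: bool) -> dict:
    """TFTP client 192.168.0.1:55199 has reached server 172.16.0.1; check who
    can then send to the opened port, with and without the packet filter."""
    triplets = {learn_triplet("udp", "192.168.0.1", 55199)}
    acl = [AclRule("permit", "172.16.0.1/32", "192.168.0.1/32")] if with_filter else None
    return {
        "server": decide("udp", "172.16.0.1", "192.168.0.1", 55199, triplets, acl),
        "stranger": decide("udp", "203.0.113.9", "192.168.0.1", 55199, triplets, acl),
        "other_port": decide("udp", "203.0.113.9", "192.168.0.1", 69, triplets, acl),
    }
```

`tftp_scenario(False)` shows the exposure the post warns about: both the TFTP server and an unrelated host reach port 55199 through the triplet entry, while traffic to any other port still goes through the security policy. `tftp_scenario(True)` keeps the server's path open and denies the unrelated host, which is the refined access control the `aspf packet-filter` command provides.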

From the preceding description, we see that ASPF generates server-map entries for multi-channel protocols (such as FTP), QQ, MSN, and user-defined protocols to help the packets of these protocols traverse firewalls.

In addition, ASPF on firewalls can block Java and ActiveX plug-ins in HTTP. Such plug-ins can be used to carry Trojan horses and viruses that compromise hosts on intranets. Java and ActiveX plug-ins are generally carried in HTTP payloads, so a firewall that checks only HTTP headers cannot identify them; ASPF must be used to inspect HTTP payloads in order to block Java and ActiveX plug-ins.

Configuring a firewall to block HTTP plug-ins is easy: run the detect activex-blocking and detect java-blocking commands in a security zone or an interzone. The support conditions and command syntax vary with firewall models; refer to the product documentation of the specific firewall model.


user_2790689
Created May 7, 2015 11:19:48 Helpful(0) Helpful(0)

Thank you.

guaxi300
Created Jun 4, 2015 10:29:20 Helpful(0) Helpful(0)

thanks
