- Enterasys Security Router User's Guide

Configuring Security on the XSR
Stateful Inspection Firewalls
A stateful inspection firewall combines the aspects of other firewalls to filter packets at the
network layer, determine whether session packets are legitimate and evaluate the payload of
packets at the application layer. It allows a direct connection between client and host, alleviating
the lack of transparency of ALGs. Also, it employs algorithms to recognize and process Layer 5
data rather than run application-specific proxies.
Additionally, a stateful inspection firewall provides:
- Inspection of a packet's communication and application state, acquired from past communication data throughout all layers. For example, an FTP session's PORT command can be saved to verify an incoming FTP data connection.
- Dynamic filtering, opening ports only if the configured policy permits it and when the application requires it.
- The strongest security with the least processing overhead and fastest performance, because stateful inspection is implemented in the kernel.
- An Application Layer Gateway (ALG) to support applications which dynamically allocate ports for secondary data streams. ALGs apply stateful inspection to a difficult protocol such as FTP or H.323 by tracking control messages between client and server and learning the correct port number to open at the correct time.
- Smart service filtering and blocking. For example, it blocks unauthorized commands to an e-mail server, avoiding possible attacks.
- More intelligent packet-flooding attack prevention.
- The capacity to search for and reject non-conforming packets.
XSR Firewall Feature Set Functionality
The XSR’s firewall feature set provides the following functionality:
Stateful Firewall Inspection (SFI)
Stateful inspection is provided for TCP and UDP packets and monitoring of all incoming and
outgoing TCP/UDP sessions. Incoming sessions must be explicitly allowed by configuring policy
rules. For TCP, sessions are created and deleted by monitoring TCP SYN/ACK/FIN flags.
Sessions for UDP are created based on packet flows with the first outbound UDP packet creating
the session. Inactivity for an interval deletes the session.
Stateful inspection is available for user-defined and popular applications such as Bootp, FTP, AOL,
et al. Enter the show ip firewall services command to display these and other supported
applications as well as their associated source/destination port ranges and TCP/UDP affiliations.
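The session-tracking rules described above (TCP sessions opened on a SYN and torn down on a FIN, UDP sessions created by the first outbound datagram and deleted after inactivity, incoming sessions passed only when a policy rule allows them) can be modelled in a few lines. The following is an added illustration, not XSR code; the Packet type, the 30-second UDP idle interval and the policy-rule format are assumptions, and the guide's TCP flag handling is simplified to SYN and FIN.

```python
from dataclasses import dataclass

UDP_IDLE_TIMEOUT = 30.0  # seconds; assumed value, the guide does not state the interval


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""        # TCP flags as letters: "S", "SA", "A", "F"
    inbound: bool = False  # True when the packet arrives from the untrusted side
    ts: float = 0.0        # arrival time in seconds


class StatefulFirewall:
    def __init__(self, allow_inbound=frozenset()):
        self.allow_inbound = allow_inbound  # policy rules: set of (proto, dport)
        self.sessions = {}                  # canonical 5-tuple -> last-seen time

    @staticmethod
    def _key(p):
        # Direction-independent key so that replies match the originating flow
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def _expire_udp(self, now):
        stale = [k for k, last in self.sessions.items()
                 if k[0] == "udp" and now - last > UDP_IDLE_TIMEOUT]
        for k in stale:
            del self.sessions[k]            # inactivity deletes the UDP session

    def process(self, p):
        """Return 'pass' or 'drop' for one packet and update the session table."""
        self._expire_udp(p.ts)
        key = self._key(p)
        if key in self.sessions:
            self.sessions[key] = p.ts
            if p.proto == "tcp" and "F" in p.flags:
                del self.sessions[key]      # FIN: TCP connection teardown
            return "pass"
        if p.proto == "tcp" and p.flags != "S":
            return "drop"   # only a SYN may open a TCP session; stray ACKs are dropped
        if p.inbound and (p.proto, p.dport) not in self.allow_inbound:
            return "drop"   # incoming sessions must be explicitly allowed by policy
        self.sessions[key] = p.ts           # outbound, or policy-permitted inbound
        return "pass"
```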
Filtering non-TCP/UDP Packets
IP packets other than TCP and UDP are controlled by a separate filtering mechanism and configured
with a filter object. All non-TCP/UDP packets are dropped by default. In order to pass a
particular IP protocol's packets through the firewall, you must configure a filter object for that
protocol with the correct source and destination addresses.