XSR User’s Guide 325
Chapter 13 XSR Firewall Feature Set Functionality
Configuring Security on the XSR
Additionally, a stateful inspection firewall provides:
- Inspection of a packet's communication and application state, acquired from past communication data throughout all layers. For example, an FTP session's PORT command can be saved to verify an incoming FTP data connection.
- Dynamic filtering by opening ports only if the configured policy permits and when the application requires it.
- The strongest security with the least processing overhead and fastest performance, because stateful inspection is implemented in the kernel.
- An Application Layer Gateway (ALG) to support applications which dynamically allocate ports for secondary data streams. ALGs apply stateful inspection to a difficult protocol such as FTP or H.323 by tracking control messages between client and server and learning the correct port number to open at the correct time.
- Smart service filtering and blocking. For example, it blocks unauthorized commands to an Email server, avoiding possible attacks.
- More intelligent packet flooding attack prevention.
- The capacity to search for and reject malformed packets.
XSR Firewall Feature Set Functionality
The XSR’s firewall feature set provides the following functionality:
Stateful Firewall Inspection (SFI) - Stateful inspection is provided for TCP and UDP packets, with monitoring of all incoming and outgoing TCP/UDP sessions. Incoming sessions must be explicitly allowed by configuring policy rules. For TCP, sessions are created and deleted by monitoring TCP SYN/ACK/FIN flags. Sessions for UDP are created based on packet flows, with the first outbound UDP packet creating the session. Inactivity for an interval deletes the session.
Stateful inspection is available for user-defined applications as well as those shown in Table 12. Enter the show ip firewall services command for the associated source and destination port ranges and TCP/UDP affiliations.
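The session behaviour just described, modelled as an added example in Python (this is not XSR code): an outbound TCP SYN or first outbound UDP packet creates a session, matching packets in either direction are accepted, FIN/RST tears a TCP session down, idle UDP sessions expire, and an unsolicited inbound packet is only accepted when an explicit policy rule allows it. The 30-second UDP idle interval, the allowed-inbound rule and the packet addresses are constructed assumptions.

```python
from collections import namedtuple

TCP, UDP = "tcp", "udp"
UDP_IDLE_TIMEOUT = 30.0  # seconds; assumed value, the page does not state the XSR's interval
# direction: "out" = inside to outside, "in" = outside to inside; flags: set of TCP flag names
Packet = namedtuple("Packet", "proto src sport dst dport direction flags ts")

class StatefulInspector:
    """Toy model of the session table the text describes (not XSR code)."""
    def __init__(self, allowed_inbound=()):
        self.sessions = {}                           # session key -> last-seen timestamp
        self.allowed_inbound = set(allowed_inbound)  # explicit policy rules: (proto, dport)
    def _key(self, p):
        # Normalise both directions to (proto, inside_ip, inside_port, outside_ip, outside_port)
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)
    def _expire_idle_udp(self, now):
        for k, last in list(self.sessions.items()):
            if k[0] == UDP and now - last > UDP_IDLE_TIMEOUT:
                del self.sessions[k]                 # inactivity deletes the UDP session
    def inspect(self, p):
        self._expire_idle_udp(p.ts)
        key = self._key(p)
        if key in self.sessions:                     # packet belongs to a tracked session
            self.sessions[key] = p.ts
            if p.proto == TCP and p.flags & {"FIN", "RST"}:
                del self.sessions[key]               # simplified: first FIN/RST tears the session down
            return "ACCEPT"
        opens = p.proto == UDP or "SYN" in p.flags   # only a flow-opening packet may create a session
        if opens and (p.direction == "out" or (p.proto, p.dport) in self.allowed_inbound):
            self.sessions[key] = p.ts
            return "ACCEPT"
        return "DROP"

def demo():
    # Constructed traffic against a firewall whose only inbound policy rule allows TCP/25
    fw = StatefulInspector(allowed_inbound={(TCP, 25)})
    pkts = [
        Packet(TCP, "10.0.0.5", 40000, "203.0.113.9", 80, "out", {"SYN"}, 0),        # opens session
        Packet(TCP, "203.0.113.9", 80, "10.0.0.5", 40000, "in", {"SYN", "ACK"}, 1),  # reply matches
        Packet(TCP, "203.0.113.9", 80, "10.0.0.5", 40001, "in", {"SYN"}, 2),         # unsolicited
        Packet(TCP, "203.0.113.9", 80, "10.0.0.5", 40000, "in", {"FIN", "ACK"}, 3),  # closes session
        Packet(TCP, "203.0.113.9", 80, "10.0.0.5", 40000, "in", {"ACK"}, 4),         # after close
        Packet(UDP, "10.0.0.5", 5000, "203.0.113.53", 53, "out", set(), 5),          # first outbound
        Packet(UDP, "203.0.113.53", 53, "10.0.0.5", 5000, "in", set(), 6),           # reply in time
        Packet(UDP, "203.0.113.53", 53, "10.0.0.5", 5000, "in", set(), 60),          # idle too long
        Packet(TCP, "198.51.100.7", 51000, "10.0.0.25", 25, "in", {"SYN"}, 61),      # explicit rule
    ]
    return [fw.inspect(p) for p in pkts]
```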