We know that the Adaptive Security Appliance (ASA) from Cisco inspects traffic in a stateful manner using something called the Adaptive Security Algorithm. It examines the traffic, and then either sends it on to a destination or drops it. But what are the finer details and points regarding this process, and how does the ASA manage to do all of this without a considerable performance bottleneck within the network infrastructure? Let us examine this stateful inspection in much more detail.

As the name implies, a stateful firewall like the Cisco ASA recognizes the state of a packet and acts accordingly. For example, if the packet is part of a new connection that is being established on the network, the first packet of the session takes what Cisco calls a “session management path”. This session management path is responsible for:
- Access list checks (to ensure the traffic is permitted through the device)
- Route lookups
- Allocating NAT translations
- Establishing sessions in an alternate path through the ASA called the “fast path”
If the packet requires Layer 7 inspection, then the packet is actually placed on another path through the device called the “control plane path”. An example of a packet that might require this Layer 7 inspection is one belonging to a protocol that has a data channel and a control channel. An example is Simple Network Management Protocol (SNMP). Here, the data packets can follow the “fast path”, while the control packets will be forced along the control plane path.
If the packet is part of an established session, then the ASA can use the much faster “fast path” through the device for most of these packets in each direction. The fast path is much speedier because it performs only a few simple tasks:
- IP checksum verification
- Session lookup
- TCP sequence number check
- NAT translation with existing session
- L3 and L4 header adjustments
Sometimes on the ASA, packets are forced to use the session management path. An example is when you have HTTP packets and you have configured advanced inspection or content filtering on your Cisco ASA.
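To make the path selection described above concrete, here is a small toy model of it, written as an added example (it is not Cisco's code and not the author's). The policy it uses (an inside network, one access list of permitted destination ports, a default route, a single NAT address, HTTP marked for Layer 7 inspection, and a simplified TCP sequence window) is constructed for the illustration; IP checksum verification and L3/L4 header rewriting are left out.

```python
import ipaddress

# Constructed policy for the toy model (assumptions, not real ASA config).
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")
PERMITTED_DPORTS = {80, 443}                       # the "access list"
ROUTES = {ipaddress.ip_network("0.0.0.0/0"): "outside"}
NAT_OUTSIDE_IP = "203.0.113.5"
L7_INSPECTED_PORTS = {80}                          # advanced HTTP inspection on
SEQ_WINDOW = 65535                                 # simplified TCP window


class ToyAsa:
    def __init__(self):
        self.sessions = {}      # flow key -> {"next_seq": int, "nat_src": str}
        self.path_log = []      # which path each processed packet took

    @staticmethod
    def _key(pkt):
        return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])

    def _session_management_path(self, pkt):
        """First packet of a flow: ACL check, route lookup, NAT, create session."""
        self.path_log.append("session-management")
        if (ipaddress.ip_address(pkt["src"]) not in INSIDE_NET
                or pkt["dport"] not in PERMITTED_DPORTS):
            return "drop: access-list"
        dst = ipaddress.ip_address(pkt["dst"])
        egress = next((ifc for net, ifc in ROUTES.items() if dst in net), None)
        if egress is None:
            return "drop: no route"
        self.sessions[self._key(pkt)] = {"next_seq": pkt["seq"] + 1,
                                         "nat_src": NAT_OUTSIDE_IP}
        return f"forward via {egress} (NAT {NAT_OUTSIDE_IP}, session created)"

    def _established_flow(self, pkt, sess, path):
        """Session already exists: sequence check and reuse of the NAT entry."""
        self.path_log.append(path)
        if not sess["next_seq"] <= pkt["seq"] < sess["next_seq"] + SEQ_WINDOW:
            return "drop: TCP sequence check"
        sess["next_seq"] = pkt["seq"] + 1
        return f"forward (NAT {sess['nat_src']})"

    def process(self, pkt):
        sess = self.sessions.get(self._key(pkt))        # session lookup
        if sess is None:
            return self._session_management_path(pkt)
        # Protocols configured for Layer 7 inspection leave the fast path.
        path = "control-plane" if pkt["dport"] in L7_INSPECTED_PORTS else "fast"
        return self._established_flow(pkt, sess, path)
```

Feed it a first packet and then a follow-up packet of the same flow and the log shows the flow moving from the session management path to the fast path; a packet whose sequence number falls outside the expected window is dropped without ever reaching the slower path.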
I hope you have enjoyed this closer look at the Adaptive Security Algorithm and the many potential paths it leads a packet through on the Cisco ASA.
Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv
Tags: ASA, CCIE, CCIE Security 3.0, ccie security training, ccie security, Cisco