ASA and IPS Parallel Features – Part III

Monday, July 25, 2011

Dawn Hopper


Article by Doug McKillip

ASA and IPS Parallel Features – Part I HERE

ASA and IPS Parallel Features – Part II HERE

As I mentioned in a previous post, this third part of the series about parallel features of the Cisco ASA and IPS covers the topic of asymmetric packet flow.

This is a specialized exception condition (to be avoided wherever possible) in which the ASA, the IPS, or both see only one direction of a connection. We will briefly examine how each platform can be configured to cope with it and what is given up in doing so.

Both the Cisco Adaptive Security Appliance (ASA) and the Intrusion Prevention System (IPS) track the state of TCP connections by examining sequence and acknowledgement numbers, flags, ports, and IP addresses.

In the case of the ASA, this stateful inspection has been optimized so that established connections use the "fast path" for near wire-speed packet delivery. It has further been extended with granular control of both open and half-open (embryonic) connection limits, something the IPS does not offer.

One scenario in which asymmetric routing commonly arises is a topology designed for load balancing. For a pair of ASA appliances deployed in Active-Active failover, a session could be initiated through the first firewall and have its return traffic arrive at the second.

The unintended consequence is broken connectivity: a return packet arriving at the second firewall matches no entry in that unit's connection table and is dropped.

Fortunately, Active-Active failover on the ASA supports asymmetric routing (ASR) groups, configured per interface with the asr-group command, as shown in the ASDM screenshot below:


When the interfaces on which a flow can enter the two units are placed in the same ASR group, a pair of ASA appliances in Active-Active failover will redirect an asymmetrically routed return packet across the failover link to the unit that owns the connection, so it is still inspected against the correct state table. This relies on Stateful Failover: the receiving unit only knows the flow belongs to its peer because connection state is replicated between them.
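The configuration behind that screenshot, written as an added CLI example rather than taken from the article: two security contexts, ctxA owned by failover group 1 and ctxB by failover group 2, so that each unit is active for one of them, with the outside interface of each context placed in ASR group 1. Context names, interface numbers, and all addresses are constructed for illustration.

```cisco
! Added example (not from the original article). All names and addresses
! are constructed; adapt them to your own units.

! --- system execution space: Active/Active failover with a stateful link ---
! The redirect depends on connection state being replicated to the peer,
! so the failover link must also carry stateful updates.
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
context ctxA
 allocate-interface GigabitEthernet0/0.10 outsideA
 allocate-interface GigabitEthernet0/1.10 insideA
 config-url disk0:/ctxA.cfg
 join-failover-group 1
context ctxB
 allocate-interface GigabitEthernet0/0.20 outsideB
 allocate-interface GigabitEthernet0/1.20 insideB
 config-url disk0:/ctxB.cfg
 join-failover-group 2
failover

! --- inside context ctxA (active on the primary unit) ---
interface outsideA
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 asr-group 1

! --- inside context ctxB (active on the secondary unit) ---
! Same ASR group number as ctxA's outside interface: a return packet for a
! ctxA connection that lands here is matched against the replicated state
! and redirected over folink to ctxA instead of being dropped.
interface outsideB
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
 asr-group 1
```

The group number has no meaning beyond tying interfaces together; what matters is that every interface a given flow's packets can arrive on, in either context, carries the same number. Check with show failover from the system space that Stateful Failover is up, because without it the peer has nothing to match the redirected packet against. Every redirected packet also crosses the failover link, so this is a remedy for occasional asymmetry, not a license to send half of every connection through the other unit.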

As the Cisco IPS 7.0 Signature Engines documentation indicates, the Cisco IPS retains stateful inspection when sensors are deployed in a parallel load-sharing topology as long as the switch distributes traffic across them with EtherChannel: the EtherChannel hash keeps both directions of a given connection on the same link, so each sensor still sees complete flows.

Now that we have shown how load balancing can be implemented while retaining stateful inspection, let's examine the configuration support on both platforms for disabling it.

Again in ASA software release 8.2, a new feature called TCP State Bypass was introduced, as detailed in the Cisco ASA 8.2 Configuration Guide, "Configuring TCP State Bypass."

Supported in both the CLI and ASDM, bypass is applied per traffic class through the Modular Policy Framework. Once a flow is bypassed, the ASA no longer checks its TCP sequence numbers and skips TCP normalization, TCP intercept and the embryonic connection limits; the flow is also never handed to an SSM module (IPS or CSC) for further examination. As a best practice, therefore, bypass should be restricted by access list to the narrowest possible set of trusted endpoints and ports, never applied to an interface wholesale.
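An added CLI example of scoping TCP State Bypass to one flow, not code from the article: a constructed database replication session from 10.1.1.0/24 to host 10.2.2.10 on port 5432 whose return traffic never traverses this ASA. Only the flows matched by the access list lose stateful checks; everything else on the interface keeps them.

```cisco
! Added example (not from the original article); the subnet, host and
! port are constructed. Match as narrowly as possible: source, destination
! and service, never "any".
access-list TCP_BYPASS extended permit tcp 10.1.1.0 255.255.255.0 host 10.2.2.10 eq 5432

class-map TCP_BYPASS
 match access-list TCP_BYPASS

! Only this class is exempted from TCP state checks and from SSM inspection;
! other classes in the same policy map are unaffected.
policy-map INSIDE_POLICY
 class TCP_BYPASS
  set connection advanced-options tcp-state-bypass

service-policy INSIDE_POLICY interface inside
```

The same policy, with the access list mirrored for the return direction, must exist on the other ASA in the asymmetric path, since that unit will see the server's reply without ever having seen a SYN and must accept it as a new connection. Use static rather than dynamic NAT for bypassed traffic: each ASA builds its translation independently, and dynamic NAT would pick different addresses on the two units. To confirm a flow is being bypassed, look for the b flag on its entry in show conn.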

The screenshot below illustrates how the analogous function is supported on the IPS. Reassembly of TCP streams is part of the normalizer signature engine on the sensor, and its TCP reassembly mode can be set to asymmetric (asym) if it is known in advance that the sensor will only see one direction of a flow. The cost is the same as on the ASA: any inspection that depends on seeing both halves of a conversation is lost for those streams, so this setting should be used only where the topology genuinely requires it:


Cross-posted from Global Knowledge

Tags: Information Security, Cisco, Network Security, Configuration, IDS/IPS, TCP, ASA