The AA firewall (FW) feature extends AA ISA application-level analysis to provide an in-line, integrated stateful service that protects subscribers from malicious security attacks. Combining the AA stateful packet filtering feature with AA Layer 7 classification and control gives operators advanced, next-generation firewall functionality that is integrated within the AA ISA. Both the AA stateful firewall and the application firewall run on the AA ISA. In stateful inspection, the AA FW not only inspects packets at Layers 3 to 7 but also monitors and keeps track of the connection's state. If the operator configures a "deny" action within a session filter, then matching packets (those matching both the AQP and the associated session filter match conditions) are dropped and no flow session state/context is created.
AA FW can be used in all deployments of AA ISA (on the related diverted AA subscriber context):
An AA FW enabled solution provides:
stateful/stateless packet filtering and inspection with Application-Level Gateway (ALG) support
security gateway (SeGW) firewall protection for S1-MME (SCTP), S1-U (GTP-U) and OAM traffic
Stateful flow processing and inspection uses IP Layer 3/4 header information to build the state of the flow within the AA ISA. Layer 7 inspection is used to provide ALG support. Stateful flow/session processing takes note of the originator of the session and can therefore allow traffic initiated by the subscriber while denying, if so configured, traffic originating from the network. Packets received from the network are inspected against the session filter and only those that are part of a subscriber-initiated session are allowed; a network-initiated packet that matches no existing session and no permit entry is dropped without creating any session state.
Figure: Stateful firewall shows stateful firewall processing.
Stateless packet filtering does not take note of the session initiator and therefore discards or allows each packet independently of any previous packets. Stateless packet filtering can be performed in the system using IOM ACLs.
AA FW inspection of packets at Layer 7 offers Application Layer Gateway functionality for the following applications:
rtsp
sip
h323 (IPv4 only)
googletalkvoice
ftp
tftp
pptp
citrix
sybase
msexchange
skinny
ares
bittorrent
dns
irc
mailru
qvod
R commands
sc2
socks
vudu
winmx
xunlei
Figure: Application layer gateway support shows application layer gateway support.
These applications use control channels and flows that spawn other flows (for example, a data connection announced inside an FTP or SIP control session). AA FW inspects the payload of these control flows so that it can open a pinhole for the associated required flows; only the flow announced in the control channel is admitted, so unrelated network-initiated traffic to the subscriber remains blocked.
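The two behaviours described above, stateful subscriber-initiated session tracking and an ALG pinhole opened from a control-channel payload, in a small Python model. This is an added illustration and is not AA ISA code; it does not describe how the ISA implements its flow table or session filters. The choice of FTP active mode (the PORT command) as the ALG, the single-use pinhole and the constructed packet sequence are assumptions of this model, not statements from the page.

```python
import re
from dataclasses import dataclass

# Direction of a packet relative to the diverted AA subscriber (model terms, not SR OS CLI).
SUB_TO_NET = "subscriber-to-network"
NET_TO_SUB = "network-to-subscriber"

# FTP active mode: "PORT h1,h2,h3,h4,p1,p2" announces the address/port the server will connect back to.
FTP_PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


def flow_key(pkt):
    """Direction-independent 5-tuple so both halves of a flow map onto one session entry."""
    ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return (pkt.proto, ends[0], ends[1])


class StatefulFirewall:
    """Model of a session filter that denies network-initiated traffic unless an ALG opened a pinhole."""

    def __init__(self):
        self.sessions = {}     # flow_key -> direction of the packet that created the session
        self.pinholes = set()  # (proto, subscriber_ip, subscriber_port) expected from the network

    def process(self, pkt):
        key = flow_key(pkt)
        if key in self.sessions:            # packet belongs to an existing session
            self._alg_inspect(pkt)
            return "permit"
        if pkt.direction == SUB_TO_NET:     # subscriber-initiated: create state, allow
            self.sessions[key] = SUB_TO_NET
            self._alg_inspect(pkt)
            return "permit"
        pinhole = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        if pinhole in self.pinholes:        # network-initiated but announced by the ALG
            self.pinholes.discard(pinhole)  # assumption: a pinhole is consumed by the first matching packet
            self.sessions[key] = NET_TO_SUB
            return "permit"
        return "deny"                       # dropped; deliberately no session state is created

    def _alg_inspect(self, pkt):
        """FTP ALG: read PORT commands sent by the subscriber on the control channel (tcp/21)."""
        if pkt.proto != "tcp" or pkt.dst_port != 21 or pkt.direction != SUB_TO_NET:
            return
        m = FTP_PORT_RE.search(pkt.payload)
        if not m:
            return
        h = [int(x) for x in m.groups()]
        ip = ".".join(str(x) for x in h[:4])
        port = h[4] * 256 + h[5]
        self.pinholes.add(("tcp", ip, port))


def run_demo():
    """Constructed packet sequence; returns the verdict list and the firewall for inspection."""
    fw = StatefulFirewall()
    sub, srv = "10.1.1.10", "203.0.113.5"
    verdicts = [
        # 1. unsolicited SSH SYN from the network: dropped, and no state is left behind
        fw.process(Packet(NET_TO_SUB, "tcp", "198.51.100.7", 40000, sub, 22)),
        # 2. subscriber opens the FTP control channel
        fw.process(Packet(SUB_TO_NET, "tcp", sub, 50001, srv, 21)),
        # 3. server reply on that same flow is part of a subscriber-initiated session
        fw.process(Packet(NET_TO_SUB, "tcp", srv, 21, sub, 50001, b"220 ready\r\n")),
        # 4. PORT 10,1,1,10,200,10 -> subscriber will listen on 10.1.1.10:51210 (200*256+10)
        fw.process(Packet(SUB_TO_NET, "tcp", sub, 50001, srv, 21, b"PORT 10,1,1,10,200,10\r\n")),
        # 5. server's active-mode data connection from port 20 hits the pinhole
        fw.process(Packet(NET_TO_SUB, "tcp", srv, 20, sub, 51210)),
        # 6. same server, a port the ALG never announced: still denied
        fw.process(Packet(NET_TO_SUB, "tcp", srv, 20, sub, 51211)),
    ]
    return verdicts, fw


if __name__ == "__main__":
    print(run_demo()[0])
```

The point to take from the model is the asymmetry: the unsolicited packet in step 1 and step 6 never reaches the session table, whereas the data connection in step 5 is admitted only because the control-channel payload in step 4 was inspected. A stateless IOM ACL would have to permit port 20 from any server to the whole subscriber port range to get the same FTP session working.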