You can use access control lists (ACLs) to permit or deny requests to services that are available within your network. You can apply ACLs to packets entering or leaving a firewall interface. Two forms of filters exist: stateless ACLs and stateful session ACLs. A firewall that uses stateless ACLs treats each packet as an individual entity: because a stateless ACL tracks no transport connection information, the device evaluates every packet against the ACL regardless of which transport flow the packet is part of. Stateful session ACLs, by contrast, track flows and verify that a packet belongs to a valid flow before the filtering decision is made.
Firewalls can track TCP flows by inspecting the TCP flags and sequence numbers in the TCP segment header. Although UDP is connectionless, firewalls approximate UDP "connections" by examining the IP addresses and ports in the UDP datagram and matching later packets that carry the same addresses and ports. The firewall or router considers packets to be part of the same UDP connection if it receives them with the same IP addresses and UDP ports within an idle timeout; once no packet has matched the entry for that long, the pseudo-connection is discarded and a later packet has to be treated as new.
Stateful session ACLs are useful for TCP/IP-based filtering when you need to know the direction from which a connection originates. For example, your internal users may require access to an FTP site on the Internet, but you should block incoming FTP access to your internal network from the Internet. You cannot achieve this type of access control with stateless ACLs. A basic extended ACL can only approximate it with the established keyword, which permits inbound TCP segments that have the ACK or RST bit set without checking whether a matching outbound connection exists, so a forged inbound ACK segment satisfies it. Instead, you can use reflexive ACLs, context-based access control (CBAC), or the Cisco PIX Firewall, because these features perform stateful inspection.
With stateful inspection, when your workstation sends an outgoing TCP SYN segment to an external resource, the firewall creates a temporary incoming ACL entry for your return traffic. The entry contains the same IP addresses and TCP port numbers as your outgoing request (as they appear on the outside interface, that is, after any address translation) but with the source and destination values swapped. Figure 4-1 illustrates how firewalls implement stateful ACLs. In this example, the firewall is performing static source Network Address Translation (NAT), translating your client's private IP 10.1.1.5 to the registered IP 126.96.36.199. When the server responds to your TCP SYN segment, it addresses its TCP SYN-ACK response to the registered IP, so that is the destination address the temporary entry must match. The firewall in this example is configured to block all incoming traffic on interface Ethernet 0; the outgoing connection, however, creates a temporary incoming rule that permits the return traffic to the inside user.
Figure 4-1. Stateful ACL Operation
Temporary ACLs approximate stateful inspection using a temporary incoming ACL entry. To perform true stateful inspection, Cisco devices maintain entries for individual flows in state tables. You will learn about state maintenance with session filtering later in this section.
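The following simulation is an added example, not code from the original text or from Cisco; it models the mechanism the preceding paragraphs describe. An outbound TCP SYN (or any outbound UDP datagram) from the inside creates a session-table entry keyed on the translated, mirror-image 5-tuple, inbound packets are permitted only when they match such an entry, an inbound SYN without ACK is refused even when an entry exists, and UDP pseudo-connections expire after an idle timeout. For contrast it also implements the stateless check a basic extended ACL with the established keyword makes, to show that a forged inbound ACK passes that check but not the stateful one. The addresses (10.1.1.5, 203.0.113.5, 198.51.100.0/24), the 30-second UDP idle timeout and the class and function names are constructed for the example; real devices additionally validate TCP sequence numbers, which this model omits.

```python
"""Stateless 'established' filtering versus a stateful session ACL (added example)."""
import time
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP control bits, e.g. {"SYN"}; empty for UDP


def established_permits(pkt: Packet) -> bool:
    """Stateless check equivalent to an extended ACL line ending in 'established':
    permit inbound TCP whose ACK or RST bit is set. Nothing is remembered between
    packets, so a forged ACK from the outside passes this check."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


class StatefulSessionFilter:
    """Reflexive-ACL-style filter on the outside interface of a firewall doing
    static source NAT (nat maps inside private address -> registered address).
    Session entries are keyed on the outbound flow as seen on the outside."""

    UDP_IDLE_TIMEOUT = 30.0  # seconds; assumed value for the example

    def __init__(self, nat: dict, clock=time.monotonic):
        self.nat = nat
        self.un_nat = {v: k for k, v in nat.items()}
        self.clock = clock            # injectable so the timeout can be simulated
        self.sessions = {}            # (proto, src, sport, dst, dport) -> last seen

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: translate the source and record the flow so that the
        mirror-image inbound packet is permitted. All outbound traffic is allowed."""
        registered = self.nat.get(pkt.src, pkt.src)
        key = (pkt.proto, registered, pkt.sport, pkt.dst, pkt.dport)
        # Only a SYN without ACK opens a new TCP flow; other segments just refresh
        # an existing entry. UDP has no handshake, so any datagram opens an entry.
        if pkt.proto == "udp" or pkt.flags == {"SYN"} or key in self.sessions:
            self.sessions[key] = self.clock()
        return replace(pkt, src=registered)

    def inbound(self, pkt: Packet):
        """Outside -> inside: permit only the reverse of a recorded flow.
        Returns the un-NATted packet, or None when the packet is dropped."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)  # mirror image
        last = self.sessions.get(key)
        if last is None:
            return None                                  # no matching outbound flow
        if pkt.proto == "tcp" and "SYN" in pkt.flags and "ACK" not in pkt.flags:
            return None                                  # outside trying to open a connection
        if pkt.proto == "udp" and self.clock() - last > self.UDP_IDLE_TIMEOUT:
            del self.sessions[key]                       # pseudo-connection has expired
            return None
        self.sessions[key] = self.clock()
        return replace(pkt, dst=self.un_nat.get(pkt.dst, pkt.dst))


def scenario() -> dict:
    """Walk through the Figure 4-1 situation with constructed packets."""
    now = [0.0]                                           # simulated clock, in seconds
    fw = StatefulSessionFilter({"10.1.1.5": "203.0.113.5"}, clock=lambda: now[0])
    ftp_server, dns_server = "198.51.100.21", "198.51.100.53"

    # Inside client opens an FTP control connection; the reply must come back.
    out = fw.outbound(Packet("tcp", "10.1.1.5", 40000, ftp_server, 21, frozenset({"SYN"})))
    synack = fw.inbound(Packet("tcp", ftp_server, 21, out.src, 40000, frozenset({"SYN", "ACK"})))

    # The same server tries to open a connection inward: no outbound flow, dropped.
    unsolicited = fw.inbound(Packet("tcp", ftp_server, 21, out.src, 21, frozenset({"SYN"})))

    # Forged inbound ACK aimed at an internal service: passes 'established', not the table.
    forged = Packet("tcp", ftp_server, 21, out.src, 445, frozenset({"ACK"}))

    # UDP query and reply, then a late reply after the idle timeout has expired.
    fw.outbound(Packet("udp", "10.1.1.5", 5353, dns_server, 53))
    now[0] = 5.0
    udp_reply = fw.inbound(Packet("udp", dns_server, 53, out.src, 5353))
    now[0] = 100.0
    late_udp = fw.inbound(Packet("udp", dns_server, 53, out.src, 5353))

    return {
        "translated_src": out.src,
        "synack_delivered_to": None if synack is None else synack.dst,
        "unsolicited_syn_dropped": unsolicited is None,
        "forged_ack_passes_established": established_permits(forged),
        "forged_ack_passes_stateful": fw.inbound(forged) is not None,
        "udp_reply_delivered_to": None if udp_reply is None else udp_reply.dst,
        "late_udp_dropped": late_udp is None,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The session table plays the role of the temporary incoming ACL entry: the key is built from the packet's own header fields with source and destination swapped, and the lookup on the inbound side swaps them back, which is exactly why the entry has to be stored with the translated (registered) address rather than the private one.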
Cisco supports three types of stateful ACLs:
Firewall load balancing is available to you as a content networking security service. See Chapter 11, "Switching Secured Content," for more information on firewall load balancing.