Protocols and Applications


Routing Information Protocol

The firewall's RIP support includes keyed MD5 authentication. The firewall only listens for RIP updates in passive mode and/or broadcasts a default route. It follows the Cisco IOS software implementation, which conforms to RFC 1058, RFC 1388, and RFC 2082 (RIPv2 with plain-text and keyed MD5 authentication). The firewall supports one key and one key ID per interface. The key has an infinite lifetime, so for best security you should change it every two weeks or sooner.

Changing the configuration over Telnet may expose the key and key ID on the network, because the Telnet session is not encrypted.
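To show what the keyed MD5 authentication of RFC 2082 referenced above actually protects, the following Python is an added example (not code from the firewall or its vendor) that builds a RIPv2 response carrying a default route with an authentication entry and digest trailer, then verifies it with the key selected by key ID. The key, key ID, sequence number and routes are constructed sample values.

```python
import hashlib
import hmac
import struct
from socket import inet_aton

AF_AUTH = 0xFFFF          # AFI value marking an authentication entry (RFC 2082)
AUTH_TYPE_KEYED_MD5 = 3   # AuType for the keyed message digest entry
AUTH_TYPE_TRAILER = 1     # AuType marking the digest trailer

def _pad_key(key):
    # RFC 2082 keys are at most 16 bytes; shorter keys are padded with trailing zeros
    if len(key) > 16:
        raise ValueError("RFC 2082 keys are at most 16 bytes")
    return key.ljust(16, b"\x00")

def build_rip2_md5(routes, key_id, seq, key, command=2):
    """Build a RIPv2 message (command 2 = response) with RFC 2082 keyed MD5 auth."""
    header = struct.pack("!BBH", command, 2, 0)  # command, version 2, unused
    # route entries: AFI=2 (IP), route tag, prefix, mask, next hop (0 = sender), metric
    entries = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0, inet_aton(p), inet_aton(m), inet_aton("0.0.0.0"), met)
        for p, m, met in routes)
    # "RIP-2 Packet Length" is the offset of the trailer from the start of the header
    length = len(header) + 20 + len(entries)
    auth = struct.pack("!HHHBBI8x", AF_AUTH, AUTH_TYPE_KEYED_MD5, length, key_id, 16, seq)
    trailer = struct.pack("!HH", AF_AUTH, AUTH_TYPE_TRAILER)
    # digest = MD5(message through the trailer header || key padded to 16 bytes)
    digest = hashlib.md5(header + auth + entries + trailer + _pad_key(key)).digest()
    return header + auth + entries + trailer + digest

def verify_rip2_md5(pkt, keys, last_seq):
    """Check the digest using the key selected by key ID; returns (ok, reason)."""
    if len(pkt) < 4 + 20 + 4 + 16:
        return False, "too short"
    afi, atype, length, key_id, dlen, seq = struct.unpack("!HHHBBI", pkt[4:16])
    if afi != AF_AUTH or atype != AUTH_TYPE_KEYED_MD5 or dlen != 16:
        return False, "not keyed-MD5 authenticated"
    trailer = struct.pack("!HH", AF_AUTH, AUTH_TYPE_TRAILER)
    if length + 4 + 16 != len(pkt) or pkt[length:length + 4] != trailer:
        return False, "bad length or trailer"
    key = keys.get(key_id)           # one key per key ID, as on a firewall interface
    if key is None:
        return False, "unknown key id"
    expected = hashlib.md5(pkt[:length + 4] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, pkt[length + 4:]):
        return False, "digest mismatch"
    if seq < last_seq:               # RFC 2082 sequence numbers are non-decreasing
        return False, "replayed sequence number"
    return True, "ok"
```

The digest is plain MD5 over the message with the key appended (not an HMAC), so anyone who learns the key and key ID, for instance from an unencrypted Telnet session, can produce updates the receiver accepts; that is the exposure the Telnet note above warns about.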


Configurable Proxy Pinging

The Configurable Proxy Pinging feature lets you control ICMP access to firewall interfaces. This feature shields firewall interfaces from detection by users on an external network.

Permit the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic.


Mail Guard

The Mail Guard feature provides safe access for Simple Mail Transfer Protocol (SMTP) connections from the outside to an inside messaging server. It allows a single mail server to be deployed within the internal network without exposing it to known security problems in some SMTP server implementations, and it avoids the need for an external mail relay (or bastion host) system. Mail Guard enforces a safe minimal set of SMTP commands to prevent the SMTP server from being compromised. This feature also logs all SMTP connections.


Supported Multimedia Applications

Users increasingly make use of a wide range of multimedia applications, many of which require special handling in a firewall environment. The firewall handles these without requiring client reconfiguration and without becoming a performance bottleneck. The specific multimedia applications supported by the firewall include the following:

  • RealAudio
  • Streamworks
  • CU-SeeMe
  • Internet Phone
  • IRC
  • Vxtreme
  • VDO Live

Support for specific protocols can be disabled using access-lists if required.


RAS Version 2

The Registration, Admission, and Status (RAS) protocol is required by multimedia applications such as video conferencing and Voice over IP that require video and audio encoding. A RAS channel carries bandwidth change, registration, admission, and status messages (following the recommendations in H.225) between endpoints and gatekeepers. Multimedia applications use a large number of dynamically negotiated data and control channels to handle the various visual and auditory streams.


RTSP

The firewall allows the secure forwarding of Real Time Streaming Protocol (RTSP) packets. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. This feature lets the firewall handle multimedia applications including Cisco IP/TV connections.

The firewall does not yet have the ability to recognize HTTP cloaking, where an RTSP message is hidden within an HTTP message. Also, RTSP is not supported with NAT.


Cisco IP Telephony

Cisco IP Telephony allows the integration of VoIP (Voice over IP) networks and Public Switched Telephone Networks (PSTN). The transmission of voice traffic between internal and external voice networks requires support for the following protocols:

  1. H.323

    The firewall supports the secure use of H.323 Version 2. H.323 is a suite of protocols defined by the International Telecommunication Union (ITU) for multimedia conferences over LANs. Some of the features provided include:

    • Fast Connect or Fast Start Procedure for faster call setup

    • H.245 tunneling for resource conservation, call synchronization, and reduced set up time

    • Call redirection

    • Conferencing—The conference is not established until both endpoints agree to participate

  2. SIP

    The Session Initiation Protocol (SIP) enables call handling sessions—particularly two-party audio conferences, or "calls." The firewall supports SIP VoIP gateways and VoIP proxy servers. It also supports SDP, which is used to define the dynamically allocated UDP ports.


NETBIOS over IP

The firewall supports NETBIOS over IP connections from the internal network to the external network. This allows Microsoft client systems on the internal network, possibly using NAT, to access servers, such as Windows NT, located on the external network. This allows security policies to encompass Microsoft environments across the Internet and inside an intranet. It allows the use of access controls native to the Microsoft environment.