Adaptive Security Algorithm
The Adaptive Security Algorithm (ASA) is a stateful approach to security. Every inbound packet is checked against the Adaptive Security Algorithm and against connection state information in memory. This stateful approach to security is regarded in the industry as being far more secure than a stateless packet screening approach.
ASA allows one-way (inside to outside) connections without an explicit configuration for each internal system and application. ASA is always in operation, monitoring return packets to ensure they are valid. It actively randomizes TCP sequence numbers to minimize the risk of a TCP sequence number attack.
ASA applies to the dynamic translation slots and static translation slots. You create static translation slots with the static command and dynamic translation slots with the global command. Collectively, both types of translation slots are referred to as "xlates." ASA follows these rules:
· No packets can traverse the PIX Firewall without a connection and state.
· Outbound connections or states are allowed, except those specifically denied by access control lists. An outbound connection is one where the originator or client is on a higher security interface than the receiver or server. The highest security interface is always the inside interface and the lowest is the outside interface. Any perimeter interfaces can have security levels between the inside and outside values.
· Inbound connections or states are denied, except those specifically allowed. An inbound connection or state is one where the originator or client is on a lower security interface/network than the receiver or server. You can apply multiple exceptions to a single xlate (translation). This lets you permit access from an arbitrary machine, network, or any host on the Internet to the host defined by the xlate.
· All ICMP packets are denied unless specifically permitted.
· All attempts to circumvent the previous rules are dropped and a message is sent to syslog.
PIX Firewall handles UDP data transfers in a manner similar to TCP. Special handling allows DNS, Archie, StreamWorks, H.323, and RealAudio to work securely. The PIX Firewall creates UDP "connection" state information when a UDP packet is sent from the inside network. Response packets resulting from this traffic are accepted if they match the connection state information. The connection state information is deleted after a short period of inactivity.
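The following is an added example, not PIX code, that models the rules listed above and the UDP handling in this paragraph as a small stateful filter: a packet that matches existing state is passed in either direction, a new flow from a higher to a lower security interface is allowed unless an access list denies it, a new flow from a lower to a higher interface is dropped unless an xlate/permit entry exists, ICMP is dropped unless permitted, and every drop is logged. The interface names and security levels, the permit and deny entries, the addresses, the 120-second UDP idle timeout, and the log message format are all constructed for the example; TCP sequence number randomization and traffic between interfaces of equal security level are not modelled (equal-level traffic is simply dropped here).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src_if: str     # interface the packet arrived on
    src_ip: str
    src_port: int   # 0 for icmp
    dst_if: str     # egress interface chosen by routing (assumed already known)
    dst_ip: str
    dst_port: int

class StatefulFirewall:
    """Toy model of ASA connection/state handling (constructed, not PIX code)."""

    def __init__(self, levels: Dict[str, int], udp_idle_timeout: float):
        self.levels = levels                    # interface name -> security level
        self.udp_idle_timeout = udp_idle_timeout
        self.inbound_permits: set = set()       # (proto, dst_ip, dst_port) allowed inbound
        self.outbound_denies: set = set()       # (proto, dst_ip, dst_port) denied outbound
        self.state: Dict[Tuple, float] = {}     # flow key -> time last seen
        self.syslog: List[str] = []             # drop messages, one per circumvention attempt

    def _key(self, pkt: Packet) -> Tuple:
        # Direction-independent key so a reply matches the state its request created.
        ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
        return (pkt.proto, ends[0], ends[1])

    def _drop(self, pkt: Packet, reason: str) -> bool:
        self.syslog.append(
            f"Deny {pkt.proto} src {pkt.src_if}:{pkt.src_ip}/{pkt.src_port} "
            f"dst {pkt.dst_if}:{pkt.dst_ip}/{pkt.dst_port} ({reason})")
        return False

    def check(self, pkt: Packet, now: float) -> bool:
        # ICMP: stateless here, denied unless specifically permitted.
        if pkt.proto == "icmp":
            if ("icmp", pkt.dst_ip, 0) in self.inbound_permits:
                return True
            return self._drop(pkt, "icmp not permitted")

        key = self._key(pkt)
        last = self.state.get(key)
        if last is not None:
            # UDP "connection" state is discarded after a period of inactivity.
            if pkt.proto == "udp" and now - last > self.udp_idle_timeout:
                del self.state[key]
            else:
                self.state[key] = now
                return True     # matches existing connection state

        src_lvl, dst_lvl = self.levels[pkt.src_if], self.levels[pkt.dst_if]
        target = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        if src_lvl > dst_lvl:           # outbound: allowed unless an ACL denies it
            if target in self.outbound_denies:
                return self._drop(pkt, "denied by outbound access list")
        elif src_lvl < dst_lvl:         # inbound: denied unless an xlate/permit exists
            if target not in self.inbound_permits:
                return self._drop(pkt, "no translation or permit for inbound connection")
        else:
            return self._drop(pkt, "equal security level (not modelled)")
        self.state[key] = now           # new connection: create state
        return True

def demo() -> dict:
    """Constructed scenario exercising each rule; returns the verdicts."""
    fw = StatefulFirewall({"inside": 100, "dmz": 50, "outside": 0}, udp_idle_timeout=120.0)
    fw.inbound_permits.add(("tcp", "192.0.2.10", 80))   # static xlate + permit for a DMZ web server
    r = {}
    r["outbound_tcp"] = fw.check(Packet("tcp", "inside", "10.0.0.5", 40001, "outside", "198.51.100.7", 443), 0.0)
    r["tcp_reply"] = fw.check(Packet("tcp", "outside", "198.51.100.7", 443, "inside", "10.0.0.5", 40001), 1.0)
    r["unsolicited_inbound"] = fw.check(Packet("tcp", "outside", "203.0.113.9", 5555, "inside", "10.0.0.5", 22), 2.0)
    r["permitted_inbound"] = fw.check(Packet("tcp", "outside", "203.0.113.9", 5556, "dmz", "192.0.2.10", 80), 3.0)
    r["outbound_udp"] = fw.check(Packet("udp", "inside", "10.0.0.5", 53000, "outside", "198.51.100.53", 53), 10.0)
    reply = Packet("udp", "outside", "198.51.100.53", 53, "inside", "10.0.0.5", 53000)
    r["udp_reply_fresh"] = fw.check(reply, 11.0)
    r["udp_reply_stale"] = fw.check(reply, 132.0)       # 121 s idle: state has expired
    r["icmp_inbound"] = fw.check(Packet("icmp", "outside", "203.0.113.9", 0, "inside", "10.0.0.5", 0), 200.0)
    r["syslog_entries"] = len(fw.syslog)
    return r

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The stale UDP reply is the case worth noting: once the idle timer has removed the state, the same packet that was accepted seconds earlier is evaluated as a new inbound connection and dropped, which is exactly why a responder that answers slowly needs either a longer timeout or an explicit permit.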