As I wrote in an earlier post I often find a Cisco security feature “interesting” if it represents something that originated some time ago and recently saw a rebirth or resurgence of emphasis. One such command was the ASA (and originally on the PIX) shun command which we’ll focus on here.
Although this command first appeared in very early PIX firewall code (OS 4.0), we didn’t see its final form until the next revision (4.2). Here’s what appears straight from the version 4.2 command reference:
Allow or disallow return connections based on an established connection. (Configuration mode.)
established protocol dst_port_1 [permitto protocol [dst_port_2[-dst_port_2]]] [permitfrom protocol [src_port[-src_port]]]
Now from a more recent ASA command reference (OS8.2) :
established est_protocol dest_port [source_port] [permitto protocol port [-port]] [permitfrom protocol port[-port]]
Obviously the command hasn’t changed much in more than ten years (OS4.2 was released by 2009). The command’s purpose is to allow the administrator to provide support for applications that don’t have a “built-in” inspection engine. As you probably already know, the “inspect ftp” default, for example, allows the auxiliary data connection in either active or passive mode through the firewall once a control connection is established. The above command extends this behavior further by allowing auxiliary UDP and/or TCP ports once there’s an initial connection to designated port.
As the Cert Advisory and Common Vulnerabilities and Exploits established commands indicate, there was a period of time early in the history of this command when some known vulnerabilities with its implementation were published; however, these were associated with a now-defunct conduit command (implemented only on the PIX). Nonetheless, as the 8.2 Command Reference indicates, special care should be taken to ensure that established is implemented along with the permitto and/or permitfrom arguments. The sample command “established tcp 4000 0” allows ALL ip traffic to traverse the firewall once a TCP connection exists to port 4000. The number 0 here is obviously a wildcard.
Now that I briefly discussed the history and caveats concerning its use, I can say from a recommended practice standpoint (taught in today’s training classes) that Cisco Systems endorses the use of the established command in place of alternatives such as static access lists. Since this command targets customized application ports with known port behavior (i.e. a set of sequenced conditions), using an access-list to unconditionally allow any source IP address to use the additional ports would be indeed foolish.