Chapter 10 Firewalls 167Nortel Business Secure Router 222 Configuration — BasicsAfter the Business Secure Router receives any subsequent packet (from theInternet or from the LAN), its connection information is extracted and checkedagainst the cache. A packet is only allowed to pass through if it corresponds to avalid connection (that is, if it is a response to a connection that originated on theLAN).UDP/ICMP securityUDP and ICMP do not contain any connection information (such as sequencenumbers). However, at the very minimum, they contain an IP address pair (sourceand destination). UDP also contains port pairs, and ICMP has type and codeinformation. All of this data can be analyzed in order to build virtual connectionsin the cache.For instance, any UDP packet that originates on the LAN creates a cache entry. ItsIP address and port pairs are stored. For a short period of time, UDP packets fromthe WAN that have matching IP and UDP information are allowed back in throughthe firewall.A similar situation exists for ICMP, except that the Business Secure Router iseven more restrictive. Specifically, only outgoing echoes allow incoming echoreplies, outgoing address mask requests allow incoming address mask replies, andoutgoing timestamp requests allow incoming timestamp replies. No other ICMPpackets are allowed in through the firewall, simply because they are toodangerous and contain too little tracking information. For instance, ICMP redirectpackets are never allowed in, since they can be used to reroute traffic throughattacking machines.Upper layer protocolsSome higher layer protocols (such as FTP and RealAudio) utilize multiplenetwork connections simultaneously. In general terms, they usually have a controlconnection, which is used for sending commands between endpoints, and thendata connections, which are used for transmitting bulk information.