TCP Established is a criterion that a rule applies by examining the "Acknowledge" (ACK) bit in the TCP header. If the option is not checked, the rule applies to packets whose Acknowledge bit is clear (0). If the option is checked, the rule applies to packets whose Acknowledge bit is set (1).
When the Acknowledge bit in the TCP header is 0, the packet is an initial "call" to the destination: the host sending the message clears the bit (0). The host that responds to the message sets the bit (1), indicating that this message is a response. Effectively, the call is now "Established". All subsequent packets between these two hosts for this session will have the Acknowledge bit set.
For example: Suppose the Avaya Multiservice switch has interfaces to "Outside" networks as well as interfaces to "Inside" networks. The Outside networks need access to a Web server and should be denied access to any other resource within the Inside network.
Hosts on the Inside networks should have full access to all other resources on the Inside.
The Web server itself should not be able to establish any new connections to the Outside but should be able to pass traffic to the other Inside networks.
Assume the following abbreviations:
Any = Both Inside and Outside Networks
The rules for implementing the above restrictions would be as follows:
Rules 1 and 2 collectively manage Web traffic to and from the Web server (WS). Rule 1 says that any source address can reach the Web server's IP address on destination port 80. Because the TCP Established criterion is unchecked, hosts from any network can send a TCP "call setup" message as the first step in requesting a Web page.
Rule 2 says that the Web server may respond to any (TCP) Web request. Although it can send a message back to any address from any source port, only messages that are in response to a Web request will be forwarded, because TCP Established is checked and the source port criterion is specified.
Rules 3 and 4 handle traffic from the Web server that is not in response to a Web request. Rule 3 gives the Web server access to the rest of the Inside networks. Rule 4 blocks the Web server from reaching the rest of the networks (Outside).
Rule 5 gives the hosts on the Inside network access to any network.
Rule 6 blocks any other host from using resources on any of the Inside networks.
Note: In this simple example, pseudo-rules are used. In practice, the pseudo-rule "allow WS to IN" would require that you create rules that explicitly forward traffic from the Web server's IP address to each network on the Inside. If you had 30 Inside networks, you would create 30 rules. This is where a subnetted network would be powerful, because you could summarize the subnets into a few rules.
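To make the rule semantics concrete, here is an added Python model of the six pseudo-rules with first-match evaluation (example code, not Avaya's), in which the TCP Established setting is tested exactly as defined above: checked matches only packets with the Acknowledge bit set, unchecked matches only packets with it clear. The network labels IN, OUT and WS and the port numbers used are constructed; the device's default when no rule matches is not stated on this page, so the model returns None in that case.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed labels for the page's example topology (assumptions):
# "IN" = an Inside network, "OUT" = an Outside network, "WS" = the Web
# server's address, which sits on an Inside network. ANY matches everything.
ANY = "Any"

@dataclass(frozen=True)
class Packet:
    src: str        # "IN", "OUT" or "WS"
    dst: str
    src_port: int
    dst_port: int
    ack: bool       # Acknowledge bit: False = initial "call", True = established

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    src: str = ANY
    dst: str = ANY
    src_port: Optional[int] = None  # None = any port
    dst_port: Optional[int] = None
    established: bool = False       # the "TCP Established" checkbox

    def matches(self, p: Packet) -> bool:
        def net_ok(want: str, have: str) -> bool:
            # WS lives on an Inside network, so "IN" also covers WS traffic
            return want == ANY or want == have or (want == "IN" and have == "WS")
        return (net_ok(self.src, p.src) and net_ok(self.dst, p.dst)
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port)
                # checked: only ACK-set packets; unchecked: only ACK-clear packets
                and p.ack == self.established)

# The six pseudo-rules from the page, in order; the first match wins.
RULES = [
    Rule(1, "allow", dst="WS", dst_port=80),                    # Any -> WS:80, new calls
    Rule(2, "allow", src="WS", src_port=80, established=True),  # WS:80 -> Any, responses
    Rule(3, "allow", src="WS", dst="IN"),
    Rule(4, "deny", src="WS", dst="OUT"),
    Rule(5, "allow", src="IN"),
    Rule(6, "deny", dst="IN"),
]

def decide(p: Packet, rules=RULES) -> Optional[Tuple[str, int]]:
    """(action, rule number) of the first matching rule, or None when nothing
    matches; the page does not state the device's default for that case."""
    return next(((r.action, r.number) for r in rules if r.matches(p)), None)
```

The criterion inspects a single flag bit and keeps no per-connection state, so on its own it cannot confirm that a packet with the Acknowledge bit set belongs to a session an earlier rule allowed.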