Managing Sessions; Overview; Session Management Operation; Session Management Functions - HP VSR1000 Security Configuration Manual

Managing sessions

Overview

Session management is a common module that provides basic services for NAT, ASPF, and intrusion detection and protection to implement their session-based services. Session management can be applied for the following purposes:

- Fast match between packets and sessions
- Management of transport layer protocol states
- Identification of application layer protocols
- Session aging based on protocol states or application layer protocols
- Persistent sessions
- Special packet match for the application layer protocols requiring port negotiation
- ICMP/ICMPv6 error control packet resolution and session match based on the resolution results

Session management operation

Session management tracks session status by inspecting the transport layer protocol information, and it updates session states or ages out sessions according to the data flows from the initiators or responders.

When a connection request passes through the device from a client to a server, the device creates a session entry. The entry can contain the request and response information, such as:

- Source IP address and port number.
- Destination IP address and port number.
- Transport layer protocol.
- Application layer protocol.
- Protocol state of the session.

With a multi-channel protocol, the client and the server might negotiate a new connection based on an existing connection to implement an application. For such a protocol, session management enables the device to create one or more relation entries to associate the connections with the application. A relation entry is created during the negotiation phase and removed after it finishes its support for the multi-channel protocol.

In actual applications, session management works with ASPF to dynamically determine, according to connection status, whether a packet can pass the firewall and enter the internal network, thus preventing intrusion.

Session management only tracks connection status. It does not block potential attack packets.
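
The following sketch is an added example, not code from the HP manual or the VSR1000. It models a session table with the entry fields listed above, bidirectional packet match, TCP state tracking, and a relation entry for a negotiated connection. The class and method names, the flag strings, the state names, the FTP port mapping, and removing a relation entry on first use are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Session:
    src: tuple   # (IP address, port) of the initiator
    dst: tuple   # (IP address, port) of the responder
    proto: str   # transport layer protocol
    app: str     # application layer protocol
    state: str   # protocol state of the session

# Constructed port-to-application map (assumption; real identification is richer).
APPS = {21: "ftp"}
# TCP handshake: (current state, sender is initiator, flags) -> next state
TCP_NEXT = {("SYN_SENT", False, "SA"): "SYN_RCVD",
            ("SYN_RCVD", True, "A"): "ESTABLISHED"}

class SessionTable:
    def __init__(self):
        self.sessions = {}   # (proto, src, dst) -> Session, one key per direction
        self.relations = {}  # (proto, dst) -> application of the negotiating session

    def expect(self, proto, dst, app):
        """Create a relation entry while a control connection negotiates a new one."""
        self.relations[(proto, dst)] = app

    def packet(self, proto, src, dst, flags=""):
        """Match a packet to its session; create an entry only for a new request."""
        s = self.sessions.get((proto, src, dst))
        if s is None:
            if proto == "tcp" and flags != "S":
                return None  # no session and not a connection request: nothing to track
            # Simplification: the relation entry is removed by the first match.
            app = self.relations.pop((proto, dst), None) or APPS.get(dst[1], "unknown")
            s = Session(src, dst, proto, app, "SYN_SENT" if proto == "tcp" else "OPEN")
            self.sessions[(proto, src, dst)] = s  # initiator to responder
            self.sessions[(proto, dst, src)] = s  # responder to initiator
        elif proto == "tcp":
            if "R" in flags or "F" in flags:
                s.state = "CLOSED"  # simplification: removed at once, no aging timer
                del self.sessions[(proto, s.src, s.dst)]
                del self.sessions[(proto, s.dst, s.src)]
            else:
                s.state = TCP_NEXT.get((s.state, src == s.src, flags), s.state)
        return s
```

`packet()` returns the tracked session or `None`. It makes no forwarding decision, in line with the statement above that session management only tracks connection status.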

Session management functions

Session management enables the device to provide the following functions: