ASPF

A packet filtering firewall is a static firewall. It cannot solve the following issues:
• For multi-channel application layer protocols, such as FTP and H.323, the values of some security policy parameters (for example, the data-channel port) are unpredictable.
• Some attacks from the transport layer and application layer, such as TCP SYN flooding and malicious Java applets, cannot be detected.
• ICMP attacks cannot be prevented, because some faked ICMP error messages from the network cannot be recognized.
• For a TCP connection, the first packet must be a SYN packet, and any non-SYN packet that is the first packet seen on a TCP connection is dropped. If a packet filtering firewall is deployed in a network, the non-SYN packets of existing TCP connections that pass through the firewall for the first time are dropped, breaking those connections.
ASPF was proposed to address these issues. An ASPF implements application layer and transport layer specific, namely status-based (stateful), packet filtering. An ASPF can detect the application layer protocols FTP, GTP, HTTP, SMTP, RTSP, SCCP, SIP, and H.323 (Q.931, H.245, and RTP/RTCP), and the transport layer protocols TCP and UDP.
ASPF functions
An ASPF provides the following main functions:
• An ASPF can check the application layer information of packets, such as the protocol type and port number, and monitor the status of connection-oriented application layer protocols. It maintains the status information of each connection and, based on that information, determines whether to permit a packet to go through the firewall into the internal network, thus defending the internal network against attacks.
• An ASPF supports transport layer protocol information detection, namely general TCP and UDP detection. It determines whether to permit a TCP/UDP packet to pass through the firewall into the internal network based on the packet's source and destination addresses and port numbers.
Other functions of an ASPF:
• In addition to filtering packets based on connection status, an ASPF can inspect the contents of application layer packets and perform Java blocking for untrusted sites, protecting the network against malicious Java applets.
• An ASPF supports enhanced session logging. It can record the information of each connection, including the duration, the source and destination addresses and port numbers, and the number of bytes transmitted.
• An ASPF supports PAM (port mapping), allowing you to specify port numbers other than the standard ones for application layer protocols.
• An ASPF supports ICMP error message inspection. A normal ICMP error message carries information about the connection it refers to. If that information does not match any connection, the ASPF takes the configured action, for example discarding the packet.
• An ASPF supports first packet inspection for TCP connections. If the first packet over a TCP connection is not a SYN packet, the ASPF takes the configured action, for example discarding the packet.
At the border of a network, an ASPF can work in coordination with a packet filtering firewall to provide
the network with a security policy that is more comprehensive and better satisfies the actual needs.
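The following Python model is an added illustration, not code from the A6600 manual or from the vendor's ASPF implementation. It shows, in one small simulation, the behaviours the "ASPF functions" list describes: a per-connection session table keyed on addresses and ports, first-packet SYN inspection for TCP, ICMP error inspection against that table, a PAM-style port-to-application map with a non-standard HTTP port, and an enhanced session log with duration and byte counts. All packets, addresses, ports and the PAM table are constructed for the example; session close on a single FIN and the fixed timeouts are simplifications of what a real ASPF does.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed PAM table (application -> ports). 8080 stands in for a
# non-standard HTTP port an operator has declared through port mapping.
PAM = {"ftp": {21}, "http": {80, 8080}, "smtp": {25}, "sip": {5060}}

TCP_CLOSE_FLAGS = {"R", "F"}   # RST or FIN ends the session in this toy model


@dataclass
class Packet:
    direction: str                     # "out" = from internal network, "in" = from outside
    proto: str                         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""                    # TCP flag letters, e.g. "S", "SA", "A", "FA", "R"
    length: int = 0
    ts: float = 0.0
    inner: Optional["Packet"] = None   # ICMP error: the quoted header of the original packet


@dataset_placeholder = None  # (unused; keeps dataclass block readable)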
346

Advertisement

Table of Contents
loading

Table of Contents