Configuring ASPF; Overview; ASPF Basic Concepts - HP MSR Series Configuration Manual

HPE FlexNetwork MSR Router Series
Configuring ASPF

Overview

Advanced Stateful Packet Filter (ASPF) is proposed to address the issues that a packet-filter firewall cannot solve. An ASPF provides the following main functions:
• Application layer protocol inspection—ASPF checks the application layer information of packets, such as the protocol type and port number, and inspects the application layer protocol status for each connection. ASPF maintains the status information of each connection and, based on that status information, determines whether to permit a packet to pass through the firewall into the internal network. In this way, ASPF defends the internal network against attacks.
• Transport layer protocol inspection (generic TCP and UDP inspection)—ASPF checks a TCP/UDP packet's source and destination addresses and port numbers to determine whether to permit the packet to pass through the firewall into the internal network.
• ICMP error message check—ASPF inspects the connection information carried in an ICMP error message. If the information does not match the connection, ASPF drops the packet.
• TCP SYN check—ASPF checks the first packet of a TCP connection to determine whether it is a SYN packet. If it is not a SYN packet, ASPF drops the packet. When a router attached to the network starts up, the first packet it receives for an existing TCP connection can be a non-SYN packet. If you do not want to interrupt the existing TCP connection, you can disable the TCP SYN check, so that the router allows a non-SYN packet to pass as the first packet of a TCP connection. After the network topology becomes stable, you can enable TCP SYN check again.
At the border of a network, ASPF can work with a packet-filter firewall to provide the network with a more comprehensive security policy that better meets the actual needs. The packet-filter firewall permits or denies packets according to ACL rules. The ASPF records information about the permitted packets to ensure that their return packets can pass through the packet-filter firewall.

ASPF basic concepts

Single-channel protocol and multichannel protocol
• Single-channel protocol—A single-channel protocol establishes only one connection to exchange both control messages and data for a user. SMTP and HTTP are examples of single-channel protocols.
• Multichannel protocol—A multichannel protocol establishes more than one connection for a user and transfers control messages and user data through different connections. FTP is one example of a multichannel protocol.
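The following is an added illustration, not HPE or Comware code, of the decisions the Overview and the multichannel-protocol description above ascribe to ASPF: the TCP SYN check on a flow's first packet, admission of return traffic for recorded sessions, validation of an ICMP error against the session table, and application-layer inspection of the FTP control channel so that the server-initiated data connection of this multichannel protocol can pass without a static ACL entry. Packets are modelled as plain dicts, the addresses are constructed, and only active-mode FTP (the PORT command) is handled, because that is the case where a stateless inbound filter would block the data channel.

```python
"""Toy ASPF-style stateful filter (added example; assumed packet model)."""
import re
from dataclasses import dataclass, field

# FTP active mode: "PORT h1,h2,h3,h4,p1,p2" announces client_ip:p1*256+p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)


def key(p):
    """5-tuple of a packet in the direction it was sent."""
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])


def reverse(p):
    """5-tuple the same packet would have if it were the reply direction."""
    return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])


@dataclass
class Aspf:
    syn_check: bool = True                      # the manual's TCP SYN check switch
    sessions: set = field(default_factory=set)  # outbound 5-tuples of permitted flows
    pinholes: set = field(default_factory=set)  # (proto, client_ip, client_port) from PORT

    def outbound(self, p):
        """Internal -> external: record the flow, inspect FTP control data."""
        k = key(p)
        if p["proto"] == "tcp" and k not in self.sessions:
            if self.syn_check and "SYN" not in p.get("flags", ()):
                return "drop: first packet of TCP flow is not a SYN"
        if p["proto"] == "tcp" and p["dport"] == 21:
            m = PORT_RE.match(p.get("payload", ""))
            if m:
                h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                # Client announced where the server must connect back to;
                # open a one-shot pinhole for exactly that SYN.
                self.pinholes.add(("tcp", f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
        self.sessions.add(k)
        return "permit"

    def inbound(self, p):
        """External -> internal: permit only what matches recorded state."""
        if p["proto"] == "icmp":
            # An ICMP error quotes the datagram that triggered it ('inner');
            # that datagram must belong to a session seen leaving the network.
            if key(p["inner"]) in self.sessions:
                return "permit: ICMP error matches a known connection"
            return "drop: ICMP error does not match any connection"
        if reverse(p) in self.sessions:
            return "permit: return traffic of a known session"
        hole = (p["proto"], p["dst"], p["dport"])
        if hole in self.pinholes and "SYN" in p.get("flags", ()):
            self.pinholes.discard(hole)
            self.sessions.add(reverse(p))   # rest of the data channel now matches
            return "permit: FTP data channel announced by PORT"
        return "drop: no matching session"


def demo():
    """Walk the scenarios from the text on constructed packets; returns the decisions."""
    f = Aspf()
    client, server = "10.0.0.5", "203.0.113.10"   # constructed addresses
    ctl = dict(proto="tcp", src=client, sport=40000, dst=server, dport=21)
    out = []
    out.append(f.outbound({**ctl, "flags": ("ACK",)}))            # non-SYN first packet
    out.append(f.outbound({**ctl, "flags": ("SYN",)}))            # proper handshake start
    out.append(f.inbound(dict(proto="tcp", src=server, sport=21, dst=client,
                              dport=40000, flags=("SYN", "ACK"))))
    out.append(f.outbound({**ctl, "flags": ("ACK",),
                           "payload": "PORT 10,0,0,5,156,66\r\n"}))  # 156*256+66 = 40002
    out.append(f.inbound(dict(proto="tcp", src=server, sport=20, dst=client,
                              dport=40002, flags=("SYN",))))      # announced data channel
    out.append(f.inbound(dict(proto="tcp", src=server, sport=20, dst=client,
                              dport=40003, flags=("SYN",))))      # never announced
    udp = dict(proto="udp", src=client, sport=5000, dst=server, dport=53)
    f.outbound(udp)
    out.append(f.inbound(dict(proto="icmp", src="198.51.100.1", dst=client, inner=udp)))
    out.append(f.inbound(dict(proto="icmp", src="198.51.100.1", dst=client,
                              inner={**udp, "dport": 123})))       # quotes unknown flow
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Disabling the SYN check, as the text suggests for a router that starts up in the middle of existing connections, is `Aspf(syn_check=False)`: an outbound ACK is then accepted as the first packet of a flow and recorded as a session.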
Internal interface and external interface
On an edge device configured with ASPF to protect hosts and servers on the internal network, the interfaces on the device are divided into internal interfaces and external interfaces:
• Internal interfaces—Interfaces connected to the internal network.
• External interfaces—Interfaces connected to the external network.
To protect the internal network, you can apply an ASPF in the outbound direction of the external interfaces or in the inbound direction of the internal interfaces of the device.
Zone pair
A zone pair specifies the source zone and destination zone of a traffic flow to be inspected:
• Source zone—A security zone from which the first packet of a traffic flow originates.