Configuring ASPF; Overview; ASPF Basic Concepts - HP MSR2000 Configuration Manual

Configuring ASPF

Overview

A packet-filter firewall is a static firewall. It cannot solve the following issues:
• Predefining security policies for multi-channel application layer protocols, such as FTP.
• Detecting attacks from the transport layer and application layer, such as SYN flood.
• Preventing ICMP attacks. A packet-filter firewall cannot recognize forged ICMP error messages
  from the network.
• Permitting non-SYN packets that are the first packets over a TCP connection. For a TCP
  connection, the first packet must be a SYN packet, and any non-SYN packet that is the first
  packet seen for a TCP connection is dropped. If a packet-filter firewall is deployed in a network,
  the non-SYN packets of existing TCP connections that pass through the firewall for the first time
  are dropped, which breaks those existing TCP connections.
Advanced Stateful Packet Filter (ASPF) addresses the issues that a packet-filter firewall cannot
solve. An ASPF provides the following main functions:
• Application layer protocol inspection—ASPF checks the application layer information of packets,
  such as the protocol type and port number, and monitors the application layer protocol status for
  each connection. ASPF maintains the status information of each connection and, based on that
  status information, determines whether to permit a packet to pass through the firewall into the
  internal network, thus defending the internal network against attacks.
• Transport layer protocol inspection (generic TCP and UDP inspection)—ASPF checks a TCP/UDP
  packet's source and destination addresses and port numbers to determine whether to permit the
  packet to pass through the firewall into the internal network.
• ICMP error message inspection—ASPF checks the connection information carried in an ICMP error
  message. If the information does not match an existing connection, the ASPF processes the packet
  as configured, for example, it discards the packet.
• First packet inspection for TCP connections—ASPF checks the first packet over a TCP connection.
  If the packet is not a SYN packet, the ASPF permits or discards the packet as configured.
At the border of a network, an ASPF can work together with a packet-filter firewall to provide the
network with a security policy that is more comprehensive and better matches actual needs. The
packet-filter firewall permits or denies packets according to ACL rules. The ASPF records information
about the permitted packets so that their return packets can pass through the packet-filter firewall.
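To make the state tracking concrete, the following is an added Python model of the checks described above; it is not code from the HP manual or the MSR2000 software. It records permitted outbound sessions so their return packets can pass, applies first-packet SYN inspection, and validates an ICMP error message against the session its embedded header refers to. The class and method names, the two policy switches and all addresses and ports are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

Key = Tuple[str, str, str, int, int]  # (proto, src, dst, sport, dport)


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False            # TCP SYN flag
    inner: Optional[Key] = None  # ICMP error only: header of the packet that triggered it


class Aspf:
    """Toy ASPF (hypothetical): records permitted outbound sessions, checks return traffic."""

    def __init__(self, permit_non_syn_first: bool = False, permit_bad_icmp: bool = False):
        self.permit_non_syn_first = permit_non_syn_first  # first-packet inspection policy
        self.permit_bad_icmp = permit_bad_icmp            # ICMP error inspection policy
        self.sessions: Set[Key] = set()                   # outbound 5-tuples seen so far

    def outbound(self, pkt: Packet) -> bool:
        """Internal -> external. Returns True if the packet is permitted."""
        key: Key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if pkt.proto == "tcp" and key not in self.sessions and not pkt.syn:
            # First packet of a TCP connection without SYN: permit or drop as configured.
            return self.permit_non_syn_first
        self.sessions.add(key)  # remember the session so its return packets can pass
        return True

    def inbound(self, pkt: Packet) -> bool:
        """External -> internal. Only return traffic of a recorded session gets through."""
        if pkt.proto == "icmp":
            if pkt.inner is None:
                return False  # not an error message, so there is no session to match
            # The embedded header must describe a packet that really went out.
            return pkt.inner in self.sessions or self.permit_bad_icmp
        reverse: Key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return reverse in self.sessions


if __name__ == "__main__":
    # Constructed sample: a client SYN goes out, the SYN-ACK is allowed back.
    fw = Aspf()
    print(fw.outbound(Packet("tcp", "10.0.0.5", "203.0.113.7", 40000, 80, syn=True)))
    print(fw.inbound(Packet("tcp", "203.0.113.7", "10.0.0.5", 80, 40000, syn=True)))
```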

ASPF basic concepts

Single-channel protocol and multi-channel protocol
• Single-channel protocol—A single-channel protocol establishes only one connection to
  exchange both control messages and data for a user. SMTP and HTTP are examples of
  single-channel protocols.