Managing sessions
Overview
Session management is a common module that provides basic services for NAT, ASPF, and intrusion
detection and protection, which build their session-based services on it. Session management can be applied
for the following purposes:
• Fast match between packets and sessions
• Management of transport layer protocol states
• Identification of application layer protocols
• Session aging based on protocol states or application layer protocols
• Persistent sessions
• Special packet match for the application layer protocols requiring port negotiation
• ICMP/ICMPv6 error control packet resolution and session match based on the resolution results
Session management operation
Session management tracks the session status by inspecting the transport layer protocol information, and
updates session states, or ages out sessions according to data flows from the initiators or responders.
When a connection request passes through the device from a client to a server, the device creates a
session entry. The entry can contain the request and response information, such as the source IP address
and port number, destination IP address and port number, transport layer protocol, application layer
protocol, and protocol state of the session. For a multi-channel protocol where the client and the server
negotiate a new connection based on an existing connection to implement an application, session
management enables the device to create one or more relation entries to associate the connections with
the application. A relation entry is created during the negotiation phase and removed after it finishes its
support for the multi-channel protocol.
In actual applications, session management works together with ASPF to dynamically determine whether
a packet can pass the firewall and enter the internal network according to connection status, thus
preventing intrusion.
Session management only tracks connection status. It does not block potential attack packets.
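The session entry, relation entry and state-based aging described above, as an added illustrative Python model (not the device's code): a table keyed by the initiator-direction 5-tuple that matches packets in both directions, opens a TCP session only on a SYN unless a relation entry created during port negotiation expects the flow, and ages entries by the aging time of their current state. The state names, aging values and sample packets are constructed for this example; a packet that matches nothing is returned as None so that the pass/drop verdict stays with ASPF.

```python
from dataclasses import dataclass

# Aging time in seconds per session state (values constructed for this example,
# not the device's defaults).
AGING = {"SYN_SENT": 30, "ESTABLISHED": 3600, "CLOSING": 10, "UDP_OPEN": 60}


@dataclass
class Session:
    key: tuple          # (proto, initiator_ip, initiator_port, responder_ip, responder_port)
    state: str
    last_seen: float
    app: str = "unknown"


class SessionTable:
    def __init__(self):
        self.sessions = {}   # initiator-direction 5-tuple -> Session
        self.relations = {}  # (proto, initiator_ip, responder_ip, negotiated_port) -> app name

    @staticmethod
    def key(p):
        return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

    def expect(self, proto, initiator_ip, responder_ip, port, app):
        """Relation entry: a data channel negotiated over an existing control channel."""
        self.relations[(proto, initiator_ip, responder_ip, port)] = app

    def process(self, p, now):
        """Return the session this packet belongs to, creating one when the packet is a
        valid flow start; return None when it matches nothing (verdict left to ASPF)."""
        k = self.key(p)
        reverse = (k[0], k[3], k[4], k[1], k[2])
        s = self.sessions.get(k) or self.sessions.get(reverse)
        if s is None:
            app = self.relations.pop((k[0], k[1], k[3], k[4]), None)  # used once, then removed
            if k[0] == "tcp" and p.get("flags") != "S" and app is None:
                return None                        # mid-stream TCP packet with no session
            state = "SYN_SENT" if k[0] == "tcp" else "UDP_OPEN"
            s = self.sessions[k] = Session(k, state, now, app or "unknown")
        elif s.state == "SYN_SENT" and s.key == reverse and p.get("flags") == "SA":
            s.state = "ESTABLISHED"                # responder's SYN-ACK completes the open
        elif k[0] == "tcp" and set(p.get("flags", "")) & set("FR"):
            s.state = "CLOSING"
        s.last_seen = now
        return s

    def age_out(self, now):
        """Remove sessions idle longer than the aging time of their current state."""
        expired = [k for k, s in self.sessions.items() if now - s.last_seen > AGING[s.state]]
        for k in expired:
            del self.sessions[k]
        return len(expired)
```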
Session management functions
Session management enables the device to provide the following functions:
• Creates sessions for protocol packets, updates session states, and sets aging time for sessions in
different protocol states.
• Supports port mapping for application layer protocols (see "Configuring PBAR"), enabling
application layer protocols to use customized ports.
• Sets aging time for sessions based on application layer protocols.