HP 6600 Security Configuration Manual page 452

ASPF functions
An ASPF provides the following main functions:
Application layer protocol inspection—ASPF checks the application layer information of packets,
such as the protocol type and port number, and monitors the connection-oriented application layer
protocol status. ASPF maintains the status information of each connection, and based on such
information, determines whether to permit a packet to pass through the firewall into the internal
network, thus defending the internal network against attacks.
Transport layer protocol inspection (generic TCP and UDP inspection)—ASPF checks a TCP/UDP
packet's source and destination addresses and port numbers to determine whether to permit the
packet to pass through the firewall into the internal network.
Java blocking—ASPF inspects the contents of application layer packets and performs Java blocking
for untrusted sites, protecting the network against malicious Java applets.
Enhanced session logging—ASPF can record the information of each connection, including the
duration, source and destination addresses and port numbers of the connection, and number of
bytes transmitted.
Port to Application Mapping (PAM)—Allows you to specify port numbers other than the standard
ones for application layer protocols.
ICMP error message inspection—ASPF checks the connection information carried in an ICMP error
message. If the information does not match the connection, the ASPF processes the packet as
configured, for example, it discards the packet.
First packet inspection for TCP connection—ASPF checks the first packet over a TCP connection. If
the first packet over a TCP connection is not a SYN packet, the ASPF will discard the packet.
At the border of a network, an ASPF can work in coordination with a packet-filter firewall to provide a
more comprehensive security policy that better matches the network's actual needs.
Basic concepts of ASPF
Java blocking
Java blocking is a feature for blocking malicious Java applets transported over HTTP. With the Java
blocking feature enabled, when a user requests a Web page containing Java applets, the ASPF
inspects the HTTP response and blocks the Java applets it carries.
PAM
Application layer protocols normally communicate on their standard port numbers. PAM allows you
to define a set of new port numbers for different applications, and provides mechanisms to
maintain and use the configuration information of user-defined ports.
PAM supports two types of port mapping mechanisms: general port mapping and host port
mapping.
General port mapping—A mapping of a user-defined port number to an application layer
protocol. If port 8080 is mapped to HTTP, for example, all TCP packets to port 8080 are
regarded as HTTP packets.
Host port mapping—A mapping of a user-defined port number to an application layer protocol
for packets to/from specific hosts. For example, you can establish a host port mapping so that
all TCP packets using 8080 as the destination port and 10.110.0.0/16 as the destination
network segment are regarded as HTTP packets. The hosts can be specified by means of a basic
ACL.
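The following Python model, added here as an illustration and not part of the HP manual or the Comware implementation, shows how three of the ASPF functions listed above fit together: first-packet (SYN) inspection for new TCP connections, ICMP error message inspection against the connection table, and PAM with both general and host port mappings. All addresses, port numbers and the PortMapper/Aspf names are constructed for the example; a CIDR network stands in for the basic ACL the manual uses to select hosts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""                   # TCP flags as letters: "S" SYN, "A" ACK, "SA" SYN+ACK
    inner: Optional["Packet"] = None  # ICMP error only: header of the packet that triggered it


class PortMapper:
    """PAM. Host mappings (port + destination network) are checked before general
    mappings, and both before the standard port table."""

    STANDARD = {80: "http", 21: "ftp", 25: "smtp", 53: "dns"}

    def __init__(self):
        self.general = {}   # port -> application
        self.host = []      # (port, network, application)

    def map_general(self, port, app):
        self.general[port] = app

    def map_host(self, port, network, app):
        # Comware selects the hosts with a basic ACL; a CIDR network stands in for it here (assumption).
        self.host.append((port, ip_network(network), app))

    def application(self, pkt):
        for port, net, app in self.host:
            if pkt.dport == port and ip_address(pkt.dst) in net:
                return app
        return self.general.get(pkt.dport, self.STANDARD.get(pkt.dport))


class Aspf:
    """Tracks sessions opened from the internal network; admits inbound packets only for known sessions."""

    def __init__(self, pam):
        self.pam = pam
        self.sessions = set()  # (proto, src, sport, dst, dport) of outbound sessions
        self.log = []          # enhanced session log: (session key, application)

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def outbound(self, pkt):
        """Internal -> external. A new TCP session must open with a bare SYN."""
        key = self._key(pkt)
        if key not in self.sessions:
            if pkt.proto == "tcp" and pkt.flags != "S":
                return "drop: first packet of TCP connection is not SYN"
            self.sessions.add(key)
            self.log.append((key, self.pam.application(pkt)))
        return "permit"

    def inbound(self, pkt):
        """External -> internal. ICMP errors are matched on the header they quote."""
        if pkt.proto == "icmp":
            if pkt.inner is None or self._key(pkt.inner) not in self.sessions:
                return "drop: ICMP error does not match any session"
            return "permit"
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_of in self.sessions:
            return "permit"
        return "drop: no session for inbound packet"


def demo():
    """Constructed traffic exercising each check; returns the verdicts."""
    pam = PortMapper()
    pam.map_general(8080, "http")                 # general port mapping
    pam.map_host(3128, "10.110.0.0/16", "http")   # host port mapping for one segment
    fw = Aspf(pam)
    syn = Packet("tcp", "10.110.1.2", "203.0.113.9", 40000, 8080, "S")
    stray_ack = Packet("tcp", "10.110.1.2", "203.0.113.9", 40001, 443, "A")
    syn_ack = Packet("tcp", "203.0.113.9", "10.110.1.2", 8080, 40000, "SA")
    unsolicited = Packet("tcp", "203.0.113.9", "10.110.1.2", 8080, 40001, "SA")
    good_icmp = Packet("icmp", "203.0.113.9", "10.110.1.2", inner=syn)
    bad_icmp = Packet("icmp", "203.0.113.9", "10.110.1.2", inner=stray_ack)
    return {
        "syn": fw.outbound(syn),
        "stray_ack": fw.outbound(stray_ack),
        "syn_ack": fw.inbound(syn_ack),
        "unsolicited": fw.inbound(unsolicited),
        "good_icmp": fw.inbound(good_icmp),
        "bad_icmp": fw.inbound(bad_icmp),
        "app_8080": pam.application(syn),
        "app_3128_in_segment": pam.application(Packet("tcp", "10.110.1.2", "10.110.7.7", 40002, 3128, "S")),
        "app_3128_elsewhere": pam.application(Packet("tcp", "10.110.1.2", "203.0.113.9", 40003, 3128, "S")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The stray ACK is dropped even though it is outbound, because no session exists and the first packet is not a SYN; the ICMP error quoting that dropped packet is then rejected as well, since it references no known session. Port 3128 is treated as HTTP only towards the 10.110.0.0/16 segment, while port 8080 is HTTP everywhere.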
Single-channel protocol and multi-channel protocol