HP 6600 Security Configuration Manual page 453

Single-channel protocol—A single-channel protocol establishes only one channel to exchange
both control messages and data for a user. SMTP and HTTP are examples of single-channel
protocols.
Multi-channel protocol—A multi-channel protocol establishes more than one channel for a user
and transfers control messages and user data through different channels. FTP and RTSP are
examples of multi-channel protocols.
Internal interface and external interface
On an edge device configured with ASPF to protect servers on the internal network, interfaces
connected with the internal network are internal interfaces and the interface connected with the
Internet is the external interface.
When an ASPF is applied on the outbound direction of the external interface of a device, a
temporary channel can be opened on the firewall for return packets to internal network users
accessing the Internet.
Application layer protocol inspection
As shown in Figure 225, to protect the internal network, an ACL is usually required on the router to permit
internal hosts to access external networks while prohibiting hosts on external networks from accessing the
internal network. However, the ACL also filters out the return packets to internal users, so their
connection setup attempts fail.
Figure 225 Application layer protocol inspection
[Figure 225: Client A on the protected network initiates a session through the router to a server on the
WAN. Return packets of that session are permitted to pass, while packets of other sessions, such as
those from Client B, are blocked.]
ASPF implements the application layer protocol inspection function in cooperation with the session
management and ALG features. After detecting the first packet of a session, ASPF matches the packet
with the configured policy and sends the result to the session management feature, which is responsible
for session information database establishment and session status maintenance. Then, the ASPF
processes subsequent packets of the session based on session status information returned by the session
management feature.
For information about session management, see "Managing sessions." For information about ALG, see
"Configuring ALG."
Basic idea of transport layer protocol inspection
The transport layer protocol inspection here refers to generic TCP and UDP inspection. Different from
application layer protocol inspection, generic TCP and UDP inspection looks only at the transport layer
information in the packets, namely the source and destination addresses and port numbers. Generic TCP and
UDP inspection requires a full match between a packet returned to the external interface of the ASPF
and a packet previously sent out from that external interface: the source and destination addresses and
port numbers must all match (with source and destination swapped). Otherwise, the return packet is blocked.
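The following is an added example, not code from the HP manual or from the Comware software, that models the behaviour described in this section and in the Figure 225 discussion above. It contrasts the stateless ACL of Figure 225 (which also drops return traffic) with ASPF generic TCP/UDP inspection, which records the 5-tuple of each outbound packet and admits an inbound packet only when it is the exact reverse of a recorded session. The protected network 10.1.1.0/24, the hosts, and the traffic are constructed for the example. The last case, an FTP active-mode data connection arriving from server port 20, shows why generic inspection alone is not enough for a multi-channel protocol: its ports do not match the control session, so it is blocked unless application layer inspection (ALG) opens the channel.

```python
# Added example (not from the HP manual): toy model of a stateless ACL versus
# ASPF generic TCP/UDP inspection on the external interface of an edge router.
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.1.1.0/24")  # assumed protected network


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Packet":
        """The 5-tuple a return packet of this session must carry."""
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def stateless_acl(pkt: Packet) -> str:
    """The ACL of Figure 225: permit internal -> external, deny everything else.
    It keeps no state, so it also denies return packets of sessions that
    internal hosts initiated."""
    outbound = is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip)
    return "permit" if outbound else "deny"


class GenericInspector:
    """ASPF generic TCP/UDP inspection applied outbound on the external interface:
    an outbound packet creates a session entry; an inbound packet is permitted
    only if its protocol, addresses and ports are the exact reverse of a recorded
    session. (Real ASPF also tracks TCP state and ages sessions out; omitted here.)"""

    def __init__(self) -> None:
        self.sessions: set[Packet] = set()

    def filter(self, pkt: Packet) -> str:
        if is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip):
            self.sessions.add(pkt)          # open the temporary return channel
            return "permit"
        if pkt.reverse() in self.sessions:  # addresses and ports all match
            return "permit"
        return "deny"                       # unsolicited or non-matching inbound


def run_scenario() -> dict[str, str]:
    """Constructed traffic: Client A (internal) talks to an Internet server,
    Client B (external) tries to reach Client A, then an FTP active-mode data
    channel arrives from server port 20 to the port Client A announced."""
    aspf = GenericInspector()
    http_out = Packet("tcp", "10.1.1.2", 40000, "203.0.113.10", 80)
    http_back = http_out.reverse()
    client_b = Packet("tcp", "198.51.100.7", 51000, "10.1.1.2", 80)
    ftp_ctl = Packet("tcp", "10.1.1.2", 40001, "203.0.113.10", 21)
    ftp_data = Packet("tcp", "203.0.113.10", 20, "10.1.1.2", 40002)

    return {
        "acl: HTTP request out": stateless_acl(http_out),
        "acl: HTTP reply back": stateless_acl(http_back),      # collateral damage of the ACL
        "aspf: HTTP request out": aspf.filter(http_out),
        "aspf: HTTP reply back": aspf.filter(http_back),       # exact reverse match
        "aspf: Client B inbound": aspf.filter(client_b),       # no session recorded
        "aspf: FTP control out": aspf.filter(ftp_ctl),
        "aspf: FTP control back": aspf.filter(ftp_ctl.reverse()),
        "aspf: FTP data from port 20": aspf.filter(ftp_data),  # ports differ from control session
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:30} {verdict}")
```

The model keys sessions only on protocol, addresses and ports, which is exactly what the paragraph above says generic inspection checks; a production ASPF additionally validates TCP flags and sequence state and times sessions out, so treat this as an illustration of the matching rule, not of the full session management feature.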
