Aspf - 3Com MSR 50 Series Configuration Manual

3com msr 30-16: software guide
1790 Chapter 94: Firewall Configuration

ASPF
Support for fragment filtering

The current packet filter firewall supports fragment inspection and filtering. The packet filter firewall inspects the packet type (non-fragmented packet, first fragment, or non-first fragment), gets the Layer 3 information of the packet (for matching against basic ACL rules and advanced ACL rules that contain no information of Layer 3 and above) and the information of Layer 3 and above (for matching against advanced ACL rules that contain information of Layer 3 and above).

For advanced ACL rules that require exact match, the packet filter firewall needs to record the information of Layer 3 and above carried in each first fragment. When subsequent fragments arrive, the firewall uses the saved information to perform exact match against each match condition of an ACL rule.

If exact match is enabled, packet filtering efficiency declines slightly. The more match items there are, the lower the packet filtering efficiency. You can therefore specify a high watermark value to limit the maximum number of match entries to be processed by the firewall.
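As an added illustration (not 3Com's code or the MSR firmware), the following constructed Python model shows the fragment handling described above: the Layer 4 information carried by a first fragment is saved per datagram, non-first fragments are matched exactly against that saved information, and the high watermark caps how many entries are kept. The rule format, the simplified source-prefix match, and the deny behaviour when no saved state exists or the table is full are assumptions made for the example.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    ip_id: int                      # IP identification, shared by all fragments of one datagram
    frag_offset: int                # 0 for a non-fragmented packet or a first fragment
    more_fragments: bool
    dst_port: Optional[int] = None  # Layer 4 info is carried only when frag_offset == 0

# Assumed rule shape: one Layer 4 condition (dst_port) that needs exact match; src_prefix is a simplified source match.
AdvancedRule = namedtuple("AdvancedRule", "action src_prefix proto dst_port")

class FragmentAwareFilter:
    def __init__(self, rules, high_watermark):
        self.rules, self.high_watermark, self.frag_table = rules, high_watermark, {}  # table: (src, dst, proto, ip_id) -> dst_port

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        if pkt.frag_offset > 0:  # non-first fragment: no Layer 4 header, reuse what the first fragment saved
            dst_port = self.frag_table.get(key)
            if dst_port is None:
                return "deny"  # assumption: without saved state no exact match is possible
            if not pkt.more_fragments:
                del self.frag_table[key]  # last fragment seen, release the entry
        else:  # non-fragmented packet or first fragment carries its own Layer 4 info
            dst_port = pkt.dst_port
            # Assumption: at the high watermark no new entry is saved, so later fragments of that datagram cannot be matched exactly
            if pkt.more_fragments and len(self.frag_table) < self.high_watermark:
                self.frag_table[key] = dst_port
        for r in self.rules:
            if pkt.proto == r.proto and pkt.src.startswith(r.src_prefix) and dst_port == r.dst_port:
                return r.action
        return "deny"  # implicit default for traffic no rule permits

def demo():
    # Constructed fragment sequence: exact match via saved state, then the watermark limit (watermark 1 keeps it short).
    fw = FragmentAwareFilter([AdvancedRule("permit", "10.0.", "tcp", 80)], high_watermark=1)
    flow = [
        Packet("10.0.0.5", "192.0.2.10", "tcp", 1, 0, True, 80),  # first fragment of datagram 1, port 80 saved
        Packet("10.0.0.5", "192.0.2.10", "tcp", 1, 185, True),    # matched via the saved port 80
        Packet("10.0.0.5", "192.0.2.10", "tcp", 2, 0, True, 80),  # table full: permitted on its own header, not saved
        Packet("10.0.0.5", "192.0.2.10", "tcp", 2, 185, True),    # no saved state: cannot be matched exactly
        Packet("10.0.0.5", "192.0.2.10", "tcp", 1, 370, False),   # last fragment of datagram 1, entry freed
    ]
    return [fw.filter(p) for p in flow]
```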
For details about ACLs, refer to "Configuring ACLs" on page 1881.

A packet filter firewall is a static firewall. Presently, the following issues exist:

• In the case of multi-channel application layer protocols, such as FTP and H.323, some security policy configurations are unpredictable.

• A packet filter firewall alone cannot detect some attacks from the transport layer and application layer, such as TCP SYN flooding and malicious Java applets.

ASPF was proposed to address these issues. An ASPF implements application layer and transport layer specific, namely status-based, packet filtering. An ASPF is able to detect the following application protocols: FTP, HTTP, SMTP, RTSP, and H.323 (Q.931, H.245, and RTP/RTCP), and the following transport layer protocols: TCP and UDP.

An ASPF provides the following functions:

• An ASPF can check application layer information, including the protocol type and port number of packets, and monitor the status of connection-oriented application layer protocols. An ASPF maintains the status information of each connection, which is used to dynamically determine whether a packet should be permitted to pass through the firewall into the internal network, so as to defend against malicious attacks.

• An ASPF supports transport layer protocol information detection (namely, general TCP and UDP detection), and is able to determine whether to permit a TCP/UDP packet to pass through the firewall into the internal network based on the packet's source and destination addresses and port numbers.

Other functions of an ASPF:

• In addition to filtering packets based on the connection status, an ASPF can also detect the contents of application layer packets, and provide Java Blocking
