Circuit-Level Gateway - HP 7102dl - ProCurve Secure Router Configuration Manual

Procurve secure router 7000dl series - advanced management and configuration guide

ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network
Overview
4-6

Circuit-level Gateway

A circuit-level gateway acts at the OSI Session Layer (Layer 5) to monitor
the establishment of sessions between trusted and untrusted devices. Some
circuit-level gateways establish proxy sessions to untrusted hosts for their
clients.

Attack Checking. A circuit-level gateway monitors TCP handshakes
between trusted clients or servers and untrusted hosts to determine whether
or not a requested session is legitimate. A circuit-level gateway authorizes a
requested session only if the SYN (synchronize) flags, ACK (acknowledge)
flags, and sequence numbers involved in the TCP handshake are logical.

In addition, the client must meet basic filtering criteria before the gateway
accepts the session request. For example, Domain Name System (DNS) must
be able to locate the client's IP address and associated Web address.

Valid but illogical handshakes are often the sign of an attacker attempting to
infiltrate or gain information about a private network, as are packets with
invalid IP addresses.

The ProCurve Secure Router OS firewall automatically recognizes the flags
that mark common attacks and drops packets that contain them.

See "Configuring Attack Checking" on page 4-14 for information on how to
enable certain attack checks.
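The handshake logic described under Attack Checking can be sketched as follows. This is an added example, not ProCurve code or configuration: the names Segment, illogical_flags and check_handshake are hypothetical, the segments are constructed, and the flag combinations it rejects are commonly cited illogical ones assumed here, not the manual's own list of attack checks.

```python
# Added example (not ProCurve code): is a TCP three-way handshake "logical"?
from dataclasses import dataclass

SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

@dataclass
class Segment:
    src: str      # "client" or "server"
    flags: set    # e.g. {SYN, ACK}
    seq: int      # sequence number
    ack: int = 0  # acknowledgment number

def illogical_flags(flags):
    """Assumed checks: flag sets a conforming TCP stack does not send."""
    if not flags:
        return "no flags set"
    if SYN in flags and (FIN in flags or RST in flags):
        return "SYN combined with FIN or RST"
    return None

def check_handshake(segments):
    """Return (authorized, reason) for the opening segments of a session."""
    for s in segments:
        reason = illogical_flags(s.flags)
        if reason:
            return False, reason
    if len(segments) < 3:
        return False, "handshake incomplete"
    syn, synack, ack = segments[:3]
    if syn.src != "client" or syn.flags != {SYN}:
        return False, "session must open with a bare SYN from the client"
    if synack.src != "server" or synack.flags != {SYN, ACK}:
        return False, "second segment must be SYN+ACK from the server"
    if synack.ack != (syn.seq + 1) % MOD:
        return False, "SYN+ACK does not acknowledge client ISN + 1"
    if ack.src != "client" or ack.flags != {ACK}:
        return False, "third segment must be a bare ACK from the client"
    if ack.seq != (syn.seq + 1) % MOD or ack.ack != (synack.seq + 1) % MOD:
        return False, "final ACK sequence numbers do not follow the handshake"
    return True, "handshake is logical"

# Constructed sample: client ISN 1000, server ISN 5000.
GOOD = [Segment("client", {SYN}, 1000),
        Segment("server", {SYN, ACK}, 5000, 1001),
        Segment("client", {ACK}, 1001, 5001)]
```

Every flag set in the second sample a reader might try, such as a SYN+ACK whose acknowledgment number is not the client's initial sequence number plus one, is individually valid TCP; the session is refused because the values do not follow from one another.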

Proxy Server. A circuit-level gateway can also act as a proxy server to
establish a connection between internal and external hosts. All outgoing
packets from the trusted clients appear to have the proxy server's source IP
address. A proxy server can be processor intensive because it requires two
sessions (one between the internal host and the router and one between the
router and the external host). (See Figure 4-2.)

Although the stateful-inspection firewall on the ProCurve Secure Router does
not act as a proxy server, you can configure network address translation
(NAT) to provide some of the same services. Using NAT, the firewall translates
the private source addresses in packets' headers into a public address. However,
unlike a proxy server, the ProCurve Secure Router acts transparently;
the session is between the internal and external host, not between each host
and the router. (See Figure 4-2.)


This manual is also suitable for:

Procurve secure router 7203dl j8753a j8753a
