3Com 3C13636 Configuration Manual page 1091

Router 3000 ethernet family

3Com Router 3000 Ethernet Family
Configuration Guide
It can both filter packets based on connection status and inspect packet contents at
the application layer. Java Blocking for untrusted sites protects the network from
malicious Java applets.
It enhances the session logging function and can log all the connection information
including time, source address, destination address, the port in use, and the
number of transmitted bytes.
It supports Port to Application Mapping (PAM), which allows user-defined application
protocols to use non-standard ports.
On the network edge, ASPF works together with an ordinary static firewall to provide
a comprehensive and practical security policy for intranets.
I. Basic Concepts
Java blocking
Java Blocking blocks Java applets transferred over HTTP. When Java Blocking is
configured, ASPF blocks and filters out the requests sent by users who attempt to
obtain programs containing Java applets from web pages.
Port to application mapping
Application layer protocols communicate on well-known port numbers pre-defined by the
system. PAM (Port to Application Mapping) lets subscribers define new port numbers,
other than the system-defined ones, for different applications, and provides a
mechanism to maintain and use the port configuration information that subscribers
define.
PAM supports two mapping mechanisms: general port mapping and ACL-based host port
mapping. General port mapping establishes a mapping between user-defined port numbers
and application layer protocols. For example, mapping port 8080 to HTTP causes all TCP
packets with destination port 8080 to be treated as HTTP packets. Host mapping
establishes a mapping between user-defined port numbers and application protocols for
packets to or from specific hosts. For example, TCP packets that use port 8080 and are
destined for the network segment 10.110.0.0 can be mapped to HTTP. The range of hosts
is specified by a basic ACL.
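The two PAM mechanisms described above, modelled as a lookup table to show which traffic ends up inspected as HTTP under each one. This is an added example, not code from the manual or the router; the class and function names, the /16 prefix for 10.110.0.0, and the lookup order (host mapping, then general mapping, then well-known port) are assumptions.

```python
import ipaddress

# System-defined (well-known) ports for the protocols this page names.
WELL_KNOWN = {("tcp", 80): "http", ("tcp", 25): "smtp",
              ("tcp", 21): "ftp", ("tcp", 554): "rtsp"}


class PortAppMap:
    """Toy PAM table: general mappings plus host mappings scoped by an ACL-like network list."""

    def __init__(self):
        self.general = {}   # (proto, port) -> application
        self.host = []      # (networks, proto, port, application)

    def map_general(self, proto, port, app):
        self.general[(proto, port)] = app

    def map_host(self, networks, proto, port, app):
        nets = [ipaddress.ip_network(n) for n in networks]
        self.host.append((nets, proto, port, app))

    def classify(self, proto, dst_ip, dst_port):
        """Return the application protocol to inspect as, or None if unmapped."""
        ip = ipaddress.ip_address(dst_ip)
        # Assumed precedence: host mapping, then general mapping, then well-known port.
        for nets, p, port, app in self.host:
            if (p, port) == (proto, dst_port) and any(ip in n for n in nets):
                return app
        return self.general.get((proto, dst_port)) or WELL_KNOWN.get((proto, dst_port))


def demo():
    # Constructed packets: (proto, destination IP, destination port).
    packets = [("tcp", "10.110.3.7", 8080), ("tcp", "192.0.2.10", 8080),
               ("tcp", "192.0.2.10", 80)]
    host_only = PortAppMap()
    # The /16 prefix is an assumption; the page gives only "10.110.0.0".
    host_only.map_host(["10.110.0.0/16"], "tcp", 8080, "http")
    general = PortAppMap()
    general.map_general("tcp", 8080, "http")
    return ([host_only.classify(*p) for p in packets],
            [general.classify(*p) for p in packets])


if __name__ == "__main__":
    for label, result in zip(("host mapping", "general mapping"), demo()):
        print(label, result)
```

With only the host mapping in place, port 8080 traffic to hosts outside the ACL range is not classified as HTTP, so HTTP-specific inspection such as Java Blocking would not apply to it in this model.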
Single-channel protocol/multi-channel protocol
Single-channel protocol: Only one channel is used for data exchange from the
establishment of a session to its end. Such protocols include SMTP and HTTP.
Multi-channel protocol: Control information and data are exchanged over different
channels. Such protocols include FTP and RTSP.
Internal interface and external interface
If a router connects an internal network and the Internet and deploys ASPF to protect
the server of the internal network, the interface on the router connecting with the
3Com Corporation
6-3
Chapter 6 Firewall Configuration


This manual is also suitable for:

3c13636-us - router 30363000 series
