R3303-HP HSR6800 Routers Security Configuration Guide

If URL address filtering is not configured to support IP addresses, the device checks a Web request whose host is given as an IP address against the ACL rules for URL address filtering. If the ACL permits the IP address, the device forwards the request. Otherwise, the device drops the request.
URL parameter filtering
Many webpages are dynamic: they are backed by databases and support data query and modification through Web requests. This makes it possible to craft special SQL statements in Web requests to obtain confidential data from databases or to damage databases by repeatedly modifying their contents. This kind of attack is called an SQL injection attack.
To address this problem, the device compares the URL parameters in a Web request against SQL
statement keywords and some other characters that might constitute SQL statements. If a match is found,
the device regards the request as an SQL injection attack and denies it. This protection mechanism is
called URL parameter filtering.
Web requests transmit parameters mainly by using the GET and POST methods. The method used for transmitting parameters determines where the URL parameters are located (the query string of the URL for GET, the message body for POST and PUT). The device obtains the parameters based on the parameter transmission method and performs filtering on them. The device supports URL parameter filtering of Web requests with the GET, POST or PUT method.
Processing procedure
After receiving a Web request containing URL parameters, the device obtains the parameters according
to the parameter transmission method and processes the request accordingly:
If the parameters are transmitted by a method other than GET, POST and PUT, the device directly forwards the Web request.
If the parameters are transmitted by GET, POST or PUT, the device obtains the URL parameters from the Web request and compares them against the configured filtering entries. If a match is found, the device denies the request. Otherwise, the device forwards the request.
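The following Python model of the processing procedure is an added example and is not HP code or the router's implementation. It assumes that the POST and PUT bodies are form-encoded, that both parameter names and values are compared, and it uses a constructed entry list; the real filtering entries are device configuration and are not listed on this page.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed filtering entries: SQL keywords and characters that might
# form an SQL statement.  The real list is device configuration.
SQL_KEYWORDS = ("select", "union", "insert", "update", "delete", "drop",
                "exec", "or", "and")
SQL_CHARS = ("'", "--", ";", "/*")

# Keywords are matched as whole words so that "color" does not hit "or".
_KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b",
                         re.IGNORECASE)

INSPECTED_METHODS = ("GET", "POST", "PUT")


def extract_parameters(method, url, body=""):
    """Return the URL parameters as (name, value) pairs, taken from the
    position the transmission method implies: the query string for GET,
    the message body for POST and PUT (assumed form-encoded).  Returns
    None for any other method, meaning the request is forwarded uninspected."""
    method = method.upper()
    if method not in INSPECTED_METHODS:
        return None
    raw = urlsplit(url).query if method == "GET" else body
    # keep_blank_values so an empty parameter is still visible to the check
    return parse_qsl(raw, keep_blank_values=True)


def matches_entry(text):
    """Return the filtering entry that text matches, or None.
    parse_qsl already percent-decoded once; decoding once more means a
    double-encoded payload (%2527 -> %27 -> ') cannot slip past the match."""
    decoded = unquote_plus(text)
    m = _KEYWORD_RE.search(decoded)
    if m:
        return m.group(1).lower()
    for ch in SQL_CHARS:
        if ch in decoded:
            return ch
    return None


def filter_request(method, url, body=""):
    """Apply the procedure: ('forward', None) or ('deny', (parameter, entry))."""
    params = extract_parameters(method, url, body)
    if params is None:
        return ("forward", None)
    for name, value in params:
        for field in (name, value):
            hit = matches_entry(field)
            if hit is not None:
                return ("deny", (name, hit))
    return ("forward", None)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("GET", "http://shop.example/item?id=42", ""),
        ("GET", "http://shop.example/item?id=42%27%20OR%201%3D1--", ""),
        ("POST", "http://shop.example/login",
         "user=admin&pass=x%27%3B+DROP+TABLE+users--"),
        ("DELETE", "http://shop.example/item?id=1%27", ""),
        ("GET", "http://shop.example/search?q=color", ""),
    ]
    for m, u, b in samples:
        print(m, u, filter_request(m, u, b))
```

Keyword screening of this kind is a network-layer backstop, not a fix: it trips on legitimate values that happen to contain a keyword, and it can be evaded with encodings, comments or keywords the entry list lacks. The application behind the device still needs parameterized queries.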
Java blocking
Java blocking protects networks from Java applet attacks.
After the Java blocking function is enabled, all requests for Java applets in webpages are filtered. If Java applets from some webpages are wanted, configure ACL rules to permit requests for Java applets from those webpages.
Processing procedure
If the Java blocking function is enabled but no ACL is configured for it, the device replaces the suffixes .class and .jar with .block in all Web requests and then forwards the requests.
If the Java blocking function is enabled and an ACL is configured for it, the device uses the ACL rules to determine whether to replace the suffixes .class and .jar with .block in Web requests. If the destination server of a Web request is a server permitted by the ACL, no replacement occurs and the request is forwarded as is. Otherwise, the suffix in the request is replaced with .block before the request is forwarded.
In addition to the default suffixes .class and .jar, you can add Java blocking suffixes (filename
suffixes to be replaced in Web requests) through command lines.
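The following Python model of the Java blocking decision, covering the no-ACL case, the ACL case and the added suffixes, is an added example and is not HP code or the router's implementation. It assumes that the ACL is evaluated against the request's destination IP address with first-match semantics and an implicit deny (the page only says that requests to servers the ACL permits are left alone), and that only the path component of the URL is inspected for a suffix.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, urlunsplit

DEFAULT_SUFFIXES = (".class", ".jar")   # the page's default Java blocking suffixes
BLOCK_SUFFIX = ".block"


class JavaBlocker:
    """acl is an ordered list of ("permit"|"deny", network) rules applied to
    the request's destination server; first match wins and no match means
    not permitted (an assumption).  acl=None means no ACL is configured, so
    every request is rewritten.  extra_suffixes are the suffixes an
    administrator would add on top of the defaults."""

    def __init__(self, enabled=True, acl=None, extra_suffixes=()):
        self.enabled = enabled
        self.acl = None if acl is None else [(a, ip_network(n)) for a, n in acl]
        self.suffixes = DEFAULT_SUFFIXES + tuple(s.lower() for s in extra_suffixes)

    def server_permitted(self, dest_ip):
        """True only when a permit rule matches the destination server."""
        if self.acl is None:
            return False
        addr = ip_address(dest_ip)
        for action, net in self.acl:
            if addr in net:
                return action == "permit"
        return False

    def rewrite(self, url, dest_ip):
        """Return the URL as it would be forwarded: unchanged, or with a
        blocked suffix at the end of the path replaced by .block.  The
        query string is preserved so the server still sees the request."""
        if not self.enabled or self.server_permitted(dest_ip):
            return url
        parts = urlsplit(url)
        path_lower = parts.path.lower()          # suffix match is case-insensitive
        for suffix in self.suffixes:
            if path_lower.endswith(suffix):
                new_path = parts.path[:-len(suffix)] + BLOCK_SUFFIX
                return urlunsplit(parts._replace(path=new_path))
        return url


if __name__ == "__main__":
    # Constructed requests (URL, destination IP), not captured traffic.
    requests = [
        ("http://10.1.1.5/app/Applet.class", "10.1.1.5"),
        ("http://10.1.1.5/lib/Tools.JAR?v=2", "10.1.1.5"),
        ("http://10.1.1.5/classes/index.html", "10.1.1.5"),
        ("http://192.0.2.9/app/Applet.class", "192.0.2.9"),
        ("http://10.1.1.5/launch.jnlp", "10.1.1.5"),
    ]
    no_acl = JavaBlocker()
    with_acl = JavaBlocker(acl=[("permit", "10.1.1.0/24")], extra_suffixes=(".jnlp",))
    for url, ip in requests:
        print(f"{url:40} no ACL -> {no_acl.rewrite(url, ip)}")
        print(f"{'':40} ACL    -> {with_acl.rewrite(url, ip)}")
```

Because the check is purely on the filename suffix, an applet served from a path without .class or .jar, or from a server the ACL permits, is not blocked; the ACL should therefore be as narrow as the set of trusted applet servers.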