Manualshelf

R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution
401402403404405406407408409410
5
Figure 127 Data exchange process in unidirectional proxy mode
When the TCP proxy receives a SYN message sent from a client to a protected server, it sends
back a SYN ACK message that uses a wrong sequence number on behalf of the server. The client,
if legitimate, responds with an RST message. If the TCP proxy receives an RST message from the
client, it considers the client legitimate, and forwards SYN messages that the client sends to the
server during a period of time so that the client can establish a TCP connection to the server. After
the TCP connection is established, the TCP proxy forwards the subsequent packets of the
connection without any processing.
Unidirectional proxy mode can meet the requirements of most environments. Generally, servers do
not initiate attacks to clients, and packets from servers to clients do not need to be inspected by the
TCP proxy. In this case, you can configure a TCP proxy to inspect only packets that clients send to
servers. To filter packets destined to clients, you can deploy a firewall as required.
The unidirectional proxy mode requires that the clients use the standard TCP protocol suite.
Legitimate clients that use non-standard TCP protocol suites may be considered illegitimate by the
TCP proxy. In addition, when the TCP proxy function works, a client takes more time to establish
a TCP connection to a server because the client must send an RST message to the server to reinitiate
a TCP connection request.
Bidirectional proxy
Figure 128 Data exchange process in bidirectional proxy mode
TCP client TCP proxy TCP server
1) SYN
2) SYN ACK (invalid sequence
number)
3) RST
4) SYN (retransmitting)
5) SYN (forwarding)
6) SYN ACK
7) ACK
8) ACK (forwarding)