F3215-HP Load Balancing Module Security Configuration Guide-6PW101

When the TCP proxy receives a SYN message sent from a client to a protected server, it sends
back a SYN ACK message that uses a wrong sequence number on behalf of the server. The client,
if legitimate, responds with an RST message. If the TCP proxy receives an RST message from the
client, it considers the client legitimate, and forwards SYN messages that the client sends to the
server during a period of time so that the client can establish a TCP connection to the server. After
the TCP connection is established, the TCP proxy forwards the subsequent packets of the
connection without any processing.
Unidirectional proxy mode satisfies the requirements of most environments. Servers generally
do not initiate attacks against clients, so packets from servers to clients do not need to be inspected
by the TCP proxy. In this case, you can configure a TCP proxy to inspect only packets that clients
send to servers. If packets destined for clients must also be filtered, deploy a TCP proxy for that
direction as required.
The unidirectional proxy mode requires that the clients use the standard TCP protocol suite.
Legitimate clients that use non-standard TCP protocol suites may be considered illegitimate by the
TCP proxy. In addition, when the TCP proxy function is enabled, a client takes more time to establish
a TCP connection to a server, because the client must first answer the proxy with an RST message
and then send a new TCP connection request.
Bidirectional proxy
Figure 75 Data exchange process in bidirectional proxy mode
After receiving a SYN message from a client to a protected server, the TCP proxy sends back a
SYN ACK message with the window size of 0 on behalf of the server. If the client is legitimate, the
TCP proxy receives an ACK message. Upon receiving an ACK message from the client, the TCP
proxy sets up a connection between itself and the server through a three-way handshake on behalf
of the client. Thus, two TCP connections are established, and the two connections use different
sequence numbers.
In bidirectional proxy mode, the TCP proxy plays two roles: a virtual server that communicates with
clients and a virtual client that communicates with servers. To use this mode, you must deploy the
TCP proxy on the key path that passes through the ingress and egress of the protected servers, and
make sure all packets that the clients send to the server and all packets that the servers send to the
clients pass through the TCP proxy device.
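The two exchanges described above, the unidirectional mode (bogus SYN ACK, client RST, SYN forwarded for a period, later packets passed untouched) and the bidirectional mode (SYN ACK with window 0, then a separate proxy-to-server handshake with its own sequence numbers), as a small Python model. This is an added illustration, not the F3215-HP implementation or any vendor code; the segment structure, the host labels, the 30-second validation lifetime and the ISN values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FORWARD, DROP = "forward", "drop"


@dataclass
class Segment:
    """Minimal TCP segment; addresses are constructed labels, not real hosts."""
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK", "ACK", "RST" or "DATA"
    seq: int = 0
    ack: int = 0
    window: int = 65535


class UnidirectionalProxy:
    """Only client-to-server packets are inspected; server-to-client traffic is untouched."""

    def __init__(self, server: str, trusted_seconds: float = 30.0):
        self.server = server
        self.trusted_seconds = trusted_seconds   # assumed lifetime of a validation
        self.pending: Dict[str, int] = {}        # client -> ISN of the SYN we answered
        self.trusted: Dict[str, float] = {}      # client -> time until its SYNs are forwarded
        self.flows = set()                       # clients whose SYN was forwarded

    def handle(self, seg: Segment, now: float) -> Tuple[str, Optional[Segment]]:
        if seg.dst != self.server or seg.src in self.flows:
            return FORWARD, None                 # established flow: no further processing
        if seg.flags == "SYN" and self.trusted.get(seg.src, -1.0) > now:
            self.flows.add(seg.src)              # validated client: let the real SYN through
            return FORWARD, None
        if seg.flags == "SYN":
            # SYN ACK on the server's behalf with a deliberately wrong acknowledgment
            # number (not ISN + 1); RFC 793 has a client in SYN-SENT answer with an RST.
            self.pending[seg.src] = seg.seq
            return DROP, Segment(self.server, seg.src, "SYN-ACK", seq=0, ack=seg.seq + 1000)
        if seg.flags == "RST" and seg.src in self.pending:
            # Only a host that really received the SYN ACK can send this RST,
            # so the source address was not spoofed.
            del self.pending[seg.src]
            self.trusted[seg.src] = now + self.trusted_seconds
            return DROP, None                    # the RST never reaches the server
        return DROP, None                        # anything else from an unvalidated source


class ServerStub:
    """Constructed stand-in for the protected server's TCP stack."""

    def __init__(self, addr: str):
        self.addr, self.isn, self.handshakes = addr, 50_000, 0

    def accept(self, seg: Segment) -> Optional[Segment]:
        if seg.flags == "SYN":
            self.isn += 1
            return Segment(self.addr, seg.src, "SYN-ACK", seq=self.isn, ack=seg.seq + 1)
        if seg.flags == "ACK":
            self.handshakes += 1                 # three-way handshake completed
        return None


class BidirectionalProxy:
    """Terminates the client connection and opens a second one to the server."""

    def __init__(self, server: str, backend: ServerStub):
        self.server, self.backend, self._isn = server, backend, 1_000
        self.client_side: Dict[str, Tuple[int, int]] = {}   # client -> (proxy ISN, client ISN)
        self.server_side: Dict[str, Tuple[int, int]] = {}   # client -> (proxy ISN, server ISN)

    def next_isn(self) -> int:
        self._isn += 7_919                       # constructed: distinct ISN per connection
        return self._isn

    def handle_client(self, seg: Segment) -> List[Segment]:
        if seg.flags == "SYN":
            isn = self.next_isn()
            self.client_side[seg.src] = (isn, seg.seq)
            # Window 0 keeps the client from sending data before a server connection exists.
            return [Segment(self.server, seg.src, "SYN-ACK", seq=isn, ack=seg.seq + 1, window=0)]
        if seg.flags == "ACK" and seg.src in self.client_side:
            isn, _ = self.client_side[seg.src]
            if seg.ack == isn + 1 and seg.src not in self.server_side:
                # Client handshake done: the proxy now acts as a client toward the server.
                pisn = self.next_isn()
                synack = self.backend.accept(Segment("proxy", self.server, "SYN", seq=pisn))
                self.backend.accept(Segment("proxy", self.server, "ACK", seq=pisn + 1, ack=synack.seq + 1))
                self.server_side[seg.src] = (pisn, synack.seq)
        return []


def run_unidirectional() -> dict:
    proxy = UnidirectionalProxy("srv")
    _, bogus = proxy.handle(Segment("c1", "srv", "SYN", seq=100), now=0.0)   # legitimate client
    proxy.handle(Segment("c1", "srv", "RST", seq=bogus.ack), now=0.1)
    syn_action, _ = proxy.handle(Segment("c1", "srv", "SYN", seq=200), now=0.2)
    data_action, _ = proxy.handle(Segment("c1", "srv", "DATA", seq=201), now=60.0)
    # Spoofed-source SYNs: no RST ever comes back, so nothing reaches the server.
    flood = [proxy.handle(Segment(f"spoof{i}", "srv", "SYN", seq=i), 1.0)[0] for i in range(50)]
    return {"bogus_ack_matches_isn": bogus.ack == 101, "client_syn": syn_action,
            "client_data": data_action, "flood_forwarded": flood.count(FORWARD)}


def run_bidirectional() -> dict:
    backend = ServerStub("srv")
    proxy = BidirectionalProxy("srv", backend)
    synack = proxy.handle_client(Segment("c1", "srv", "SYN", seq=100))[0]
    for i in range(50):                          # half-open SYNs never reach the server
        proxy.handle_client(Segment(f"spoof{i}", "srv", "SYN", seq=i))
    before_ack = backend.handshakes
    proxy.handle_client(Segment("c1", "srv", "ACK", seq=101, ack=synack.seq + 1))
    p_isn_c, c_isn = proxy.client_side["c1"]
    p_isn_s, s_isn = proxy.server_side["c1"]
    return {"synack_window": synack.window, "handshakes_before_ack": before_ack,
            "handshakes_after_ack": backend.handshakes,
            "distinct_isns": len({p_isn_c, c_isn, p_isn_s, s_isn})}


if __name__ == "__main__":
    print(run_unidirectional())
    print(run_bidirectional())
```

In the unidirectional run the legitimate client is forwarded only after its RST, and its data segments pass with no further checks, while the fifty spoofed SYNs never reach the server; the `pending` table still grows with them, which is the state a real proxy has to bound. In the bidirectional run the server sees no handshake until the client completes its own, and the four ISNs involved (client, proxy toward client, proxy toward server, server) are all different, which is why the proxy must sit on the path in both directions to translate between the two connections.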
Intrusion detection statistics
Intrusion detection is an important network security feature. By analyzing the contents and behaviors of
packets passing by, it determines whether the packets are attack packets. If so, it takes actions