F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Attack Protection Configuration Guide-6PW100

Unidirectional proxy mode can satisfy the requirements of most environments. Generally, servers do not
initiate attacks against clients, and packets from servers to clients do not need to be inspected by the TCP proxy.
In this case, you can configure a TCP proxy to inspect only packets that clients send to servers. To filter
packets destined to clients, you can deploy a firewall as required.
The unidirectional proxy mode requires that the clients use the standard TCP protocol suite. Legitimate
clients that use non-standard TCP protocol suites may be considered illegitimate by the TCP proxy. In
addition, while the TCP proxy function is operating, a client takes more time to establish a TCP connection to
a server, because the client must send an RST message to the server and then reinitiate its TCP connection request.
Bidirectional proxy
Figure 4 Data exchange process in bidirectional proxy mode
After receiving a SYN message from a client to a protected server, the TCP proxy sends back a SYN ACK
message with the window size of 0 on behalf of the server. If the client is legitimate, the TCP proxy
receives an ACK message. Upon receiving an ACK message from the client, the TCP proxy sets up a
connection between itself and the server through a three-way handshake on behalf of the client. Thus,
two TCP connections are established, and the two connections use different sequence numbers.
In bidirectional proxy mode, the TCP proxy plays two roles: a virtual server that communicates with
clients and a virtual client that communicates with servers. To use this mode, you must deploy the TCP
proxy on the key path that passes through the ingress and egress of the protected servers, and make sure
all packets that the clients send to the server and all packets that the servers send to the clients pass
through the TCP proxy device.
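As an added illustration of the bidirectional exchange described above (not code from the HP guide), the following toy model replays the proxy's two roles: it answers a client's SYN with a window-0 SYN ACK, opens the server-side connection only after a valid ACK arrives, and keeps separate sequence numbers for the two connections. Addresses and sequence numbers are constructed sample values.

```python
"""Toy model of a bidirectional TCP proxy defending a server against SYN floods."""
import random
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str            # constructed sender label, e.g. "10.0.0.5"
    flags: frozenset    # subset of {"SYN", "ACK"}
    seq: int
    ack: int = 0
    window: int = 65535


@dataclass
class BidirectionalTcpProxy:
    """Virtual server toward clients, virtual client toward the protected server."""
    pending: dict = field(default_factory=dict)      # client -> ISN the proxy sent in its SYN ACK
    established: dict = field(default_factory=dict)  # client -> (client-side ISN, server-side ISN)
    server_syns: list = field(default_factory=list)  # clients for which a server-side SYN was sent

    def on_client_segment(self, seg: Segment):
        """Return the segment the proxy emits in response, or None if it stays silent."""
        if seg.flags == frozenset({"SYN"}):
            isn = random.getrandbits(32)
            self.pending[seg.src] = isn
            # Reply on the server's behalf with window 0: the client may not send data yet.
            return Segment("proxy", frozenset({"SYN", "ACK"}), seq=isn, ack=seg.seq + 1, window=0)
        if seg.flags == frozenset({"ACK"}) and seg.src in self.pending:
            if seg.ack != self.pending[seg.src] + 1:
                return None                          # ACK does not match our SYN ACK: drop it
            client_isn = self.pending.pop(seg.src)
            server_isn = random.getrandbits(32)      # second connection, its own sequence space
            self.established[seg.src] = (client_isn, server_isn)
            self.server_syns.append(seg.src)
            return Segment("proxy", frozenset({"SYN"}), seq=server_isn)  # sent toward the server
        return None


def legitimate_client(proxy, addr="10.0.0.5"):
    """A real client completes the handshake; only then does the proxy contact the server."""
    synack = proxy.on_client_segment(Segment(addr, frozenset({"SYN"}), seq=1000))
    reply = proxy.on_client_segment(Segment(addr, frozenset({"ACK"}), seq=1001, ack=synack.seq + 1))
    return synack.window, reply


def spoofed_syn_flood(proxy, count):
    """Spoofed SYNs are never acknowledged, so no server-side connection is opened."""
    for i in range(count):
        proxy.on_client_segment(Segment(f"198.51.100.{i % 254 + 1}", frozenset({"SYN"}), seq=i))
    return len(proxy.server_syns)
```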
Intrusion detection statistics
Intrusion detection is an important network security feature. By analyzing the contents and behaviors of
packets passing by, it determines whether the packets are attack packets. If so, it takes actions
accordingly, as configured. Supported actions include outputting alarm logs, discarding packets, and
adding the attacker to the blacklist.
The intrusion detection statistics reflect the counts of attacks as per attack type, and the counts of attack
packets dropped. This helps you analyze the intrusion types and quantities present to generate better
network security policies.
For information about packet inspection, see "Configuring packet inspection." For information about
traffic abnormality detection, see "Types of network attacks the device can defend against."