Manualshelf

HP VPN Firewall Appliances Attack Protection Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module
11121314151617181920
6
client, it considers the client legitimate, and forwards SYN messages that the client sends to the
server during a period of time so that the client can establish a TCP connection to the server. After
the TCP connection is established, the TCP proxy forwards the subsequent packets of the
connection without any processing.
Unidirectional proxy mode can meet the requirements of most environments. Generally, servers do
not initiate attacks to clients, and packets from servers to clients do not need to be inspected by the
TCP proxy. In this case, you can configure a TCP proxy to inspect only packets that clients send to
servers. To filter packets destined to clients, you can deploy a firewall as required.
The unidirectional proxy mode requires that the clients use the standard TCP protocol suite.
Legitimate clients that use non-standard TCP protocol suites might be considered illegitimate by the
TCP proxy. In addition, when the TCP proxy function works, a client takes more time to establish
a TCP connection to a server because the client must send an RST message to the server to reinitiate
a TCP connection request.
Bidirectional proxy
Figure 4 Data exchange process in bidirectional proxy mode
After receiving a SYN message from a client to a protected server, the TCP proxy sends back a
SYN ACK message with the window size of 0 on behalf of the server. If the client is legitimate, the
TCP proxy receives an ACK message. Upon receiving an ACK message from the client, the TCP
proxy sets up a connection between itself and the server through a three-way handshake on behalf
of the client. Thus, two TCP connections are established, and the two connections use different
sequence numbers.
In bidirectional proxy mode, the TCP proxy plays two roles: a virtual server that communicates with
clients and a virtual client that communicates with servers. To use this mode, you must deploy the
TCP proxy on the key path that passes through the ingress and egress of the protected servers, and
make sure all packets that the clients send to the server and all packets that the servers send to the
clients pass through the TCP proxy device.
Intrusion detection statistics
Intrusion detection is an important network security feature. By analyzing the contents and behaviors of
packets passing by, it determines whether the packets are attack packets. If so, it takes actions
accordingly, as configured. Supported actions include outputting alarm logs, discarding packets, and
adding the attacker to the blacklist.