R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101

Session management
NOTE:
The LB module supports session management only in the command line interface.
Session management overview
The session management feature is a common feature designed to implement session-based services
such as network address translation (NAT), application specific packet filter (ASPF), and intrusion
protection. This feature regards packet exchanges at the transport layer as sessions, and updates the
status of sessions or ages out sessions according to the information carried in the initiator's or
responder's packets.
Session management allows multiple features to process the same service packet. It implements the
following functions:
Fast match between packets and sessions
Management of transport layer protocol state
Identification of application layer protocol types
Session aging based on protocol state or application layer protocol type
Persistent sessions
Checksum verification for transport layer protocol packets
Special packet match for the application layer protocols requiring port negotiation
Resolution of ICMP error control packets and session match based on resolution results
Session management principle
The session management function tracks the status of connections by inspecting the transport layer
protocol (TCP or UDP) information, and performs unified status maintenance and management of all
connections.
In actual applications, session management works together with ASPF to dynamically determine, based on
connection status, whether a packet can pass the firewall and enter the internal network, thus
preventing intrusion.
Note that the session management function implements only connection status tracking. By itself, it
cannot block potential attack packets.
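As an added illustration of the principle described above (example code written for this section, not the LB module's own implementation), a minimal session table in Python: a packet matches its session in either direction, TCP state follows the handshake, idle timeouts depend on the session state, and an ICMP error packet is matched through the embedded original header. The 5-tuple layout, state names and timeout values are assumptions made for this example.

```python
# Constructed per-state idle timeouts (seconds); not the LB module's defaults.
TIMEOUTS = {"SYN_SENT": 30, "ESTABLISHED": 3600, "CLOSING": 10, "ACTIVE": 60}


def flip(key):
    """Return the same 5-tuple as seen from the responder's side."""
    proto, sip, sp, dip, dp = key
    return (proto, dip, dp, sip, sp)


class SessionTable:
    """Tracks sessions keyed on (proto, src_ip, src_port, dst_ip, dst_port)."""

    def __init__(self):
        self.sessions = {}  # initiator-side key -> {"state": str, "last_seen": float}

    def lookup(self, key):
        """Fast match: a packet in either direction matches the same session."""
        if key in self.sessions:
            return self.sessions[key], "initiator"
        if flip(key) in self.sessions:
            return self.sessions[flip(key)], "responder"
        return None, None

    def process(self, key, now, tcp_flags=frozenset(), icmp_inner=None):
        """Create or update the session for one packet; return its state (None if untracked)."""
        if key[0] == "icmp" and icmp_inner is not None:
            # ICMP error: the embedded original header identifies the real session.
            sess, _ = self.lookup(icmp_inner)
            return sess["state"] if sess else None
        sess, direction = self.lookup(key)
        if sess is None:
            if key[0] == "tcp" and "SYN" not in tcp_flags:
                return None  # mid-stream TCP packet with no session: not tracked
            # Non-TCP sessions (UDP, ICMP echo) have a single ACTIVE state.
            sess = {"state": "SYN_SENT" if key[0] == "tcp" else "ACTIVE", "last_seen": now}
            self.sessions[key] = sess
        sess["last_seen"] = now
        if key[0] == "tcp":
            if tcp_flags & {"FIN", "RST"}:
                sess["state"] = "CLOSING"
            elif direction == "responder" and {"SYN", "ACK"} <= tcp_flags:
                sess["state"] = "ESTABLISHED"
        return sess["state"]

    def age_out(self, now):
        """Drop sessions idle longer than their state's timeout; return the dropped keys."""
        expired = [k for k, s in self.sessions.items()
                   if now - s["last_seen"] > TIMEOUTS[s["state"]]]
        for k in expired:
            del self.sessions[k]
        return expired
```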
Session management implementation
The session management feature implemented on the LB module provides the following functions:
Session creation, session status update, and timeout setting based on protocol state for IPv4
TCP, UDP, ICMP, and raw IP packets.
Port mapping for application layer protocols, allowing an application layer protocol to use
customized ports and a different session timeout.