R2511-HP MSR Router Series Security Configuration Guide(V5)
• Destination port number
The device compares the header information against the preset ACL rules and processes (discards or
forwards) the packet based on the comparison result.
ASPF
An ASPF implements status-based packet filtering, and provides the following functions:
• Transport layer protocol inspection (generic TCP and UDP inspection)—ASPF checks a TCP/UDP
packet's source and destination addresses and port numbers to determine whether to permit the
packet to pass through the firewall into the internal network.
• Application layer protocol inspection—ASPF checks application layer information for packets, such
as the protocol type and port number, and monitors the application layer protocol status for each
connection. ASPF maintains status information for each connection, and based on status
information, determines whether to permit a packet to pass through the firewall into the internal
network, thus defending the internal network against attacks.
ASPF also supports other security functions, such as port-to-application mapping, Java blocking, ActiveX
blocking, ICMP error message inspection, and first-packet inspection for TCP connections.
At the border of a network, an ASPF can work in coordination with a packet-filter firewall to provide the
network with a security policy that is more comprehensive and better matches actual needs.
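The following is an added example, not code from this guide or from HP, that models the transport layer inspection described above: outbound sessions are recorded, only return traffic of a known session is permitted inbound, and a TCP session may only be opened by a SYN (first-packet inspection). Session timeouts and application layer inspection are left out; all addresses are constructed.

```python
from dataclasses import dataclass

# Constructed model of ASPF transport-layer inspection (added example, not HP's code).
# Outbound TCP/UDP packets from the internal side create session entries; inbound
# packets are permitted only when they match an existing session (return traffic).
# TCP first-packet inspection: a new TCP session may only be created by a SYN.

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str      # "out" (internal -> external) or "in" (external -> internal)
    syn: bool = False   # TCP SYN flag (ignored for UDP)

class Aspf:
    def __init__(self):
        # session table keyed by the outbound 5-tuple
        self.sessions = set()

    def _key(self, p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def _reverse_key(self, p):
        # the inbound reply of a session swaps source and destination
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def inspect(self, p):
        """Return 'permit' or 'deny' for a packet crossing the network border."""
        if p.direction == "out":
            key = self._key(p)
            if key in self.sessions or p.proto == "udp" or p.syn:
                self.sessions.add(key)
                return "permit"
            # TCP without SYN and without an existing session is not a valid first packet
            return "deny"
        # inbound: only return traffic of a known session may enter the internal network
        return "permit" if self._reverse_key(p) in self.sessions else "deny"

def demo():
    fw = Aspf()
    return [
        fw.inspect(Packet("tcp", "10.0.0.5", 40000, "203.0.113.7", 443, "out", syn=True)),
        fw.inspect(Packet("tcp", "203.0.113.7", 443, "10.0.0.5", 40000, "in")),  # reply
        fw.inspect(Packet("tcp", "203.0.113.7", 443, "10.0.0.5", 40001, "in")),  # unsolicited
        fw.inspect(Packet("tcp", "10.0.0.5", 40002, "203.0.113.7", 80, "out")),  # no SYN
    ]
```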
Connection limits
To protect internal network resources (hosts or servers) and correctly allocate system resources on the
device, you can configure connection limit policies to collect statistics and limit the number of connections,
connection establishment rate, and connection bandwidth.
Attack detection and protection
ARP attack protection
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices. HP has provided a
comprehensive and effective solution against common ARP attacks, such as user and gateway spoofing
attacks and flood attacks.
IP source guard
IP source guard uses binding entries to improve port security by blocking illegal packets. For example, it
can prevent illegal hosts from using a valid IP address to access the network. It is applied on an interface
connected to the user side.
IP source guard can filter packets according to the packet source IP address, source MAC address, and
VLAN ID. An IP source guard entry can be statically configured or dynamically added through DHCP.
URPF
URPF protects a network against source address spoofing attacks, such as DoS and DDoS attacks.
Attack detection and protection
Attack detection and protection is an important network security feature. It determines whether received
packets are attack packets according to the packet contents and behaviors and, if it detects an attack,
takes measures to deal with the attack, such as outputting alarm logs, dropping packets, and blacklisting
the source IP address. The attack protection function can detect network attacks such as single-packet
attacks, scanning attacks, and flood attacks.