R2511-HP MSR Router Series Security Configuration Guide(V5)

A packet-filter firewall that is configured with advanced ACL rules requiring exact match records the Layer 3 and higher information carried in each first fragment. When subsequent fragments of the same datagram arrive, the firewall uses the saved information to perform an exact match against every match condition of the ACL rule. For more information about ACLs, see ACL and QoS Configuration Guide.
Exact match slightly decreases packet filtering efficiency: the more match entries the firewall has to keep, the lower the efficiency. You can specify a threshold to limit the maximum number of match entries the firewall processes.
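The following is an added example, not code from the HP guide, that models the fragment handling described above: the first fragment carries the Layer 4 port, so the filter records it under the datagram's (source, destination, protocol, IP ID) key and reuses it to evaluate later fragments, which carry no port. The class and rule names, the sample addresses, and the threshold behaviour (an entry is simply not saved once the limit is reached) are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    # Constructed packet summary; only fields needed by the filter are modelled.
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    ip_id: int                 # IP Identification, shared by all fragments of a datagram
    more_fragments: bool       # MF flag
    frag_offset: int           # 0 for the first fragment
    dport: Optional[int] = None  # Layer 4 port: present in the first fragment only

@dataclass(frozen=True)
class AclRule:
    # Hypothetical advanced ACL rule matching on protocol, destination and port.
    action: str                # "permit" or "deny"
    proto: str
    dst: str
    dport: int

FragKey = Tuple[str, str, str, int]

class FragmentAwareFilter:
    """Static packet filter that saves first-fragment state for exact match."""

    def __init__(self, rules: List[AclRule], max_entries: int = 1000):
        self.rules = rules
        self.max_entries = max_entries      # threshold on saved match entries
        self.saved: Dict[FragKey, int] = {}  # key -> dport from the first fragment

    def _match(self, proto: str, dst: str, dport: Optional[int]) -> str:
        # Exact match: every condition of a rule must be satisfied.
        for r in self.rules:
            if r.proto == proto and r.dst == dst and r.dport == dport:
                return r.action
        return "deny"  # implicit deny at the end of the ACL

    def filter(self, pkt: Packet) -> str:
        key: FragKey = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        if pkt.frag_offset == 0:
            dport = pkt.dport
            if pkt.more_fragments and len(self.saved) < self.max_entries:
                # Record Layer 3+ information for the fragments that follow.
                self.saved[key] = dport
        else:
            dport = self.saved.get(key)
            if dport is None:
                # No first-fragment state (arrived out of order, evicted, or
                # threshold reached): exact match is impossible, so deny.
                return "deny"
            if not pkt.more_fragments:
                del self.saved[key]   # last fragment seen; release the entry
        return self._match(pkt.proto, pkt.dst, dport)
```

A subsequent fragment is only permitted when its first fragment was seen and matched; this is what makes the firewall's per-fragment decisions consistent, at the cost of the state table whose size the threshold bounds.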
ACL packet-filter limitations
An ACL packet-filter is a static firewall. It cannot solve the following issues:
• For multi-channel application layer protocols, such as FTP and H.323, the values of some security policy parameters (for example, the dynamically negotiated data channel ports) cannot be predicted in advance.
• Some attacks from the transport layer and application layer, such as TCP SYN flooding and malicious Java applets, cannot be detected.
• ICMP attacks cannot be prevented, because not all forged ICMP error messages arriving from the network can be recognized.
• For a TCP connection, the first packet must be a SYN packet, and any non-SYN packet that arrives as the first packet of a TCP connection is dropped. If a packet-filter firewall is deployed in a network where TCP connections already exist, the non-SYN packets of those connections are dropped the first time they pass through the firewall, breaking the existing connections.
ASPF
ASPF was proposed to address the issues that a static firewall cannot solve. An ASPF implements application layer and transport layer specific, that is, status-based (stateful), packet filtering. An ASPF can inspect application layer protocols including FTP, GTP, HTTP, SMTP, Real RTSP, SCCP, SIP, and H.323 (Q.931, H.245, and RTP/RTCP), and the transport layer protocols TCP and UDP.
ASPF functions
An ASPF provides the following functions:
• Application layer protocol inspection—ASPF checks the application layer information of packets, such as the protocol type and port number, and inspects the application layer protocol status of each connection. ASPF maintains the status information of each connection and, based on that information, determines whether to permit a packet to pass through the firewall into the internal network, thus defending the internal network against attacks.
• Transport layer protocol inspection—ASPF checks a TCP/UDP packet's source and destination addresses and port numbers to determine whether to permit the packet to pass through the firewall into the internal network. For an ESP packet, ASPF checks only the source and destination addresses.
• Java blocking—ASPF inspects the contents of application layer packets and blocks Java applets from untrusted sites, protecting the network against malicious Java applets.
• Enhanced session logging—ASPF can record the information of each connection, including its duration, source and destination addresses and port numbers, and the number of bytes transmitted.
• Port to Application Mapping (PAM)—Allows you to specify port numbers other than the standard ones for application layer protocols.
• TCP SYN check—ASPF checks whether the first packet of a TCP connection is a SYN packet. If it is not, ASPF drops the packet.
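The following is an added example, not code from the HP guide, that models the transport layer inspection, TCP SYN check and session logging functions listed above as a toy stateful inspector: an outbound TCP connection from the internal zone is admitted into the session table only if its first packet is a pure SYN, inbound packets are permitted only when they are return traffic of an existing session, and a per-session record of packet and byte counts is written to a log when the session closes. The zone model (internal addresses assumed to start with `10.`), the class names, the flag encoding and the sample addresses are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class TcpPacket:
    # Constructed packet summary; flags is a subset of "SAFR", e.g. "S", "SA", "FA".
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    length: int = 0

@dataclass
class Session:
    state: str                 # "SYN_SENT" or "ESTABLISHED"
    packets: int = 0
    bytes_out: int = 0         # internal -> external
    bytes_in: int = 0          # external -> internal

# Session key as seen from the initiating (internal) side.
Key = Tuple[str, int, str, int]

class Aspf:
    """Toy stateful inspector for TCP traffic between an internal and an external zone."""

    def __init__(self, internal_prefix: str = "10."):
        self.internal_prefix = internal_prefix   # assumed internal-zone address prefix
        self.sessions: Dict[Key, Session] = {}
        self.log: List[dict] = []                # enhanced session log entries

    def _internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def _close(self, key: Key) -> None:
        s = self.sessions.pop(key)
        self.log.append({"session": key, "packets": s.packets,
                         "bytes_out": s.bytes_out, "bytes_in": s.bytes_in})

    def inspect(self, pkt: TcpPacket) -> str:
        fwd: Key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if self._internal(pkt.src) and not self._internal(pkt.dst):
            # Outbound direction: may create a session.
            sess = self.sessions.get(fwd)
            if sess is None:
                if set(pkt.flags) != {"S"}:
                    return "drop"      # TCP SYN check: first packet must be a SYN
                sess = self.sessions[fwd] = Session("SYN_SENT")
            sess.packets += 1
            sess.bytes_out += pkt.length
            if "F" in pkt.flags or "R" in pkt.flags:
                self._close(fwd)       # simplified teardown: close on first FIN/RST
            return "permit"

        # Inbound direction: only return traffic of an existing session is permitted.
        sess = self.sessions.get(rev)
        if sess is None:
            return "drop"
        if sess.state == "SYN_SENT" and "S" in pkt.flags and "A" in pkt.flags:
            sess.state = "ESTABLISHED"
        sess.packets += 1
        sess.bytes_in += pkt.length
        if "R" in pkt.flags:
            self._close(rev)
        return "permit"
```

Contrast this with the static ACL of the previous section: the inbound `SA` and `A` packets are permitted here only because the inspector remembers the internal host's SYN, so no standing "permit established" rule that could be abused by unsolicited inbound packets is needed.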