R2511-HP MSR Router Series Security Configuration Guide(V5)
At the border of a network, an ASPF can work together with a packet-filter firewall to provide a security policy
that is more comprehensive and better matches the actual needs of the network.
Basic concepts of ASPF
• Java blocking
Java blocking is a feature for blocking malicious Java applets transported over HTTP. With Java
blocking enabled, when a user requests a Web page containing Java applets, the ASPF inspects the HTTP
response and blocks the applets it carries.
• PAM
Application layer protocols normally communicate on their standard port numbers. PAM allows you to
define additional, non-standard port numbers for different applications, and provides the mechanisms
for maintaining and using the configuration information of these user-defined ports.
PAM supports two types of port mapping mechanisms: general port mapping and host port
mapping.
{ General port mapping—Maps a user-defined port number to an application layer protocol for all
traffic. If port 8080 is mapped to HTTP, for example, all TCP packets destined for port 8080 are
treated as HTTP packets.
{ Host port mapping—Maps a user-defined port number to an application layer protocol only for
packets to or from specific hosts. For example, you can establish a host port mapping so that
all TCP packets with destination port 8080 and a destination address in the 10.110.0.0/16
network segment are treated as HTTP packets. The hosts are specified by means of a basic
ACL.
• Single-channel protocol and multi-channel protocol
{ Single-channel protocol—A single-channel protocol establishes only one channel to exchange
both control messages and data for a user. SMTP and HTTP are examples of single-channel
protocols.
{ Multi-channel protocol—A multi-channel protocol establishes more than one channel for a user
and transfers control messages and user data through different channels. FTP and RTSP are
examples of multi-channel protocols.
• Internal interface and external interface
On an edge device configured with ASPF to protect the internal network, the interfaces connected to
the internal network are internal interfaces and the interface connected to the Internet is the external
interface.
When an ASPF is applied in the outbound direction of the external interface, it can open a temporary
channel through the firewall for the return packets of connections that internal network users initiate
to the Internet.
Application layer protocol inspection
As shown in Figure 110, ACLs on the edge device deny incoming packets to the internal network. ASPF
application layer protocol inspection allows only the return packets of connections initiated from the
internal network to pass from the external network into the internal network.
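The following Python model is an added example and is not code from the configuration guide or from the router software. It ties together the concepts above: a PAM table with general and host mappings (a CIDR network stands in for the basic ACL), single-channel HTTP, multi-channel active-mode FTP, and the temporary return channel that ASPF opens for inbound packets that the interface ACL would otherwise deny. All packets, addresses and the PORT command payload are constructed for the example; the session and pinhole bookkeeping is a simplification of what a real ASPF does (no ageing, no NAT).

```python
import ipaddress
from dataclasses import dataclass, field


# Packet fields are constructed for this example; nothing is captured from a network.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""


# Well-known ports the inspector recognises without any PAM entry (subset for the example).
STANDARD_PORTS = {("tcp", 80): "http", ("tcp", 21): "ftp", ("tcp", 25): "smtp"}


@dataclass
class PortMapping:
    """PAM table. General entries map (proto, port) to an application for all traffic;
    host entries additionally require the destination to fall inside a network, the role
    a basic ACL plays in the router configuration."""
    general: dict = field(default_factory=dict)
    host: list = field(default_factory=list)

    def add_general(self, proto, port, app):
        self.general[(proto, port)] = app

    def add_host(self, proto, port, cidr, app):
        self.host.append((proto, port, ipaddress.ip_network(cidr), app))

    def classify(self, pkt):
        # Host mappings are more specific than general ones, so they are checked first.
        for proto, port, net, app in self.host:
            if pkt.proto == proto and pkt.dport == port and ipaddress.ip_address(pkt.dst) in net:
                return app
        key = (pkt.proto, pkt.dport)
        return self.general.get(key, STANDARD_PORTS.get(key))


class Aspf:
    """Stateful inspection applied outbound on the external interface. Outbound packets of
    inspected applications create sessions; an inbound packet gets past the deny-all ACL
    only if it matches a session or a temporary channel (pinhole)."""

    def __init__(self, pam, detect):
        self.pam = pam
        self.detect = set(detect)
        self.sessions = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.pinholes = set()   # (proto, inside_ip, inside_port, outside_ip): expected data channels

    def outbound(self, pkt):
        """Returns the application the packet was classified as, or None if it is not inspected."""
        app = self.pam.classify(pkt)
        if app not in self.detect:
            return None
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if app == "ftp":
            self._inspect_ftp_control(pkt)
        return app

    def _inspect_ftp_control(self, pkt):
        # Multi-channel protocol: in active-mode FTP the client announces "PORT h1,h2,h3,h4,p1,p2"
        # on the control channel and the server connects back to h1.h2.h3.h4:(p1*256+p2).
        # Open exactly that one data connection so the inbound ACL does not drop it.
        text = pkt.payload.decode("ascii", "replace").strip()
        if not text.upper().startswith("PORT "):
            return
        fields = text[5:].split(",")
        if len(fields) != 6 or not all(f.isdigit() for f in fields):
            return
        host = ".".join(fields[:4])
        port = int(fields[4]) * 256 + int(fields[5])
        # Only open a hole back to the client itself; a PORT naming a third host is ignored.
        # (Assumption: no NAT between client and firewall, so the announced address is the source.)
        if host == pkt.src and 0 < port < 65536:
            self.pinholes.add(("tcp", host, port, pkt.dst))

    def inbound(self, pkt):
        """True if the inbound packet is admitted as a reply to inspected outbound traffic."""
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True
        hole = (pkt.proto, pkt.dst, pkt.dport, pkt.src)
        if hole in self.pinholes:
            # Consume the temporary channel and track the data connection as a normal session.
            self.pinholes.discard(hole)
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return False


def demo():
    pam = PortMapping()
    pam.add_general("tcp", 8080, "http")                  # general mapping: 8080 is HTTP everywhere
    pam.add_host("tcp", 8081, "10.110.0.0/16", "http")    # host mapping: 8081 is HTTP only to 10.110/16
    aspf = Aspf(pam, detect={"http", "ftp"})
    inside, web, ftp = "192.168.1.10", "203.0.113.5", "203.0.113.7"
    r = {}
    r["general"] = aspf.outbound(Packet(inside, web, "tcp", 40000, 8080))
    r["host_match"] = aspf.outbound(Packet(inside, "10.110.3.4", "tcp", 40001, 8081))
    r["host_miss"] = aspf.outbound(Packet(inside, web, "tcp", 40002, 8081))
    r["reply"] = aspf.inbound(Packet(web, inside, "tcp", 8080, 40000))
    r["unsolicited"] = aspf.inbound(Packet(web, inside, "tcp", 80, 40000))
    aspf.outbound(Packet(inside, ftp, "tcp", 40003, 21, b"PORT 192,168,1,10,160,10\r\n"))
    r["ftp_data"] = aspf.inbound(Packet(ftp, inside, "tcp", 20, 160 * 256 + 10))
    r["hole_consumed"] = aspf.inbound(Packet(ftp, inside, "tcp", 21, 160 * 256 + 10))
    return r


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two mapping types deciding what gets inspected (8081 is HTTP only toward 10.110.0.0/16, so the same port toward another host is not inspected), an unsolicited inbound packet being refused even though the same internal port has an open session to a different peer, and the FTP data connection from server port 20 being admitted once through the pinhole the PORT command opened.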