R2511-HP MSR Router Series Security Configuration Guide(V5)
343
Figure 110 Application layer protocol inspection
After the application layer protocol inspection is enabled on the router, the ASPF inspects each application layer session and creates a status entry and a temporary access control list (TACL) for the session. For a multi-channel protocol, a TACL will also be created for data channels.
• Status entry—Created when ASPF detects the session's first packet sent to the Internet, and is used to maintain the status of the session at different points of time and to determine whether state transitions of the session are correct.
• TACL—Created at the same time the status entry is created, and is deleted at the end of the session. It is equivalent to a permit statement in an extended ACL. The TACL is mainly used to match all the return packets of the session, and can set up a temporary return channel on the external interface of the firewall for packets returned by the application.
Multi-channel application layer protocol inspection—Using FTP inspection as an example, the following explains the process of multi-channel application layer protocol inspection:
As shown in Figure 111, FTP connections are established as follows:
1. The FTP client initiates an FTP control connection from port 1333 to port 21 of the FTP server.
2. As a result of negotiation, the server initiates a data connection from port 20 to port 1600 of the client.
3. When data transmission times out or ends, the data connection is removed.
Figure 111 Network diagram for FTP inspection
ASPF implements FTP inspection during the FTP connection lifetime:
4. The ASPF checks IP packets on the outbound interface to identify TCP-based FTP packets.
5. Based on the port number, the ASPF determines whether the connection is a control connection. If yes, it creates a TACL for returned packets and a status entry.
6. The ASPF checks each FTP control connection packet, analyzes the FTP instruction, and updates the status entry based on the instruction. If the packet contains a data channel setup instruction, the
[Figure 110 labels: WAN; Protected network; Router; Server; Client A; Client B; Client A initiates a session; return packets of the session are permitted to pass; packets of other sessions are blocked. Figure 111 labels: FTP client (ports 1333 and 1600); FTP server (ports 21 and 20); control connection carrying FTP instructions and responses; data connection.]
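The control-connection tracking and data-channel TACL described in steps 4 to 6, as an added Python model that is not part of this guide: it treats the active-mode FTP PORT command as the data channel setup instruction (the guide does not name the command), uses constructed addresses, and the Inspector, Packet and demo names are this example's own.

```python
"""Toy model of ASPF FTP inspection (constructed example; not HP/H3C code)."""
from collections import namedtuple
from dataclasses import dataclass, field

# payload carries FTP control-channel text, if any
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port payload", defaults=[""])


@dataclass
class Inspector:
    # TACL: one implicit "permit" per session, keyed by
    # (remote ip, remote port, protected-side ip, protected-side port).
    tacl: set = field(default_factory=set)
    status: dict = field(default_factory=dict)  # control session -> state

    def outbound(self, pkt: Packet) -> None:
        """Steps 4-6: inspect a packet leaving on the outbound interface."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_port != 21:        # only FTP control connections are tracked here
            return
        self.status.setdefault(key, "CONTROL")   # status entry on the first packet
        self.tacl.add(key)                        # TACL for the control return packets
        cmd = pkt.payload.strip().split(" ", 1)
        if len(cmd) == 2 and cmd[0].upper() == "PORT":   # data channel setup instruction
            h1, h2, h3, h4, p1, p2 = (int(x) for x in cmd[1].split(","))
            data_port = p1 * 256 + p2             # e.g. "6,64" -> 1600
            # Active-mode server connects from port 20 to the advertised client port
            self.tacl.add((pkt.dst_ip, 20, f"{h1}.{h2}.{h3}.{h4}", data_port))
            self.status[key] = "DATA_EXPECTED"

    def inbound_permitted(self, pkt: Packet) -> bool:
        """A return packet from the WAN passes only if a TACL entry matches it."""
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.tacl

    def close(self, key: tuple) -> None:
        """End of session: delete the TACL entry and its status entry."""
        self.tacl.discard(key)
        self.status.pop(key, None)


def demo() -> dict:
    """Replays the Figure 111 exchange with constructed addresses."""
    insp, client, server = Inspector(), "10.1.1.2", "203.0.113.5"
    insp.outbound(Packet(client, 1333, server, 21))                            # control setup
    insp.outbound(Packet(client, 1333, server, 21, "PORT 10,1,1,2,6,64\r\n"))  # 6*256+64 = 1600
    return {
        "ctrl_reply": insp.inbound_permitted(Packet(server, 21, client, 1333)),
        "data_conn": insp.inbound_permitted(Packet(server, 20, client, 1600)),
        "other_port": insp.inbound_permitted(Packet(server, 20, client, 1601)),
        "other_host": insp.inbound_permitted(Packet("198.51.100.9", 20, client, 1600)),
    }
```

Only the control reply and the negotiated port 20 to 1600 data connection pass; a packet to another client port or from another host has no TACL entry and is dropped, matching the "packets of other sessions are blocked" behaviour of Figure 110.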