HP MSR2000/3000/4000 Router Series Security Configuration Guide
◦ Multi-channel protocol—A multi-channel protocol establishes more than one connection for a user and transfers control messages and user data through different connections. FTP is one example of a multi-channel protocol.
• Internal interface and external interface
On an edge device configured with ASPF to protect hosts and servers on the internal network,
interfaces connected to the internal network are called "internal interfaces" and the interfaces
connected to the external network are called "external interfaces."
To protect the internal network, you can apply an ASPF in the outbound direction of the external
interface or in the inbound direction of the internal interface of the device.
ASPF inspections
This section introduces the basic idea of ASPF inspection on application layer and transport layer
protocols.
Application layer protocol inspection
Figure 69 Application layer protocol inspection
As shown in Figure 69, to protect the internal network, an ACL is usually required on the edge device to permit internal hosts to access external networks while prohibiting hosts on external networks from accessing the internal network. However, such an ACL also filters out the return packets destined for internal users, so connection setup from the inside fails. The application layer protocol inspection of ASPF addresses this issue.
After the application layer protocol inspection is enabled on the device, ASPF detects all application
layer sessions, as follows:
• For a single-channel protocol, ASPF creates a session entry immediately after it detects the session's
first packet sent to the external network. The session entry helps record the outgoing packet and its
corresponding return packets. It can maintain the session status and determine whether state
transitions of the session are correct. All packets that match a session entry can pass through the
packet-filter firewall.
• For a multi-channel protocol, ASPF creates session entries, and one or more associated entries to
associate the sessions initiated by the same application layer protocol. Associated entries are
created during the protocol negotiation and are removed after the negotiation. ASPF uses the
associated entries to match the first packets of the sessions. All packets of the sessions matching the
associated entries can pass through the packet-filter firewall.
The inspection process for a single-channel protocol (such as HTTP) is simple. A session entry is created when the connection is initiated and is removed when the connection is torn down.
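The following Python model, added here as an illustration and not taken from the HP guide or the router's firmware, simulates the two behaviours just described: a session entry created by the first outbound packet of a single-channel session, and an associated entry created during FTP negotiation (the client's PORT command) that lets the server's inbound first packet of the data channel through the filter and is then removed. All addresses, ports and payloads are constructed; NAT and TCP state transitions are left out, and only the active-mode PORT command is parsed.

```python
"""Simplified ASPF-style stateful inspection model (added example, not HP code).

Static ACL: permit internal -> external, deny external -> internal.
ASPF adds session entries (5-tuples) for return traffic and associated
entries that predict the first packet of an FTP data channel.
"""
import re
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."          # constructed internal address range
FTP_PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def fwd_key(p: Packet):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def rev_key(p: Packet):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class ASPF:
    def __init__(self):
        self.sessions = set()      # session entries: full 5-tuples
        # associated entries: (proto, initiator_ip, responder_ip, responder_port)
        # created during negotiation, removed once the data channel starts
        self.associated = set()

    def inspect(self, p: Packet) -> str:
        # 1. Packets of an existing session pass in both directions.
        if fwd_key(p) in self.sessions or rev_key(p) in self.sessions:
            self._learn_from_control_channel(p)
            return "permit: existing session"
        # 2. First packet of a data channel predicted by an associated entry.
        assoc = (p.proto, p.src, p.dst, p.dport)
        if assoc in self.associated:
            self.associated.discard(assoc)      # associated entry is one-shot
            self.sessions.add(fwd_key(p))       # promote to a real session entry
            return "permit: associated entry -> new session"
        # 3. Outbound first packet: allowed by the ACL, creates a session entry.
        if is_internal(p.src) and not is_internal(p.dst):
            self.sessions.add(fwd_key(p))
            self._learn_from_control_channel(p)
            return "permit: outbound first packet -> new session"
        # 4. Anything else from outside is dropped by the static ACL.
        return "deny: ACL"

    def close(self, p: Packet) -> None:
        """Remove the session entry when the connection is torn down."""
        self.sessions.discard(fwd_key(p))
        self.sessions.discard(rev_key(p))

    def _learn_from_control_channel(self, p: Packet) -> None:
        # Only the FTP control channel (port 21) is parsed in this model.
        if p.proto != "tcp" or p.dport != 21:
            return
        m = FTP_PORT_RE.search(p.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        client_ip = f"{h1}.{h2}.{h3}.{h4}"
        data_port = p1 * 256 + p2
        # In active mode the server (p.dst) will connect to client_ip:data_port.
        self.associated.add(("tcp", p.dst, client_ip, data_port))


def run_demo():
    """Replay a constructed active-mode FTP exchange through the model."""
    aspf = ASPF()
    client, server = "10.0.0.5", "203.0.113.7"     # constructed addresses
    outsider = "198.51.100.9"                       # constructed external host
    decisions = [
        aspf.inspect(Packet("tcp", client, 40001, server, 21)),                      # control SYN out
        aspf.inspect(Packet("tcp", server, 21, client, 40001, "220 ready")),         # control reply in
        aspf.inspect(Packet("tcp", client, 40001, server, 21, "PORT 10,0,0,5,200,10")),  # 200*256+10 = 51210
        aspf.inspect(Packet("tcp", server, 20, client, 51210)),                      # data SYN in (predicted)
        aspf.inspect(Packet("tcp", server, 20, client, 51211)),                      # data SYN in (not predicted)
        aspf.inspect(Packet("tcp", outsider, 5555, client, 22)),                     # unsolicited inbound
    ]
    return decisions, aspf


if __name__ == "__main__":
    for i, d in enumerate(run_demo()[0], 1):
        print(f"step {i}: {d}")
```

Steps 4 and 5 show the point of the associated entry: the inbound data connection to the port the client announced is admitted and turned into a session entry, while a connection to any other port, or an unrelated inbound attempt (step 6), still hits the static ACL and is dropped.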