HP MSR2000/3000/4000 Router Series Security Configuration Guide
248
The following uses FTP to explain the process of multi-channel application layer protocol inspection.
Figure 70 FTP inspection
As shown in Figure 70, FTP connections are established and removed as follows:
1. The FTP client initiates an FTP control connection from port 1333 to port 21 of the FTP server.
2. As a result of negotiation on the control connection, the server initiates a data connection from port 20 to port 1600 of the client.
3. When data transmission times out or ends, the data connection is removed.
ASPF implements FTP inspection during the FTP connection lifetime:
4. ASPF checks the IP packets the FTP client sends to the FTP server to identify TCP-based FTP packets. Based on the port number, ASPF determines whether the connection is the control connection between the FTP client and server and, if yes, creates a session entry.
5. ASPF checks each FTP control connection packet and verifies its TCP status against the session entry. ASPF also analyzes the FTP commands. If a packet contains a data channel setup command, ASPF creates an associated entry for the data connection.
6. For returned FTP control connection packets, ASPF first matches these packets against the control connection session entry, then checks their TCP status, and determines whether to permit the packets to pass.
7. When the FTP data connection passes through the device, ASPF is triggered to create a session entry for the data connection. The associated entry is removed.
8. For returned FTP data connection packets, ASPF matches these packets against the data connection session entry, checks their TCP status, and determines whether to permit the packets to pass.
9. When the data transmission ends, ASPF removes the data connection session entry. When the FTP connection is removed, ASPF removes the control connection session entry.
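As an added illustration (not code from the HP guide or the device), the following Python model walks through steps 1 to 9 above: a session entry is created for the control connection, the FTP PORT command on the control channel yields an associated entry for the expected data connection, that entry is promoted to a data session entry when the server opens the data channel, and packets with no matching entry are denied. The IP addresses are constructed, the TCP status check is reduced to tracking the SYN, and only active-mode PORT is parsed.

```python
import re
# FTP PORT command: "PORT h1,h2,h3,h4,p1,p2" announces the client data endpoint h1.h2.h3.h4:(p1*256+p2)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def _rev(key):
    src, sport, dst, dport = key
    return (dst, dport, src, sport)

class Aspf:
    """Toy ASPF: session entries for live connections, associated entries for expected ones."""
    def __init__(self):
        self.sessions = set()    # (src_ip, src_port, dst_ip, dst_port) as seen from the initiator
        self.associated = set()  # data connections announced on the control channel but not yet opened

    def packet(self, src, sport, dst, dport, syn=False, payload=""):
        """Return the verdict for one packet; 'syn' stands in for the guide's TCP status check."""
        key = (src, sport, dst, dport)
        if syn and dport == 21:             # step 4: client opens the control connection
            self.sessions.add(key)
        if syn and key in self.associated:  # step 7: announced data connection appears
            self.associated.discard(key)    # associated entry becomes a data session entry
            self.sessions.add(key)
        if key not in self.sessions and _rev(key) not in self.sessions:
            return "deny"                   # steps 6 and 8: no session entry in either direction
        m = PORT_RE.match(payload)
        if m and dport == 21:               # step 5: data channel setup command on the control channel
            host = ".".join(m.group(i) for i in range(1, 5))
            port = int(m.group(5)) * 256 + int(m.group(6))
            self.associated.add((dst, 20, host, port))  # server will connect from port 20
        return "permit"

    def close(self, src, sport, dst, dport):  # step 9: connection ends or times out
        self.sessions.discard((src, sport, dst, dport))
        self.sessions.discard(_rev((src, sport, dst, dport)))

def demo():
    """Walk the Figure 70 exchange with constructed addresses; returns the list of verdicts."""
    c, s = "192.0.2.10", "198.51.100.5"  # constructed client and server addresses
    f = Aspf()
    verdicts = [
        f.packet(c, 1333, s, 21, syn=True),                       # step 1: control connection
        f.packet(c, 1333, s, 21, payload="PORT 192,0,2,10,6,64"), # announces port 6*256+64 = 1600
        f.packet(s, 20, c, 1600, syn=True),                       # step 2: server opens data channel
        f.packet(c, 1600, s, 20),                                 # returned data packet
        f.packet(s, 20, c, 1601, syn=True),                       # never announced: no entry, denied
    ]
    f.close(s, 20, c, 1600)                                       # step 3: data transmission ends
    verdicts.append(f.packet(c, 1600, s, 20))                     # entry gone, so denied
    return verdicts
```

Running `demo()` returns permit for the four legitimate packets and deny for the unannounced connection and for the packet sent after the data session entry was removed.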
Transport layer protocol inspection
Transport layer protocol inspection is generic TCP/UDP inspection. It creates session entries that record the transport layer information of the packets, such as source and destination addresses and port numbers, and uses these entries to dynamically filter packets.
[Figure 70 callouts: the FTP client (port 1333) opens the control channel to the FTP server (port 21) through the device, which creates a session entry for the control connection; the device analyzes FTP commands and responses and creates an associated entry for the data connection; the server opens the data channel from port 20 to client port 1600, a session entry for the data connection is created and the associated entry is removed; the session entry of the data connection is removed at the end of data transmission.]