R0106-HP MSR Router Series Security Configuration Guide(V7)

Configuring ASPF
Overview
Advanced Stateful Packet Filter (ASPF) addresses the problems that a stateless packet-filter firewall cannot
solve on its own. An ASPF provides the following main functions:
• Application layer protocol inspection—ASPF inspects the application layer information in packets,
  such as the protocol type and port number, and tracks the application layer protocol state of each
  connection. Based on the state it maintains for each connection, ASPF determines whether a packet is
  permitted to pass through the firewall into the internal network. In this way, ASPF defends the internal
  network against attacks that a stateless filter cannot recognize.
• Transport layer protocol inspection (generic TCP and UDP inspection)—ASPF checks the source and
  destination addresses and port numbers of a TCP or UDP packet to determine whether to permit the
  packet to pass through the firewall into the internal network.
• ICMP error message check—ASPF inspects the connection information carried in an ICMP error
  message (the header of the original datagram that triggered the error). If that information does not
  match an existing connection, ASPF drops the packet.
• TCP SYN check—ASPF checks whether the first packet of a TCP connection is a SYN packet and drops it
  if it is not. When a router is first brought up on a network (for example, after a restart), the first
  packet it sees for an already established TCP connection can be a non-SYN packet. If you do not want
  to interrupt such existing connections, you can disable TCP SYN check; the router then allows a
  non-SYN packet to create the connection state. After the network topology becomes stable, enable
  TCP SYN check again. While the check is disabled, any mid-stream TCP packet can create a session,
  so keep that window short.
At the network border, an ASPF can work together with a packet-filter firewall to provide a security
policy that is more comprehensive and better matches actual needs. The packet-filter firewall permits or
denies packets according to ACL rules. The ASPF records state for the permitted packets so that their
return packets are allowed back through the packet-filter firewall.
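The following Python model is added here as an illustration of the mechanism described above; it is not code from the HP guide or from Comware. It shows how the three checks fit together with the ACL cooperation: outbound TCP/UDP flows from the internal side create sessions, only their return packets get past an inbound deny-all ACL, the TCP SYN check can be toggled, and an ICMP error is admitted only if the datagram it quotes belongs to a recorded session. The Packet and Aspf names, the addresses and the flows are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""                 # TCP flags, e.g. "S" (SYN), "SA", "A"
    # For ICMP error messages: the original datagram quoted in the ICMP
    # payload, modelled here as a nested Packet (constructed simplification).
    inner: Optional["Packet"] = None


class Aspf:
    """Session table plus the checks described in the text (toy model)."""

    def __init__(self, syn_check: bool = True):
        self.syn_check = syn_check
        # Sessions are keyed by the 5-tuple in the initiator's direction.
        self.sessions: set = set()

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def outbound(self, p: Packet) -> bool:
        """Internal -> external: inspect the packet and record its session."""
        if p.proto not in ("tcp", "udp"):
            return False
        if p.proto == "tcp" and self._key(p) not in self.sessions:
            # TCP SYN check: the first packet of a new connection must be a
            # bare SYN, unless the check is disabled (e.g. right after boot,
            # when existing connections are first seen mid-stream).
            if self.syn_check and p.flags != "S":
                return False
        self.sessions.add(self._key(p))
        return True

    def inbound(self, p: Packet) -> bool:
        """External -> internal: the packet-filter ACL denies everything here;
        only packets matching a recorded session, or an ICMP error about one,
        are admitted."""
        if p.proto in ("tcp", "udp"):
            return self._reverse_key(p) in self.sessions
        if p.proto == "icmp" and p.inner is not None:
            # ICMP error check: the quoted original datagram must belong to a
            # flow that a host on the internal side actually initiated.
            return self._key(p.inner) in self.sessions
        return False


def aspf_demo() -> dict:
    """Run constructed scenarios from the text and return each verdict."""
    aspf = Aspf(syn_check=True)
    web = Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 443, "S")
    r = {}
    r["syn_out"] = aspf.outbound(web)
    r["reply_in"] = aspf.inbound(
        Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40000, "SA"))
    # Unsolicited inbound SYN: no session, so the ACL deny stands.
    r["unsolicited_in"] = aspf.inbound(
        Packet("tcp", "198.51.100.7", 5555, "10.0.0.5", 22, "S"))
    # A bare ACK as the first packet of a flow fails the SYN check...
    ack = Packet("tcp", "10.0.0.6", 40001, "203.0.113.10", 80, "A")
    r["ack_first"] = aspf.outbound(ack)
    # ...but is accepted while SYN check is disabled.
    r["ack_first_no_check"] = Aspf(syn_check=False).outbound(ack)
    # ICMP error quoting the web flow passes; one quoting a flow nobody on
    # the inside opened is dropped.
    r["icmp_match"] = aspf.inbound(
        Packet("icmp", "203.0.113.10", 0, "10.0.0.5", 0, inner=web))
    bogus = Packet("udp", "10.0.0.5", 53000, "192.0.2.9", 53)
    r["icmp_bogus"] = aspf.inbound(
        Packet("icmp", "192.0.2.9", 0, "10.0.0.5", 0, inner=bogus))
    return r


if __name__ == "__main__":
    for name, verdict in aspf_demo().items():
        print(f"{name:20s} {'permit' if verdict else 'drop'}")
```

The model deliberately keeps the inbound side at "deny unless a session exists", which is the division of labour the text describes: the ACL expresses the static policy, the ASPF supplies the dynamic exceptions for return traffic.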
ASPF basic concepts
Single-channel protocol and multi-channel protocol
• Single-channel protocol—A single-channel protocol uses a single connection to exchange both control
  messages and data for a user. SMTP and HTTP are examples of single-channel protocols.
• Multi-channel protocol—A multi-channel protocol establishes more than one connection for a user and
  carries control messages and user data over different connections. FTP is one example: the control
  connection carries commands, and a separate data connection, whose port is negotiated over the
  control connection, carries the file contents.
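The following Python example is added here to show why a multi-channel protocol needs application layer inspection; it is not code from the HP guide or from Comware. In active-mode FTP the client's PORT command (RFC 959 syntax h1,h2,h3,h4,p1,p2, port = p1*256 + p2) tells the server where to connect back for the data channel, so a filter that only looks at transport headers cannot know which inbound connection to expect. The inspector parses PORT on the control channel and opens a one-shot pinhole for exactly that data connection; the FtpInspector name, the addresses and the rule that the advertised address must be the client itself and the port must be unprivileged are assumptions of this example.

```python
import re

# RFC 959 PORT syntax: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE)


def parse_port(line: str) -> tuple:
    """Return (ip, port) advertised by an FTP PORT command, or raise ValueError."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed PORT command")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range")
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


class FtpInspector:
    """Tracks one active-mode FTP control session and the data-channel
    pinholes it legitimately opens (constructed toy, not a product ALG)."""

    def __init__(self, client_ip: str, server_ip: str):
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.pinholes: set = set()      # (client_ip, client_port) pairs

    def on_control_line(self, line: str) -> bool:
        """Inspect one client->server control line. Returns False to drop it."""
        if not line.upper().startswith("PORT "):
            return True                 # other commands pass untouched
        try:
            ip, port = parse_port(line)
        except ValueError:
            return False
        # Assumed policy: only open a hole back to the client that sent the
        # command, and only to an unprivileged port. A PORT pointing elsewhere
        # would let the control channel open the firewall toward third parties.
        if ip != self.client_ip or port < 1024:
            return False
        self.pinholes.add((ip, port))
        return True

    def allow_data_syn(self, src_ip: str, sport: int, dst_ip: str, dport: int) -> bool:
        """Active mode: the server connects from port 20 to the advertised
        client port. Each pinhole admits exactly one connection."""
        if src_ip == self.server_ip and sport == 20 and (dst_ip, dport) in self.pinholes:
            self.pinholes.discard((dst_ip, dport))
            return True
        return False


def ftp_demo() -> dict:
    """Constructed control-channel lines and data SYNs; returns each verdict."""
    insp = FtpInspector(client_ip="10.0.0.5", server_ip="203.0.113.20")
    r = {}
    r["port_parsed"] = parse_port("PORT 10,0,0,5,195,80")      # ('10.0.0.5', 50000)
    r["port_ok"] = insp.on_control_line("PORT 10,0,0,5,195,80")
    r["data_syn_ok"] = insp.allow_data_syn("203.0.113.20", 20, "10.0.0.5", 50000)
    r["data_syn_replay"] = insp.allow_data_syn("203.0.113.20", 20, "10.0.0.5", 50000)
    # PORT aimed at a different host is refused and opens nothing.
    r["bounce_refused"] = insp.on_control_line("PORT 10,0,0,9,0,22")
    r["bounce_syn"] = insp.allow_data_syn("203.0.113.20", 20, "10.0.0.9", 22)
    r["malformed"] = insp.on_control_line("PORT 10,0,0,5,999,1")
    return r


if __name__ == "__main__":
    for name, verdict in ftp_demo().items():
        print(f"{name:16s} {verdict}")
```

Without the control-channel parse, the only ways to admit the data connection would be a static ACL hole for every high port (which defeats the firewall) or blocking active-mode FTP entirely; this is the gap that per-protocol inspection of multi-channel protocols closes.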
Internal interface and external interface
On an edge device that uses ASPF to protect hosts and servers on the internal network, the interfaces
of the device are divided into internal interfaces and external interfaces:
• Internal interfaces—Interfaces connected to the internal network.
• External interfaces—Interfaces connected to the external network.
To protect the internal network, apply an ASPF in the outbound direction of the external interfaces or
in the inbound direction of the internal interfaces. Either placement inspects the traffic leaving the
internal network, so the ASPF can record the sessions and admit their return traffic.