R0106-HP MSR Router Series Security Configuration Guide(V7)
450
Figure 136 Safe reset mode application
• SYN cookie—Enables bidirectional TCP proxy for TCP clients and servers. As shown in Figure 137, if packets from clients and servers pass through the TCP proxy device, either safe reset or SYN cookie can be used.
Figure 137 Safe reset/SYN cookie mode application
TCP proxy in safe reset mode
As shown in Figure 138, the safe reset mode functions as follows:
1. After receiving a SYN packet destined for a protected server, the TCP proxy sends back a SYN ACK packet with an invalid sequence number.
2. If the TCP proxy receives an RST packet from the client, the client is verified legitimate.
3. The TCP proxy adds the client's IP address to the trusted IP list and starts forwarding TCP packets from the client to the server.
The safe reset mode requires that TCP clients use the standard TCP protocol suite. Legitimate clients that use non-standard TCP protocol suites will be verified as illegitimate by the TCP proxy. The verification process makes the TCP connection establishment take more time.