3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
94 CHAPTER 7: FIREWALL CONFIGURATION
(IP layer) information of the packet (basic ACL rules and advanced ACL rules
containing only Layer 3 information) and the non-Layer 3 information (advanced
ACL rules containing non-Layer 3 information) for matching, and so obtains the
matching ACL rule.
For advanced ACL rules configured for exact-match filtering, the packet filtering
firewall needs to record the non-Layer 3 information of each first fragment. When
the follow-up fragments arrive, the saved information is used to match every
condition of the ACL rule against them. If exact matching is used, make sure you
disable fast forwarding on the corresponding interface with the undo ip
fast-forwarding command.
After exact matching is enabled, the efficiency of the packet filtering firewall
decreases slightly; the more matching entries are configured, the more it
decreases. A threshold can be configured to limit the maximum number of fragment
entries the firewall processes.
For definitions of normal matching and exact matching, refer to “ACL
Configuration”.
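The following model illustrates why exact matching matters for fragmented traffic. It is an added example, not code from this guide or from the switch firmware: a first fragment carries the transport header, later fragments of the same datagram do not, so a rule with a port condition can only be applied to them if the port seen in the first fragment was recorded. The Packet and Rule fields, the "any" wildcards, the record table and the fallback to Layer 3 matching when no record exists are assumptions of this model.

```python
# Added example (not the 8800 firmware): a model of how an advanced ACL with a
# Layer 4 condition behaves on IP fragments under normal and exact matching.
# Packet/Rule fields, "any" wildcards and the fallback when no record exists
# are assumptions of this model.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    ip_id: int                 # IP identification field shared by all fragments
    offset: int                # fragment offset; 0 marks the first fragment
    dport: Optional[int]       # transport header is present only when offset == 0


@dataclass
class Rule:
    action: str                # "permit" or "deny"
    src: str                   # exact address or "any" (prefix matching omitted)
    dst: str
    proto: str                 # "tcp", "udp" or "any"
    dport: Optional[int]       # non-Layer 3 condition; None means any port


def layer3_match(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and rule.proto in ("any", pkt.proto))


class FragmentFilter:
    """Evaluates rules in order; first match wins, default deny."""

    def __init__(self, rules: List[Rule], mode: str = "normal",
                 max_records: int = 1024) -> None:
        self.rules = rules
        self.mode = mode                  # "normal" or "exact"
        self.max_records = max_records    # models the configurable threshold
        # (src, dst, proto, ip_id) -> destination port seen in the first fragment
        self.records: Dict[Tuple[str, str, str, int], Optional[int]] = {}

    def _port_for(self, pkt: Packet) -> Optional[int]:
        """Port usable for matching this fragment; None means unknown."""
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        if pkt.offset == 0:
            if self.mode == "exact" and len(self.records) < self.max_records:
                self.records[key] = pkt.dport   # remember for follow-up fragments
            return pkt.dport
        if self.mode == "exact":
            return self.records.get(key)        # None if first fragment not seen
        return None                             # normal mode: only Layer 3 is known

    def decide(self, pkt: Packet) -> str:
        port = self._port_for(pkt)
        for rule in self.rules:
            if not layer3_match(rule, pkt):
                continue
            if rule.dport is not None and port is not None and port != rule.dport:
                continue
            # Modelling assumption: when the port is unknown, the rule's Layer 3
            # part alone decides. This is what lets a non-first fragment slip
            # past a port-specific rule in normal mode.
            return rule.action
        return "deny"


if __name__ == "__main__":
    # Constructed sample policy: allow web traffic to one server, drop the rest.
    policy = [Rule("permit", "any", "10.0.0.5", "tcp", 80),
              Rule("deny", "any", "any", "any", None)]
    first = Packet("192.0.2.9", "10.0.0.5", "tcp", 7, 0, 23)     # telnet, fragmented
    rest = Packet("192.0.2.9", "10.0.0.5", "tcp", 7, 185, None)  # same datagram
    for mode in ("normal", "exact"):
        fw = FragmentFilter(policy, mode)
        print(mode, fw.decide(first), fw.decide(rest))
```

In normal mode the first fragment of the telnet datagram is denied but its follow-up fragments are permitted by the port 80 rule, because their port is unknown; in exact mode the recorded port 23 is applied to every fragment and all of them are denied. Setting max_records to 0 reproduces the threshold being exhausted: no record is kept and the follow-up fragments fall back to Layer 3 matching.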
Application Specific Packet Filter
An ACL/packet filtering firewall is a static firewall with the following problems:
■ A static security policy cannot anticipate the ports used by multi-channel
application protocols such as FTP and H.323.
■ It cannot detect attacks such as TCP SYN flooding or malicious Java applets
carried at the application layer.
Therefore the concept of a stateful firewall, ASPF, was introduced. Application
specific packet filter (ASPF) is packet filtering oriented to the application and
transport layers, that is, state-based packet filtering. Application layer
protocol detection covers FTP, HTTP, SMTP, RTSP, and H.323 (Q.931, H.245, and
RTP/RTCP). Transport layer protocol detection covers general TCP/UDP
detection.
ASPF performs the following primary functions:
■ Checks application layer protocol information, such as the protocol type and
port number of a packet, and monitors the state of connection-based
application layer protocols. ASPF maintains state for each connection and
dynamically decides whether to permit a packet into the internal network,
preventing malicious intrusion.
■ Checks transport layer protocol information, that is, general TCP and UDP
detection, and decides whether to permit a TCP/UDP packet into the internal
network.
ASPF also provides the following functions:
■ It can detect and defend against Denial of Service (DoS) attacks.
■ Besides filtering packets based on connection state, it can inspect packet
content at the application layer. Java blocking for distrusted sites protects
the network from malicious Java applets.
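To show what "state-based packet filtering" and multi-channel protocol handling mean in practice, here is a miniature ASPF-style filter as an added example; it is not code from this guide or from the switch firmware. Outbound traffic creates session state, an inbound packet is admitted only if it belongs to a known session, and the FTP control channel is inspected so that the data connection a server initiates in active mode (announced by the client's PORT command) can be admitted through a one-shot pinhole that a static ACL could never express. The Packet fields, the inside address prefix, the simplified TCP state machine and the pinhole table are assumptions of this model.

```python
# Added example (not the 8800 firmware): a miniature ASPF-style stateful
# filter. Outbound traffic creates session state, unsolicited inbound packets
# are dropped, and the FTP control channel is inspected so the server-initiated
# active-mode data connection can be admitted. Field names, the inside prefix
# and the simplified TCP state machine are assumptions of this model.
from dataclasses import dataclass
from typing import Dict, Set, Tuple

INSIDE_PREFIX = "10.0.0."        # constructed: addresses of the protected network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""              # TCP flags as letters, e.g. "S", "SA", "PA"
    payload: str = ""            # decoded application data, if any


def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


class Aspf:
    def __init__(self) -> None:
        # (proto, inside_ip, inside_port, outside_ip, outside_port) -> state
        self.sessions: Dict[Tuple[str, str, int, str, int], str] = {}
        # (proto, inside_ip, inside_port, outside_ip): one expected inbound connection
        self.pinholes: Set[Tuple[str, str, int, str]] = set()

    @staticmethod
    def key(pkt: Packet) -> Tuple[str, str, int, str, int]:
        if inside(pkt.src):
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt: Packet) -> str:
        return self._outbound(pkt) if inside(pkt.src) else self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> str:
        k = self.key(pkt)
        if pkt.proto == "udp":
            self.sessions.setdefault(k, "UDP")
        elif pkt.flags == "S":
            self.sessions[k] = "SYN_SENT"
        elif k not in self.sessions:
            return "deny"                     # TCP segment with no open session
        elif self.sessions[k] == "SYN_RCVD" and "A" in pkt.flags:
            self.sessions[k] = "ESTABLISHED"
        if pkt.dport == 21 and self.sessions.get(k) == "ESTABLISHED":
            self._inspect_ftp(pkt)
        return "permit"

    def _inbound(self, pkt: Packet) -> str:
        k = self.key(pkt)
        state = self.sessions.get(k)
        if state is None:
            # Only a pinhole opened by an inspected protocol admits a connection
            # that the outside initiates; it is consumed by the first SYN.
            hole = (pkt.proto, pkt.dst, pkt.dport, pkt.src)
            if pkt.flags == "S" and hole in self.pinholes:
                self.pinholes.discard(hole)
                self.sessions[k] = "ESTABLISHED"   # simplified: no handshake tracking
                return "permit"
            return "deny"
        if state == "SYN_SENT":
            if pkt.flags != "SA":
                return "deny"                 # reply must be the SYN/ACK
            self.sessions[k] = "SYN_RCVD"
        return "permit"

    def _inspect_ftp(self, pkt: Packet) -> None:
        # Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" tells the server where to
        # connect for the data channel. A static ACL cannot know this port.
        for line in pkt.payload.splitlines():
            if not line.upper().startswith("PORT "):
                continue
            parts = line[5:].strip().split(",")
            if len(parts) != 6 or not all(p.isdigit() for p in parts):
                continue
            ip = ".".join(parts[:4])
            port = int(parts[4]) * 256 + int(parts[5])
            if ip == pkt.src:                 # never open a hole for a third host
                self.pinholes.add(("tcp", ip, port, pkt.dst))
```

Two design choices are worth noting. The pinhole is keyed to the server that received the PORT command and is discarded on first use, so it cannot be reused by another host. The address in the PORT command must equal the client's own source address, otherwise the inspector would let a client open the firewall towards any other internal host.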