3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
Introduction to Firewall 95
■ It enhances the session logging function and can log all the connection
information, including time, source address, destination address, the port in
use, and the number of transmitted bytes.
■ It supports Port to Application Map (PAM), allowing user-defined application
protocols to use non-standard ports.
On the network edge, ASPF cooperates with a common static firewall to provide a
comprehensive and practical security policy for intranets.
Basic Concepts
■ Java blocking
Java blocking blocks Java applets transferred by the HTTP protocol. When Java
blocking is configured, ASPF blocks and filters out the request commands sent
by users who attempt to obtain Java applet-included programs from web
pages. If ActiveX blocking is configured, ASPF blocks ActiveX controls transferred
through the HTTP protocol to protect the user from installing unsafe or malicious
controls.
■ Port to application mapping
Application layer protocols use well-known port numbers pre-defined by
the system for communication. PAM (Port to Application Mapping) permits
subscribers to define a set of new port numbers, other than those
pre-defined by the system, for different applications. PAM also provides
mechanisms to maintain and use the port configuration information defined by
subscribers.
PAM supports two kinds of mapping mechanisms: general port mapping and
ACL-based host port mapping. General port mapping establishes a mapping
relationship between user-defined port numbers and application layer protocols.
For example, port 8080 can be mapped to the HTTP protocol so that all TCP packets
with destination port 8080 are regarded as HTTP packets. Basic ACL-based host
mapping establishes a mapping relationship between user-defined port numbers
and application protocols only for packets to/from specific hosts. For example,
TCP packets using port 8080 and destined to the network segment 10.110.0.0 can
be mapped to HTTP packets. The range of hosts is specified by a basic ACL.
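The following is an added example, not configuration or code from the 3Com guide. It models in Python how a PAM lookup of the two kinds described above resolves the application protocol for a TCP packet: a general mapping (port 2121 treated as FTP for every host) and a basic-ACL host mapping (port 8080 treated as HTTP only for the 10.110.0.0 segment). The sample well-known port table, the ACL address/wildcard form, and the lookup order (host-specific mapping first, then general mapping, then the system's well-known ports) are assumptions of this example, not statements made by the guide.

```python
"""Added example: a small model of PAM (Port to Application Mapping) lookup.

Assumptions (not from the 3Com guide):
  * the basic ACL is written as address + wildcard mask, e.g. 10.110.0.0 0.0.255.255
  * host-specific mappings are consulted before general mappings, and both
    before the system's pre-defined well-known ports
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Sample table of system pre-defined (well-known) ports - constructed for this example.
WELL_KNOWN_PORTS = {21: "ftp", 25: "smtp", 80: "http", 554: "rtsp"}


@dataclass
class BasicAcl:
    """A basic ACL entry matching on address: bits set in the wildcard are 'don't care'."""
    address: str
    wildcard: str

    def matches(self, ip: str) -> bool:
        a = int(ipaddress.IPv4Address(self.address))
        w = int(ipaddress.IPv4Address(self.wildcard))
        x = int(ipaddress.IPv4Address(ip))
        return (a & ~w) == (x & ~w)


@dataclass
class PortMappingTable:
    general: dict = field(default_factory=dict)   # port -> application
    host: list = field(default_factory=list)      # (port, application, BasicAcl)

    def add_general(self, port: int, app: str) -> None:
        """General port mapping: applies to packets to/from any host."""
        self.general[port] = app

    def add_host(self, port: int, app: str, acl: BasicAcl) -> None:
        """ACL-based host port mapping: applies only to hosts the basic ACL matches."""
        self.host.append((port, app, acl))

    def resolve(self, dst_ip: str, dst_port: int, src_ip: Optional[str] = None) -> Optional[str]:
        """Return the application protocol ASPF should inspect this packet as, or None."""
        # 1. Host-specific mappings: the packet may be to OR from a matched host.
        for port, app, acl in self.host:
            if port == dst_port and (acl.matches(dst_ip) or (src_ip is not None and acl.matches(src_ip))):
                return app
        # 2. General (all-host) mappings.
        if dst_port in self.general:
            return self.general[dst_port]
        # 3. System pre-defined well-known ports.
        return WELL_KNOWN_PORTS.get(dst_port)


def build_example_table() -> PortMappingTable:
    """Constructed sample table mirroring the two mapping kinds in the text."""
    table = PortMappingTable()
    table.add_general(2121, "ftp")                                   # 2121 is FTP for everyone
    table.add_host(8080, "http", BasicAcl("10.110.0.0", "0.0.255.255"))  # 8080 is HTTP only for 10.110.0.0/16
    return table


def classify(dst_ip: str, dst_port: int, src_ip: Optional[str] = None) -> Optional[str]:
    return build_example_table().resolve(dst_ip, dst_port, src_ip)


if __name__ == "__main__":
    for pkt in [("10.110.3.4", 8080), ("192.0.2.1", 8080), ("192.0.2.1", 2121), ("192.0.2.1", 80)]:
        print(pkt, "->", classify(*pkt))
```

A packet to 192.0.2.1:8080 resolves to no application at all: the host mapping does not match and 8080 is not a well-known port, so ASPF would have nothing to inspect it as. That is the practical reason to keep non-standard port mappings explicit and scoped with an ACL when the service only exists on a known segment.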
■ Single-channel protocol/multi-channel protocol
Single-channel protocol: only one channel is used for data interaction from
the establishment of a session to its end. Such protocols include SMTP and HTTP.
Multi-channel protocol: the exchange of control information and the transfer
of data take place in different channels. Examples are FTP and RTSP.
■ Internal interface and external interface
If a security gateway connects an internal network to the Internet and deploys
ASPF to protect the servers of the internal network, the interface on the security
gateway connecting to the internal network is an internal interface, while the
one connecting to the Internet is an external interface.