3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
96 CHAPTER 7: FIREWALL CONFIGURATION
When ASPF is applied to the outbound direction of an external interface on the
security gateway, a temporary channel can be opened on the firewall for the
returned packets of internal network users who access the Internet.
Fundamentals of application protocol layer detection
Figure 16 Fundamentals of application protocol layer detection
As shown in the above figure, a static ACL is generally needed on the security
gateway to allow hosts on the internal network to access the external network
while prohibiting hosts on the external network from accessing the internal network.
However, a static ACL also filters out the packets returned after an internal user
initiates a connection, so the connection cannot be established. When the security
gateway is configured with application layer protocol detection, ASPF detects every
session at the application layer and creates a status table and a temporary access
control list (TACL). A status table entry is created when the first packet of a
session is detected; it records the state of the session at a given moment and is
used to verify that each session state transition is legal. A TACL entry is created
together with the status table entry and is deleted when the session terminates. It
acts like a permit entry in an advanced ACL that matches all the returned packets of
the session, which in effect opens a temporary channel at the external interface of
the firewall for those returned packets.
The following takes FTP detection as an example to illustrate how a multi-channel
application layer protocol is detected.
Figure 17 FTP detection process
An FTP connection is set up as follows:
Suppose that an FTP client initiates a control channel connection from its
port 1333 to port 21 of the FTP server. After negotiation, the server initiates a data
channel connection from its port 20 to port 1600 of the client. A connection is
deleted when it times out or when the data transfer ends.
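The behaviour described above (a static ACL that permits outbound and denies inbound, a status table entry created on the first packet of a session, TACL entries that admit only that session's returned packets, and a second temporary channel opened for the FTP data connection announced on the control channel) can be modelled in a few dozen lines. The following is an added illustration, not code from the guide or from the switch firmware; the addresses, the PORT command text and the `fin` marker used to signal the end of a connection are constructed for the example, and the model is deliberately simplified (it parses only the active-mode PORT command and has no timeouts).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Flow key as the firewall indexes it: (src_ip, src_port, dst_ip, dst_port, proto)
Flow = Tuple[str, int, str, int, str]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    payload: str = ""   # application-layer text the inspector looks at
    fin: bool = False   # constructed marker: this packet ends its connection


# FTP active-mode PORT command: "PORT h1,h2,h3,h4,p1,p2", data port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


class AspfFirewall:
    """Assumed model of ASPF on the external interface: a static ACL that permits
    outbound and denies inbound traffic, a status table keyed by session, and a
    TACL of temporary permit entries for the returned packets of each session."""

    def __init__(self, internal_prefix: str) -> None:
        self.internal_prefix = internal_prefix
        self.status_table: Dict[Flow, str] = {}   # session flow -> state
        self.tacl: Dict[Flow, Flow] = {}          # permitted return flow -> owning session

    def _is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    @staticmethod
    def _reverse(f: Flow) -> Flow:
        return (f[2], f[3], f[0], f[1], f[4])

    def _close_session(self, session: Flow) -> None:
        # deleting a session removes every TACL entry it created
        self.status_table.pop(session, None)
        for ret in [r for r, s in self.tacl.items() if s == session]:
            del self.tacl[ret]

    def inspect(self, p: Packet) -> str:
        """Return "permit" or "deny" for one packet crossing the external interface."""
        key: Flow = (p.src, p.sport, p.dst, p.dport, p.proto)
        if self._is_internal(p.src) and not self._is_internal(p.dst):
            # outbound: the static ACL permits; ASPF records the session on its first
            # packet and installs a TACL entry so that its replies can come back
            self.status_table.setdefault(key, "established")
            self.tacl[self._reverse(key)] = key
            if p.proto == "tcp" and p.dport == 21:
                m = PORT_RE.match(p.payload)
                if m:
                    # multi-channel protocol: the control channel announces the data
                    # channel, so ASPF opens a second temporary channel for it
                    host = ".".join(m.group(i) for i in range(1, 5))
                    port = int(m.group(5)) * 256 + int(m.group(6))
                    self.tacl[(p.dst, 20, host, port, "tcp")] = key
            if p.fin:
                self._close_session(key)
            return "permit"
        # inbound: the static ACL denies unless a TACL entry matches the packet
        session = self.tacl.get(key)
        if session is None:
            return "deny"
        if p.fin:
            if key == self._reverse(session):
                self._close_session(session)   # control channel ended: whole session goes
            else:
                del self.tacl[key]             # data channel ended: only its entry goes
        return "permit"


def ftp_scenario() -> List[str]:
    """Replay the FTP exchange described in the text (constructed addresses)."""
    fw = AspfFirewall("10.0.0.")
    client, server, stranger = "10.0.0.5", "198.51.100.7", "203.0.113.9"
    packets = [
        Packet(client, 1333, server, 21),                                 # control channel opens
        Packet(server, 21, client, 1333, payload="220 ready"),           # reply matches TACL
        Packet(stranger, 4444, client, 1333),                            # other session: blocked
        Packet(server, 20, client, 1600),                                # data before PORT: blocked
        Packet(client, 1333, server, 21, payload="PORT 10,0,0,5,6,64"),  # announces port 1600
        Packet(server, 20, client, 1600),                                # data channel now permitted
        Packet(server, 20, client, 1600, fin=True),                      # transfer ends
        Packet(server, 20, client, 1600),                                # data entry deleted
        Packet(client, 1333, server, 21, fin=True),                      # control channel ends
        Packet(server, 21, client, 1333),                                # session gone: blocked
    ]
    return [fw.inspect(p) for p in packets]


if __name__ == "__main__":
    for i, verdict in enumerate(ftp_scenario(), 1):
        print(i, verdict)
```

The point of the replay is the ordering: the server's connection from port 20 to port 1600 is dropped until the client's PORT command has been seen on the control channel, and it is dropped again once that data connection ends, which is exactly what distinguishes the temporary channel from a static permit for port 20.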
[Figure 16 labels: WAN; Client A; Server; Protected network; Quidway Switch 8800; "Client A initializes a session"; "Returned packets of client A are permitted to pass"; "Packets of other sessions blocked"]
[Figure 17 labels: FTP Client (port 1333, port 1600); FTP Server (port 21, port 20); FTP command and response; Control channel connection; Data control connection; Port command]