HP VPN Firewall Appliances Access Control Configuration Guide

Managing sessions
Overview
Session management is a common feature designed to implement session-based services such as NAT,
ASPF, and intrusion protection. Session management regards packet exchanges at the transport layer as
sessions and updates the session status, or ages sessions out, according to information in the initiator or
responder packet.
Session management allows multiple features to process the same service packet. Session management
can be applied for the following purposes:
• Fast match between packets and sessions
• Management of transport layer protocol states
• Identification of application layer protocols
• Session aging based on protocol state or application layer protocol type
• Persistent sessions
• Checksum verification for transport layer protocol packets
• Special packet match for the application layer protocols requiring port negotiation
• Resolution of ICMP error control packets and session match based on resolution results
Session management operation
Session management tracks the connection status by inspecting the transport layer protocol (TCP or UDP)
information, performing unified status maintenance and management of all connections.
In actual applications, session management works together with ASPF to dynamically determine whether
a packet can pass the firewall and enter the internal network according to connection status, thus
preventing intrusion.
The session management function only implements connection status tracking. It does not block potential
attack packets.
Session management functions
Session management enables the device to provide the following functions:
• Creates sessions for IPv4 packets such as TCP, UDP, ICMP, and raw IP packets, updates session states,
and sets aging times for sessions in different protocol states.
• Supports port mapping for application layer protocols, enabling application layer protocols to use
customized ports.
• Sets aging times for sessions of different application layer protocols.
• Supports checksum verification for TCP, UDP, and ICMP packets.
In case of checksum verification failure, the system will not match sessions or create sessions.
Instead, other services based on session management will process the packets.
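As an added illustration (not the appliance's own code), the following Python model shows the behaviour this chapter describes: a direction-independent session key so initiator and responder packets match one entry, aging that depends on the session's protocol state, and the rule that a checksum failure neither matches nor creates a session. The state names, aging values, and the checksum scope (payload only) are assumptions made for the example.

```python
from dataclasses import dataclass
# Assumed aging time (seconds) per session state; illustrative, not the device's defaults.
AGING = {"SYN_RECV": 30, "ESTABLISHED": 3600, "UDP_OPEN": 60}

def transport_checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum; odd-length data is padded with a zero byte.
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

@dataclass
class Packet:
    proto: str         # "tcp" or "udp"
    src: tuple         # (ip, port)
    dst: tuple
    flags: str = ""    # TCP flags, e.g. "S", "SA", "A"
    payload: bytes = b""
    checksum: int = 0  # checksum carried in the header (over payload only: a simplification)

class SessionTable:
    def __init__(self):
        self.table = {}  # key -> [state, last_seen]
    @staticmethod
    def key(p):
        # Direction-independent key so initiator and responder packets hit one entry.
        return (p.proto,) + tuple(sorted([p.src, p.dst]))

    def age_out(self, now):
        # Aging depends on the session's protocol state, as the guide describes.
        expired = [k for k, (state, seen) in self.table.items() if now - seen > AGING[state]]
        for k in expired:
            del self.table[k]
        return len(expired)

    def process(self, p, now):
        if transport_checksum(p.payload) != p.checksum:
            return "checksum-failed"  # neither matched nor created; left to other services
        self.age_out(now)
        k = self.key(p)
        s = self.table.get(k)
        if s is None:
            s = self.table[k] = ["SYN_RECV" if p.proto == "tcp" else "UDP_OPEN", now]
            return "created:" + s[0]
        if p.proto == "tcp" and p.flags == "A" and s[0] == "SYN_RECV":
            s[0] = "ESTABLISHED"  # handshake completed, longer aging time applies
        s[1] = now
        return "matched:" + s[0]
```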