HP VPN Firewall Appliances Attack Protection Configuration Guide
Configuring firewall
The term "router" in this document refers to both routers and routing-capable firewalls and firewall
modules.
Overview
A firewall blocks unauthorized Internet access to a protected network while allowing internal network
users to access the Internet through WWW, or to send and receive e-mails. A firewall can also be used
to control access to the Internet, for example, to permit only specific hosts within the organization to
access the Internet. Many of today's firewalls offer additional features, such as identity authentication
and encryption.
Another application of a firewall is to protect the mainframe and important resources (such as data) on
internal networks. Any access to protected data is filtered by the firewall, even if the access is initiated by
a user within the internal network.
ACL based packet filter
An ACL packet-filter firewall implements filtering that is specific to IP packets.
Before an IP packet can be forwarded, the firewall obtains the header information of the packet,
including the following:
• Number of the upper layer protocol carried by the IP layer
• Source address
• Destination address
• Source port number
• Destination port number
The firewall compares the header information against the preset ACL rules and processes the packet based
on the comparison result.
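The following is an added example, not code from the HP guide or the appliance itself, that reproduces the steps just described in plain Python: it pulls the upper-layer protocol number, source and destination addresses, and source and destination ports out of an IPv4 packet, walks an ordered rule list, and applies the action of the first matching rule, with an implicit deny if nothing matches. The rule fields, the sample rule set and the packet-building helper are this example's own assumptions and do not reflect the appliance's CLI syntax.

```python
"""Minimal stateless ACL packet filter (added example, not from the HP guide)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

PROTO_TCP = 6
PROTO_UDP = 17


@dataclass(frozen=True)
class Rule:
    # Hypothetical rule layout: action, IP protocol number (None = any),
    # source/destination prefixes, optional inclusive destination-port range.
    action: str
    protocol: Optional[int]
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]] = None


def parse_header(packet: bytes) -> dict:
    """Extract the five header fields the text says a packet filter inspects."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, proto = packet[0], packet[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    sport = dport = None
    # Port numbers exist only for TCP/UDP and sit in the first 4 bytes of L4.
    if proto in (PROTO_TCP, PROTO_UDP) and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def evaluate(rules, hdr) -> str:
    """First-match semantics over an ordered rule list; implicit deny at the end."""
    for r in rules:
        if r.protocol is not None and r.protocol != hdr["proto"]:
            continue
        if hdr["src"] not in r.src or hdr["dst"] not in r.dst:
            continue
        if r.dport is not None:
            if hdr["dport"] is None or not (r.dport[0] <= hdr["dport"] <= r.dport[1]):
                continue
        return r.action
    return "deny"


def build_ipv4(proto, src, dst, sport, dport, tcp_flags=0x02) -> bytes:
    """Constructed test data: a minimal IPv4 header plus a TCP or UDP header."""
    total = 20 + (20 if proto == PROTO_TCP else 8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    if proto == PROTO_TCP:
        # seq, ack, data offset (5 words), flags, window, checksum, urgent ptr
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    return ip + l4


# Sample policy (constructed): internal hosts may reach web and DNS, nothing else.
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
RULES = [
    Rule("permit", PROTO_TCP, INTERNAL, ANY, (80, 80)),
    Rule("permit", PROTO_TCP, INTERNAL, ANY, (443, 443)),
    Rule("permit", PROTO_UDP, INTERNAL, ipaddress.ip_network("10.0.0.53/32"), (53, 53)),
    Rule("deny", None, ANY, ANY),
]


def filter_packet(packet: bytes, rules=RULES) -> str:
    """Full pipeline: header extraction, rule comparison, resulting action."""
    return evaluate(rules, parse_header(packet))


if __name__ == "__main__":
    web = build_ipv4(PROTO_TCP, "10.1.2.3", "203.0.113.10", 40000, 80)
    ssh = build_ipv4(PROTO_TCP, "10.1.2.3", "203.0.113.10", 40000, 22)
    print("web:", filter_packet(web))  # permit
    print("ssh:", filter_packet(ssh))  # deny
```

Note that `evaluate` never reads the TCP flag byte and keeps no per-connection state, so an ACK-only packet from an internal host to port 80 is permitted exactly like a SYN. That is the behaviour the guide has in mind when it calls the ACL packet filter a static firewall.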
IPv4 packet-filter firewalls are configured mainly through interzone policy and interzone policy group
configurations. For more information about interzone policies and interzone policy groups, see Access
Control Configuration Guide. This chapter mainly describes the IPv6 packet-filter firewall configuration.
ACL packet filter limitations
An ACL packet filter is a static firewall. It cannot solve the following issues:
• For multi-channel application layer protocols, such as FTP and H.323, the values of some security
policy parameters cannot be known in advance.
• Some attacks from the transport layer and application layer, such as TCP SYN flooding, cannot be
detected.
• ICMP attacks cannot be prevented because not all faked ICMP error messages from the network
can be recognized.
• For a TCP connection, the first packet must be a SYN packet. Any non-SYN packet that is the first
packet over the TCP connection is dropped. If a packet-filter firewall is deployed in a network, the