HP VPN Firewall Appliances Attack Protection Configuration Guide

non-SYN packets of existing TCP connections passing the firewall for the first time are dropped,
breaking the existing TCP connections.
ASPF
Application Specific Packet Filter (ASPF) was proposed to address the issues that a static firewall cannot
solve. An ASPF implements application layer and transport layer specific, namely status-based (stateful), packet filtering.
An ASPF can detect application layer protocols including FTP, GTP, HTTP, SMTP, Real RTSP, SCCP, SIP,
H.323 (Q.931, H.245, and RTP/RTCP), and transport layer protocols TCP and UDP.
ASPF functions
An ASPF provides the following main functions:
• Application layer protocol inspection—ASPF checks the application layer information of packets,
such as the protocol type and port number, and monitors the application layer protocol status for
each connection. ASPF maintains the status information of each connection, and based on the
status information, determines whether to permit a packet to pass through the firewall into the
internal network, thus defending the internal network against attacks.
• Transport layer protocol inspection (generic TCP and UDP inspection)—ASPF checks a TCP/UDP
packet's source and destination addresses and port numbers to determine whether to permit the
packet to pass through the firewall into the internal network.
• Enhanced session logging—ASPF can record the information of each connection, including the
duration, source and destination addresses and port numbers of the connection, and number of
bytes transmitted.
• Port to Application Mapping (PAM)—Allows you to specify port numbers other than the standard
ones for application layer protocols.
• ICMP error message inspection—ASPF checks the connection information carried in an ICMP error
message. If the information does not match the connection, the ASPF processes the packet as
configured, for example, it discards the packet.
• First packet inspection for TCP connection—ASPF checks the first packet over a TCP connection. If
the first packet over a TCP connection is not a SYN packet, the ASPF will discard the packet.
At the border of a network, an ASPF can work in coordination with a packet-filter firewall to provide the
network with a security policy that is more comprehensive and better satisfies the actual needs.
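The functions listed above, including PAM with both the general and the host port mappings that the next section describes, as a toy Python model. This is an added example written for this page, not HP's code: the class and field names, the 60-second idle timeout, the standard-port table and the sample addresses are all constructed assumptions, and the model permits or drops packets only on the basis of the session table, which is what the list describes.

```python
"""Toy model of ASPF: first-packet (SYN) inspection, generic TCP/UDP session
matching, ICMP error inspection, session logging and PAM lookup.
Constructed example; it models the described behaviour, not the appliance."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Well-known ports used when no PAM entry matches (constructed subset).
STANDARD_PORTS = {("tcp", 21): "ftp", ("tcp", 25): "smtp", ("tcp", 80): "http",
                  ("tcp", 554): "rtsp", ("udp", 5060): "sip"}


class PAM:
    """Port to Application Mapping. A host mapping (port plus destination
    network) is the most specific, then a general mapping, then the
    standard port table."""

    def __init__(self):
        self.general = {}          # port -> application name
        self.host = []             # (network, port, application name)

    def add_general(self, app, port):
        self.general[port] = app

    def add_host(self, app, port, network):
        self.host.append((ipaddress.ip_network(network), port, app))

    def resolve(self, proto, dst_ip, dst_port):
        ip = ipaddress.ip_address(dst_ip)
        for net, port, app in self.host:
            if port == dst_port and ip in net:
                return app
        if dst_port in self.general:
            return self.general[dst_port]
        return STANDARD_PORTS.get((proto, dst_port))


@dataclass
class Packet:
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float = 0.0                # arrival time in seconds
    flags: str = ""                # TCP flags, e.g. "S", "SA", "A"
    length: int = 0
    inner: Optional["Packet"] = None   # ICMP error: header of the packet that triggered it


@dataclass
class Session:
    key: tuple                     # 5-tuple of the initiating direction
    app: Optional[str]
    start: float
    last: float
    bytes: int = 0
    packets: int = 0


class ASPF:
    def __init__(self, pam):
        self.pam = pam
        self.sessions = {}
        self.log = []              # session log lines written when a session ends

    def _find(self, pkt):
        # A packet belongs to a session if it matches the 5-tuple in either direction.
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return self.sessions.get(fwd) or self.sessions.get(rev)

    def inspect(self, pkt):
        """Return 'permit' or 'drop' for one packet and update the session table."""
        if pkt.proto == "icmp":
            # ICMP error inspection: the embedded header must match a tracked session.
            ok = pkt.inner is not None and self._find(pkt.inner) is not None
            return "permit" if ok else "drop"
        sess = self._find(pkt)
        if sess is not None:       # generic TCP/UDP inspection: known session, count it
            sess.last, sess.bytes, sess.packets = pkt.ts, sess.bytes + pkt.length, sess.packets + 1
            return "permit"
        if pkt.proto == "tcp" and pkt.flags != "S":
            return "drop"          # first packet of a TCP connection must be a SYN
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        app = self.pam.resolve(pkt.proto, pkt.dst, pkt.dport)
        self.sessions[key] = Session(key, app, pkt.ts, pkt.ts, pkt.length, 1)
        return "permit"

    def age_out(self, now, idle=60.0):
        """Close idle sessions and write the session log (constructed timeout)."""
        for sess in [s for s in self.sessions.values() if now - s.last > idle]:
            proto, src, sport, dst, dport = sess.key
            self.log.append(f"{proto} {src}:{sport} -> {dst}:{dport} app={sess.app} "
                            f"duration={sess.last - sess.start:.1f}s bytes={sess.bytes}")
            del self.sessions[sess.key]


def demo():
    """Run constructed traffic through the model; returns (verdicts, session log)."""
    pam = PAM()
    pam.add_general("http", 8080)                       # 8080 is HTTP everywhere ...
    pam.add_host("ftp", 8080, "10.110.0.0/16")          # ... except towards 10.110.0.0/16
    fw = ASPF(pam)
    r = [fw.inspect(Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80, 0.0, "A")),
         fw.inspect(Packet("tcp", "192.168.1.10", 40001, "203.0.113.5", 8080, 1.0, "S", 60)),
         fw.inspect(Packet("tcp", "203.0.113.5", 8080, "192.168.1.10", 40001, 1.1, "SA", 60)),
         fw.inspect(Packet("tcp", "192.168.1.10", 40002, "10.110.3.7", 8080, 2.0, "S", 60))]
    inner_ok = Packet("tcp", "192.168.1.10", 40001, "203.0.113.5", 8080)
    inner_bad = Packet("tcp", "192.168.1.10", 55555, "198.51.100.9", 443)
    r.append(fw.inspect(Packet("icmp", "203.0.113.1", 0, "192.168.1.10", 0, 3.0, inner=inner_ok)))
    r.append(fw.inspect(Packet("icmp", "203.0.113.1", 0, "192.168.1.10", 0, 3.0, inner=inner_bad)))
    fw.age_out(now=100.0)
    return r, fw.log


if __name__ == "__main__":
    print(demo())
```

In the demo the first packet is an ACK with no session, so it is dropped by first-packet inspection; the SYN to port 8080 creates an HTTP session through the general mapping and its SYN-ACK is permitted as return traffic; the same port towards 10.110.0.0/16 is classified as FTP by the host mapping; and an ICMP error is permitted only when the header it carries matches a tracked session.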
ASPF basic concepts
PAM
While application layer protocols use the standard port numbers for communication, PAM allows
you to define a set of new port numbers for different applications, and provides mechanisms to
maintain and use the configuration information of user-defined ports.
PAM supports two types of port mapping mechanisms: general port mapping and host port
mapping.
◦ General port mapping—A mapping of a user-defined port number to an application layer
protocol. If port 8080 is mapped to HTTP, for example, all TCP packets to port 8080 are
regarded as HTTP packets.
◦ Host port mapping—A mapping of a user-defined port number to an application layer protocol
for packets to/from specific hosts. For example, you can establish a host port mapping so that
all TCP packets using 8080 as the destination port and 10.110.0.0/16 as the destination