HP VPN Firewall Appliances Attack Protection Configuration Guide

network segment are regarded as HTTP packets. The hosts can be specified by means of a basic
ACL.
Single-channel protocol and multi-channel protocol
• Single-channel protocol—A single-channel protocol establishes only one channel to exchange both control messages and data for a user. SMTP and HTTP are examples of single-channel protocols.
• Multi-channel protocol—A multi-channel protocol establishes more than one channel for a user and transfers control messages and user data through different channels. FTP and RTSP are examples of multi-channel protocols.
Internal interface and external interface
On an edge device configured with ASPF to protect servers on the internal network, interfaces
connected with the internal network are internal interfaces and the interface connected with the
Internet is the external interface.
When an ASPF is applied on the outbound direction of the external interface of a device, a
temporary channel can be opened on the firewall for return packets to internal network users
accessing the Internet.
Application layer protocol inspection
As shown in Figure 51, to protect the internal network, an ACL is usually required on the router to permit
internal hosts to access external networks while prohibiting hosts on external networks from accessing the
internal network. However, the ACL will also filter out the return packets to internal users, thus failing the
connection setup attempts.
Figure 51 Application layer protocol detection
ASPF implements the application layer protocol detection function in cooperation with the session
management and ALG features. After detecting the first packet of a session, ASPF matches the packet
with the configured policy and sends the result to the session management feature, which is responsible
for session information database establishment and session status maintenance. Then, the ASPF
processes subsequent packets of the session based on session status information returned by the session
management feature.
For information about session management, see Access Control Configuration Guide. For information
about ALG, see NAT and ALG Configuration Guide.
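The behaviour described above (the inbound ACL blocks everything, ASPF opens a temporary channel for return packets of sessions started from inside, and an ALG opens the extra data channel of a multi-channel protocol such as FTP) as a constructed Python model; this is an added illustration, not code from the guide or from the HP firewall. It assumes no NAT, identifies the protected network by an address prefix, and has the ALG pass the learned data-channel tuple directly to the ASPF.

```python
from dataclasses import dataclass
# Constructed model of the Figure 51 scenario. Assumptions: no NAT, the
# protected network is an address prefix, and the ALG hands the ASPF the
# data-channel tuple it learned on the control channel (e.g. FTP PORT).
@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class AspfEdge:
    def __init__(self, internal_prefix: str):
        self.internal_prefix = internal_prefix  # e.g. "10.0.0." (constructed)
        self.sessions = set()  # return 5-tuples of sessions opened from inside
        self.pinholes = set()  # data channels opened by an ALG

    def outbound(self, pkt: Packet) -> bool:
        """ASPF on the outbound direction of the external interface: the first
        packet of an internal session creates an entry for its return packets."""
        if not pkt.src.startswith(self.internal_prefix):
            return False
        self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Inbound ACL denies all, except return packets of a known session
        (the temporary channel) or a data channel an ALG has opened."""
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return True
        return (pkt.proto, pkt.src, pkt.dst, pkt.dport) in self.pinholes

    def alg_open_data_channel(self, proto, server, client, client_port):
        """Multi-channel protocol: the ALG learned from the control channel
        that the server will connect back to this client port."""
        self.pinholes.add((proto, server, client, client_port))

def single_channel_case():
    fw = AspfEdge("10.0.0.")
    fw.outbound(Packet("tcp", "10.0.0.5", 40001, "203.0.113.10", 80))
    reply = Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40001)  # permitted
    other = Packet("tcp", "198.51.100.7", 80, "10.0.0.5", 40001)  # blocked
    return fw.inbound(reply), fw.inbound(other)

def multi_channel_case():
    fw = AspfEdge("10.0.0.")
    fw.outbound(Packet("tcp", "10.0.0.5", 40002, "203.0.113.10", 21))
    fw.alg_open_data_channel("tcp", "203.0.113.10", "10.0.0.5", 40003)
    data = Packet("tcp", "203.0.113.10", 20, "10.0.0.5", 40003)
    stray = Packet("tcp", "203.0.113.10", 20, "10.0.0.5", 40004)
    return fw.inbound(data), fw.inbound(stray)
```

Without the session entry or the ALG pinhole, every inbound packet in both cases would be dropped by the ACL, which is exactly the failed-connection problem the section describes.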
Basic idea of transport layer protocol inspection
The transport layer protocol inspection here refers to generic TCP/UDP inspection. Unlike application layer protocol inspection, generic TCP/UDP inspection examines only the transport layer information in the packets, such as source and destination addresses and port numbers. Generic TCP/UDP
Figure 51 (diagram labels): Client A and Client B on the protected network sit behind the router, which connects over the WAN to the server. Client A initiates a session; return packets of that session are permitted to pass, while packets of other sessions are blocked.