TMS zl Management and Configuration Guide ST.1.0.090213

4-6
Firewall
Overview
Circuit-Level Gateway
A circuit-level gateway acts at the OSI Session Layer (Layer 5) to monitor
the establishment of sessions between trusted and untrusted devices. Some
circuit-level gateways establish proxy sessions with untrusted hosts for their
clients.
Attack Checking. A circuit-level gateway monitors TCP handshakes
between devices to determine whether or not a requested session is legitimate.
A circuit-level gateway authorizes a requested session only if the SYN (synchronize)
flags, ACK (acknowledge) flags, and sequence numbers involved in the TCP
handshake are logical.
Valid but illogical handshakes and packets with invalid IP addresses are often
a sign that an attacker is attempting to infiltrate or gain information about a
private network.
The TMS zl Module automatically recognizes the flags that mark common
attacks and drops packets that contain them. (See “Enable and Disable
Optional Attack Checks” on page 4-96 for instructions.)
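The handshake check described above, as an added example (not code from the TMS zl guide): a small Python model of the SYN / SYN-ACK / ACK exchange that a circuit-level gateway watches, which refuses to authorize a session when the flags, sequence numbers or addresses are not logical. The Packet type, the address policy in valid_ip, and the sample exchanges are constructed for illustration.

```python
"""Simplified circuit-level gateway check of a TCP three-way handshake.

Added example, not code from the TMS zl guide. It models the SYN / SYN-ACK /
ACK exchange that a circuit-level gateway watches and refuses to authorize a
session whose flags, sequence numbers or addresses are not logical. The Packet
type, the address policy and the sample exchanges are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool
    ack: bool
    seq: int
    ack_num: int


def valid_ip(addr: str) -> bool:
    """Reject unparsable addresses and ones that cannot be a real peer
    (unspecified, loopback, multicast, reserved); a constructed policy."""
    try:
        a = ip_address(addr)
    except ValueError:
        return False
    return not (a.is_unspecified or a.is_loopback or a.is_multicast or a.is_reserved)


def check_handshake(pkts):
    """Return (authorized, reason) for a candidate three-segment handshake."""
    if len(pkts) != 3:
        return False, "a handshake is exactly three segments"
    syn, synack, ack = pkts
    for p in pkts:
        if not (valid_ip(p.src) and valid_ip(p.dst)):
            return False, f"invalid IP address in segment {p.src} -> {p.dst}"
    # Segment 1: the client sends a pure SYN (ACK flag clear).
    if not syn.syn or syn.ack:
        return False, "first segment is not a pure SYN"
    # Segment 2: the contacted host answers SYN+ACK, acknowledging ISN_client + 1.
    if not (synack.syn and synack.ack):
        return False, "second segment is not SYN-ACK"
    if (synack.src, synack.dst) != (syn.dst, syn.src):
        return False, "SYN-ACK does not come from the contacted host"
    if synack.ack_num != (syn.seq + 1) % SEQ_MOD:
        return False, "SYN-ACK acknowledges a number the client never sent"
    # Segment 3: the client sends a pure ACK, seq = ISN_client + 1, ack = ISN_server + 1.
    if ack.syn or not ack.ack:
        return False, "third segment is not a pure ACK"
    if (ack.src, ack.dst) != (syn.src, syn.dst):
        return False, "final ACK does not come from the client"
    if ack.seq != (syn.seq + 1) % SEQ_MOD or ack.ack_num != (synack.seq + 1) % SEQ_MOD:
        return False, "final ACK carries illogical sequence/acknowledgement numbers"
    return True, "session authorized"


# Constructed sample exchanges (addresses are private/documentation ranges).
CLIENT, SERVER = "10.0.0.5", "198.51.100.7"
LEGIT = [
    Packet(CLIENT, SERVER, syn=True, ack=False, seq=1000, ack_num=0),
    Packet(SERVER, CLIENT, syn=True, ack=True, seq=5000, ack_num=1001),
    Packet(CLIENT, SERVER, syn=False, ack=True, seq=1001, ack_num=5001),
]
# Valid flags, illogical numbers: the SYN-ACK acknowledges something never sent.
ILLOGICAL = [
    LEGIT[0],
    Packet(SERVER, CLIENT, syn=True, ack=True, seq=5000, ack_num=4242),
    LEGIT[2],
]
# Handshake opened from an unspecified source address.
BAD_IP = [
    Packet("0.0.0.0", SERVER, syn=True, ack=False, seq=7, ack_num=0),
    Packet(SERVER, "0.0.0.0", syn=True, ack=True, seq=9, ack_num=8),
    Packet("0.0.0.0", SERVER, syn=False, ack=True, seq=8, ack_num=10),
]

if __name__ == "__main__":
    for name, pkts in (("legit", LEGIT), ("illogical", ILLOGICAL), ("bad_ip", BAD_IP)):
        print(name, *check_handshake(pkts))
```

The second sample is the "valid but illogical" case from the text: every flag is correct, but the acknowledgement number does not match what the client sent, so the gateway declines to open the session rather than forwarding the exchange.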
Application-Level Gateway
Like a circuit-level gateway, an application-level gateway acts as a proxy
server between a trusted client and an untrusted host. Application-level
proxies filter packets at the OSI Application Layer (Layer 7). That is, they
accept only packets generated by services that they are designed to copy,
forward, and filter. For example, only a Telnet proxy can copy, forward, and
filter Telnet traffic. The proxy server reads each packet and filters particular
commands or information relating to applicable application protocols.
Each protocol needs its own proxy; the proxies themselves are sometimes
called application-level gateways (ALGs). In addition, the gateway imposes
two separate connections: one from the trusted network to the gateway and
one from the gateway to the untrusted network.
For example, an FTP ALG regulates an FTP session between a trusted and
untrusted host.
Application-level gateways can be prohibitively draining on resources. Each
protocol needs a separate ALG, and the gateway imposes two separate
connections (from the trusted network to the gateway and from the gateway to
the untrusted network).
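The FTP ALG described above, as an added example in Python (not the TMS zl Module's own code): a minimal proxy for the FTP control channel that shows the two-connection model and the per-protocol command filtering. The trusted client's lines reach the gateway, which parses each one and forwards to the untrusted server only commands on its allow-list; anything else, including traffic that is not FTP at all, is answered by the gateway itself. The allow-list in ALLOWED_COMMANDS, the stand-in server fake_server and the client transcript are constructed for illustration.

```python
"""Minimal application-level gateway (ALG) for the FTP control channel.

Added example, not the TMS zl Module's own code. It shows the two-connection
proxy model and the per-protocol command filtering the text describes: the
trusted client's commands reach the gateway, which forwards to the untrusted
server only lines it parses as FTP commands on its allow-list. The allow-list,
the stand-in server and the client transcript are constructed for illustration.
"""

# Commands this hypothetical policy lets through; anything else is answered
# by the gateway itself and never reaches the untrusted host.
ALLOWED_COMMANDS = {"USER", "PASS", "PWD", "CWD", "TYPE", "PASV", "LIST", "RETR", "QUIT"}
MAX_LINE = 512  # control-connection lines are short; oversized lines are refused


def parse_command(line: str):
    """Split one CRLF-terminated control line into (VERB, argument), or return
    None when the line is not a well-formed FTP command."""
    if len(line) > MAX_LINE or not line.endswith("\r\n"):
        return None
    verb, _, arg = line[:-2].partition(" ")
    if not verb.isalpha() or not all(32 <= ord(c) < 127 for c in arg):
        return None
    return verb.upper(), arg


def filter_command(line: str):
    """Gateway decision for one client line:
    ('forward', normalized_line) or ('reject', reply_sent_back_to_client)."""
    parsed = parse_command(line)
    if parsed is None:
        return "reject", "500 Syntax error, command unrecognized.\r\n"
    verb, arg = parsed
    if verb not in ALLOWED_COMMANDS:
        return "reject", "502 Command not implemented.\r\n"
    return "forward", (f"{verb} {arg}\r\n" if arg else f"{verb}\r\n")


def proxy_session(client_lines, upstream):
    """Run a client's control-channel lines through the gateway.

    `upstream` stands for the gateway-to-server connection: a callable that
    takes the forwarded line and returns the server's reply. Returns a list of
    (client_line, action, reply) so the decisions can be audited."""
    log = []
    for line in client_lines:
        action, payload = filter_command(line)
        reply = upstream(payload) if action == "forward" else payload
        log.append((line.rstrip("\r\n"), action, reply.rstrip("\r\n")))
        if action == "forward" and payload.startswith("QUIT"):
            break  # the session is over; nothing after QUIT is forwarded
    return log


def fake_server(line: str) -> str:
    """Constructed stand-in for the untrusted FTP server."""
    replies = {"USER": "331 Please specify the password.",
               "PASS": "230 Login successful.",
               "RETR": "150 Opening data connection.",
               "QUIT": "221 Goodbye."}
    return replies.get(line.split()[0], "200 Command okay.") + "\r\n"


# Constructed client transcript: permitted commands, one outside the policy,
# one line that is not FTP at all, then the remaining permitted commands.
CLIENT_LINES = [
    "USER anonymous\r\n",
    "PASS guest@example.invalid\r\n",
    "DELE report.txt\r\n",        # valid FTP, but not on the allow-list
    "GET / HTTP/1.1\r\n",         # not an FTP command this proxy handles
    "RETR readme.txt\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for entry in proxy_session(CLIENT_LINES, fake_server):
        print(entry)
```

Because the gateway is the endpoint of both connections, it can normalize what it forwards (upper-casing the verb, re-terminating the line) and can answer rejected commands with an FTP reply of its own; that per-protocol parsing is exactly why a separate ALG is needed for every protocol and why the approach costs more than a circuit-level check.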