TMS zl Management and Configuration Guide ST.1.0.090213

Firewall
Application-Level Gateways
Unlike other ALGs, which provide either NAT-ALG or firewall-ALG functionality, the ESP ALG also keeps track of SPI values to ensure that packets are handed over correctly to the internal machines.
ftpv4
The FTP ALG:

• creates dynamic associations based on the information that is exchanged in the control-connection payloads, which enables data connections to be established between the server and client.

• interprets the PORT command from the client and allows the server to make a connection back to the client for data transfer by
  – extracting the IP address and port from the PORT command
  – opening a new association so that the data connection can be established successfully. The server then makes a data connection to the client for data transfer.

• interprets the PASV reply from the server in response to a PASV request from the client by
  – extracting the IP address and port from the PASV reply (the PASV command itself carries no address; the server's 227 reply does)
  – opening a new association so that the data connection can be established successfully. The client then makes a data connection to the server for data transfer.

• performs the following functionality:
  – application-control filters — If application control support is enabled in the firewall, and the FTP application-control record is attached to the policy that allowed the FTP connection through, then the ALG checks whether each FTP command is allowed or denied by the application-control record and takes action based on the status of the command in the record.
  – attack checks — The ALG checks for the following attacks:
    · FTP bounce — When the ALG detects a PORT command, it verifies that the IP address in the PORT command is the same as the IP address of the client that initiated the connection. If the addresses do not match, the connection is closed.
    · invalid PASV replies — When the ALG detects a PASV reply, it verifies that the client has sent a PASV command on the connection. If no PASV command was sent, the PASV reply is dropped and the connection is closed. The ALG also verifies that the IP address in the PASV reply is the same as the server's IP address. If the addresses do not match, the connection is closed.

• translates the IP address and port information in the control-connection payload according to NAT policies.
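The PORT/PASV handling, the FTP bounce and invalid-PASV-reply checks, the application-control filter and the NAT rewrite of the control-connection payload described above, as an added Python example; this is not code from the TMS zl product or its documentation. The static NAT table, the set of permitted commands, the sample addresses, and the decision that a denied command is simply dropped while the session stays up are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Wire formats: "PORT h1,h2,h3,h4,p1,p2" from the client and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server; port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_REPLY_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups: Tuple[str, ...]) -> Tuple[str, int]:
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def encode_hostport(ip: str, port: int) -> str:
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass
class FtpAlgSession:
    """State the ALG keeps for one FTP control connection from client_ip to server_ip."""
    client_ip: str
    server_ip: str
    # Assumed static NAT table: address as written in the payload -> address the peer must see.
    nat: Dict[str, str] = field(default_factory=dict)
    # Assumed application-control record: permitted commands; None means no filtering.
    allowed_commands: Optional[Set[str]] = None
    pasv_pending: bool = False
    close_reason: Optional[str] = None
    # Dynamic associations (pinholes) opened for data connections: (initiator, responder, port).
    associations: List[Tuple[str, str, int]] = field(default_factory=list)

    @property
    def closed(self) -> bool:
        return self.close_reason is not None

    def _translate(self, line: str, m, ip: str, port: int) -> str:
        """Rewrite the h1..p2 span of the payload according to the NAT table."""
        if ip not in self.nat:
            return line
        return line[:m.start(1)] + encode_hostport(self.nat[ip], port) + line[m.end(6):]

    def from_client(self, line: str) -> Optional[str]:
        """Inspect one client command; return the line to forward, or None if dropped."""
        line = line.rstrip("\r\n")
        if self.closed:
            return None
        cmd = line.split(" ", 1)[0].upper()
        if self.allowed_commands is not None and cmd not in self.allowed_commands:
            return None  # assumption: a denied command is dropped and the session stays up
        if cmd == "PASV":
            self.pasv_pending = True  # a 227 reply is now legitimate
            return line
        m = PORT_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.groups())
        if ip != self.client_ip:  # FTP bounce check: PORT must name the client itself
            self.close_reason = "PORT address %s differs from client %s" % (ip, self.client_ip)
            return None
        # Active mode: the server will connect back to client:port, so open that pinhole.
        self.associations.append((self.server_ip, self.client_ip, port))
        return self._translate(line, m, ip, port)

    def from_server(self, line: str) -> Optional[str]:
        """Inspect one server reply; return the line to forward, or None if dropped."""
        line = line.rstrip("\r\n")
        if self.closed:
            return None
        m = PASV_REPLY_RE.match(line)
        if not m:
            return line
        if not self.pasv_pending:  # invalid PASV reply: the client never asked for it
            self.close_reason = "227 reply without a preceding PASV command"
            return None
        ip, port = decode_hostport(m.groups())
        if ip != self.server_ip:  # reply must point back at the server itself
            self.close_reason = "PASV reply address %s differs from server %s" % (ip, self.server_ip)
            return None
        self.pasv_pending = False
        # Passive mode: the client will connect to server:port, so open that pinhole.
        self.associations.append((self.client_ip, self.server_ip, port))
        return self._translate(line, m, ip, port)


def simulate(exchange: List[Tuple[str, str]], **kwargs) -> Tuple[FtpAlgSession, List[Optional[str]]]:
    """Run ("C", line)/("S", line) pairs through a constructed session (client 10.0.0.5, server 198.51.100.20)."""
    s = FtpAlgSession("10.0.0.5", "198.51.100.20", **kwargs)
    out = [s.from_client(l) if who == "C" else s.from_server(l) for who, l in exchange]
    return s, out


if __name__ == "__main__":
    for ex, kw in [([("C", "PORT 10,0,0,5,4,1")], {"nat": {"10.0.0.5": "203.0.113.9"}}),
                   ([("C", "PORT 192,0,2,77,0,25")], {}),
                   ([("S", "227 Entering Passive Mode (198,51,100,20,39,16)")], {})]:
        s, out = simulate(ex, **kw)
        print(out, s.associations, s.close_reason)
```

The three constructed samples in the `__main__` block show a NATed active-mode PORT being rewritten with a pinhole opened for the server's connection back to port 1025, a PORT naming a third host being refused as a bounce attempt, and a 227 reply arriving with no PASV outstanding being dropped and the session closed. Note that the check keys on the session's own client and server addresses, so a NAT rewrite is applied only after the untranslated payload has passed the bounce or PASV-reply check.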