TMS zl Management and Configuration Guide ST.1.1.100430

4-6
Firewall
General Firewall Concepts
Stateful Firewall
The TMS zl Module has a stateful firewall, which examines packet content at
several OSI layers. It combines aspects of:
A packet-filtering firewall
A circuit-level gateway
An application-level gateway
Packet-Filtering Firewall
A packet-filtering firewall is a router, switch, or computer running firewall
software that has been configured to screen incoming and outgoing packets.
Operating at the Network Layer (Layer 3) of the OSI model, a packet-filtering
firewall accepts or denies packets based on information contained in the
packet's TCP and IP headers.
You must establish the access policies against which a packet-filtering firewall
compares the full association of the packets. Policies consist of the following:
Source zone
Destination zone
Source address
Destination address
Protocol
Source port number
Destination port number
See “Firewall Access Policies” on page 4-22.
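The seven fields listed above form the association a packet filter compares against its policies. The following is an added example, not code from the guide or from the TMS zl Module, that evaluates a constructed policy set against packets field by field. The zone names "internal" and "external", the first-match evaluation order, and the implicit deny default are assumptions for illustration; the module's own policy syntax and evaluation order are described in "Firewall Access Policies".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None means "any port"


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter matches on (zone names are assumed)."""
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    protocol: str            # "tcp", "udp" or "icmp"
    src_port: Optional[int]  # None for protocols without ports
    dst_port: Optional[int]


@dataclass(frozen=True)
class Policy:
    """One access policy; "any", 0.0.0.0/0 and None act as wildcards."""
    action: str              # "permit" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    protocol: str = "any"
    src_ports: PortRange = None
    dst_ports: PortRange = None


def _port_ok(spec: PortRange, port: Optional[int]) -> bool:
    if spec is None:
        return True
    if port is None:
        return False         # a port constraint never matches a portless packet
    lo, hi = spec
    return lo <= port <= hi


def matches(policy: Policy, pkt: Packet) -> bool:
    """True when every field of the policy matches the packet's association."""
    return (
        policy.src_zone in ("any", pkt.src_zone)
        and policy.dst_zone in ("any", pkt.dst_zone)
        and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(policy.src_net)
        and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(policy.dst_net)
        and policy.protocol in ("any", pkt.protocol)
        and _port_ok(policy.src_ports, pkt.src_port)
        and _port_ok(policy.dst_ports, pkt.dst_port)
    )


def evaluate(policies: List[Policy], pkt: Packet, default: str = "deny"):
    """First-match evaluation (assumed); returns (action, matching index or None)."""
    for i, pol in enumerate(policies):
        if matches(pol, pkt):
            return pol.action, i
    return default, None


# Constructed sample policy set: permit web and DNS from the internal zone
# outbound; anything that matches no policy falls to the default deny.
POLICIES = [
    Policy("permit", "internal", "external", "10.0.0.0/8", "0.0.0.0/0", "tcp", None, (80, 80)),
    Policy("permit", "internal", "external", "10.0.0.0/8", "0.0.0.0/0", "tcp", None, (443, 443)),
    Policy("permit", "internal", "external", "10.0.0.0/8", "0.0.0.0/0", "udp", None, (53, 53)),
]

if __name__ == "__main__":
    samples = [
        Packet("internal", "external", "10.0.0.5", "203.0.113.10", "tcp", 51234, 443),
        Packet("external", "internal", "198.51.100.7", "10.0.0.5", "tcp", 40000, 22),
        Packet("internal", "external", "10.0.0.5", "203.0.113.10", "icmp", None, None),
    ]
    for p in samples:
        print(p.src_zone, "->", p.dst_zone, p.protocol, p.dst_port, evaluate(POLICIES, p))
```

Note that the ICMP packet is denied even though it comes from the internal zone: a policy that constrains a destination port can never match a protocol without ports, so a separate policy is needed to permit it.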
Circuit-Level Gateway
A circuit-level gateway acts at the OSI Session Layer (Layer 5) to monitor
the establishment of sessions between trusted and untrusted devices. Some
circuit-level gateways establish proxy sessions with untrusted hosts for their
clients. The TMS zl Module, however, simply monitors sessions.
Attack Checking. A circuit-level gateway monitors TCP handshakes
between devices to determine whether or not a requested session is legitimate.
A circuit-level gateway authorizes a requested session only if the SYN
(synchronize) flags, ACK (acknowledge) flags, and sequence numbers involved in
the TCP handshake are consistent with a valid three-way handshake.
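To make the "logical" handshake check concrete, here is an added example (not the module's implementation) of the state a circuit-level gateway has to keep per session: it accepts a segment only when its SYN and ACK flags and its sequence and acknowledgement numbers match the step the handshake is expected to be at, and it refuses to open a session on anything else, such as an unsolicited SYN-ACK or a bare ACK with no preceding SYN. The Segment fields and the state names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF  # TCP sequence numbers wrap modulo 2**32


@dataclass(frozen=True)
class Segment:
    """Handshake-relevant fields of one TCP segment (constructed for the example)."""
    direction: str            # "c2s" client->server or "s2c" server->client
    syn: bool
    ack: bool
    seq: int
    ack_num: Optional[int] = None


class HandshakeTracker:
    """Tracks one connection through the three-way handshake.

    feed() returns True for a segment consistent with the expected step and
    False for one the gateway should drop; state advances only on consistent
    segments.
    """

    def __init__(self) -> None:
        self.state = "NONE"
        self.client_isn: Optional[int] = None
        self.server_isn: Optional[int] = None

    def feed(self, seg: Segment) -> bool:
        if self.state == "NONE":
            # Only a bare SYN from the initiator may open a session.
            if seg.direction == "c2s" and seg.syn and not seg.ack:
                self.client_isn = seg.seq
                self.state = "SYN_SENT"
                return True
            return False
        if self.state == "SYN_SENT":
            # The responder must SYN-ACK and acknowledge exactly ISN_client + 1.
            if (seg.direction == "s2c" and seg.syn and seg.ack
                    and seg.ack_num == (self.client_isn + 1) & MASK32):
                self.server_isn = seg.seq
                self.state = "SYN_RECEIVED"
                return True
            return False
        if self.state == "SYN_RECEIVED":
            # The final ACK carries seq ISN_client + 1 and acknowledges ISN_server + 1.
            if (seg.direction == "c2s" and seg.ack and not seg.syn
                    and seg.seq == (self.client_isn + 1) & MASK32
                    and seg.ack_num == (self.server_isn + 1) & MASK32):
                self.state = "ESTABLISHED"
                return True
            return False
        # ESTABLISHED: a SYN inside an open session is not a legitimate step.
        return not seg.syn


def check_session(segments: List[Segment]) -> Tuple[bool, str]:
    """Feed every segment to a fresh tracker; returns (all accepted?, final state)."""
    tracker = HandshakeTracker()
    results = [tracker.feed(s) for s in segments]
    return all(results), tracker.state


# Constructed sample exchanges.
VALID = [
    Segment("c2s", True, False, 1000),          # SYN, ISN_client = 1000
    Segment("s2c", True, True, 5000, 1001),     # SYN-ACK, ISN_server = 5000
    Segment("c2s", False, True, 1001, 5001),    # ACK completing the handshake
]
UNSOLICITED_SYNACK = [Segment("s2c", True, True, 5000, 1)]
BARE_ACK = [Segment("c2s", False, True, 777, 1)]
WRONG_ACK_NUMBER = [Segment("c2s", True, False, 1000), Segment("s2c", True, True, 5000, 1005)]

if __name__ == "__main__":
    for name, exchange in [("valid", VALID), ("unsolicited SYN-ACK", UNSOLICITED_SYNACK),
                           ("bare ACK", BARE_ACK), ("wrong ack number", WRONG_ACK_NUMBER)]:
        print(name, check_session(exchange))
```

The tracker handles the 32-bit wrap of sequence numbers, so a client whose initial sequence number is 0xFFFFFFFF is correctly acknowledged with 0; a check that compared raw integers without the mask would drop that legitimate session.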