TMS zl Management and Configuration Guide ST.1.1.100430
4-92
Firewall
Application-Level Gateways (ALGs)
then the ALG verifies that FTP commands are allowed or denied by
the application-control record and takes action based on the status
of the command in the record.
• attack checks — The ALG checks for the following attacks:
– FTP bounce — When the ALG detects a PORT command, the ALG
verifies that the IP address in the PORT command is the same as
the IP address of the client that initiated the connection. If the IPs
do not match, the connection is closed.
– invalid PASV replies — When the ALG detects a PASV reply, it
verifies that the client has sent a PASV command on the connection.
If no PASV command was sent, then the PASV reply is dropped and the
connection is closed. The ALG also verifies that the IP address in
the PASV reply is the same as the server’s IP address. If the IPs
do not match, the connection is closed.
■ opens dynamic associations based on the information that is exchanged
in the control-connection payloads, which enables data connections to be
established between the server and client.
■ translates the IP address and port information in the control-connection
payload according to NAT policies.
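The two FTP attack checks above (FTP bounce on PORT, unsolicited or mis-addressed PASV replies), modelled as control-channel inspection logic. This is an added illustration, not the TMS zl ALG's own code; the names FtpAlgState, check_client_line and check_server_line and the sample addresses are assumptions for the example.

```python
import re

# Constructed model of the FTP ALG's attack checks (names are assumed, not from the guide).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode_hostport(groups):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (ip, port); None if any field is out of range."""
    fields = [int(g) for g in groups]
    if any(f > 255 for f in fields):
        return None
    return "{}.{}.{}.{}".format(*fields[:4]), fields[4] * 256 + fields[5]


class FtpAlgState:
    """Per-control-connection state the ALG needs: endpoint addresses and whether PASV is pending."""

    def __init__(self, client_ip, server_ip):
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.pasv_pending = False  # set when the client sends PASV, cleared on the reply


def check_client_line(state, line):
    """Inspect one client->server control line; returns (verdict, reason)."""
    line = line.strip()
    if line.upper() == "PASV":
        state.pasv_pending = True
        return "allow", "PASV command recorded"
    m = PORT_RE.match(line)
    if not m:
        return "allow", "not subject to attack checks"
    decoded = _decode_hostport(m.groups())
    if decoded is None:
        return "close", "malformed PORT command"
    ip, port = decoded
    # FTP bounce check: the PORT address must be the client that opened the control connection.
    if ip != state.client_ip:
        return "close", "FTP bounce: PORT targets {}, client is {}".format(ip, state.client_ip)
    return "allow", "PORT {}:{} matches client".format(ip, port)


def check_server_line(state, line):
    """Inspect one server->client control line; returns (verdict, reason)."""
    m = PASV_RE.match(line.strip())
    if not m:
        return "allow", "not subject to attack checks"
    # Invalid PASV reply check 1: a reply is only valid if the client actually sent PASV.
    if not state.pasv_pending:
        return "close", "unsolicited PASV reply (no PASV command on this connection)"
    state.pasv_pending = False
    decoded = _decode_hostport(m.groups())
    if decoded is None:
        return "close", "malformed PASV reply"
    ip, port = decoded
    # Invalid PASV reply check 2: the advertised data endpoint must be the server itself.
    if ip != state.server_ip:
        return "close", "PASV reply address {} differs from server {}".format(ip, state.server_ip)
    return "allow", "PASV data endpoint {}:{} accepted".format(ip, port)
```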
ike
Some IKE applications expect the peers to always use source port UDP 500.
If a NAT device is present at the peer end, this does not work, because the
NAT device translates traffic coming from one of the internal devices inside
the private network.
The IKE ALG ensures that only one IKE session is in negotiation at one time,
thereby allowing the internal device to use UDP 500.
ils, ils2
The ILS ALGs process Lightweight Directory Access Protocol (LDAP) packets
that are used to communicate with ILS servers. They process only packets
with request type ADD, which contain the ASN.1-encoded source IP address
of the internal system that contacts the ILS server. They also replace the
private IP address with the NAT IP and translate it back to ASN.1.
ILS registers for TCP 389 and ILS2 registers for TCP 1002.
Limitations. In many-to-one NAT, support is provided for only one machine
to register with the ILS server.