WESM zl Management and Configuration Guide WT.01.28 and greater
1-36
Introduction
ProCurve Wireless Edge Services zl Module
Wireless Edge Services zl Module Firewall
The section above introduced you to the idea of controlling traffic with policies. The
Wireless Edge Services zl Module’s firewall is one of the components that helps you
to do so.
The module’s firewall examines routed packets. It checks for and drops:
■ packets with invalid TCP flags
■ corrupted packets:
• multicast source address
• unknown IP option
• IP TTL set to zero
• IP fragment overflowing the packet (last fragment length creates a packet longer than 65,535 bytes)
• IP fragment with a bad length (non-last fragment length is not a multiple of 8)
• IP fragment with the same ID as another fragment in that packet (fragment ID collision)
■ packets symptomatic of these attacks:
• LAND attack (a TCP SYN packet in which the destination IP address and port equal the source IP address and port)
• Fragment death (fragment that overflows the valid packet length)
• Traceroute attack (modified IP TTL value)
• Xmas scan (all TCP flags set in TCP header)
• TCP FIN scan
• TCP NULL scan (no flags set in TCP header)
When the firewall drops a packet, the Wireless Edge Services zl Module creates a
log with the name and time of the attack.
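To make the checks concrete, the following is an added example (not code from this guide or from ProCurve) that applies the stateless checks listed above to constructed sample packets and produces drop-log entries of the kind the module records. The dict field names, the fixed timestamp, and the reading of "invalid TCP flags" as SYN combined with FIN or RST are assumptions; the TTL-based traceroute check is left out because it cannot be judged from a single packet.

```python
import ipaddress

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


def check_packet(pkt):
    """Return the name of the first check the packet fails, or None if it passes.
    pkt is a constructed dict (not the module's real parser output) with keys src,
    dst, ttl, proto, sport, dport, flags, and for fragments frag_offset (8-byte
    units), frag_len (payload bytes) and more_fragments."""
    if ipaddress.ip_address(pkt["src"]).is_multicast:
        return "multicast source address"
    if pkt["ttl"] == 0:
        return "IP TTL set to zero"
    offset, length = pkt.get("frag_offset", 0), pkt.get("frag_len", 0)
    more = pkt.get("more_fragments", False)
    if offset or more:
        # A fragment that would push the reassembled datagram past 65,535 bytes.
        if offset * 8 + length > 65535:
            return "IP fragment overflowing the packet"
        # Every non-last fragment must carry a multiple of 8 payload bytes.
        if more and length % 8:
            return "IP fragment with a bad length"
    if pkt["proto"] != "tcp":
        return None
    f = pkt["flags"]  # TCP signatures, most specific first
    if f & SYN and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]:
        return "LAND attack"
    if f == ALL_FLAGS:
        return "Xmas scan"
    if f == 0:
        return "TCP NULL scan"
    if f == FIN:
        return "TCP FIN scan"
    # Assumed definition of "invalid TCP flags": SYN combined with FIN or RST.
    if f & SYN and f & (FIN | RST):
        return "invalid TCP flags"
    return None


def drop_log(packets, when="2024-01-01T00:00:00Z"):  # stand-in for the module's log
    return [f"{when} dropped: {r}" for p in packets if (r := check_packet(p))]


SAMPLE_PACKETS = [  # constructed for this example, not captured traffic
    dict(src="10.0.1.5", dst="10.0.2.9", ttl=64, proto="tcp", sport=40000, dport=443, flags=SYN),
    dict(src="10.0.2.9", dst="10.0.2.9", ttl=64, proto="tcp", sport=80, dport=80, flags=SYN),
    dict(src="10.0.1.5", dst="10.0.2.9", ttl=64, proto="tcp", sport=40001, dport=22, flags=ALL_FLAGS),
    dict(src="224.0.0.9", dst="10.0.2.9", ttl=64, proto="udp", sport=520, dport=520, flags=0),
    dict(src="10.0.1.5", dst="10.0.2.9", ttl=64, proto="udp", sport=5000, dport=5000, flags=0,
         frag_offset=8189, frag_len=1480, more_fragments=False),
]
```

Running `drop_log(SAMPLE_PACKETS)` yields four entries; only the first sample packet, an ordinary SYN to port 443, passes every check.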
Enabling Attack Checking. The firewall is always on; however, it only affects
packets that are routed from one VLAN interface to another VLAN interface. When
the Wireless Edge Services zl Module repackages an 802.11 frame from a WLAN as
an Ethernet frame in a VLAN, the module is acting as a bridge, not a router. The
attack checks do not occur at this point. However, if the module then routes the traffic
to a different VLAN, the firewall can check the traffic.