Login
- Table of Contents
-
- 16-Security Configuration Guide
- 00-Preface
- 01-ACL configuration
- 02-Time range configuration
- 03-User profile configuration
- 04-Password control configuration
- 05-Public key management
- 06-PKI configuration
- 07-IPsec configuration
- 08-SSH configuration
- 09-SSL configuration
- 10-SSL VPN configuration
- 11-Session management
- 12-Connection limit configuration
- 13-Attack detection and prevention configuration
- 14-IP source guard configuration
- 15-ARP attack protection configuration
- 16-ND attack defense configuration
- 17-ASPF configuration
- 18-Protocol packet rate limit configuration
- 19-Crypto engine configuration
- 20-Object group configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 17-ASPF configuration | 95.88 KB |
Restrictions and guidelines: ASPF configuration
Restrictions: Hardware compatibility with ASPF
Applying an ASPF policy to an interface
Display and maintenance commands for ASPF
Configuring ASPF
In this document, a "firewall" refers to a wireless access controller that is configured with ASPF policies.
About ASPF
Advanced Stateful Packet Filter (ASPF) is proposed to address the issues that a packet-filter firewall cannot solve.
Main functions
An ASPF provides the following main functions:
· Application layer protocol inspection—ASPF checks the application layer information of packets, such as the protocol type and port number, and inspects the application layer protocol status for each connection. ASPF maintains the status information of each connection, and based on the status information, determines whether to permit a packet to pass through the firewall into the internal network. In this way, ASPF defends the internal network against attacks.
· Transport layer protocol inspection—ASPF checks the transportation layer information of packets. Transportation layer protocol includes TCP, UDP, UDP-Lite, SCTP, Raw IP, ICMP, ICMPv6, and DCCP. For example, ASPF checks a TCP/UDP packet's source and destination addresses and port numbers to determine whether to permit the packet to pass through the firewall into the internal network.
· ICMP error message check—ASPF inspects the connection information carried in an ICMP error message. If the information does not match the connection, ASPF drops the packet.
· TCP SYN check—ASPF checks the first packet of a TCP connection to determine if it is a SYN packet. If it is not a SYN packet, ASPF drops the packet. When a router attached to the network starts up, it can receive a non-SYN packet of an existing TCP connection for the first time. If you do not want to interrupt the existing TCP connection, you can disable the TCP SYN check. The router allows the first non-SYN packet that is used to establish a TCP connection to pass. After the network topology becomes steady, you can enable TCP SYN check again.
ASPF application
At the border of a network, ASPF can work with a packet-filter firewall to provide the network with a more comprehensive security policy that better meets the actual needs. The packet-filter firewall permits or denies packets according to ACL rules. The ASPF records information about the permitted packets to ensure that their return packets can pass through the packet-filter firewall.
Basic ASPF concepts
Single-channel protocol and multichannel protocol
· Single-channel protocol—A single-channel protocol establishes only one connection to exchange both control messages and data for a user. of single-channel protocols.
· Multichannel protocol—A multichannel protocol establishes more than one connection for a user and transfers control messages and user data through different connections. FTP is one example of multichannel protocols.
Internal interface and external interface
On an edge device configured with ASPF to protect hosts and servers on the internal network, the interfaces on the device are divided into internal interfaces and external interface:
· Internal interfaces—Interfaces connected to the internal network.
· External interfaces—Interfaces connected to the external network.
To protect the internal network, you can apply an ASPF in the outbound direction of the external interfaces or in the inbound direction of the internal interfaces of the device.
ASPF inspection principles
This section introduces the basic idea of ASPF inspection on application layer and transport layer protocols.
Application layer protocol inspection
As shown in Figure 1, ACLs on the edge device deny incoming packets to the internal network. The ASPF application layer protocol inspection allows return packets from the external network to the internal network.
Figure 1 Application layer protocol inspection
ASPF inspects all application layer sessions as follows:
· For a single-channel protocol, the inspection process is simple.
ASPF creates a session entry immediately after it detects the session's first packet sent to the external network, and ASPF removes the entry when the connection is terminated.
The session entry helps record outgoing packets and their return packets. It can maintain the session status and determine whether state transitions of the session are correct. All packets that match a session entry can pass through the packet-filter firewall.
· For a multichannel protocol, ASPF creates session entries, and one or more associated entries to associate the sessions initiated by the same application layer protocol. Associated entries are created during the protocol negotiation and are removed after the negotiation. ASPF uses the associated entries to match the first packets of the sessions. All packets of the sessions matching the associated entries can pass through the packet-filter firewall.
The following uses FTP to explain the process of multichannel application layer protocol inspection.
Figure 2 FTP inspection
As shown in Figure 2, FTP connections are established and removed as follows:
1. The FTP client initiates an FTP control connection from port 1333 to port 21 of the FTP server.
2. As a result of negotiation, the server initiates a data connection from port 20 to port 1600 of the client.
3. When data transmission times out or ends, the data connection is removed.
ASPF implements FTP inspection during the FTP connection lifetime as follows:
1. ASPF checks the IP packets the FTP client sends to the FTP server to identify TCP-based FTP packets. Based on the port number, ASPF identifies the control connection between the FTP client and server and creates a control connection session entry.
2. ASPF checks each FTP control connection packet, and examines their TCP status based on the control connection session entry. ASPF analyzes the FTP instructions in the control connection packet. If the packet contains a data channel setup instruction, ASPF creates an associated entry for the data connection.
3. For return FTP control connection packets, ASPF examines their TCP status based on the control connection session entry to make packet forwarding decisions.
4. When the FTP data passes through the device, ASPF is triggered to create a session entry for the data connection and remove the associated entry.
5. For returned FTP data packets, ASPF examines their TCP status based on the data connection session entry to make packet forwarding decisions.
6. When the data transmission ends, ASPF removes the data connection session entry. When the FTP connection is removed, ASPF removes the control connection session entry.
Transport layer protocol inspection
The transport layer protocol inspection requires that return packets must match the corresponding packets that are previously sent out of the external interface. The return packets must have the same source/destination addresses and source/destination port numbers as the outgoing packets (but reversed). Otherwise, the return packets are blocked. For multichannel application layer protocols like FTP, the deployment of TCP inspection without application layer inspection leads to failure of establishing a data connection.
Restrictions and guidelines: ASPF configuration
ASPF inspection is required to ensure successful data connections for multichannel protocols.
Application protocols supported by the detect command (except TFTP) are multichannel protocols.
ASPF inspection for transport layer protocols is always enabled and is not configurable.
ASPF also supports protocol status validity check for . ASPF deals with packets with invalid protocol status, depending on the actions you have specified. For other application layer protocols, ASPF does not perform the protocol status validity check, and it only maintains connection status information.
Restrictions: Hardware compatibility with ASPF
|
Hardware series |
Model |
Product code |
ASPF compatibility |
|
WX1800H series |
WX1804H-PWR |
EWP-WX1804H-PWR-CN |
Yes |
|
WX2500H series |
WX2508H-PWR-LTE WX2510H-PWR WX2510H-F-PWR WX2540H WX2540H-F WX2560H |
EWP-WX2508H-PWR-LTE EWP-WX2510H-PWR EWP-WX2510H-F-PWR EWP-WX2540H EWP-WX2540H-F EWP-WX2560H |
Yes |
|
MAK series |
MAK204 MAK206 |
EWP-MAK204 EWP-MAK206 |
Yes |
|
WX3000H series |
WX3010H WX3010H-X-PWR WX3010H-L-PWR WX3024H WX3024H-L-PWR WX3024H-F |
EWP-WX3010H EWP-WX3010H-X-PWR EWP-WX3010H-L-PWR EWP-WX3024H EWP-WX3024H-L-PWR EWP-WX3024H-F |
No |
|
WX3500H series |
WX3508H WX3510H WX3520H WX3520H-F WX3540H |
EWP-WX3508H EWP-WX3508H-F EWP-WX3510H EWP-WX3510H-F EWP-WX3520H EWP-WX3520H-F EWP-WX3540H EWP-WX3540H-F |
Yes |
|
WX5500E series |
WX5510E WX5540E |
EWP-WX5510E EWP-WX5540E |
Yes |
|
WX5500H series |
WX5540H WX5560H WX5580H |
EWP-WX5540H EWP-WX5560H EWP-WX5580H |
Yes |
|
Access controller modules |
LSUM1WCME0 EWPXM1WCME0 LSQM1WCMX20 LSUM1WCMX20RT LSQM1WCMX40 LSUM1WCMX40RT EWPXM2WCMD0F EWPXM1MAC0F |
LSUM1WCME0 EWPXM1WCME0 LSQM1WCMX20 LSUM1WCMX20RT LSQM1WCMX40 LSUM1WCMX40RT EWPXM2WCMD0F EWPXM1MAC0F |
Yes |
|
Hardware series |
Model |
Product code |
ASPF compatibility |
|
WX1800H series |
WX1804H-PWR WX1810H-PWR WX1820H WX1840H |
EWP-WX1804H-PWR EWP-WX1810H-PWR EWP-WX1820H EWP-WX1840H-GL |
Yes |
|
WX3800H series |
WX3820H WX3840H |
EWP-WX3820H-GL EWP-WX3840H-GL |
Yes |
|
WX5800H series |
WX5860H |
EWP-WX5860H-GL |
Yes |
ASPF tasks at a glance
To configure ASPF, perform the following tasks:
2. Applying an ASPF policy to an interface
Configuring an ASPF policy
1. Enter system view.
system-view
2. Create an ASPF policy and enter its view.
aspf-policy aspf-policy-number
After an ASPF policy is created, ASPF inspection for transport layer protocols is always enabled and is not configurable.
3. (Optional.) Configure ASPF inspection for application layer protocols.
detect { ftp | h323 | sccp | sip | gtp | ils | mgcp | nbt | pptp | rsh | rtsp | sqlnet | tftp | xdmcp }
By default, ASPF inspection for FTP is configured.
4. (Optional.) Enable ICMP error message check.
icmp-error drop
By default, ICMP error message check is disabled. ASPF does not drop faked ICMP error messages.
5. (Optional.) Enable TCP SYN check.
tcp syn-check
By default, TCP SYN check is disabled. ASPF does not drop the non-SYN packet when it is the first packet to establish a TCP connection.
Applying an ASPF policy to an interface
About this task
You can apply an ASPF policy to inspect incoming or outgoing traffic on an interface. ASPF compares the packets against session entries. If a packet does not match any session entries, ASPF creates a new session entry.
You can apply both ASPF and packet filter to implement packet filtering. For example, you can apply a packet filtering policy to the inbound direction of the external interface and apply an ASPF policy to the outbound direction of the external interface. The application denies unsolicited access from the external network to the internal network and allows return packets from external to the internal network.
Restrictions and guidelines
An ASPF stores and maintains the application layer protocol status based on interfaces. Make sure a connection initiation packet and the corresponding return packet pass through the same interface.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Apply an ASPF policy to the interface.
aspf apply policy aspf-policy-number { inbound | outbound }
By default, no ASPF policy is applied to the interface.
Display and maintenance commands for ASPF
|
|
IMPORTANT: The WX1800H series, WX2500H series, MAK series, and WX3000H series access controllers do not support parameters or commands that are available only in IRF mode. |
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
Display the configuration of all ASPF policies and their applications to interfaces. |
display aspf all |
|
Display ASPF policy applications to interfaces. |
display aspf interface |
|
Display the configuration of an ASPF policy. |
display aspf policy { aspf-policy-number | default } |
|
Display ASPF sessions. |
In standalone mode: display aspf session [ ipv4 | ipv6 ] [ verbose ] In IRF mode: display aspf session [ ipv4 | ipv6 ] [ slot slot-number ] [ verbose ] |
|
Clear ASPF session statistics. |
In standalone mode: reset aspf session [ ipv4 | ipv6 ] In IRF mode: reset aspf session [ ipv4 | ipv6 ] [ slot slot-number ] |
