Login
- Table of Contents
-
- 16-Security Configuration Guide
- 00-Preface
- 01-ACL configuration
- 02-Time range configuration
- 03-User profile configuration
- 04-Password control configuration
- 05-Public key management
- 06-PKI configuration
- 07-IPsec configuration
- 08-SSH configuration
- 09-SSL configuration
- 10-SSL VPN configuration
- 11-Session management
- 12-Connection limit configuration
- 13-Attack detection and prevention configuration
- 14-IP source guard configuration
- 15-ARP attack protection configuration
- 16-ND attack defense configuration
- 17-ASPF configuration
- 18-Protocol packet rate limit configuration
- 19-Crypto engine configuration
- 20-Security policy configuration
- 21-Object group configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 17-ASPF configuration | 93.46 KB |
Restrictions and guidelines: ASPF configuration
Applying an ASPF policy to an interface
Enabling real-time log sending mode
Display and maintenance commands for ASPF
Configuring ASPF
About ASPF
Advanced Stateful Packet Filter (ASPF) is proposed to address the issues that a packet-filter firewall cannot solve.
Main functions
An ASPF provides the following main functions:
· Application layer protocol inspection—ASPF checks the application layer information of packets, such as the protocol type and port number, and inspects the application layer protocol status for each connection. ASPF maintains the status information of each connection, and based on the status information, determines whether to permit a packet to pass through the firewall into the internal network. In this way, ASPF defends the internal network against attacks.
· Transport layer protocol inspection—ASPF checks the transportation layer information of packets. Transportation layer protocol includes TCP, UDP, UDP-Lite, SCTP, Raw IP, ICMP, ICMPv6, and DCCP. For example, ASPF checks a TCP/UDP packet's source and destination addresses and port numbers to determine whether to permit the packet to pass through the firewall into the internal network.
· ICMP error message dropping—ASPF inspects the connection information carried in an ICMP error message. If the information does not match the connection, ASPF drops the packet.
· TCP SYN check—ASPF checks the first packet of a TCP connection to determine if it is a SYN packet. If it is not a SYN packet, ASPF drops the packet. When a router attached to the network starts up, it can receive a non-SYN packet of an existing TCP connection for the first time. If you do not want to interrupt the existing TCP connection, you can disable the TCP SYN check. The router allows the first non-SYN packet that is used to establish a TCP connection to pass. After the network topology becomes steady, you can enable TCP SYN check again.
ASPF application
At the border of a network, ASPF can work with a packet-filter firewall to provide the network with a more comprehensive security policy that better meets the actual needs. The packet-filter firewall permits or denies packets according to ACL rules. The ASPF records information about the permitted packets to ensure that their return packets can pass through the packet-filter firewall.
Basic ASPF concepts
Single-channel protocol and multichannel protocol
· Single-channel protocol—A single-channel protocol establishes only one connection to exchange both control messages and data for a user. of single-channel protocols.
· Multichannel protocol—A multichannel protocol establishes more than one connection for a user and transfers control messages and user data through different connections. FTP is one example of multichannel protocols.
Internal interface and external interface
On an edge device configured with ASPF to protect hosts and servers on the internal network, the interfaces on the device are divided into internal interfaces and external interface:
· Internal interfaces—Interfaces connected to the internal network.
· External interfaces—Interfaces connected to the external network.
To protect the internal network, you can apply an ASPF in the outbound direction of the external interfaces or in the inbound direction of the internal interfaces of the device.
ASPF inspection principles
This section introduces the basic idea of ASPF inspection on application layer and transport layer protocols.
Application layer protocol inspection
As shown in Figure 1, ACLs on the edge device deny incoming packets to the internal network. The ASPF application layer protocol inspection allows return packets from the external network to the internal network.
Figure 1 Application layer protocol inspection
ASPF inspects all application layer sessions as follows:
· For a single-channel protocol, the inspection process is simple.
ASPF creates a session entry immediately after it detects the session's first packet sent to the external network, and ASPF removes the entry when the connection is terminated.
The session entry helps record outgoing packets and their return packets. It can maintain the session status and determine whether state transitions of the session are correct. All packets that match a session entry can pass through the packet-filter firewall.
· For a multichannel protocol, ASPF creates session entries, and one or more associated entries to associate the sessions initiated by the same application layer protocol. Associated entries are created during the protocol negotiation and are removed after the negotiation. ASPF uses the associated entries to match the first packets of the sessions. All packets of the sessions matching the associated entries can pass through the packet-filter firewall.
The following uses FTP to explain the process of multichannel application layer protocol inspection.
Figure 2 FTP inspection
As shown in Figure 2, FTP connections are established and removed as follows:
1. The FTP client initiates an FTP control connection from port 1333 to port 21 of the FTP server.
2. As a result of negotiation, the server initiates a data connection from port 20 to port 1600 of the client.
3. When data transmission times out or ends, the data connection is removed.
ASPF implements FTP inspection during the FTP connection lifetime as follows:
1. ASPF checks the IP packets the FTP client sends to the FTP server to identify TCP-based FTP packets. Based on the port number, ASPF identifies the control connection between the FTP client and server and creates a control connection session entry.
2. ASPF checks each FTP control connection packet, and examines their TCP status based on the control connection session entry. ASPF analyzes the FTP instructions in the control connection packet. If the packet contains a data channel setup instruction, ASPF creates an associated entry for the data connection.
3. For return FTP control connection packets, ASPF examines their TCP status based on the control connection session entry to make packet forwarding decisions.
4. When the FTP data passes through the device, ASPF is triggered to create a session entry for the data connection and remove the associated entry.
5. For returned FTP data packets, ASPF examines their TCP status based on the data connection session entry to make packet forwarding decisions.
6. When the data transmission ends, ASPF removes the data connection session entry. When the FTP connection is removed, ASPF removes the control connection session entry.
Transport layer protocol inspection
The transport layer protocol inspection requires that return packets must match the corresponding packets that are previously sent out of the external interface. The return packets must have the same source/destination addresses and source/destination port numbers as the outgoing packets (but reversed). Otherwise, the return packets are blocked. For multichannel application layer protocols like FTP, the deployment of TCP inspection without application layer inspection leads to failure of establishing a data connection.
Restrictions and guidelines: ASPF configuration
ASPF inspection is required to ensure successful data connections for multichannel protocols.
Application protocols supported by the detect command (except TFTP) are multichannel protocols.
ASPF inspection for transport layer protocols is always enabled and is not configurable.
ASPF also supports protocol status validity check for . ASPF deals with packets with invalid protocol status, depending on the actions you have specified. For other application layer protocols, ASPF does not perform the protocol status validity check, and it only maintains connection status information.
ASPF tasks at a glance
To configure ASPF, perform the following tasks:
2. Applying an ASPF policy to an interface
3. (Optional.) Enabling real-time log sending mode
Configuring an ASPF policy
1. Enter system view.
system-view
2. Create an ASPF policy and enter its view.
aspf-policy aspf-policy-number
After an ASPF policy is created, ASPF inspection for transport layer protocols is always enabled and is not configurable.
3. (Optional.) Configure ASPF inspection for application layer protocols.
detect { { ftp | h323 | sccp | sip } | gtp | ils | mgcp | nbt | pptp | rsh | rtsp | sqlnet | tftp | xdmcp }
By default, ASPF inspection for FTP is configured.
4. (Optional.) Enable ICMP error message dropping.
icmp-error drop
By default, ICMP error message dropping is disabled. ASPF does not drop faked ICMP error messages.
5. (Optional.) Enable TCP SYN check.
tcp syn-check
By default, TCP SYN check is disabled. ASPF does not drop the non-SYN packet when it is the first packet to establish a TCP connection.
Applying an ASPF policy to an interface
About this task
You can apply an ASPF policy to inspect incoming or outgoing traffic on an interface. ASPF compares the packets against session entries. If a packet does not match any session entries, ASPF creates a new session entry.
You can apply both ASPF and packet filter to implement packet filtering. For example, you can apply a packet filtering policy to the inbound direction of the external interface and apply an ASPF policy to the outbound direction of the external interface. The application denies unsolicited access from the external network to the internal network and allows return packets from external to the internal network.
Restrictions and guidelines
An ASPF stores and maintains the application layer protocol status based on interfaces. Make sure a connection initiation packet and the corresponding return packet pass through the same interface.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Apply an ASPF policy to the interface.
aspf apply policy aspf-policy-number { inbound | outbound }
By default, no ASPF policy is applied to the interface.
Enabling real-time log sending mode
About this task
Real-time log sending mode takes effect only on logs sent by the security policy, object policy, and packet filtering features.
The device supports the following log sending modes:
· Cache log sending mode—When the first packet of a flow matches a policy, the device generates a log and caches it and starts a five-minute timer at the same time. If the log matches traffic within five minutes, the device sends the log when the timer expires. If the log does not match any traffic within five minutes, the device deletes the log. The device stops generating logs if the number of cached logs reaches the upper limit.
· Real-time log sending mode—When the first packet of a flow matches a policy, the device sends a log immediately. For a policy that permits specific packets, the device sends only one log for a flow that matches the policy. For a policy that denies specific packets, the device sends a log for each packet of a flow that matches the policy. The number of logs is not limited.
For more information about logging configuration of the security policy, object policy, and packet filtering features, see "Configuring security policies" and ACL and QoS Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable real-time log sending mode.
aspf log sending-realtime enable
By default, real-time log sending mode is disabled. Logs are cached before they are sent.
Display and maintenance commands for ASPF
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
Display the configuration of all ASPF policies and their applications to interfaces. |
display aspf all |
|
Display ASPF policy applications to interfaces. |
display aspf interface |
|
Display the configuration of an ASPF policy. |
display aspf policy { aspf-policy-number | default } |
|
Display ASPF sessions. |
display aspf session [ ipv4 | ipv6 ] [ verbose ] |
|
Clear ASPF session statistics. |
reset aspf session [ ipv4 | ipv6 ] |
