Exact match slightly decreases the efficiency of packet filtering. The more match items a rule has, the lower the packet filtering efficiency. You can specify a threshold to limit the maximum number of match entries to be processed by the firewall.
ACL packet-filter limitations
An ACL packet-filter is a static firewall. It cannot solve the following issues:
• For multi-channel application layer protocols, such as FTP and H.323, the values of some security policy parameters are unpredictable.
• Some attacks from the transport layer and application layer, such as TCP SYN flooding and malicious Java applets, cannot be detected.
• ICMP attacks cannot be prevented because not all faked ICMP error messages from the network can be recognized.
• For a TCP connection, the first packet must be a SYN packet. Any non-SYN packet that is the first packet over the TCP connection is dropped. If a packet-filter firewall is deployed in a network, the non-SYN packets of existing TCP connections passing the firewall for the first time are dropped, breaking the existing TCP connections.
ASPF
ASPF was proposed to address the issues that a static firewall cannot solve. An ASPF implements application layer and transport layer specific, namely status-based (stateful), packet filtering. An ASPF can inspect application layer protocols including FTP, GTP, HTTP, SMTP, Real RTSP, SCCP, SIP, and H.323 (Q.931, H.245, and RTP/RTCP), and the transport layer protocols TCP and UDP.
ASPF functions
An ASPF provides the following functions:
• Application layer protocol inspection—ASPF checks the application layer information of packets, such as the protocol type and port number, and inspects the application layer protocol status for each connection. ASPF maintains the status information of each connection, and based on the status information, determines whether to permit a packet to pass through the firewall into the internal network, thus defending the internal network against attacks.
• Transport layer protocol inspection—ASPF checks a TCP/UDP packet's source and destination addresses and port numbers to determine whether to permit the packet to pass through the firewall into the internal network. ASPF checks an ESP packet's source and destination addresses to determine whether to permit the packet to pass through the firewall into the internal network.
• Java blocking—ASPF inspects the contents of application layer packets, and performs Java blocking for untrusted sites, protecting the network against malicious Java applets.
• Enhanced session logging—ASPF can record the information of each connection, including the duration, source and destination addresses and port numbers of the connection, and number of bytes transmitted.
• Port to Application Mapping (PAM)—Allows you to specify port numbers other than the standard ones for application layer protocols.
• TCP SYN check—ASPF checks the first packet of a TCP connection to see if it is a SYN packet. If it is not a SYN packet, ASPF drops the packet.
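The following is an added illustration, not code from the configuration guide or from the vendor's product, of how the transport layer inspection, TCP SYN check, PAM and session logging functions listed above fit together. It models a toy stateful inspector: outbound packets create session state, inbound packets are permitted only when they match a tracked session, the first packet of a new TCP connection must be a pure SYN, a port-to-application table (the PAM idea) classifies sessions, and a record with duration, addresses, ports and byte counts is written when a session ends. The Packet and Session classes, the default port table, the "internal/external" direction model and the constructed traffic trace are all assumptions made for the example; real ASPF state machines track far more (sequence numbers, per-protocol application state, timeouts).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed data model for the example (not the device's implementation).
@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    length: int                       # bytes on the wire (constructed values)
    flags: frozenset = frozenset()    # TCP flags present, e.g. {"SYN"}
    t: float = 0.0                    # constructed timestamp, seconds

@dataclass
class Session:
    key: Tuple[str, str, int, str, int]   # (proto, int_addr, int_port, ext_addr, ext_port)
    app: str
    start: float
    last: float
    bytes_out: int = 0
    bytes_in: int = 0

# Default port-to-application table; the caller overrides or extends it (the PAM idea).
DEFAULT_PAM: Dict[Tuple[str, int], str] = {
    ("tcp", 21): "ftp", ("tcp", 25): "smtp", ("tcp", 80): "http",
    ("tcp", 554): "rtsp", ("tcp", 1720): "h323", ("udp", 53): "dns",
}

class Aspf:
    """Tracks sessions opened from the inside and admits only matching inbound packets."""

    def __init__(self, pam: Optional[Dict[Tuple[str, int], str]] = None):
        self.pam = {**DEFAULT_PAM, **(pam or {})}
        self.sessions: Dict[tuple, Session] = {}
        self.session_log: List[dict] = []

    def app_of(self, proto: str, port: int) -> str:
        return self.pam.get((proto, port), "unknown")

    def outbound(self, p: Packet) -> str:
        """Packet leaving the internal network: create or update its session."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        s = self.sessions.get(key)
        if s is None:
            # TCP SYN check: the first packet of a new TCP connection must be a pure SYN.
            if p.proto == "tcp" and ("SYN" not in p.flags or "ACK" in p.flags):
                return "drop"
            s = Session(key, self.app_of(p.proto, p.dport), p.t, p.t)
            self.sessions[key] = s
        s.bytes_out += p.length
        s.last = p.t
        self._maybe_close(s, p)
        return "permit"

    def inbound(self, p: Packet) -> str:
        """Packet arriving from outside: permit only if a tracked session matches it."""
        key = (p.proto, p.dst, p.dport, p.src, p.sport)   # reverse of the outbound key
        s = self.sessions.get(key)
        if s is None:
            return "drop"
        s.bytes_in += p.length
        s.last = p.t
        self._maybe_close(s, p)
        return "permit"

    def _maybe_close(self, s: Session, p: Packet) -> None:
        """Session logging: record the connection when it ends. Simplification: the
        first FIN or RST seen closes the session (a real inspector tracks both FINs)."""
        if p.proto == "tcp" and p.flags & {"FIN", "RST"}:
            proto, a, ap, b, bp = s.key
            self.session_log.append({
                "app": s.app, "proto": proto, "src": a, "sport": ap, "dst": b, "dport": bp,
                "duration": s.last - s.start, "bytes_out": s.bytes_out, "bytes_in": s.bytes_in,
            })
            del self.sessions[s.key]

def run_demo() -> Tuple[List[str], List[dict], Aspf]:
    """Constructed trace: one HTTP session, an unsolicited inbound SYN, a non-SYN
    first packet, and an HTTP session on a PAM-mapped non-standard port 8080."""
    fw = Aspf(pam={("tcp", 8080): "http"})
    INT, EXT = "10.0.0.5", "203.0.113.9"
    trace = [
        ("out", Packet("tcp", INT, 40001, EXT, 80, 60, frozenset({"SYN"}), 0.0)),
        ("in",  Packet("tcp", EXT, 80, INT, 40001, 60, frozenset({"SYN", "ACK"}), 0.1)),
        ("out", Packet("tcp", INT, 40001, EXT, 80, 500, frozenset({"ACK"}), 0.2)),
        ("in",  Packet("tcp", EXT, 80, INT, 40001, 1400, frozenset({"ACK"}), 0.3)),
        ("in",  Packet("tcp", EXT, 80, INT, 40001, 40, frozenset({"FIN", "ACK"}), 2.5)),
        ("in",  Packet("tcp", EXT, 4444, INT, 22, 60, frozenset({"SYN"}), 3.0)),      # no session
        ("out", Packet("tcp", INT, 40002, EXT, 80, 60, frozenset({"ACK"}), 3.1)),    # fails SYN check
        ("out", Packet("tcp", INT, 40003, EXT, 8080, 60, frozenset({"SYN"}), 4.0)),  # PAM: http
    ]
    verdicts = [fw.outbound(p) if d == "out" else fw.inbound(p) for d, p in trace]
    return verdicts, fw.session_log, fw

if __name__ == "__main__":
    verdicts, log, fw = run_demo()
    print(verdicts)
    print(log)
    print({k: s.app for k, s in fw.sessions.items()})
```

The seventh packet in the trace is the case the limitations list describes: a packet that belongs to a TCP connection the firewall has never seen and is not a SYN. Both a static packet filter and this stateful model drop it, so inserting a firewall into a live network still breaks pre-existing TCP connections; the difference is that the stateful model additionally refuses the unsolicited inbound SYN (sixth packet) without any explicit deny rule, and the session record it emits gives the operator the duration and byte counts a session log is expected to carry.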
At the border of a network, an ASPF can work in coordination with a packet-filter firewall to provide the network with a security policy that is more comprehensive and better satisfies actual needs.
Basic concepts of ASPF
• Java blocking
Java blocking is a feature for blocking malicious Java applets that are transported by HTTP. With the Java blocking feature enabled, when a user attempts to get a program containing Java applets from a Web page, the ASPF will process the response, so as to block the Java applets.