CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Stateful Firewall

A packet filtering firewall is a static firewall and has the following problems:

  • Some security policies cannot be configured for multi-channel application-layer protocols such as FTP and SIP.
  • Some attacks (such as TCP SYN and Java Applets) from the transport and application layers cannot be detected.
  • ICMP attacks cannot be prevented because bogus ICMP error packets cannot be identified.
  • The first packet of a TCP connection must be a SYN packet. If the first packet of a TCP connection is not a SYN packet, the packet is discarded. When a firewall device connects to a network for the first time, non-first packets of existing TCP connections are all discarded if they pass through the new firewall, and the TCP connections are torn down.

Application specific packet filter (ASPF), a stateful firewall, is introduced to solve the preceding problems. ASPF can detect attacks related to the following protocols:

  • Application-layer protocols, including File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Session Initiation Protocol (SIP) and Real Time Streaming Protocol (RTSP)
  • Transport-layer protocols, including TCP and UDP

ASPF Functions

Major functions:

  • Checks application-layer protocol information, such as the protocol type and port number, and monitors the connection-based application-layer protocol status. ASPF maintains status information of each connection and uses the status information to determine whether to forward or discard data packets.
  • Checks transport-layer protocol information and determines whether to forward or discard TCP or UDP packets based on the source IP address, destination IP address, and port number.

Additional functions:

  • Checks contents of application-layer packets.
  • Checks the first packet of a TCP connection.
  • Filters ICMP error packets. An ICMP error packet carries information about a connection. If information in an ICMP error packet matches no connection, ASPF determines whether to discard the packet based on the current configuration.

The ASPF function and the packet filtering firewall can be used together on network edges to provide more comprehensive security policies on an enterprise's internal network.

Basic Concepts of ASPF

  • Single-channel protocol

    A single-channel protocol uses only one channel to exchange all data, from session setup to deletion. An example is HTTP.

  • Multi-channel protocol

    A multi-channel protocol uses a control channel to exchange control information and one or more separate data channels to exchange data. Examples are FTP and RTSP.

Basic Principle of Application-Layer Protocol Detection

Figure 6-3  Basic principle of application-layer protocol detection

As shown in Figure 6-3, an ACL is configured on the device to allow internal hosts to access external networks but reject access from external networks, which ensures internal network security. However, the ACL will filter out reply packets sent in response to connection requests, leading to connection failures.

After application-layer protocol detection is configured on the router, ASPF monitors each application-layer session and creates a status entry and a temporary access control list (TACL).
  1. ASPF creates a status entry when detecting the first packet sent to an external network. The status entry maintains the status of a session at a specified time and checks whether the session status transition is correct.
  2. A TACL is created when a status entry is created and is deleted after the session is disconnected. A TACL is an extended permit item of the ACL. A TACL matches all reply packets in a session and helps set up a temporary return channel on the external interface of the firewall for reply packets.

The following uses FTP as an example to describe the multi-channel protocol detection process.

Figure 6-4  FTP detection process

Figure 6-4 shows the FTP connection setup process. Assume that the FTP client uses port 1333 to initiate an FTP control channel connection to port 21 on the FTP server. After negotiation, the FTP server uses port 20 to initiate a data channel connection to port 1600 on the FTP client. If data transmission times out or ends, the connections are deleted.

The FTP detection process is as follows:
  1. Check whether IP packets sent from the outbound interface are TCP-based FTP packets.
  2. Check the port number and verify that the connection is a control connection. Create a status entry and TACL for the reply packets.
  3. Check FTP control connection packets, resolve FTP commands, and update the status entry based on the commands. If there is a data channel setup command, create a TACL for the data connection. The firewall does not perform status detection on data connections.
  4. Perform matching check on reply packets based on the protocol type. Determine whether to allow reply packets to pass based on the status entry and TACL.
  5. Delete the status entry and TACL when the FTP connection is deleted.

The process for detecting single-channel application layer protocols is simple. When a connection is initiated, the firewall creates a TACL. When the connection is deleted, the firewall deletes the TACL.

Basic Principle of Transport-Layer Protocol Detection

Transport-layer protocol detection is common TCP/UDP detection. Different from application-layer protocol detection, transport-layer protocol detection checks only transport-layer information in packets, such as the source address, destination address, and port number. In common TCP/UDP detection, reply packets returned to the external interface of ASPF must exactly match the packet sent from the interface. That is, the source address, destination address, source port, and destination port of the reply packet must be the same as the destination address, source address, destination port, and source port of the packet sent from the interface. Otherwise, reply packets are rejected. If you configure TCP detection without application-layer protocol detection for multi-channel application-layer protocols (such as FTP), data connections cannot be set up, because the server-initiated data connection matches no packet previously sent from the interface.
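To make the two detection modes concrete, the following is an added example (not Huawei code and not the device's actual implementation) that models the status entries and TACLs of the FTP detection process above and the exact reverse-tuple matching of transport-layer detection. The addresses, the PORT command payload, and the `Aspf` class are constructed for illustration; only the port numbers (1333, 21, 20, 1600) come from the text.

```python
import re

# Constructed addresses for the Figure 6-4 scenario: internal FTP client, external FTP server.
CLIENT, SERVER = "10.0.0.5", "203.0.113.8"

class Aspf:
    """Minimal model of ASPF state: status entries per session and temporary ACL (TACL) items."""
    def __init__(self, inspect_ftp):
        self.inspect_ftp = inspect_ftp  # False = transport-layer (plain TCP) detection only
        self.status = {}                # outbound 4-tuple -> session status entry
        self.tacl = {}                  # permitted inbound 4-tuple -> owning session

    def outbound(self, src, sport, dst, dport, payload=b""):
        """Packet from the internal host: create the status entry and the reverse-path TACL."""
        key = (src, sport, dst, dport)
        self.status.setdefault(key, "ESTABLISHED")
        self.tacl[(dst, dport, src, sport)] = key   # reply must exactly mirror the 4-tuple
        if self.inspect_ftp and dport == 21:          # application-layer detection of the control channel
            m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", payload)
            if m:                                     # client announced its data port (active mode)
                host = ".".join(m.group(i).decode() for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                self.status[key] = "DATA_PENDING"
                self.tacl[(dst, 20, host, port)] = key  # server:20 -> client:port may now enter

    def inbound(self, src, sport, dst, dport):
        """Packet from the external network: the static ACL denies it unless a TACL matches."""
        return (src, sport, dst, dport) in self.tacl

    def close(self, src, sport, dst, dport):
        """Session torn down: drop its status entry and every TACL it created."""
        key = (src, sport, dst, dport)
        self.status.pop(key, None)
        self.tacl = {t: k for t, k in self.tacl.items() if k != key}

def ftp_scenario(inspect_ftp):
    """Replay the FTP exchange in the text; return which inbound packets were admitted."""
    fw = Aspf(inspect_ftp)
    fw.outbound(CLIENT, 1333, SERVER, 21)                          # control channel SYN
    control_reply = fw.inbound(SERVER, 21, CLIENT, 1333)           # SYN/ACK matches the TACL
    fw.outbound(CLIENT, 1333, SERVER, 21, b"PORT 10,0,0,5,6,64")   # 6*256+64 = port 1600
    data_channel = fw.inbound(SERVER, 20, CLIENT, 1600)            # server opens data connection
    fw.close(CLIENT, 1333, SERVER, 21)
    after_close = fw.inbound(SERVER, 20, CLIENT, 1600)             # TACL deleted with the session
    return control_reply, data_channel, after_close

if __name__ == "__main__":
    print("application-layer detection:", ftp_scenario(True))      # (True, True, False)
    print("transport-layer detection only:", ftp_scenario(False))  # (True, False, False)
```

With FTP inspection the server-initiated data connection is admitted by the TACL created from the PORT command; with plain TCP detection it matches no previously sent packet and is rejected, which is the failure the paragraph above describes.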

Updated: 2019-08-07

Document ID: EDOC1100034077
