Basic concepts
Java blocking
Java blocking is a feature for blocking malicious Java applets, which are transported over HTTP. With the
Java blocking feature enabled, when a user attempts to download a webpage containing Java applets, the
ASPF inspects the HTTP response and blocks the Java applets.
PAM
Although application layer protocols normally use their standard port numbers for communication, PAM
allows you to define a set of new port numbers for different applications. It also provides mechanisms for
maintaining and using the configuration information of the user-defined ports.
PAM supports two types of port mapping mechanisms: general port mapping and host port mapping.
• General port mapping—A mapping of a user-defined port number to an application layer protocol.
If port 8080 is mapped to HTTP, for example, all TCP packets to port 8080 are regarded as HTTP
packets.
• Host port mapping—A mapping of a user-defined port number to an application layer protocol for
packets to/from specific hosts. For example, establish a host port mapping so that all TCP packets
using 8080 as the destination port and 10.110.0.0/16 as the destination network segment are
regarded as HTTP packets. The hosts can be specified by means of a basic ACL.
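The following added example (not from the configuration guide; it models the behaviour, not the device's own implementation) shows how the two mapping types decide which application layer protocol ASPF assumes for a packet. It assumes that a host port mapping, being more specific, is checked before a general mapping, and that the standard-port table and the second mapping on port 8081 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Protocols assumed on their standard ports when no mapping applies (assumed table).
STANDARD_PORTS = {21: "ftp", 25: "smtp", 80: "http", 554: "rtsp"}

@dataclass
class HostMapping:
    port: int
    protocol: str
    networks: list            # destination networks; stands in for the basic ACL

@dataclass
class PortMapper:
    general: dict = field(default_factory=dict)   # port -> protocol
    host: list = field(default_factory=list)      # HostMapping entries

    def add_general(self, port, protocol):
        """General port mapping: every TCP packet to this port is treated as the protocol."""
        self.general[port] = protocol

    def add_host(self, port, protocol, networks):
        """Host port mapping: the port means the protocol only for the listed networks."""
        nets = [ipaddress.ip_network(n) for n in networks]
        self.host.append(HostMapping(port, protocol, nets))

    def classify(self, dst_ip, dst_port):
        """Return the application layer protocol ASPF would assume for the packet."""
        addr = ipaddress.ip_address(dst_ip)
        # Assumption: a host mapping is more specific, so it is checked before a general one.
        for m in self.host:
            if m.port == dst_port and any(addr in n for n in m.networks):
                return m.protocol
        if dst_port in self.general:
            return self.general[dst_port]
        return STANDARD_PORTS.get(dst_port, "unknown")

def page_example():
    """Mapper holding the page's host mapping plus one constructed general mapping."""
    pam = PortMapper()
    pam.add_host(8080, "http", ["10.110.0.0/16"])   # the mapping described on the page
    pam.add_general(8081, "http")                   # constructed general mapping
    return pam

if __name__ == "__main__":
    pam = page_example()
    for ip, port in [("10.110.3.4", 8080), ("192.0.2.10", 8080), ("192.0.2.10", 8081)]:
        print(ip, port, "->", pam.classify(ip, port))
```

Port 8080 is treated as HTTP only for the 10.110.0.0/16 segment, while port 8081 is HTTP for every destination; a port with neither mapping falls back to the standard-port table.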
Single-channel protocol and multi-channel protocol
• Single-channel protocol—A single-channel protocol establishes only one channel to exchange both
control messages and data for a user. SMTP and HTTP are examples of single-channel protocols.
• Multi-channel protocol—A multi-channel protocol establishes more than one channel for a user and
transfers control messages and user data through different channels. FTP and RTSP are examples of
multi-channel protocols.
Internal interface and external interface
On an edge device configured with ASPF to protect servers on the internal network, interfaces connected
with the internal network are internal interfaces, and the interface connected with the Internet is the
external interface.
When an ASPF is applied on the outbound direction of the external interface of a router, a temporary
channel can be opened on the firewall for return packets to internal network users accessing the Internet.
Application layer protocol detection
Figure 121 Basic idea of application layer protocol detection