Command Reference Guide
SROS Command Line Interface Reference Guide Global Configuration Mode Command Set
5991-2114 © Copyright 2005 Hewlett-Packard Development Company, L.P. 272
Functional Notes (Continued)
This command enables firewall processing for all interfaces with a configured policy class. Firewall
processing consists of the following functions:
Attack Protection: Detects and discards traffic that matches profiles of known networking exploits or
attacks.
Session Initiation Control: Allows only sessions that match traffic patterns permitted by access-control
policies to be initiated through the router.
Ongoing Session Monitoring and Processing: Each session that has been allowed through the router is
monitored for any irregularities that match patterns of known attacks or exploits; traffic that matches
such a pattern is dropped. Also, if NAT is configured, the firewall modifies all traffic associated with the
session according to the translation rules defined in NAT access policies. Finally, if a session is inactive
for a user-specified amount of time, the firewall closes the session.
Application Specific Processing: Certain applications need special handling to work correctly in the
presence of a firewall. Secure Router OS uses ALGs (application-level gateways) for these applications.
The Secure Router OS includes several security features to provide controlled access to your network.
The following features are available when security is enabled (using the ip firewall command):
1. Stateful Inspection Firewall
The Secure Router OS (and your unit) acts as an application-level gateway and employs a stateful inspection
firewall that protects an organization's network from common cyber attacks including TCP SYN flooding, IP
spoofing, ICMP redirect, land attacks, ping-of-death, and IP reassembly problems. Further protection is
provided by the Network Address Translation (NAT) and Port Address Translation (PAT) capability.
2. Access Policies (ACPs)
Secure Router OS access control policies are used to allow, discard, or manipulate (using NAT) data for
each physical interface. Each ACP consists of a selector (access list) and an action (allow, discard, NAT).
When packets are received on an interface, the configured ACPs are applied to determine whether the
data will be processed or discarded.
3. Access Lists (ACLs)
Access control lists are used as packet selectors by ACPs; by themselves they do nothing. ACLs are
composed of an ordered list of entries. Each entry contains two parts: an action (permit or deny) and a
packet pattern. A permit ACL is used to permit packets (meeting the specified pattern) to enter the router
system. A deny ACL advances the Secure Router OS to the next access policy entry. The Secure Router
OS provides two types of ACLs: standard and extended. Standard ACLs allow source IP address packet
patterns only. Extended ACLs may specify patterns using most fields in the IP header and the TCP or UDP
header.
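The evaluation order described in items 2 and 3 (a permit in the selector ACL fires the ACP entry's action; a deny advances to the next ACP entry; standard ACLs look only at the source address) modelled in Python as an added example. This is not Secure Router OS code; the ACL and policy names, the addresses, and the assumption that a packet claimed by no ACP entry is discarded are constructed for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Packet = namedtuple("Packet", "src dst proto dport")
# One ordered ACL entry: action is "permit" or "deny"; a standard ACL honours
# only src, an extended ACL also dst, proto and dport (None = wildcard).
AclEntry = namedtuple("AclEntry", "action src dst proto dport",
                      defaults=("0.0.0.0/0", "0.0.0.0/0", None, None))
# One ACP entry: action is "allow", "discard" or "nat"; acl is the selector.
AcpEntry = namedtuple("AcpEntry", "action acl nat_dst", defaults=(None,))

class Acl:
    def __init__(self, kind: str, entries: List[AclEntry]):
        self.kind = kind              # "standard" or "extended"
        self.entries = entries

    def match(self, p: Packet) -> Optional[str]:
        """Action of the first matching entry; None if nothing matches."""
        for e in self.entries:
            if ip_address(p.src) not in ip_network(e.src):
                continue
            if self.kind == "extended" and (
                    ip_address(p.dst) not in ip_network(e.dst)
                    or (e.proto is not None and e.proto != p.proto)
                    or (e.dport is not None and e.dport != p.dport)):
                continue
            return e.action
        return None

def apply_policy(acp: List[AcpEntry], p: Packet) -> Tuple[str, Packet]:
    """Try ACP entries in order: a permit in the selector ACL fires that
    entry's action; a deny, or no match at all, advances to the next entry.
    Assumption (the guide does not say): a packet no entry claims is discarded."""
    for entry in acp:
        if entry.acl.match(p) != "permit":
            continue
        if entry.action == "nat":      # rewrite destination, then allow
            return "allow", p._replace(dst=entry.nat_dst)
        return entry.action, p
    return "discard", p

# Constructed sample policy for an untrusted interface (not from the guide):
# forward port-80 traffic for 203.0.113.10 to an inside host, except from
# one abusive address, and drop everything else from that address's network.
WEB_IN = Acl("extended", [AclEntry("deny", src="198.51.100.7/32"),
                          AclEntry("permit", dst="203.0.113.10/32", proto="tcp", dport=80)])
BLOCKED = Acl("standard", [AclEntry("permit", src="198.51.100.0/24")])
PUBLIC = [AcpEntry("nat", WEB_IN, nat_dst="10.1.1.10"), AcpEntry("discard", BLOCKED)]
```

Calling apply_policy(PUBLIC, pkt) returns the verdict and the (possibly translated) packet, so the same policy can be checked against a set of packets before it is committed to an interface.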
Usage Examples
The following example enables the Secure Router OS security features:
(config)#ip firewall