HP-UX IPFilter Version 17 Release Notes

1 About this Product
HP-UX IPFilter version 17 (product number B9901AA) is a TCP/IP packet filter suitable for use
as a system firewall to protect back-end servers. The firewall functions as a security defense by
cutting down the number of exposure points on a machine. Although HP-UX IPFilter is a superset
of the functionality in the IPFilter 3.5 Alpha 5 open source version of the product (developed by
Darren Reed), HP does not support some of the perimeter firewall features in that release. If you
are using features that are not supported by HP, you can request support from the open source
IPFilter website. The URL for this site is http://caligula.anu.edu.au/~avalon. HP-UX IPFilter
version 17 also supports various features in open source IPFilter 4.1.24.
The HP-UX IPFilter version 17 product is supported on HP-UX 11i v2 and HP-UX 11i v3 systems.
HP-UX IPFilter version 17 can be obtained from the HP Software Depot at
http://www.software.hp.com for HP-UX 11i v2 and HP-UX 11i v3. In addition, HP-UX IPFilter version
17 will be available on AR/OE media for HP-UX 11i v2 and HP-UX 11i v3 in March 2010.
HP-UX IPFilter Version String    OS Version
A.11.31.17                       HP-UX 11i v3
A.11.23.17                       HP-UX 11i v2
For a complete list of commands and utilities that are not supported by HP, see “Unsupported
Features” (page 22).
1.1 Benefits and Features
HP-UX IPFilter version 17 provides the following key benefits:
• Protects an individual host on an intranet against internal attacks
• Protects an individual host on an intranet against external attacks that have breached
  perimeter defenses
• Provides an alternative to the restricted configuration of Internet Services
• Protects a bastion host on the perimeter or in the DMZ
The following major features are included with HP-UX IPFilter version 17:
• Explicitly permits or denies a packet from passing through based on:
— IP address or a range of IP addresses
— IP protocol (IP/TCP/UDP)
— IP fragments
— IP options
— IP security classes
— TCP ports and port ranges
— UDP ports and port ranges
— ICMP message type and code
— Combination of TCP flags
— Interface
• Allows control of incoming TCP connections through DCA
• Supports NAT, which lets an intermediate HP-UX system act as a translator of IP addresses
  and network ports
• Sends back an ICMP error or TCP reset for blocked packets
• Keeps packet state information for TCP, UDP, and ICMP
• Keeps fragment state information for any IP packet, applying the same rule to all fragments
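The following rule set is an added illustration, not part of the HP release notes, showing how the match criteria and features listed above appear in IPFilter rule syntax for a default-deny back-end server policy. The interface name lan0, the intranet range 10.0.0.0/8, and the chosen ports are assumptions.

```conf
# Added example (not HP's own configuration). Assumes interface lan0 and
# intranet 10.0.0.0/8. Rules are evaluated in order; "quick" stops at a match.

# Default deny in both directions, logging what is dropped.
block in log all
block out log all

# Loopback traffic is trusted.
pass in quick on lo0 all
pass out quick on lo0 all

# IP options and too-short fragments cannot be inspected: drop them first.
block in log quick on lan0 all with ipopts
block in log quick on lan0 all with short

# Interface + protocol + source range + TCP port + TCP flags:
# only a SYN without ACK may open a session; "keep state" admits the rest.
pass in quick on lan0 proto tcp from 10.0.0.0/8 to any port = 22 flags S/SA keep state
# A TCP port range (exclusive bounds), same stateful treatment.
pass in quick on lan0 proto tcp from 10.0.0.0/8 to any port 8000 >< 8100 flags S/SA keep state

# UDP port match with state so replies are tracked rather than opened blindly.
pass in quick on lan0 proto udp from 10.0.0.0/8 to any port = 123 keep state

# ICMP by message type and code: echo request in; state covers the echo reply.
pass in quick on lan0 proto icmp from any to any icmp-type 8 code 0 keep state

# Blocked packets get an active answer instead of a silent drop:
# TCP receives a reset, UDP receives an ICMP port-unreachable.
block return-rst in log quick on lan0 proto tcp from any to any
block return-icmp(port-unr) in log quick on lan0 proto udp from any to any

# Outbound: permit what this host initiates and track fragments with the flow.
pass out quick on lan0 proto tcp from any to any flags S/SA keep state
pass out quick on lan0 proto udp from any to any keep state keep frags
pass out quick on lan0 proto icmp from any to any keep state
```

NAT (address and port translation) is configured separately in the ipnat rule file and is not shown here.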
1.1 Benefits and Features 7