Network Security Features of HP-UX 11i v1 and 11i v2
Page 12
Host Based Firewalls with HP-UX IPFilter
A corporate intranet must be protected against intrusion and Denial of Service (DoS) attacks. This can be
achieved by using one or more network perimeter firewalls. There are many products available that fill
this role. However, individual hosts may need additional protection against external or internal attacks.
This protection is important for hosts that are directly accessible from the Internet. Protection is also
needed for hosts that store sensitive information within the corporate intranet or that provide essential
network services, such as routing or domain name services.
An efficient, effective way to protect individual hosts inside the intranet is to use a system firewall (also
known as a host-based firewall). A system firewall is a packet filtering mechanism built into the TCP/IP
stack of a host that provides filtering functionality specifically configured for the protection of critical
servers or individual hosts. The packet-filtering feature characterizes the Strong End-System (SES)
functionality described in RFC1122 of the IETF.
HP-UX IPFilter is based on IPFilter, a popular public-domain stateful inspection firewall. HP-UX IPFilter
is provided for use as a system firewall on HP-UX hosts. It is available for download from Software
Depot. Additionally, HP-UX IPFilter is a part of the HP-UX 11i Operating Environment (OE) software
packages and is on the HP-UX Application Release CD.
HP-UX IPFilter Features
The key features and benefits of HP-UX IPFilter are:
• Flexible configuration options: Provides an alternative to the restricted configuration of Internet
services.
• Administrator-specified control over IP traffic passing through a host: HP-UX IPFilter explicitly
permits or denies a packet from passing through a host based on the following:
  – IP address or a range of IP addresses
  – IP protocol (IP/TCP/UDP)
  – IP fragments
  – IP options
  – IP security classes
  – TCP ports and port ranges
  – UDP ports and port ranges
  – ICMP message type and code
  – Combination of TCP flags
  – Network interface
• Dynamic Connection Allocation (DCA): Controls the number of connections to the HP-UX system
from any one IP address or subnet. You can use DCA to block spam and to prevent DoS attacks. For
example, DCA can restrict a flood of traffic to the primary port of an LDAP server, while allowing
unrestricted traffic to its SSL port from known subnets. You can deploy DCA as a packet filtering
firewall for either an individual system or a network.
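The following ruleset is an added, constructed example (it is not taken from this paper or from HP's documentation) showing how the filtering criteria listed above and the DCA LDAP scenario translate into IPFilter rules on an HP-UX host. The interface name lan0, the subnets, the file path and the port choices are assumptions for illustration; the `keep limit` keyword is taken to be HP-UX IPFilter's DCA syntax and should be checked against the ipf.conf(5) manpage of the installed version.

```conf
# Constructed example for /etc/opt/ipf/ipf.conf (path assumed, not from the paper).
# Interface lan0 and all addresses below are placeholders.
# IPFilter evaluates rules top to bottom; the LAST matching rule decides the
# packet's fate, unless a rule carries "quick", which ends evaluation at once.
#
# Assumed layout (constructed):
#   lan0          interface facing the corporate intranet
#   10.20.0.0/16  the host's own intranet subnet
#   10.30.5.0/24  administration subnet allowed to manage this host

# IP fragments and IP options: drop and log truncated or fragmented packets and
# any packet carrying source-routing options, regardless of protocol.
block in log quick on lan0 all with short
block in log quick on lan0 all with frag
block in log quick on lan0 all with opt lsrr
block in log quick on lan0 all with opt ssrr

# IP address ranges: packets arriving on the intranet interface with a
# loopback source, or from a private range the intranet does not use, are spoofed.
block in log quick on lan0 from 127.0.0.0/8 to any
block in log quick on lan0 from 192.168.0.0/16 to any

# Combination of TCP flags: SYN together with FIN is never a valid connection start.
block in log quick on lan0 proto tcp from any to any flags SF/SF

# ICMP message type and code: allow echo requests (type 8), drop redirects (type 5).
pass  in     quick on lan0 proto icmp from any to any icmp-type 8 keep state
block in log quick on lan0 proto icmp from any to any icmp-type 5

# TCP ports: SSH only from the administration subnet. "flags S" matches only the
# initial SYN; "keep state" then admits the rest of that connection without
# needing further rules for the reply packets.
pass in quick on lan0 proto tcp from 10.30.5.0/24 to any port = 22 flags S keep state

# DCA (Dynamic Connection Allocation), the LDAP case from the text: cap concurrent
# connections to the primary LDAP port (389) per source address, while the SSL
# port (636) stays unrestricted for the known intranet subnet.
# "keep limit" is assumed to be HP-UX IPFilter's DCA keyword; verify before use.
pass in quick on lan0 proto tcp from any          to any port = 389 flags S keep state keep limit 50
pass in quick on lan0 proto tcp from 10.20.0.0/16 to any port = 636 flags S keep state

# UDP ports: DNS queries from the host's own subnet only.
pass in quick on lan0 proto udp from 10.20.0.0/16 to any port = 53 keep state

# Outbound: the host may initiate connections; state entries admit the replies.
pass out quick on lan0 proto tcp  from any to any flags S keep state
pass out quick on lan0 proto udp  from any to any keep state
pass out quick on lan0 proto icmp from any to any keep state

# Default deny: anything not matched above is dropped and logged.
block in  log on lan0 all
block out log on lan0 all
```

The ordering matters: the `quick` block rules for fragments, options and spoofed sources sit first so that no later `pass` rule can admit such a packet, and the two final non-`quick` `block` rules act as the default policy only for packets no earlier rule claimed. Before activating a ruleset like this on a production host, load it with `ipf -Fa -f /etc/opt/ipf/ipf.conf` from a console session rather than over the network, and confirm with `ipfstat -io` that the rules were parsed in the intended order.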