H3C Technologies H3C SecBlade FW Cards User Manual


The following describes the operation of an ALG-enabled device, taking FTP as an example. As shown in Figure 19, the host in the outside network accesses the FTP server in the inside network in passive mode through the ALG-enabled device.

Figure 19 Network diagram for ALG-enabled FTP application in PASV mode

The communication process includes the following stages:

1. Establishing a control connection

The host sends a TCP connection request to the server. If a TCP connection is established, the server and the host enter the user authentication stage.

2. Authenticating the user

The host sends the server an authentication request, which contains the FTP commands (user and password) and their contents. When the request passes through the ALG-enabled device, the commands in the packet payload are parsed and used to check whether the FTP state machine transition is proceeding correctly. If it is not, the request is dropped. In this way, ALG protects the server against clients that send packets with state machine errors or that log in to the server with illegal user accounts. An authentication request with a correct state is forwarded by the ALG-enabled device to the server, which authenticates the host according to the information in the packet.

3. Establishing a data connection

If the host passes the authentication, a data connection is established between it and the server. If the host is accessing the server in passive mode, the data connection process is different. In passive mode, the server sends the host a PASV response that carries its private network address and port number (IP1, Port1). When the response arrives at the ALG-enabled device, the device parses the packet and translates the server's private network address and port number into the server's public network address and port number (IP2, Port2). Then, the device uses the public network address and port number to establish the data connection with the host.

4. Exchanging data

The host and the FTP server exchange data through the established data connection.
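As an added illustration (not H3C code), the following Python models the two ALG steps described in stages 2 and 3 above: checking that client commands follow the FTP control-channel state machine, and rewriting the (IP1, Port1) pair in the server's 227 PASV reply to (IP2, Port2) while recording the mapping through which the host's later data connection is translated back. The addresses, the port pool and the simplified state machine are constructed assumptions.

```python
import re

# Constructed values (not from the manual): IP1 is the server's private address,
# IP2 the public address that NAT presents to the outside network.
IP1, IP2 = "10.0.0.5", "203.0.113.10"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# FTP control-channel state machine: commands the ALG accepts in each state.
ALLOWED = {"NEW": {"USER"}, "USER_SENT": {"PASS"},
           "LOGGED_IN": {"PASV", "LIST", "RETR", "STOR", "QUIT"}}

def parse_pasv(line):
    """Parse a 227 reply into (ip, port); None if it is malformed."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

class FtpAlg:
    """Toy model of the FTP ALG steps described on this page (not H3C code)."""
    def __init__(self, first_public_port=40000):
        self.state = "NEW"
        self.next_port = first_public_port   # Port2 values are drawn from here
        self.pinholes = {}                   # (IP2, Port2) -> (IP1, Port1)

    def inspect_command(self, line):
        """True if the client command fits the state machine; False = drop it."""
        cmd = line.split(None, 1)[0].upper() if line.strip() else ""
        if cmd not in ALLOWED[self.state]:
            return False
        # Simplification: a real ALG advances on the server's 331/230 replies.
        self.state = {"USER": "USER_SENT", "PASS": "LOGGED_IN"}.get(cmd, self.state)
        return True

    def translate_response(self, line):
        """Rewrite (IP1, Port1) in a 227 reply to (IP2, Port2); open a pinhole."""
        parsed = parse_pasv(line)
        if parsed is None or parsed[0] != IP1:
            return line                      # not a PASV reply from our server
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.pinholes[(IP2, pub_port)] = parsed
        return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
            IP2.replace(".", ","), pub_port // 256, pub_port % 256)

    def map_data_connection(self, dst_ip, dst_port):
        """Map the host's connect to (IP2, Port2) back to (IP1, Port1), or None."""
        return self.pinholes.get((dst_ip, dst_port))
```

A data connection to (IP2, Port2) for which no pinhole exists maps to None, which is the case a firewall would refuse rather than forward.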

[Figure 19 (diagram not reproduced): the FTP server on the inside network and the host on the outside network are separated by a router with FTP-ALG enabled and NAT. Message flow: the host's FTP_CMD("PASV") is forwarded to the server; the server's FTP_EnterPassive("IP1, Port1") is rewritten by the ALG (IP1, Port1 -> IP2, Port2) and delivered to the host as FTP_EnterPassive("IP2, Port2"); the host's FTP_Connect(IP2, Port2) is translated to FTP_Connect(IP1, Port1) toward the server.]
