H3C Technologies H3C SecPath F1000-E User Manual
Page 46
• Real-Time Streaming Protocol (RTSP)
• Skinny Client Control Protocol (SCCP)
• Session Initiation Protocol (SIP)
• SQLNET (a language in Oracle)
• Trivial File Transfer Protocol (TFTP)
• X Display Manager Control Protocol (XDMCP)
The following describes the operation of an ALG-enabled device, taking FTP as an example. As shown in Figure 1, the host in the outside network accesses the FTP server in the inside network in passive mode through the ALG-enabled device.
Figure 1 Network diagram for ALG-enabled FTP application in PASV mode
[Figure: the host in the outside network, the device (FTP-ALG enabled, performing NAT), and the FTP server in the inside network. Message flow: the host sends FTP_CMD(“PASV”), which the device forwards to the server; the server replies FTP_EnterPassive(“IP1, Port1”); the ALG rewrites IP1, Port1 to IP2, Port2 and forwards FTP_EnterPassive(“IP2, Port2”) to the host; the host then opens FTP_Connect(IP2, Port2), which NAT translates to FTP_Connect(IP1, Port1) toward the server.]
The communication process includes the following stages:
1. Establishing a control connection
The host sends a TCP connection request to the server. If a TCP connection is established, the server and the host enter the user authentication stage.
2. Authenticating the user
The host sends the server an authentication request, which contains the FTP commands (user and password) and their contents.
When the request passes through the ALG-enabled device, the commands in the packet payload are parsed and used to check whether the state machine transition is proceeding correctly. If not, the request is dropped. In this way, ALG protects the server against clients that send packets with state machine errors or log in to the server with illegal user accounts.
An authentication request with a correct state is forwarded by the ALG-enabled device to the server, which authenticates the host according to the information in the packet.
3. Establishing a data connection
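The PASV-reply rewrite from Figure 1 and the control-channel state check from stage 2, as an added Python example that is not part of the H3C manual; the addresses, the port allocator and the command table are constructed for illustration.

```python
import re

# Constructed sample reply from the inside FTP server (IP1 = 10.1.1.20, Port1 = 5000).
INSIDE_REPLY = "227 Entering Passive Mode (10,1,1,20,19,136).\r\n"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv_reply(line):
    """Return (ip, port) announced in a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def format_pasv_reply(ip, port):
    # Rebuild the reply in the h1,h2,h3,h4,p1,p2 notation used by FTP.
    return "227 Entering Passive Mode (%s,%d,%d).\r\n" % (ip.replace(".", ","), port // 256, port % 256)

def alg_rewrite_pasv(line, public_ip, allocate_port, data_mappings):
    """ALG step of Figure 1: replace IP1,Port1 with IP2,Port2 and record the NAT mapping."""
    parsed = parse_pasv_reply(line)
    if parsed is None:
        return line                      # not a PASV reply; pass through untouched
    public_port = allocate_port()        # hypothetical allocator that hands out Port2
    data_mappings[(public_ip, public_port)] = parsed
    return format_pasv_reply(public_ip, public_port)

def translate_data_connect(dst_ip, dst_port, data_mappings):
    """NAT step of Figure 1: map the host's IP2,Port2 connection back to IP1,Port1."""
    return data_mappings.get((dst_ip, dst_port))

class FtpAlgStateMachine:
    """Control-channel state tracking; commands that break the expected order are dropped."""
    TRANSITIONS = {
        "INIT":      {"USER": "USER_SENT", "QUIT": "INIT"},
        "USER_SENT": {"PASS": "AUTHED", "USER": "USER_SENT", "QUIT": "INIT"},
        "AUTHED":    {"PASV": "AUTHED", "LIST": "AUTHED", "RETR": "AUTHED",
                      "STOR": "AUTHED", "QUIT": "INIT"},
    }
    def __init__(self):
        self.state = "INIT"

    def accept(self, command_line):
        # Return True and advance if the command fits the current state, else False (drop it).
        parts = command_line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        nxt = self.TRANSITIONS[self.state].get(verb)
        if nxt is None:
            return False
        self.state = nxt
        return True
```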