OAA Configuration, OAA Configuration Overview – H3C Technologies H3C SecBlade IPS Cards User Manual

• Apply the policy using blocking or interfering actions on the device.

• The interfaces connected to the management interface and the service interface are configured in the same VLAN. (A management interface is the interface through which the device sends out packets and manages bypass traffic; a service interface is the interface through which the device receives bypass traffic and performs detection. The two interfaces can be the same one.)

OAA Configuration

The OAA client and the OAA server mentioned in the following configuration procedure and configuration examples refer to the ACFP client and the ACFP server in the OAA architecture.

OAA Configuration Overview

Basic data communication networks consist of routers and switches, which forward data packets. As data networks develop, more and more services run on them, and legacy devices have become unsuitable for handling some of the new services. Therefore, security products such as firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS), as well as voice and wireless products, are designed to handle specific services.

To better support new services, manufacturers of legacy networking devices (routers and switches in this document) have developed various dedicated service boards (cards) to handle these services. Some manufacturers of legacy networking devices provide a set of software/hardware interfaces that allow the boards (cards) or devices of other manufacturers to be plugged into or connected to these legacy networking devices to handle these services. This lets each manufacturer play to its strengths in supporting new services while reducing user investment.

The Open Application Architecture (OAA) is an open service architecture developed with this concept. The Application Control Forwarding Protocol (ACFP) is developed based on the OAA architecture. For example, collaborating IPS/IDS cards or IPS/IDS devices acting as ACFP clients run software packages developed by other manufacturers to support the IPS/IDS services. A router or switch mirrors or redirects the received packets to an ACFP client after matching the ACFP collaboration rules. The software running on the ACFP client monitors and inspects the packets. Based on the monitoring and detection results, the ACFP client sends responses back to the router or switch through collaboration Management Information Bases (MIBs), instructing the router or switch how to act on the results, for example by filtering out the specified packets.