Session management, Connection limits, Attack detection and protection – H3C Technologies H3C SecBlade LB Cards User Manual
Page 14: ND attack defense, TCP attack protection, Other security technologies, Password control
The device compares the header information against the preset ACL rules and processes (discards or
forwards) the packet based on the comparison result.
ALG
ALG can work with NAT to process payload information for application layer packets and implement
address translation in packet payloads.
Session management
Session management is a common feature designed to implement session-based services such as NAT
and intrusion protection. Session management tracks the connection status by inspecting the transport
layer protocol (TCP or UDP) information, and treats packet exchanges at the transport layer as sessions,
performing unified status maintenance and management of all connections.
The session management function only implements connection status tracking. It does not block potential
attack packets.
Connection limits
You can configure connection limit policies to collect statistics and limit the number of connections,
protecting internal network resources (hosts or servers) and properly allocating system resources on the
device.
Attack detection and protection
ND attack defense
The IPv6 ND protocol provides rich functions, but does not provide any security mechanisms. Attackers
can easily exploit the ND protocol to attack hosts and gateways by sending forged packets. The device
implements ND attack detection technologies, such as source MAC consistency check for ND packets,
to defend against these attacks.
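The source MAC consistency check named above can be pictured as comparing the Ethernet source MAC of an ND frame with the link-layer address option carried inside it. The following Python is an added illustration, not H3C code: the mapping of option 1 to RS/RA/NS and option 2 to NA, and the names `check_nd_frame` and `build_nd_frame`, are assumptions, and only untagged frames without IPv6 extension headers are handled.

```python
import struct

# ND message type -> (offset of the first option, option type carrying the sender's MAC).
# Option 1 = Source Link-Layer Address, option 2 = Target Link-Layer Address (RFC 4861).
# Assumption of this example: these are the fields a consistency check would compare.
ND_LAYOUT = {133: (8, 1), 134: (16, 1), 135: (24, 1), 136: (24, 2)}

def check_nd_frame(frame: bytes) -> str:
    """Classify a raw Ethernet frame: not-nd, malformed, no-option, consistent, mismatch."""
    if len(frame) < 14 + 40 + 4:
        return "not-nd"
    eth_src = frame[6:12]
    ethertype, = struct.unpack("!H", frame[12:14])
    payload_len, next_header = struct.unpack("!HB", frame[18:21])
    if ethertype != 0x86DD or next_header != 58:    # IPv6 carrying ICMPv6 directly
        return "not-nd"
    icmp = frame[54:54 + payload_len]
    if payload_len < 4 or len(icmp) < payload_len:  # truncated packet
        return "malformed"
    if icmp[0] not in ND_LAYOUT:
        return "not-nd"
    off, wanted = ND_LAYOUT[icmp[0]]
    if len(icmp) < off:
        return "malformed"
    while off < len(icmp):                          # walk the TLV options
        if off + 2 > len(icmp):
            return "malformed"
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8  # length field is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            return "malformed"
        if opt_type == wanted:
            return "consistent" if icmp[off + 2:off + 8] == eth_src else "mismatch"
        off += opt_len
    return "no-option"

def build_nd_frame(eth_src: bytes, nd_type: int, claimed_mac: bytes) -> bytes:
    """Constructed test input: minimal ND frame with one link-layer address option."""
    first_opt, opt_type = ND_LAYOUT[nd_type]
    icmp = bytes([nd_type]) + bytes(first_opt - 1) + bytes([opt_type, 1]) + claimed_mac
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + bytes(32)
    eth = b"\x33\x33\x00\x00\x00\x01" + eth_src + b"\x86\xdd"
    return eth + ipv6 + icmp

if __name__ == "__main__":
    host = bytes.fromhex("020000000001")    # constructed, locally administered MACs
    forged = bytes.fromhex("0200000000ff")
    print(check_nd_frame(build_nd_frame(host, 136, host)))    # honest NA
    print(check_nd_frame(build_nd_frame(host, 136, forged)))  # NA claiming another MAC
```

A `mismatch` result is the case such a check would log or drop; `no-option` and `malformed` frames need a separate policy decision.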
Attack detection and protection
Attack detection and protection is an important network security feature. It determines whether received
packets are attack packets according to the packet contents and behaviors and, on detecting an attack,
takes measures to deal with the attack, such as outputting alarm logs, dropping packets, and blacklisting
the source IP address. The attack protection function can detect network attacks such as single-packet
attacks, scanning attacks, and flood attacks.
TCP attack protection
Attackers can attack the device during the process of TCP connection establishment. To prevent such
attacks, the device provides the following features:
• SYN Cookie
• Protection against Naptha attacks
Other security technologies
The device also provides other network security technologies to give users multifunctional, full-range
security protection.
Password control
Password control is a set of functions for enhancing local password security. It controls user login
passwords, super passwords, and user login status based on predefined policies. Those policies include