Brocade Communications Systems ServerIron ADX 12.4.00a User's Manual: Security Guide
2015-02-02
53-1002440-03
June 2012

ServerIron ADX Security Guide
Supporting Brocade ServerIron ADX version 12.4.00a

© 2012 Brocade Communications Systems, Inc. All Rights Reserved.

Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, MLX, SAN Health, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability.

Export of technical data contained in this document may require an export license from the United States government.

The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.

The product described by this document may contain "open source" software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.
Brocade Communications Systems, Incorporated

Corporate and Latin American Headquarters
Brocade Communications Systems, Inc.
130 Holger Way
San Jose, CA 95134
E-mail: info@brocade.com

Asia-Pacific Headquarters
Brocade Communications Systems China HK, Ltd.
No. 1 Guanghua Road, Chao Yang District
Units 2718 and 2818
Beijing 100020, China
Tel: +8610 6588 8888
Fax: +8610 6588 9999
E-mail: china-info@brocade.com

European Headquarters
Brocade Communications Switzerland Sàrl
Centre Swissair
Tour B - 4ème étage
29, Route de l'Aéroport
Case Postale 105
CH-1215 Genève 15
Switzerland
Tel: +41 22 799 5640
Fax: +41 22 799 5641
E-mail: emea-info@brocade.com

Asia-Pacific Headquarters
Brocade Communications Systems Co., Ltd. (Shenzhen WFOE)
Citic Plaza
No. 233 Tian He Road North
Unit 1308 – 13th Floor
Guangzhou, China
Tel: +8620 3891 2000
Fax: +8620 3891 2111
E-mail: china-info@brocade.com

Document History

Title                          | Publication number | Summary of changes               | Date
ServerIron ADX Security Guide  | 53-1002440-01      | New document                     | January, 2012
ServerIron ADX Security Guide  | 53-1002440-02      | Corrections made to ACL chapter  | April, 2012
ServerIron ADX Security Guide  | 53-1002440-03      | Updates made to documentation    | June, 2012

Contents

About This Document
  Audience  xiii
  Supported hardware and software  xiii
  Document conventions  xiii
    Text formatting  xiii
    Notes, cautions, and danger notices  xiv
  Notice to the reader  xiv
  Related publications  xv
  Getting technical help  xv

Chapter 1  Network Security
  TCP SYN attacks  1
    IP TCP syn-proxy  1
  Granular application of syn-proxy feature  2
  Syn-def  2
    Introduction  2
    show server traffic  2
    SYN-def-dont-send-ack  3
    show server debug  3
  No response to non-SYN first packet of a TCP flow  4
  Prioritizing management traffic  5
    Protection against attack in hardware  6
  Peak BP utilization with TRAP  6
    Show CPU-utilization command enhancement  6
    BP utilization threshold  7
    MP utilization threshold  7
  Transaction Rate Limit (TRL)  7
    Understanding transaction rate limit  7
    Configuring transaction rate limit  8
    Configuring the maximum number of rules  12
    Saving a TRL configuration  13
    Transaction rate limit command reference  13
    Global TRL  14
    TRL plus security ACL-ID  15
    security acl-id  15
    Transaction rate limit hold-down value  15
    Displaying TRL rules statistics  15
    Displaying TRL rules in a policy  15
    Displaying IP address with held down traffic  16
    Refusing new connections from a specified IP address  16
  HTTP TRL  17
  Overview of HTTP TRL  17
    HTTP TRL features  17
  Configuring HTTP TRL  18
    Configuring HTTP TRL client  18
    Configuring HTTP TRL defaults  19
    Sample HTTP TRL configuration  20
  Displaying HTTP TRL  21
    Display all HTTP TRL policies  22
    Display HTTP TRL policy from index  22
    Display HTTP TRL policy client  23
    Display HTTP TRL policy starting from index  23
    Display HTTP TRL policy matching a regular expression  24
    Display HTTP TRL policy client index (MP)  24
    Display HTTP TRL policy client index (BP)  25
    Display HTTP TRL policy for all client entries (BP)  26
  Downloading an HTTP TRL policy through TFTP  26
  HTTP TRL policy commands  27
    Client-name monitor-interval  27
    Client-name max-conn  27
    Client-name exceed-action  28
    Default monitor-interval  28
    Default max-conn  29
    Default exceed-action  29
  Logging for DoS Attacks  30
    Configuration commands  30
    show server conn-rate  31
  Maximum connections  31
  clear statistics dos-attack  31
  Maximum concurrent connection limit per client  32
    Limiting the number of concurrent connections per client  32
  Firewall load balancing enhancements  34
    Enabling firewall strict forwarding  34
    Enabling firewall VRRPE priority  34
    Enabling track firewall group  35
    Enabling firewall session sync delay  35
  Syn-cookie threshold trap  35
  Service port attack protection in hardware  35
  Traffic segmentation  36
    VLAN bridging  36
    Considerations when configuring VLAN bridging  38
    Configuring VLAN bridging  38
    Displaying VLAN bridge information  39
    Traffic segmentation using the use-session-for-vip-mac command  41
  DNS attack protection  42
    Notes  42
    Configuring DNS attack protection  43
    Displaying DNS attack protection information  46

Chapter 2  Access Control List
  How ServerIron processes ACLs  49
    Prior to release 12.3.01  49
    Beginning with release 12.3.01 and later  49
    Rule-based ACLs  50
    How fragmented packets are processed  51
  Default ACL action  51
  Types of IP ACLs  52
  ACL IDs and entries  52
  ACL entries and the Layer 4 CAM  53
    Aging out of entries in the Layer 4 CAM  53
    Displaying the number of Layer 4 CAM entries  53
    Specifying the maximum number of CAM entries for rule-based ACLs  54
  Configuring numbered and named ACLs  54
    Configuring standard numbered ACLs  55
    Configuring extended numbered ACLs  56
    Extended ACL syntax  58
    Configuring standard or extended named ACLs  62
    Displaying ACL definitions  63
    Displaying ACLs using keywords  64
  Modifying ACLs  67
  Displaying a list of ACL entries  68
  Applying an ACL to interfaces  69
    Reapplying modified ACLs  69
  ACL logging  70
    Displaying ACL log entries  71
    Displaying ACL statistics for flow-based ACLs  72
    Clearing flow-based ACL statistics  72
  Dropping all fragments that exactly match a flow-based ACL  72
    Clearing the ACL statistics  73
  Enabling ACL filtering of fragmented packets  73
    Filtering fragmented packets for rule-based ACLs  73
    Enabling hardware filtering for packets denied by flow-based ACLs  75
  Enabling strict TCP or UDP mode for flow-based ACLs  76
    Enabling strict TCP mode  76
    Enabling strict UDP mode  77
  Configuring ACL packet and flow counters  78
  ACLs and ICMP  79
    Using flow-based ACLs to filter ICMP packets based on the IP packet length  79
    ICMP filtering with flow-based ACLs  79
  Using ACLs and NAT on the same interface (flow-based ACLs)  82
  Displaying ACL bindings  83
  Troubleshooting rule-based ACLs  83

Chapter 3  IPv6 Access Control Lists
  IACL overview  85
    Configuration Notes  86
    Processing of IPv6 ACLs  86
    Configuring an IPv6 ACL  87
    Applying an IPv6 ACL to an interface  93
    Displaying ACLs  94
    Displaying ACLs bound to an interface  94
  Using an ACL to Restrict SSH Access  94
  Using an ACL to Restrict Telnet Access  95
  Logging IPv6 ACLs  95

Chapter 4  Network Address Translation
  Introduction  97
  Configuring NAT  97
    Configuring static NAT  98
    Configuring dynamic NAT  98
    NAT configuration examples  99
  PAT  103
  Forwarding packets without NAT translation  103
  Translation timeouts  104
    Configuring the NAT translation aging timer  104
  Stateless static IP NAT  105
  Redundancy  105
    Enabling IP NAT  106
    Enabling static NAT redundancy  106
    Enabling dynamic NAT redundancy  107
  Displaying NAT information  107
    Displaying NAT statistics  108
    Displaying NAT translation  110
    Displaying NAT redundancy information  111
    Displaying VRRPE information  112
  Clearing NAT entries from the table  112

Chapter 5  Syn-Proxy and DoS Protection
  Understanding Syn-Proxy  113
    Syn-Proxy auto control  113
    Difference between ServerIron ADX and JetCore Syn-Proxy Behavior  113
  Configuring Syn-Proxy  114
    Setting a minimum MSS value for SYN-ACK packets  117
    Configuring Syn-Proxy auto control  120
    Displaying Syn-Proxy Commands  121
  DDoS protection  124
    Configuring a security filter  125
    Configuring a Generic Rule  125
    Configuring a rule for common attack types  127
    Configuring a rule for ip-option attack types  129
    Configuring a rule for icmp-type options  130
    Configuring a rule for IPv6 ICMP types  131
    Configuring a rule for IPv6 ext header types  132
    Binding the filter to an interface  133
    Clearing DOS attack statistics  133
    Clearing all DDOS Filter & Attack Counters  133
    Logging for DoS attacks  133
    Displaying security filter statistics  134
    Address-sweep and port-scan logging  134

Chapter 6  Secure Socket Layer (SSL) Acceleration
  SSL overview  135
    Public Key Infrastructure (PKI)  135
    Asymmetric cryptography  136
    Certificate Authority (CA)  136
    Certificate Revocation List (CRL)  136
    Cipher suite  136
    Digital certificate  136
    Digital signature  136
    Key  136
    Key pair  136
    Private key  136
    Public key  137
  SSL acceleration on the ServerIron ADX  137
    SSL Termination Mode  137
    SSL Proxy Mode  138
    ServerIron ADX SSL  138
  Configuring SSL on a ServerIron ADX  140
    Obtaining a ServerIron ADX keypair file  140
    Certificate management  141
    Converting certificate formats  147
    Importing keys and certificates  148
    Support for SSL renegotiation  164
  Basic SSL profile configuration  164
    Specifying a keypair file  165
    Specifying a cipher suite  165
    Specifying a certificate file  166
  Advanced SSL profile configuration  166
    Configuring client authentication  166
    Enabling session caching  170
    Configuring session cache size  170
    Configuring a session cache timeout  171
    Enabling SSL Version 2  171
    Enabling close notify  171
    Disabling certificate verification  171
    Enabling a ServerIron ADX SSL to respond with renegotiation headers  172
  Configuring Real and Virtual Servers for SSL Termination and Proxy Mode  172
    Configuring Real and Virtual Servers for SSL Termination Mode  173
    Configuring Real and Virtual Servers for SSL Proxy Mode  174
  Configuration Examples for SSL Termination and Proxy Modes  176
    Configuring SSL Termination Mode  176
    Configuring SSL Proxy Mode  177
    TCP configuration issues with SSL Terminate and SSL Proxy  178
    Other protocols supported for SSL  184
    Configuring the system max values  185
  SSL debug and troubleshooting commands  187
    Diagnostics  187
    Displaying SSL information  188
    Displaying the status of a CRL record  191
    Displaying socket information  199
    Displaying SSL Statistics information  201
    Displaying TCP IP information  205
    ASM SSL dump commands  209

About This Document

Audience

This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing. If you are using a Brocade Layer 3 Switch, you should be familiar with the following protocols if applicable to your network: IP, RIP, OSPF, BGP, ISIS, IGMP, PIM, DVMRP, and VRRP.

Supported hardware and software

Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc. for 12.3, documenting all possible configurations and scenarios is beyond the scope of this document.

The following hardware platforms are supported by this release of this guide:
• ServerIron ADX 1000
• ServerIron ADX 4000
• ServerIron ADX 8000
• ServerIron ADX 10000

Document conventions

This section describes text formatting conventions and important notice formats used in this document.

Text formatting

The narrative-text formatting conventions that are used are as follows:

bold text
  Identifies command names
  Identifies the names of user-manipulated GUI elements
  Identifies keywords
  Identifies text to enter at the GUI or CLI
italic text
  Provides emphasis
  Identifies variables
  Identifies document titles
code text
  Identifies CLI output

For readability, command names in the narrative portions of this guide are presented in bold: for example, show version.

Notes, cautions, and danger notices

The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards.
NOTE
A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.

CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.

DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.

Notice to the reader

This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations. These references are made for informational purposes only.

Corporation            | Referenced Trademarks and Products
Sun Microsystems       | Solaris
Microsoft Corporation  | Windows NT, Windows 2000
The Open Group         | Linux

Related publications

The following Brocade documents supplement the information in this guide:
• Release Notes for ServerIron Switch and Router Software TrafficWorks 12.2.00
• ServerIron ADX Graphical User Interface
• ServerIron ADX Server Load Balancing Guide
• ServerIron ADX Advanced Server Load Balancing Guide
• ServerIron ADX Global Server Load Balancing Guide
• ServerIron ADX Security Guide
• ServerIron ADX Administration Guide
• ServerIron ADX Switching and Routing Guide
• ServerIron ADX Firewall Load Balancing Guide
• ServerIron ADX Chassis Hardware Installation Guide
• Ironware MIB Reference Manual

Getting technical help

To contact Technical Support, go to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information.

Chapter 1
Network Security

TCP SYN attacks

ServerIron software contains many intrusion detection and prevention capabilities.
The ServerIron can be configured to defend against a variety of TCP SYN attacks, Denial of Service (DoS) attacks, and Smurf attacks.

TCP SYN attacks disrupt normal traffic flow by exploiting the way TCP connections are established. When a normal TCP connection occurs, the connecting host first sends a TCP SYN packet to the destination host. The destination host (actually the ServerIron, acting as an intermediary between the source and destination hosts) responds with a SYN ACK packet. The connecting host then returns an ACK packet. This process, known as the "TCP three-way handshake", establishes the TCP connection.

A TCP SYN attack floods a host with TCP SYN packets. For each of these TCP SYN packets, the ServerIron responds with a SYN ACK packet and adds an entry to its session table. However, no ACK packet is ever sent back, so the connection is incomplete. If the attacker sends enough TCP SYN packets, the session table fills up with incomplete connections, and service can be denied to legitimate TCP connections.

IP TCP syn-proxy

Configure the ip tcp syn-proxy command as shown in the following.

1. Configure syn-proxy in the global mode.

ServerIronADX(config)# ip tcp syn-proxy

Syntax: ip tcp syn-proxy

NOTE
You must configure the ip tcp syn-proxy command only at the global level; it turns the global syn-proxy flag on and off.

2. Enable syn-proxy on each interface handling inbound SYN requests.

ServerIronADX(config)# interface e 3/1
ServerIronADX(config-if-3/1)# ip tcp syn-proxy in

Usage guidelines:
• The default value for a valid ACK time is 32 seconds and is not user configurable.
• If you enter a value, it is ignored. The command remains in the config file the way you enter it, in case you need to downgrade to the previous release.
• The ServerIron may accept the ACK between 33 seconds and 64 seconds because of the syn-proxy algorithm, but it does not accept the ACK after 64 seconds.
• If you enter a value for the ip tcp syn-proxy command from the CLI, or upgrade from an older release such as 09.4.x to 09.5.2a with the ip tcp syn-proxy command in the config file, you receive the following warning message:

Warning: The value 10 is being ignored. Default ACK validate time of 32 seconds will be used. To change the MSL value, issue 'server msl '.

Granular application of syn-proxy feature

This feature applies to ServerIron ADX Syn-Proxy. When it is enabled, traffic destined to a virtual server IP is denied if the destination port is not defined under any of the virtual server definitions. This prevents the ServerIron ADX from responding with a TCP SYN-ACK to a TCP SYN for ports not defined under the VIP. Use the following command to validate traffic against a configured virtual port.

ServerIronADX(config)# server syn-cookie-check-vport

Syntax: [no] server syn-cookie-check-vport

Syn-def

Introduction

Use SYN-def (also known as SYN-Defense) to protect the hosts behind the ServerIron (not the ServerIron itself): the ServerIron completes the TCP three-way handshake on behalf of a connecting client. There is no SYN-cookie functionality with SYN-def.

NOTE
SYN-Defense is recommended only where Direct Server Return (DSR) is used. DSR is not supported with SYN-proxy but is supported with SYN-def. For non-DSR scenarios, use Syn-Proxy only.

show server traffic

Use the show server traffic command to display information about the number of times the incomplete connection threshold was reached.
ServerIronADX# show server traffic
Client->Server    = 0    Server->Client    = 1
Drops             = 0    Aged              = 0
Fw_drops          = 0    Rev_drops         = 0
FIN_or_RST        = 0    old-conn          = 0
Disable_drop      = 0    Exceed_drop       = 0
Stale_drop        = 0    Unsuccessful      = 0
TCP SYN-DEF RST   = 0    Server Resets     = 0
Out of Memory     = 0    Out of Memory     = 0

The last line contains information relevant to the incomplete connection threshold. The TCP SYN-DEF RST field displays the number of times the incomplete connection threshold was reached. The Server Resets field displays the number of times the ServerIron sent a TCP RESET packet to the destination real server.

SYN-def-dont-send-ack

The SYN-def feature allows the ServerIron to complete the TCP three-way handshake on behalf of a connecting client. When a connecting client sends a TCP SYN to a server, the ServerIron forwards the SYN to the real server, then forwards the SYN ACK from the server to the client. Next, the ServerIron sends an ACK to the real server, completing the three-way handshake on behalf of the connecting client. This allows the real server to move the connection from its pending connection queue to its established (and much larger) connection queue.

Use the server syn-def-dont-send-ack command to prevent the ServerIron from sending the ACK to the real server to complete the three-way handshake.

Example

ServerIronADX(config)# server syn-def-dont-send-ack

show server debug

Use the show server debug command to display information about the configuration, as shown in the following example.
SLB-chassis1/1# show server debug
Generic Debug Info
BP Distribution      = Enabled           JetCore              = No
No of BPs            = 3                 No of Partner BPs    = 0
Partner Chassis MAC  = 0000.0000.0000
Partner BP1 MAC      = 0000.0000.0000    Partner BP2 MAC      = 0000.0000.0000
Partner BP3 MAC      = 0000.0000.0000    Partner BP4 MAC      = 0000.0000.0000
Partner BP5 MAC      = 0000.0000.0000    Partner BP6 MAC      = 0000.0000.0000

Server Load Balancing Debug Info
Total Get            = 3    Total Free           = 0
Get Fails            = 0    Get Buffer failure   = 0
Forward Sp           = 0    Reverse Sp           = 0
Bad creates          = 0    TCP Resets           = 0
Fw resets            = 0    Rev Resets           = 0
Double Free          = 0    Error Free list      = 0
Free inv Sess Idx    = 0    Idx inv              = 0
Cache-Reassigns      = 0    Trans-Denied         = 0
Multi Path Fwd Use   = 0    Multi Path Rev Use   = 0
Bad non-owner        = 0    Select Fwall         = 0
FTP-trans-error      = 0    Cache track-error    = 0
Fw tcp inside move   = 0    Fw udp inside move   = 0
Fw SYNC delayed      = 0    ownership contention = 0
FW stale to conns    = 0    FW stale to delq con = 0
FW stale from conns  = 0    FW stale from delq c = 0
FW stale from nuke c = 0    Sac frwds            = 0

Unxpectd udata       = 0    Unxpectd udata(def)  = 0
Client->Server       = 0    Server->Client       = 0
Drops                = 0    Aged                 = 0
Fw_drops             = 0    Rev_drops            = 0
FIN_or_RST           = 0    old-conn             = 0
Disable_drop         = 0    Exceed_drop          = 0
Stale_drop           = 0    Unsuccessful         = 0
SYN def/proxy RST    = 0    Server Resets        = 0
Out of Memory        = 0    Out of Memory        = 0
last conn rate       = 0    max conn rate        = 0
last TCP attack rate = 0    max TCP attack rate  = 0
fast vport found     = 0    fast vport n found   = 0
Fwd to non-static FI = 0    Dup stale SYN        = 0

TCP forward FIN      = 0    TCP reverse FIN      = 0
Fast path FWD FIN    = 0    Fast path REV FIN    = 0
Fast path SLB SYN    = 0    Dup SYN after FIN    = 0
Duplicate SYN        = 0    Duplicate sessions   = 0
TCP ttl FIN recvd    = 0    TCP ttl reset recvd  = 0
Sessions in DEL_Q    = 0    Sess force deleted   = 0
Fwd sess not found   = 0    sess already in delQ = 0
Sess rmvd from delQ  = 0
Fragment buf full er = 0    Incoming TCP cksum e = 0
New sess sync sent   = 0    New sess sync recvd  = 0
L4 msg sent          = 0    L4 msg recvd         = 0
foundry packet sent  = 0    ipc packet sent      = 2818942
TCP SYN received     = 0    TCP SYN dropped      = 0
TCP SYN to MP        = 0    TCP SYN ACK to MP    = 0
TCP SYN ACK received = 0    TCP SYN ACK dropped  = 0
TCP pkt received     = 0    TCP pkt dropped      = 0
TCP pkt to MP        = 0
PBSLB tftp status    = In progres

Avail. Sessions      = 1999996    Total Sessions       = 2000000
Hash size            = 200001
Total C->S Conn      = 0          Total S->C Conn      = 0
Total Reassign       = 0          Unsuccessful Conn    = 0

Server State - 0: disabled, 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Real Server   St   CurrConn   TotConn   TotRevConn   CurrSess   PeakConn
R1 rs1        1    1          0         0            0          0   0 0 0/0/0 0/0/0 0 0

No response to non-SYN first packet of a TCP flow

ServerIron can remain passive when a non-SYN packet arrives at the beginning of a flow. The default behavior is to send a TCP RESET to the client when a non-SYN packet is received at the beginning of a flow.

By default, when ServerIron ADX receives a TCP packet that is destined to a VIP and there is no session match, it sends a TCP reset to the sender. Note that with this default the ServerIron ADX generates one RST for every unmatched non-SYN packet it receives. If you prefer the device to remain passive instead, enable this feature. To not send the reset packet, use the following command.

ServerIronADX(config)# server reset-on-syn-only

To remove the configuration, use the following command.

ServerIronADX(config)# no server reset-on-syn-only

Syntax: [no] server reset-on-syn-only

Prioritizing management traffic

ServerIron ADX software allows the system to prioritize traffic destined to the management IP address in order to facilitate uninterrupted access to the ServerIron switch even under heavy load conditions. This feature allows you to prioritize management traffic based on the following.
1. Client IP address/subnet
2. Protocol (TCP/UDP/IP)
3. TCP or UDP port number
With this feature turned on, the specified traffic is forwarded directly to the Management Module in hardware.
In the following example, traffic from the source subnet 1.1.1.0/24 (entered as 1.1.1.1 with mask 255.255.255.0) destined to management IP 10.45.16.104 on TCP port 22 (SSH) is prioritized.

ServerIronADX(config)# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 10.45.16.104 6 22

Syntax: server prioritize-mgmt-traffic <source-ip> <mask> <management-ip> [<protocol>] [<port>]

The <source-ip> variable specifies the source IP address.
The <mask> variable specifies the mask for the source IP address.
The <management-ip> variable specifies the destination management IP address. The destination IP address must already be configured on the ServerIron ADX. If the IP address is not configured, the command is rejected.
The <protocol> variable specifies the IP protocol number (for example 6 for TCP, 17 for UDP, or 89 for OSPF).
The <port> variable specifies a TCP or UDP port.

It is also possible to prioritize management traffic from any source IP, as shown in the example below.

ServerIronADX(config)# server prioritize-mgmt-traffic any 10.45.16.104 6 22

Syntax: [no] server prioritize-mgmt-traffic any <management-ip> [<protocol>] [<port>]

NOTE
Do not enable the prioritize-mgmt-traffic feature for a ServerIron ADX router VE address if that interface is used for source NAT, because doing so would break the SLB traffic flow. Also note that the any form matches every source, so traffic an attacker sends to that management port is forwarded to the Management Module with the same priority; prefer a specific source subnet where possible, and combine the feature with server drop-all-mgmt-access (described below) to drop everything else.

Refer to the following examples.

Prioritization of TCP port 80 traffic to management IP 200.1.1.1
ServerIronADX(config)# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 200.1.1.1 6 80

Prioritization of TCP port 80 traffic to management IP 200.1.1.1 from any source IP address
ServerIronADX(config)# server prioritize-mgmt-traffic any 200.1.1.1 6 80

Prioritization of UDP port 2222 traffic to management IP 200.1.1.1
ServerIronADX(config)# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 200.1.1.1 17 2222

Prioritization of IP protocol 89 (OSPF) traffic to management IP 200.1.1.1
ServerIronADX(config)# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 200.1.1.1 89

Protection against attack in hardware

ServerIron ADX allows for protection against attack in hardware without impacting MP or BP CPU utilization.
Use the server drop-all-mgmt-access command to drop all traffic destined to a specified management IP address. The following command drops all traffic destined to the management IP address 10.45.16.104.

ServerIronADX(config)# server drop-all-mgmt-access 10.45.16.104

Syntax: [no] server drop-all-mgmt-access <management-ip>

NOTE
For a router, the destination IP address is the physical or VE interface IP address. For a switch, the destination IP address is the management IP address.

The server drop-all-mgmt-access feature, when used in combination with the server prioritize-mgmt-traffic feature, allows you to prioritize valid traffic while blocking unwanted traffic destined to the management IP address. For example, with the following configuration, only SSH, Telnet and HTTP traffic from 1.1.1.0/24 destined to management IP address 10.45.16.104 is prioritized, and all other traffic destined to 10.45.16.104 is dropped.

ServerIronADX(config)# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 10.45.16.104 6 22
ServerIronADX(config)# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 10.45.16.104 6 23
ServerIronADX(config)# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 10.45.16.104 6 80
ServerIronADX(config)# server drop-all-mgmt-access 10.45.16.104

Enter the prioritize-mgmt-traffic lines before the drop-all-mgmt-access line, and make sure they cover the source address and protocol of the session you are configuring from; otherwise the drop rule cuts off your own management access. Telnet and HTTP carry credentials in cleartext, so where possible prioritize only the SSH port and leave Telnet and HTTP to be dropped.

Peak BP utilization with TRAP

Show CPU-utilization command enhancement

The show cpu-utilization command displays CPU utilization peaks since the system boot or the last reset of the counters (using the clear cpu-utilization command). The clear cpu-utilization command is used on both the MP and the BP to reset the counter.

BP utilization threshold

The bp-utilization-threshold command allows you to specify a threshold for BP CPU utilization. Define this command under the global configuration mode. When the threshold is exceeded, the event is logged and a trap is sent. The log and trap are rate-limited to one per two minutes.
The command takes a percentage string as its parameter.

Example
ServerIronADX(config)# bp-utilization-threshold 80.5%

Syntax: bp-utilization-threshold <percentage>

MP utilization threshold

The mp-utilization-threshold command specifies a threshold for MP CPU utilization. Define this command under the global configuration mode. When the threshold is exceeded, the event is logged and a trap is sent. The log and trap are rate-limited to one every two minutes. The command takes a percentage string as its parameter.

Example
ServerIronADX(config)# mp-utilization-threshold 80.5%

Syntax: mp-utilization-threshold <percentage>

Transaction Rate Limit (TRL)

Transaction Rate Limit allows the ServerIron ADX to monitor and limit traffic from any one IP address.

Understanding transaction rate limit

Transaction Rate Limit counts the number of transactions received from any one IP address. If the transaction count exceeds a specified threshold value, traffic from that IP address is held down and not processed for a specified number of minutes. Transaction rate limit provides the flexibility to specify different configurations for different clients, based on the client IP address/prefix.

Transaction rate limit provides the following benefits:
• Ability to apply a default transaction rate limit value to all clients, while maintaining an exception list.
• Ability to apply a different transaction rate limit per client IP or prefix.
• Ability to exclude specific IP addresses or prefixes from transaction rate limit and maintain an exclude list.
• Ability to apply transaction rate limit to traffic coming to a specific VIP only.
• Ability to operate on a per-VIP basis, whereby a different rate limit can be applied to traffic coming to a different VIP.

Configuring transaction rate limit

To enable transaction rate limit, you must configure parameters for each client address/prefix and apply the transaction rate limit configuration to a specific VIP.
Prerequisites

Before you can configure transaction rate limit, you must configure a virtual server. The following example shows how to configure a virtual server.

ServerIronADX> enable
ServerIronADX# config terminal
ServerIronADX(config)# server virtual-name-or-ip bwVIP 1.1.1.33

Syntax: [no] server virtual-name-or-ip <name> <ip-addr>

Configure transaction rate limit rule set

The transaction rate limit parameters are grouped into a set and each set is associated with a name. To create a set of transaction rate limit rules, follow these steps.
1. Enable privileged EXEC mode.
ServerIronADX> enable
2. Enter global configuration mode.
ServerIronADX# configure terminal
3. Configure the name of a transaction rate limit rule set and enter client transaction rate limit configuration mode.
ServerIronADX(config)# client-trans-rate-limit tcp TRL1
Syntax: [no] client-trans-rate-limit tcp | udp | icmp <name>
4. Specify the trl keyword for the client subnet and set the connection rate.
For IPv4:
ServerIronADX(config-client-trl-trl1)# trl 100.1.1.0 255.255.255.0 monitor-interval 3 conn-rate 10 hold-down-time 1
For IPv6:
ServerIronADX(config-client-trl-trl1)# trl 100::1/128 monitor-interval 3 conn-rate 10 hold-down-time 1
Syntax: [no] trl {<ipv4-addr> <mask> | <ipv6-prefix>/<prefix-length>} monitor-interval <value> conn-rate <value> hold-down-time <minutes>

Configure transaction rate limit to exclude a client

You can configure a client address/prefix to be excluded from transaction rate limiting within a transaction rate limit configuration group. To exclude a client from transaction rate limit, follow these steps.
1. Enable privileged EXEC mode.
ServerIronADX> enable
2. Enter global configuration mode.
ServerIronADX# configure terminal
3. Specify the name of the transaction rate limit rule set and enter client transaction rate limit configuration mode.
ServerIronADX(config)# client-trans-rate-limit tcp TRL1
Syntax: [no] client-trans-rate-limit tcp | udp | icmp <name>
4. Specify the trl parameter for the client subnet and the exclude keyword.
For IPv4:
ServerIronADX(config-client-trl-TRL1)# trl 100.1.1.0 255.255.255.0 exclude
For IPv6:
ServerIronADX(config-client-trl-TRL1)# trl 300::1/128 exclude
Syntax: [no] trl {<ipv4-addr> <mask> | <ipv6-prefix>/<prefix-length>} exclude

Configure a transaction rate limit default

You can specify a default transaction rate limit configuration for all other clients that are not explicitly configured. To create a transaction rate limit default for a group, follow these steps.
1. Enable privileged EXEC mode.
ServerIronADX> enable
2. Enter global configuration mode.
ServerIronADX# configure terminal
3. Specify the name of the transaction rate limit rule set and enter client transaction rate limit configuration mode.
ServerIronADX(config)# client-trans-rate-limit tcp TRL1
Syntax: [no] client-trans-rate-limit tcp | udp | icmp <name>
4. Specify the default trl parameter for this group.
ServerIronADX(config-client-trl)# trl default monitor-interval 3 conn-rate 10 hold-down-time 1
Syntax: [no] trl default monitor-interval <value> conn-rate <value> hold-down-time <minutes>

Configure transaction rate limit for pass through traffic

You can configure transaction rate limit for traffic that is not going to a virtual server. You can configure only one group for pass through traffic. To create a transaction rate limit group for pass through traffic, follow these steps.
1. Enable privileged EXEC mode.
ServerIronADX> enable
2. Enter global configuration mode.
ServerIronADX# configure terminal
3. Create the default transaction rate limit rule set and enter client transaction rate limit configuration mode.
ServerIronADX(config)# client-trans-rate-limit tcp default
Syntax: [no] client-trans-rate-limit tcp | udp | icmp default
4. Specify the trl parameter for the client subnet and set a connection rate.
For IPv4:
ServerIronADX(config-client-trl)# trl 100.1.1.0 255.255.255.0 monitor-interval 3 conn-rate 10 hold-down-time 1
For IPv6:
ServerIronADX(config-client-trl)# trl 300::11/128 monitor-interval 3 conn-rate 10 hold-down-time 1
Syntax: [no] trl {<ipv4-addr> <mask> | <ipv6-prefix>/<prefix-length>} monitor-interval <value> conn-rate <value> hold-down-time <minutes>
5. The transaction rate limit policy pertaining to the protocol and the port must be applied to either the physical or the virtual interface for pass through traffic. This ensures that the traffic is brought to the application processor (BP) for rate limiting.
Applying the policy on a physical interface
ServerIronADX(config)# interface eth 1/1
ServerIronADX(config-if-1/1)# ip tcp trans-rate 80
Applying the policy on a virtual interface
ServerIronADX(config)# interface ve 20
ServerIronADX(config-vif-20)# ip udp trans-rate 53
Syntax: [no] ip tcp | udp trans-rate <port-list>
Syntax: [no] ip icmp trans-rate
The <port-list> parameter specifies one or more TCP or UDP ports to monitor. You can monitor up to four ports.

Apply transaction rate limit to a VIP

After configuring transaction rate limit, you must bind transaction rate limit to a VIP. To enable transaction rate limit, follow these steps.
1. Enable privileged EXEC mode.
ServerIronADX> enable
2. Enter global configuration mode.
ServerIronADX# configure terminal
3. Specify the server virtual-name-or-ip command and the VIP name to enter virtual server configuration mode.
ServerIronADX(config)# server virtual-name-or-ip bwVIP
Syntax: [no] server virtual-name-or-ip <name>
4. Specify the client-trans-rate-limit parameter and the transaction rate limit rule set.
ServerIronADX(config-vs-bwVIP)# client-trans-rate-limit trl
Syntax: [no] client-trans-rate-limit <name>
5. The transaction rate limit policy pertaining to the protocol and the port must be applied to either the physical or the virtual interface for traffic destined to the virtual IP.
Applying the policy on a physical interface
ServerIronADX(config)# interface eth 1/1
ServerIronADX(config-if-1/1)# ip tcp trans-rate 80
Applying the policy on a virtual interface
ServerIronADX(config)# interface ve 20
ServerIronADX(config-vif-20)# ip udp trans-rate 53
Syntax: [no] ip tcp | udp trans-rate <port-list>
Syntax: [no] ip icmp trans-rate
The <port-list> parameter specifies one or more TCP or UDP ports to monitor. You can monitor up to four ports.

Deleting all TRL rules in a policy

You can delete all TRL rules in a policy as shown.
ServerIronADX(config)# client-trans-rate-limit tcp trl1
ServerIronADX(config-client-trl-trl1)# trl delete-all-rules
Syntax: trl delete-all-rules

Download transaction rate limit configuration from a TFTP server (optional)

When a Transaction Rate Limit configuration becomes very large, you can download the configuration from a TFTP server.

NOTE
A TRL configuration file can have IPv4 as well as IPv6 rules.

The following example shows how to download a Transaction Rate Limit configuration from a TFTP server.
ServerIronADX(config)# server trl tftp 100.1.1.1 test.trl 2
Syntax: server trl tftp <ip-addr> <filename> <retries>
Specify the following values.
<ip-addr> - IP address of the TFTP server.
<filename> - File name of the Transaction Rate Limit configuration.
<retries> - Retry count for the download.

Verify that the Transaction Rate Limit configuration file is in the following format.
client-trans-rate-limit tcp trl101
trl 10.2.24.0/24 monitor-interval 50 conn-rate 100 hold-down-time 60
trl 10.2.24.10/32 exclude

NOTE
This is the same format as the show running-configuration command generates.

TFTP provides neither authentication nor integrity protection, so a TRL file fetched this way can be altered on the path (for example, to weaken a hold-down rule or add an exclude for an attacker's prefix). Serve the file only from a management network you control, and review the rules that were actually loaded with show client-trl afterwards.

Configuring the maximum number of rules

By default a TRL policy can have up to 2500 IPv4 rules and 2500 IPv6 rules. A maximum of 15,000 IPv4 and 15,000 IPv6 rules are supported on a ServerIron ADX for all policies. While the maximum number of rules cannot be increased over the 15,000 maximum, these limits can be changed globally or locally per-policy.
Changing the maximum number of rules globally

You can change the maximum number of TRL rules globally on a ServerIron ADX for all policies as shown.
ServerIronADX(config)# client-trans-rate-limit max-ipv4-rules 2000
Syntax: [no] client-trans-rate-limit { max-ipv4-rules | max-ipv6-rules } <number>
The max-ipv4-rules parameter specifies that the rule limit is being set for IPv4 rules. The max-ipv6-rules parameter specifies that the rule limit is being set for IPv6 rules. The <number> variable specifies the number of rules that will be supported globally. The maximum values (also the defaults) are 15,000 for IPv4 and 15,000 for IPv6.

Changing the maximum number of rules locally per-policy

You can change the maximum number of TRL rules for an individual policy on a ServerIron ADX as shown.
ServerIronADX(config)# client-trans-rate-limit tcp trl1
ServerIronADX(config-client-trl-trl1)# trl max-ipv4-rules 2000
Syntax: [no] trl { max-ipv4-rules | max-ipv6-rules } <number>
The max-ipv4-rules parameter specifies that the rule limit is being set for IPv4 rules for the specified policy. The max-ipv6-rules parameter specifies that the rule limit is being set for IPv6 rules for the specified policy. The <number> variable specifies the number of rules that will be supported for the policy under which this command is configured. The default values are 2500 for IPv4 and 2500 for IPv6. The value for each (IPv4 and IPv6) can be set to any number as long as the global limits are observed.

Saving a TRL configuration

The following applies to saving a TRL config:
• The startup-config cannot store 15,000 IPv4 and 15,000 IPv6 rules.
• If the total number of IPv4 and IPv6 rules exceeds 2500, issuing the write mem command stores the TRL rules in the "trl_conf.txt" file on the internal USB drive.
• The policy config and the global/local maximum rule count config are always stored in the startup-config.
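A small Python tool, added here as an example and not Brocade code, that writes a TRL file in the running-config format shown above for the TFTP download, parses such a file back, and checks the rule counts against the per-policy (2500) and global (15,000) IPv4/IPv6 limits from this section. It assumes prefixes are written in CIDR form as in the guide's file example, that a trl default line does not count toward the prefix-rule limits, and that lines beginning with "!" are comments as in a running-config; the policy and rule contents are constructed.

```python
"""Render, parse and sanity-check a ServerIron TRL configuration file.

Added illustration (not Brocade code).  Assumptions: CIDR prefixes as in the
guide's file example, "trl default" not counted as a prefix rule, "!" lines
are comments.  Limits are the guide's: 2500 per policy and 15,000 global,
per address family.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

PER_POLICY_DEFAULT = 2500   # default per-policy limit per address family
GLOBAL_MAX = 15000          # platform maximum per address family, all policies


@dataclass
class Rule:
    prefix: str | None          # CIDR string, or None for "trl default"
    exclude: bool = False
    monitor_interval: int = 0   # units of 100 ms
    conn_rate: int = 0          # connections per second
    hold_down_time: int = 0     # minutes (0 = log only)

    def render(self) -> str:
        target = "default" if self.prefix is None else self.prefix
        if self.exclude:
            return f"trl {target} exclude"
        return (f"trl {target} monitor-interval {self.monitor_interval} "
                f"conn-rate {self.conn_rate} hold-down-time {self.hold_down_time}")


@dataclass
class Policy:
    proto: str                  # tcp | udp | icmp
    name: str
    rules: list[Rule] = field(default_factory=list)
    max_ipv4_rules: int = PER_POLICY_DEFAULT   # "trl max-ipv4-rules <number>"
    max_ipv6_rules: int = PER_POLICY_DEFAULT   # "trl max-ipv6-rules <number>"

    def render(self) -> str:
        header = f"client-trans-rate-limit {self.proto} {self.name}"
        return "\n".join([header] + [r.render() for r in self.rules]) + "\n"

    def counts(self) -> tuple[int, int]:
        """(IPv4 prefix rules, IPv6 prefix rules); the default rule counts in neither."""
        versions = [ipaddress.ip_network(r.prefix).version for r in self.rules if r.prefix]
        return versions.count(4), versions.count(6)


RULE_RE = re.compile(
    r"^trl\s+(?P<target>\S+)\s+(?:(?P<exclude>exclude)|monitor-interval\s+(?P<mi>\d+)"
    r"\s+conn-rate\s+(?P<cr>\d+)\s+hold-down-time\s+(?P<hd>\d+))$")


def parse(text: str) -> list[Policy]:
    """Parse a TRL file; raises ValueError on malformed lines or bad prefixes."""
    policies: list[Policy] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):       # blank or comment line
            continue
        if line.startswith("client-trans-rate-limit "):
            parts = line.split()
            if len(parts) != 3 or parts[1] not in ("tcp", "udp", "icmp"):
                raise ValueError(f"line {lineno}: bad policy header: {raw!r}")
            policies.append(Policy(parts[1], parts[2]))
            continue
        m = RULE_RE.match(line)
        if m is None or not policies:
            raise ValueError(f"line {lineno}: not a TRL rule: {raw!r}")
        target = m.group("target")
        # strict=True rejects a prefix with host bits set, e.g. 10.2.24.10/24
        prefix = None if target == "default" else str(ipaddress.ip_network(target, strict=True))
        policies[-1].rules.append(Rule(
            prefix, exclude=m.group("exclude") is not None,
            monitor_interval=int(m.group("mi") or 0), conn_rate=int(m.group("cr") or 0),
            hold_down_time=int(m.group("hd") or 0)))
    return policies


def validate(policies: list[Policy]) -> list[str]:
    """Return the limit violations (empty when the file would load within limits)."""
    problems, total4, total6 = [], 0, 0
    for p in policies:
        v4, v6 = p.counts()
        total4, total6 = total4 + v4, total6 + v6
        if v4 > p.max_ipv4_rules:
            problems.append(f"{p.name}: {v4} IPv4 rules exceed per-policy limit {p.max_ipv4_rules}")
        if v6 > p.max_ipv6_rules:
            problems.append(f"{p.name}: {v6} IPv6 rules exceed per-policy limit {p.max_ipv6_rules}")
        if sum(1 for r in p.rules if r.prefix is None) > 1:
            problems.append(f"{p.name}: more than one 'trl default' rule")
    if total4 > GLOBAL_MAX:
        problems.append(f"{total4} IPv4 rules exceed global limit {GLOBAL_MAX}")
    if total6 > GLOBAL_MAX:
        problems.append(f"{total6} IPv6 rules exceed global limit {GLOBAL_MAX}")
    return problems


def demo() -> tuple[str, list[Policy], list[str], list[str]]:
    """Constructed sample: the guide's trl101 file plus one oversized policy."""
    trl101 = Policy("tcp", "trl101", [
        Rule("10.2.24.0/24", monitor_interval=50, conn_rate=100, hold_down_time=60),
        Rule("10.2.24.10/32", exclude=True),
        Rule("300::/64", monitor_interval=50, conn_rate=100, hold_down_time=60),
        Rule(None, monitor_interval=10, conn_rate=50, hold_down_time=0),
    ])
    text = trl101.render()
    parsed = parse(text)
    too_big = Policy("udp", "bulk", [Rule(f"10.{i >> 8}.{i & 255}.0/24", monitor_interval=10,
                                          conn_rate=10, hold_down_time=1) for i in range(2501)])
    return text, parsed, validate(parsed), validate([too_big])
```

Run the checker against a file before pointing server trl tftp at it: a policy that trips a per-policy or global limit on the device is easier to diagnose offline, and the strict prefix parsing catches rules such as 10.2.24.10/24 that do not describe the network the author intended.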
Disabling the storage of TRL rules on the internal USB drive

By default, storage of TRL rules on the internal USB drive of a ServerIron ADX is enabled. You can disable it as shown.
ServerIronADX(config)# no client-trans-rate-limit usb-config-gen
Syntax: no client-trans-rate-limit usb-config-gen

NOTE
Where the storage of TRL rules on the internal USB drive is disabled and the total number of rules exceeds 2500, only 2500 rules are saved in the startup-config; the remaining rules are not saved and will be missing after a reload, so verify the rule counts with show client-trl rules-stat after a write mem.

Transaction rate limit command reference

This section describes the syntax, semantics, and usage for each transaction rate limit command. This section contains the following sections:
• "client-trans-rate-limit"
• "trl"

client-trans-rate-limit

Use the client-trans-rate-limit command in the global configuration mode to configure a transaction rate limit rule name and traffic type.
Syntax: client-trans-rate-limit {icmp | tcp | udp} {<name> | default}
icmp - Specifies ICMP transaction rate limit for the client subnet.
tcp - Specifies TCP transaction rate limit for the client subnet.
udp - Specifies UDP transaction rate limit for the client subnet.
<name> - Specifies the name for this configuration.
default - Specifies the default rule set, used for pass through traffic.

trl

Use the trl command in the client-trl configuration mode (entered with client-trans-rate-limit) to configure transaction rate limit rules.
Syntax: trl {default | {<ipv4-addr> <mask> | <ipv6-prefix>/<prefix-length>} {exclude | monitor-interval <value> conn-rate <value> hold-down-time <minutes>}}
default - Specifies the default transaction rate limit parameters.
<ipv4-addr> - Specifies the IPv4 client subnet, and <mask> - Specifies the IPv4 client mask.
<ipv6-prefix> - Specifies the IPv6 client subnet, and <prefix-length> - Specifies the IPv6 client mask bits.
exclude - Specifies to exclude the prefix from transaction rate limit.
monitor-interval - Specifies the time interval for monitoring, in units of 100 ms.
<value> - Specifies the value of the time interval for monitoring.
conn-rate - Specifies the connection rate.
<value> - Specifies the value of the connection rate for the client.
hold-down-time - Specifies the time for holding down the source.
<minutes> - Specifies the hold-down time in minutes.

Command modes
Client-trl configuration mode, entered from global configuration mode with client-trans-rate-limit.

Global TRL

If TRL per client subnet is not needed, Global TRL can be used to create a configuration that applies to all incoming traffic. Use ip [tcp | udp | icmp] trans-rate to enable TRL on the ServerIron for TCP, UDP, or ICMP traffic. If more than a specified number of packets per second come from the same IP address over a specified interval, then all traffic from that IP address is held down for a specified number of minutes.
Syntax: [no] ip [tcp | udp | icmp] trans-rate monitor-interval <value> conn-rate <value> hold-down-time <minutes>
monitor-interval - Amount of time used to measure incoming traffic. This parameter is specified in increments of 100 ms. For example, to measure traffic over a 1-second interval, specify 10.
conn-rate - Threshold for the number of connections per second from any one IP address. Traffic exceeding this rate over the specified interval is subject to hold down.
hold-down-time - Number of minutes that traffic from an IP address that has sent packets at a rate higher than the configured threshold is held down.

Example
ServerIronADX(config)# ip tcp trans-rate monitor-interval 600 conn-rate 100 hold-down-time 5
This command configures the ServerIron to monitor incoming TCP traffic. If more than 100 TCP connections per second arrive from the same IP address over a 60-second interval (600 x 100 ms), then all TCP traffic from that IP address is held down for 5 minutes.

To apply TRL to TCP traffic coming into port 80 on interface 1/1:
ServerIronADX(config)# interface ethernet 1/1
ServerIronADX(config-if-1/1)# ip tcp trans-rate 80
where <port-list> sets one or more TCP or UDP ports to monitor. With TRL, the ServerIron can monitor up to 4 specific ports.
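The following Python model is an added illustration, not taken from the guide or from Brocade's code. It replays constructed connection timestamps through the hold-down logic described above: monitor-interval in units of 100 ms, conn-rate in connections per second, hold-down-time in minutes (0 means log only), an exclude rule and a trl default rule. Two points the guide leaves unstated are assumptions here: the most specific matching prefix wins when prefixes overlap, and the threshold is evaluated as conn-rate times the interval length in seconds over a fixed window that restarts when it expires. The prefixes, rates and client addresses are constructed.

```python
"""Model of the ServerIron TRL hold-down decision (added illustration, not
Brocade code).  Assumptions beyond the guide: longest-prefix match among
overlapping rules; budget per window = conn-rate x window seconds; the
window is fixed and restarts once it has elapsed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class TrlRule:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network | None  # None = "trl default"
    exclude: bool = False
    monitor_interval: int = 0   # units of 100 ms, as on the CLI
    conn_rate: int = 0          # connections per second
    hold_down_time: int = 0     # minutes; 0 = log only

    @property
    def window_seconds(self) -> float:
        return self.monitor_interval / 10.0

    @property
    def max_connections(self) -> float:
        # conn-rate is per second, so the budget for one window scales with its length
        return self.conn_rate * self.window_seconds


@dataclass
class TrlState:
    rules: list[TrlRule]
    windows: dict[str, tuple[float, int]] = field(default_factory=dict)  # src -> (window start, count)
    held: dict[str, float] = field(default_factory=dict)                 # src -> release time (s)
    log: list[str] = field(default_factory=list)

    def lookup(self, src: str) -> TrlRule | None:
        """Longest-prefix match among explicit rules, else the default rule, else None."""
        addr = ipaddress.ip_address(src)
        best = None
        for rule in self.rules:
            if rule.prefix is not None and addr in rule.prefix:
                if best is None or rule.prefix.prefixlen > best.prefix.prefixlen:
                    best = rule
        if best is None:
            best = next((r for r in self.rules if r.prefix is None), None)
        return best

    def connection(self, src: str, now: float) -> str:
        """Decide one new connection from src at time now (seconds): forward, drop or log."""
        rule = self.lookup(src)
        if rule is None or rule.exclude:           # no rule or "exclude": never limited
            return "forward"
        release = self.held.get(src)
        if release is not None:
            if now < release:                      # still inside the hold-down period
                return "drop"
            del self.held[src]
        start, count = self.windows.get(src, (now, 0))
        if now - start >= rule.window_seconds:    # window elapsed: start a fresh one
            start, count = now, 0
        count += 1
        self.windows[src] = (start, count)
        if count <= rule.max_connections:
            return "forward"
        if rule.hold_down_time == 0:               # "hold down 0": log, do not hold down
            self.log.append(f"{src}: {count} conns in {rule.window_seconds}s window (log only)")
            return "log"
        self.held[src] = now + rule.hold_down_time * 60
        self.log.append(f"{src}: held down for {rule.hold_down_time} min")
        return "drop"


def simulate() -> dict:
    """Constructed traffic mirroring the guide's examples (not captured data)."""
    state = TrlState([
        TrlRule(ipaddress.ip_network("100.1.1.0/24"), monitor_interval=10, conn_rate=5, hold_down_time=1),
        TrlRule(ipaddress.ip_network("100.1.1.10/32"), exclude=True),
        TrlRule(ipaddress.ip_network("300::/64"), monitor_interval=30, conn_rate=10, hold_down_time=2),
        TrlRule(None, monitor_interval=10, conn_rate=50, hold_down_time=0),
    ])
    return {
        # 7 connections in 0.6 s against a budget of 5 per 1 s window
        "burst": [state.connection("100.1.1.20", i / 10) for i in range(7)],
        # 1 minute hold-down has expired by t=61 s
        "after_hold_down": state.connection("100.1.1.20", 61.0),
        # /32 exclude beats the /24 rule
        "excluded": {state.connection("100.1.1.10", i / 100) for i in range(100)},
        # default rule with hold-down 0: the 51st connection is logged, not dropped
        "default": [state.connection("10.0.0.5", i / 100) for i in range(51)],
        # IPv6 rule: 31 connections in 1.5 s against 10/s over a 3 s window
        "v6": [state.connection("300::5", i / 20) for i in range(31)],
        "log": list(state.log),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

The model makes the interaction between the two parameters visible: with monitor-interval 600 and conn-rate 100, a client may send up to 6000 connections in a 60-second window before anything happens, so a short interval catches bursts sooner while a long one tolerates them in exchange for fewer false hold-downs.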
The ServerIron can also monitor traffic to all ports by configuring the default port.

TRL plus security ACL-ID

Although TRL is applied to an interface and affects all traffic received on that interface, with the security acl-id command TRL can be applied only to specific traffic coming in on that interface. Refer to "security acl-id" below.

security acl-id

The security global command accepts acl-id as a parameter.
Syntax: [no] security acl-id <acl-number>
Example
ServerIronADX(config)# security acl-id 4
Once security acl-id is configured, only packets matching the configured ACL are subject to the L4 security rules configured on the system. (Specifically, TRL and manual hold down take effect only for packets matching this configured ACL.) If you want specific traffic to bypass the L4 security features, do not include those IP addresses in the access list. Be aware that anything the ACL does not match is then exempt from hold-down as well, so an ACL that is narrower than intended leaves the omitted sources free to send transactions at any rate.

NOTE
The security acl-id takes precedence over all TRL configuration.

Transaction rate limit hold-down value

If you configure "hold down 0", the incoming request is not held down. Instead, a log message is generated. This makes hold-down-time 0 a monitoring mode: you can observe which clients would exceed a proposed threshold before enforcing a hold-down.

Displaying TRL rules statistics

You can display statistics for TRL rules as shown.
ServerIronADX# show client-trl rules-stat
Policy-Name   default-rule   ipv4-rules-alloted   ipv4-rules-added   ipv6-rules-alloted   ipv6-rules-added
trl1          0              2500                 0                  2500                 0
trl2          0              2500                 0                  2500                 0
trl3          0              2500                 0                  2500                 0
Global ipv4 rule num: 2500, total-alloted-ipv4-rules: 7500
Global ipv6 rule num: 2500, total-alloted-ipv6-rules: 7500
Syntax: show client-trl rules-stat

Displaying TRL rules in a policy

You can display TRL rules in a policy as shown.
ServerIronADX# show client-trl trl-policy1 ipv6 40
Max Count: 2500   Total Count: 2
IP address/Mask    interval   attempts   holddown
---------------    --------   --------   --------
300::3a95/128      1          67         93
300::3a96/128      66         38         34
Syntax: show client-trl <policy-name> {ipv4 | ipv6} <start-index>
The <policy-name> variable specifies the TRL policy that you want to display rules for. The show client-trl command displays entries in the TRL policy list, starting from the point specified with the <start-index> parameter.

Displaying IP addresses with held down traffic

To display a list of IPv4 and IPv6 addresses whose traffic has been held down, enter commands such as the following.
ServerIronADX# rconsole 2 1
ServerIronADX2/1# show security holddown
source          destination   vers   attempt   start      last       HD   time
192.168.2.30    Any tcp       0      000ab6ae             00000000   Y    9
192.168.2.40    Any tcp       0      000ab6ea             00000000   Y    9
Syntax: rconsole <slot> <bp>
Syntax: show security holddown

The following table lists the output from the show security holddown command.

TABLE 1 Output from the show security holddown command
Field         Description
source        Source IPv4 or IPv6 address that is currently being held down.
destination   TCP, UDP, or ICMP depending on the type of traffic sent by the client.
vers          Used by Brocade Technical Support.
attempt       Number of connection attempts made by the client during the current monitoring interval.
start         Time stamp representing the start of the monitoring interval.
last          Time stamp representing the last time the ServerIron received a connection request from the client.
HD            Whether the IP address is currently being held down. Y indicates that the address is being held down; N indicates that it is not.
time          Time remaining for this IP address to be held down, if the HD field contains Y.

Refusing new connections from a specified IP address

Use the security hold-source-ip command to refuse new connections from a specified IP address for a specified amount of time.
This feature applies to all TCP, UDP, and ICMP traffic originating from the specified IP address.
Syntax: [no] security hold-source-ip <ip-addr> <minutes>

Example
To configure the ServerIron to refuse connections from 192.168.9.210 for 20 minutes, enter:
ServerIronADX(config)# security hold-source-ip 192.168.9.210 20

To display the IP addresses from which connections are currently being refused:
ServerIronADX# rconsole 2 1
ServerIronADX2/1# show security holddown
source          destination   vers   attempt   start      last       HD   time
192.168.2.30    Any tcp       0      000ab6ae             00000000   Y    9
192.168.2.40    Any tcp       0      000ab6ea             00000000   Y    9
The IP addresses for which connections are being refused are displayed in the source column.

HTTP TRL

This section describes how to use the HTTP Transaction Rate Limiting (TRL) feature with ServerIron devices.

Overview of HTTP TRL

HTTP TRL provides HTTP transaction rate limiting for SSL and HTTP traffic, based on a customer ID. Existing ServerIron TRL features, which are based on source IP addresses, are inadequate in environments where a client is identified by an application user ID rather than by its address (for example, many customers sharing one NAT address, or one customer connecting from many addresses). HTTP TRL allows you to prevent per-client oversubscription by letting you configure features, such as transaction and connection rate limiting, based on customer IDs.

With HTTP TRL, the rate limit configuration for each customer is grouped into a set. Each of these groups can be applied to multiple VIPs. A counter is maintained on a per-VIP basis. When a client request is received, the client customer ID is extracted and decoded. A table lookup is performed on the customer ID and, if the client is subject to a rate limit, a session lookup is done to locate the current connection information. For each BP, the current counter is checked against the configuration. If the limit is exceeded, the configured action occurs.
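The following Python sketch is an added example, not from the guide or from Brocade, of the decision path just described for the max-conn case. It reads the customer ID from the Authorization: Basic header that the sample CSW rule later in this section matches on, looks the ID up in a policy of client-name and default entries, keeps a per-VIP connection counter per customer, and returns the configured exceed-action (reset, redirect or drop) once max-conn is reached. Assumptions: the user part of the Basic credential is the customer ID, each HTTP/1.0 request is one connection (the guide says max-conn works only for HTTP 1.0), and requests with no usable ID share one bucket under the default entry. The policy name, VIP addresses, customer names and requests are constructed.

```python
"""Model of the HTTP TRL max-conn decision (added illustration, not Brocade
code).  Customer ID = user part of Authorization: Basic; one HTTP/1.0
request = one connection; counters are kept per (VIP, customer)."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field


@dataclass
class ClientLimit:
    max_conn: int
    exceed_action: str = "reset"   # reset | redirect | drop, the guide's exceed-action values


@dataclass
class HttpTrlPolicy:
    name: str
    clients: dict[str, ClientLimit]      # "client-name <id> max-conn <number>"
    default: ClientLimit | None = None   # "default max-conn <number>"


AUTH_RE = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t]*\r?$", re.I | re.M)


def extract_customer_id(request: bytes) -> str | None:
    """Return the user part of the Basic credential, or None when the header is
    absent, undecodable, or breaks the guide's constraint (alphanumeric, <= 101 chars)."""
    head = request.split(b"\r\n\r\n", 1)[0]
    m = AUTH_RE.search(head)
    if m is None:
        return None
    try:
        creds = base64.b64decode(m.group(1), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):     # binascii.Error is a ValueError
        return None
    customer = creds.split(":", 1)[0]
    if not customer.isalnum() or len(customer) > 101:
        return None
    return customer


@dataclass
class HttpTrl:
    policy: HttpTrlPolicy
    active: dict[tuple[str, str], int] = field(default_factory=dict)   # (vip, customer) -> open conns
    events: list[str] = field(default_factory=list)

    def admit(self, vip: str, request: bytes) -> str:
        """Return 'forward' or the exceed-action for one new HTTP/1.0 connection to vip."""
        customer = extract_customer_id(request)
        limit = self.policy.clients.get(customer) if customer else None
        if limit is None:
            limit = self.policy.default             # table lookup falls back to "default"
        if limit is None:                           # no entry and no default: not limited
            return "forward"
        key = (vip, customer or "<none>")           # assumption: unidentified clients share a bucket
        if self.active.get(key, 0) >= limit.max_conn:
            self.events.append(f"{vip} {key[1]}: max-conn {limit.max_conn} reached -> {limit.exceed_action}")
            return limit.exceed_action
        self.active[key] = self.active.get(key, 0) + 1
        return "forward"

    def close(self, vip: str, customer: str) -> None:
        """Release one connection when the session ends."""
        key = (vip, customer)
        if self.active.get(key, 0) > 0:
            self.active[key] -= 1


def build_request(user: str, password: str, path: str = "/") -> bytes:
    """Constructed sample HTTP/1.0 request carrying Basic credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"GET {path} HTTP/1.0\r\nHost: csw-vip\r\nAuthorization: Basic {token}\r\n\r\n".encode()


def demo() -> dict:
    policy = HttpTrlPolicy("p1", {"c1": ClientLimit(max_conn=2, exceed_action="reset")},
                           default=ClientLimit(max_conn=3, exceed_action="drop"))
    trl = HttpTrl(policy)
    c1, c9 = build_request("c1", "secret"), build_request("c9", "x")
    out = {
        "c1": [trl.admit("1.1.1.100", c1) for _ in range(3)],       # third one hits max-conn 2
        "c1_other_vip": trl.admit("1.1.1.200", c1),                 # counters are per VIP
        "c9_default": [trl.admit("1.1.1.100", c9) for _ in range(4)],  # default: max-conn 3, drop
        "no_auth": trl.admit("1.1.1.100", b"GET / HTTP/1.0\r\nHost: csw-vip\r\n\r\n"),
    }
    trl.close("1.1.1.100", "c1")
    out["c1_after_close"] = trl.admit("1.1.1.100", c1)              # slot freed by close()
    return out
```

The extraction step is also where the caveat about this feature lives: the customer ID is read from a header the client supplies, before the real server has checked the credential, so a client can choose which bucket it lands in. The model only stops a client from exceeding its own entry; IP-based TRL remains the control against a source that varies the header.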
HTTP TRL features

Before you configure HTTP TRL, you should be aware of the following benefits and restrictions for this feature:
• The customer ID is contained within the HTTP header, is alphanumeric, and can be up to 101 characters in length.
• The maximum number of customer ID entries is 35K.
• Customer ID entries can be manually configured or have dynamic upload support.
• All customer connections are supported on a single VIP with support for up to 10K connections.
• Customer report response times can run up to 120 seconds before they time out at the gateway tier.
• Rate-limiting functionality must support rate over time and total connections, based on customer ID.
• Max-conn currently works only for HTTP 1.0.
• This feature supports HTTP redirect or drop client response actions once the rate limit has been exceeded.
• This feature provides event and threshold alert monitoring and notification, based on specific customer connection SLAs.

Because the customer ID is taken from a header that the client itself sends, HTTP TRL limits a client to the bucket it claims: a client that forges or varies the header can land in another customer's bucket or in the default one. Use HTTP TRL to prevent per-customer oversubscription, and keep the IP-based TRL described above as the floor against abusive sources.

Configuring HTTP TRL

This section describes how to configure the HTTP TRL feature.

NOTE
For traffic going through a VIP, Brocade recommends that you apply the TRL policy to the VIP and the interface.

Configuring HTTP TRL client

Use the following procedures to configure the HTTP TRL client rate limit and the client maximum connection.

Configuring HTTP TRL client rate limit

To configure the HTTP TRL client rate limit, follow these steps.
1. Define an HTTP TRL policy.
ServerIronADX(config)# http-trl-policy p1
Syntax: [no] http-trl-policy <name>
2. Configure an HTTP TRL client rate limit.
ServerIronADX(config-http-trl-p1)# client-name c1 monitor-interval 1 10 20 0
Syntax: [no] client-name <name> monitor-interval
For more detailed command information, refer to "Client-name monitor-interval" on page 27.
3. Configure the action to take if a client exceeds the configured rate limit (optional).
ServerIronADX(config-http-trl-p1)# client-name c1 exceed-action reset
Syntax: [no] client-name <name> exceed-action reset

Configuring HTTP TRL client maximum connection

To configure the HTTP TRL client maximum connection, follow these steps.
1. Define an HTTP TRL policy.
ServerIronADX(config)# http-trl-policy p1
Syntax: [no] http-trl-policy <name>
2. Configure an HTTP TRL client maximum connection.
ServerIronADX(config-http-trl-p1)# client-name c1 max-conn 10
Syntax: [no] client-name <name> max-conn <number>
<number> specifies the maximum number of connections the client can set up.
3. Configure the action to take if a client exceeds the configured maximum connections (optional).
ServerIronADX(config-http-trl-p1)# client-name c1 exceed-action reset
Syntax: [no] client-name <name> exceed-action reset

Configuring HTTP TRL defaults

Use the following procedures to configure the HTTP TRL default rate limit and the default maximum connection.

Configuring HTTP TRL default rate limit

To configure the HTTP TRL default rate limit, follow these steps.
1. Define an HTTP TRL policy.
ServerIronADX(config)# http-trl-policy p1
Syntax: [no] http-trl-policy <name>
2. Configure an HTTP TRL default rate limit.
ServerIronADX(config-http-trl-p1)# default monitor-interval 1 10 20 0
Syntax: [no] default monitor-interval
3. Configure the action to take if a client exceeds the configured rate limit (optional).
ServerIronADX(config-http-trl-p1)# default exceed-action reset
Syntax: [no] default exceed-action reset

Configuring HTTP TRL default maximum connection

To configure the HTTP TRL default maximum connection, follow these steps.
1. Define an HTTP TRL policy.
ServerIronADX(config)# http-trl-policy p1
Syntax: [no] http-trl-policy <name>
2. Configure an HTTP TRL default maximum connection.
ServerIronADX(config-http-trl-p1)# default max-conn 10
Syntax: [no] default max-conn <number>
3. Configure the action to take if a client exceeds the configured maximum connection (optional).
ServerIronADX(config-http-trl-p1)# default exceed-action reset
Syntax: [no] default exceed-action reset

Sample HTTP TRL configuration

This section describes a sample HTTP TRL configuration. The scenario covers all the required steps for configuring HTTP TRL, with the optional steps noted. The configuration consists of four parts:

• Creating an HTTP TRL policy with a client rate limit
• Configuring Layer 4 server load balancing
• Creating a CSW rule and policy with HTTP TRL
• Enabling Layer 7 server load balancing

Creating an HTTP TRL policy with client rate limit

To configure an HTTP TRL policy with a client rate limit, follow these steps.

1. Define an HTTP TRL policy.
ServerIronADX(config)# http-trl-policy p1
Syntax: [no] http-trl-policy <policy-name>

2. Configure an HTTP TRL client rate limit.
ServerIronADX(config-http-trl-p1)# client-name c1 monitor-interval 1 10 20 0
Syntax: [no] client-name <name> monitor-interval <interval> <warning-rate> <shutdown-rate> <holddown>

3. Configure the action to take if a client exceeds the configured rate limit (optional).
ServerIronADX(config-http-trl-p1)# client-name c1 exceed-action reset
Syntax: [no] client-name <name> exceed-action reset

Configuring Layer 4 SLB

To configure Layer 4 SLB, follow these steps.

1. Define a real server (1) with an IP address.
ServerIronADX(config)# server real web1 1.1.1.1
Syntax: server real <name> <ip-address>

2. Define a real HTTP port on the real server.
ServerIronADX(config-rs-web1)# port http
Syntax: port http

3. Define a real server (2) with an IP address.
ServerIronADX(config-rs-web1)# server real web2 1.1.1.2
Syntax: server real <name> <ip-address>

4. Define a real HTTP port on the real server and exit.
ServerIronADX(config-rs-web2)# port http
Syntax: port http
ServerIronADX(config-rs-web2)# exit
Syntax: exit

5. Define a virtual server with an IP address.
ServerIronADX(config)# server virtual-name-or-ip csw-vip 1.1.1.100
Syntax: server virtual-name-or-ip <name> <ip-address>

6. Define a virtual HTTP port on the virtual server.
ServerIronADX(config-vs-csw-vip)# port http
Syntax: port http

7. Bind the HTTP ports on real servers web1 and web2 to the virtual port HTTP.
ServerIronADX(config-vs-csw-vip)# bind http web1 http web2 http
Syntax: bind http <real-server-name> http [<real-server-name> http ...]

Creating a CSW rule and policy with HTTP TRL

1. Define a CSW rule to match a pattern in the HTTP header that contains the client name.
ServerIronADX(config)# csw-rule rule1 header Authorization pattern Basic
Syntax: csw-rule <rule-name> header <header-name> pattern <pattern>

2. Define a CSW policy.
ServerIronADX(config)# csw-policy policy1
Syntax: csw-policy <policy-name>

3. Specify an action to apply the HTTP TRL policy when the CSW rule is matched.
ServerIronADX(config-csw-policy1)# match rule1 http-trl p1
Syntax: match <rule-name> http-trl <trl-policy-name>

Enabling Layer 7 SLB

To configure Layer 7 SLB, follow these steps.

1. Bind the policy to a virtual HTTP port on the virtual server.
ServerIronADX(config-vs-csw-vip)# port http csw-policy policy1
Syntax: port http csw-policy <policy-name>

2. Enable CSW on the virtual port.
ServerIronADX(config-vs-csw-vip)# port http csw
Syntax: port http csw

Displaying HTTP TRL

This section describes how to display HTTP TRL information.

Display all HTTP TRL policies

To show the running configuration of all HTTP TRL policies, use the following command.
ServerIronADX# show run http-trl-policy all
Syntax: show run http-trl-policy all

Example
ServerIronADX# show run http-trl all
!Building configuration...
!Current configuration : 124813 bytes
!
http-trl-policy "my-http-trl-policy-104"
 tftp 50.50.50.105 "http-trl-policy-104.txt"
 client-name "root1" max-conn 1
 client-name "root1" exceed-action reset
 client-name "root10" max-conn 1
 client-name "root10" exceed-action reset
 client-name "root11" max-conn 1
 client-name "root11" exceed-action reset
 client-name "root12" max-conn 1
 client-name "root12" exceed-action reset
 client-name "root13" max-conn 1
 client-name "root13" exceed-action reset
 client-name "root14" max-conn 1
 client-name "root14" exceed-action reset
 client-name "root15" max-conn 1
 client-name "root15" exceed-action reset
 client-name "root16" max-conn 1
 client-name "root16" exceed-action reset
 client-name "root17" max-conn 1
 client-name "root17" exceed-action reset
...

Display HTTP TRL policy from index

To show the running configuration of an HTTP TRL policy starting from an index, enter the following command.
ServerIronADX# show run http-trl-policy my-http-trl-policy-104 2
Syntax: show run http-trl-policy <policy-name> <index>

Example
ServerIronADX# show run http-trl my-http-trl-policy-104 2
!Building configuration...
!Current configuration : 4261 bytes
 client-name "root11" max-conn 1
 client-name "root11" exceed-action reset
 client-name "root12" max-conn 1
 client-name "root12" exceed-action reset
 client-name "root13" max-conn 1
 client-name "root13" exceed-action reset
 client-name "root14" max-conn 1
 client-name "root14" exceed-action reset
 client-name "root15" max-conn 1
 client-name "root15" exceed-action reset
 client-name "root16" max-conn 1
 client-name "root16" exceed-action reset
 client-name "root17" max-conn 1
 client-name "root17" exceed-action reset
 client-name "root18" max-conn 1
 client-name "root18" exceed-action reset
 client-name "root19" max-conn 1
 client-name "root19" exceed-action reset
 client-name "root2" max-conn 1
 client-name "root2" exceed-action reset
 client-name "root20" max-conn 1
...
Display HTTP TRL policy client

To show the running configuration of one client in an HTTP TRL policy, enter the following command.
ServerIronADX# show run http-trl-policy my-http-trl-policy-104 root1
Syntax: show run http-trl-policy <policy-name> <client-name>

Example
ServerIronADX# show run http-trl my-http-trl-policy-104 root1
!Building configuration...
!Current configuration : 75 bytes
 client-name "root1" max-conn 1
 client-name "root1" exceed-action reset

Display HTTP TRL policy starting from index

To show the running configuration of an HTTP TRL policy starting from an index, for a specific number of entries, enter the following command.
ServerIronADX# show run http-trl-policy my-http-trl-policy-104 1 20
Syntax: show run http-trl-policy <policy-name> <index> <count>

Example
ServerIronADX# show run http-trl my-http-trl-policy-104 1 20
!Building configuration...
!Current configuration : 1500 bytes
 client-name "root10" max-conn 1
 client-name "root10" exceed-action reset
 client-name "root11" max-conn 1
 client-name "root11" exceed-action reset
 client-name "root12" max-conn 1
 client-name "root12" exceed-action reset
 client-name "root13" max-conn 1
 client-name "root13" exceed-action reset
 client-name "root14" max-conn 1
 client-name "root14" exceed-action reset
 client-name "root15" max-conn 1
 client-name "root15" exceed-action reset
 client-name "root16" max-conn 1
 client-name "root16" exceed-action reset
 client-name "root17" max-conn 1
 client-name "root17" exceed-action reset
 client-name "root18" max-conn 1
 client-name "root18" exceed-action reset
 client-name "root19" max-conn 1
 client-name "root19" exceed-action reset
 client-name "root2" max-conn 1
...

Display HTTP TRL policy matching a regular expression

To show the running configuration of an HTTP TRL policy matching a specific regular expression (regex), enter the following command.

NOTE
The syntax for the regex is the same as for piping.
ServerIronADX# show run http-trl-policy my-http-trl-policy-109 regex ot1
Syntax: show run http-trl-policy <policy-name> regex <regular-expression>

Example
ServerIronADX# show run http-trl my-http-trl-policy-104 regex ot1
!Building configuration...
!Current configuration : 825 bytes
 client-name "root1" max-conn 1
 client-name "root1" exceed-action reset
 client-name "root10" max-conn 1
 client-name "root10" exceed-action reset
 client-name "root11" max-conn 1
 client-name "root11" exceed-action reset
 client-name "root12" max-conn 1
 client-name "root12" exceed-action reset
 client-name "root13" max-conn 1
 client-name "root13" exceed-action reset
 client-name "root14" max-conn 1
 client-name "root14" exceed-action reset
 client-name "root15" max-conn 1
 client-name "root15" exceed-action reset
 client-name "root16" max-conn 1
 client-name "root16" exceed-action reset
 client-name "root17" max-conn 1
 client-name "root17" exceed-action reset
 client-name "root18" max-conn 1
 client-name "root18" exceed-action reset
 client-name "root19" max-conn 1
...

Display HTTP TRL policy client index (MP)

To show the clients of an HTTP TRL policy between a starting and an ending index, enter the following command on the MP.
ServerIronADX# show http-trl policy my-http-trl-policy-103 0 10
Syntax: show http-trl policy <policy-name> <start-index> <end-index>

Example
ServerIronADX# show http-trl policy my-http-trl-policy-103 0 10
Policy Name: my-http-trl-policy-103
configured client count: 1
total client count: 1
Client name TDSWS/LoadRunner
 monitor-interval 1 warning rate 10 shutdown rate 20 holddown interval 0
 exceed action: drop
 dynamic No
 max-conn track session 0
 trl track session 0

NOTE
This command entered on the MP displays only configuration information and the total entry count for the policy. The same command entered on the BP provides traffic status.
Display HTTP TRL policy client index (BP)

To show the clients of an HTTP TRL policy between a starting and an ending index, use the following command on the BP.
ServerIronADX# show http-trl policy my-http-trl-policy-103 0 10
Syntax: show http-trl policy <policy-name> <start-index> <end-index>

Example
ServerIronADX# show http-trl policy my-http-trl-policy-103 0 100
Policy Name: my-http-trl-policy-103
configured client count: 1
total client count: 2
Client name V E'Vææ\
 max-conn 50
 dynamic Yes
 max-conn track session 1
 trl track session 0
 HTTP_TRL_HIT 3278
 HTTP_TRL_PASS 1613
 HTTP_MAX_CONN_F 1665
 HTTP_TRL_DROP 1665
Client name TDSWS/LoadRunner
 monitor-interval 1 warning rate 10 shutdown rate 20 holddown interval 0
 exceed action: drop
 dynamic No
 max-conn track session 0
 trl track session 1
 HTTP_TRL_HIT 66352
 HTTP_TRL_PASS 39524
 HTTP_TRL_FAIL 26828
 HTTP_TRL_DROP 26828
ServerIronADX2/1#
ServerIronADX2/1# sh http-trl session 90.90.90.103 80 my-http-trl-policy-103
HTTP-MAX: V E'Vææ\ config 50, current 50
HTTP-TRL: TDSWS/LoadRunner, config 2, attamp 3, hold 0, 1st 3089554, last 3092565

Display HTTP TRL policy for all client entries (BP)

To display HTTP TRL client entry resource usage, enter the following command on the BP.
ServerIronADX2/1# show http-trl resource

Example
ServerIronADX2/1# show http-trl resource
Maximum client entry: 35000
Free client entry: 0
Total allocated client entry: 35000
Total freed client entry: 0
Maximum allocated client entry: 35000
Maximum client entry: 35000
Double free client entry: 0
Invalid free client entry: 0
Failed allocate client entry: 0
Double allocated client entry: 0

Downloading an HTTP TRL policy through TFTP

To download an HTTP TRL policy using TFTP, enter a command similar to the following.
ServerIronADX(config-http-trl-p1)# tftp 100.1.1.1 http-trl-config.txt
Syntax: tftp <ip-address> <filename>

NOTE
You can save this command with write memory to automatically initiate a download for this policy after you reload. If you configure more than one policy for TFTP download and a policy fails the download, the ServerIron does NOT retry, and the subsequent policy does not initiate a download. You must manually issue the command to do a TFTP download.

NOTE
When the total number of HTTP TRL entries exceeds 10K, the show run time config command cannot display the HTTP TRL-related configuration. You must use a text file to manage it.

NOTE
When any HTTP TRL policy client entry exceeds 1K, the show run time config command cannot display a detailed client entry for the HTTP TRL policy.

HTTP TRL policy commands

NOTE
You must configure the client HTTP TRL entry before you configure the client exceed-action.

Client-name monitor-interval

Use the client-name monitor-interval option in the http-trl-policy configuration mode to set client rate-limiting parameters.

Syntax: [no] client-name <name> monitor-interval <interval> <warning-rate> <shutdown-rate> <holddown>
<interval> specifies the monitoring window in 100 ms units.
<warning-rate> specifies the HTTP connection rate (per second) that causes a warning if exceeded.
<shutdown-rate> specifies the HTTP connection rate (per second) that causes a client to be held down.
<holddown> specifies the length of the hold-down period, in minutes, if the client exceeds the rate limit.

NOTE
A value of 0 means do not hold down. Hold down holds all traffic.

Example
ServerIronADX(config-http-trl-p1)# client-name c1 monitor-interval 1 10 20 0

Client-name max-conn

Use the client-name max-conn option in the http-trl-policy configuration mode to set client maximum connection parameters.

Syntax: [no] client-name <name> max-conn <max-conn>
<max-conn> specifies the maximum number of connections the client can set up.
Example
ServerIronADX(config-http-trl-p1)# client-name c1 max-conn 10

NOTE
You must set the client HTTP max-conn configuration before you configure the client exceed-action.

NOTE
Max-conn currently supports only HTTP/1.0.

Client-name exceed-action

Use the client-name exceed-action option in the http-trl-policy configuration mode to set the action to take if a client exceeds the configured rate limit.

Syntax: [no] client-name <name> exceed-action [reset | drop]
[reset | drop] specifies whether the client request is reset or dropped if the limit is exceeded.

Example
ServerIronADX(config-http-trl-p1)# client-name c1 exceed-action reset

Syntax: [no] client-name <name> exceed-action redirect <domain> <url> [<port>]
<domain> and <url> specify the new URL to which the client request is redirected if the limit is exceeded.

NOTE
Use an asterisk (*) to keep the same domain or URL. This does not apply if the client is using HTTP 1.0.

ServerIronADX(config-http-trl-p1)# client-name c1 exceed-action redirect * /new/exceed.html http

NOTE
The same domain as in the incoming packet is used. The optional [<port>] specifies the new TCP port number for the redirected URL.

ServerIronADX(config-http-trl-p1)# client-name c1 exceed-action redirect www.yahoo.com exceed.html http

Default monitor-interval

Use the default monitor-interval option in the http-trl-policy configuration mode to set default rate-limiting parameters.

Syntax: [no] default monitor-interval <interval> <warning-rate> <shutdown-rate> <holddown>
• <interval> specifies the monitoring window in 100 ms units.
• <warning-rate> specifies the HTTP connection rate (per second) that causes a warning if exceeded.
• <shutdown-rate> specifies the HTTP connection rate (per second) that causes a client to be held down.
• <holddown> specifies the length of the hold-down period, in minutes, if the client exceeds the rate limit.

NOTE
A value of 0 means do not hold down. Hold down holds all traffic.
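To make the monitor-interval, max-conn and exceed-action semantics concrete, the following model of an HTTP TRL policy is an added example; it is not ServerIron code and not part of this guide. It assumes that the connection rate is the count seen within the monitoring window scaled to connections per second, that a hold-down applies the exceed-action to all of the client's traffic for the configured number of minutes, that the "default" entry covers clients with no client-name entry, and that the HTTP_TRL_* counter names from the show http-trl policy output are incremented as commented (the device's exact accounting is not documented on this page).

```python
"""Model of an HTTP TRL policy (added example, not ServerIron code).

Assumed semantics, taken from the command descriptions:
  monitor-interval <interval> <warning-rate> <shutdown-rate> <holddown>
    <interval> is the monitoring window in 100 ms units; the rate is the
    number of connections seen in the window scaled to connections/second.
  Above <warning-rate> a warning event is raised once per window; above
  <shutdown-rate> the request gets the exceed-action and, if <holddown> is
  non-zero, the client is held down for <holddown> minutes (all of its
  traffic gets the exceed-action for that long).
  max-conn caps concurrently open connections per client.
  The "default" entry applies to clients with no client-name entry.
The counter names mirror the show http-trl policy output; the mapping of
events to counters is an assumption made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ClientLimit:
    interval_100ms: int                 # monitoring window, 100 ms units
    warning_rate: int                   # conn/s that raises a warning
    shutdown_rate: int                  # conn/s that triggers the exceed-action
    holddown_min: int                   # hold-down in minutes; 0 = none
    max_conn: Optional[int] = None      # max-conn (HTTP/1.0 only on the device)
    exceed_action: str = "drop"         # "reset", "drop" or "redirect"


@dataclass
class _State:
    window_start: float
    window_count: int = 0
    open_conn: int = 0
    held_until: float = 0.0
    warned: bool = False


class HttpTrlPolicy:
    def __init__(self, name: str, default: Optional[ClientLimit] = None):
        self.name = name
        self.default = default
        self.clients: Dict[str, ClientLimit] = {}
        self.state: Dict[str, _State] = {}
        self.events: List[Tuple[float, str, str]] = []   # (time, client, event)
        self.counters = {"HTTP_TRL_HIT": 0, "HTTP_TRL_PASS": 0, "HTTP_TRL_FAIL": 0,
                         "HTTP_TRL_DROP": 0, "HTTP_MAX_CONN_F": 0}

    def client_name(self, name: str, limit: ClientLimit) -> None:
        """Equivalent of 'client-name <name> monitor-interval ... / max-conn ...'."""
        self.clients[name] = limit

    def new_connection(self, client: str, now: float) -> str:
        """Return "pass" or the exceed-action for a request from `client` at `now` (s)."""
        limit = self.clients.get(client, self.default)
        if limit is None:
            return "pass"                       # no entry and no default: not metered
        st = self.state.setdefault(client, _State(window_start=now))
        self.counters["HTTP_TRL_HIT"] += 1
        if now < st.held_until:                 # held down: all traffic gets the action
            self.counters["HTTP_TRL_DROP"] += 1
            return limit.exceed_action
        window = limit.interval_100ms / 10.0    # seconds
        if now - st.window_start >= window:     # start a fresh monitoring window
            st.window_start, st.window_count, st.warned = now, 0, False
        st.window_count += 1
        rate = st.window_count / window         # connections per second
        if rate > limit.shutdown_rate:
            self.counters["HTTP_TRL_FAIL"] += 1
            self.counters["HTTP_TRL_DROP"] += 1
            if limit.holddown_min > 0:
                st.held_until = now + limit.holddown_min * 60
            return limit.exceed_action
        if rate > limit.warning_rate and not st.warned:
            st.warned = True
            self.events.append((now, client, "warning"))
        if limit.max_conn is not None and st.open_conn >= limit.max_conn:
            self.counters["HTTP_MAX_CONN_F"] += 1
            self.counters["HTTP_TRL_DROP"] += 1
            return limit.exceed_action
        st.open_conn += 1
        self.counters["HTTP_TRL_PASS"] += 1
        return "pass"

    def close_connection(self, client: str) -> None:
        st = self.state.get(client)
        if st is not None and st.open_conn > 0:
            st.open_conn -= 1


def demo() -> dict:
    """Constructed traffic: a burst from c1, a max-conn client c2, an unnamed client."""
    policy = HttpTrlPolicy("p1", default=ClientLimit(10, 10, 20, 0))   # default monitor-interval 10 10 20 0
    policy.client_name("c1", ClientLimit(10, 10, 20, 1, exceed_action="reset"))
    policy.client_name("c2", ClientLimit(10, 100, 200, 0, max_conn=2))
    burst = [policy.new_connection("c1", 0.01 * i) for i in range(30)]  # 30 requests in 0.3 s
    after_holddown = policy.new_connection("c1", 70.0)                   # 1-minute hold-down expired
    c2 = [policy.new_connection("c2", t) for t in (0.0, 0.1, 0.2)]
    policy.close_connection("c2")
    c2.append(policy.new_connection("c2", 0.3))
    anon = [policy.new_connection("anon", 0.01 * i) for i in range(25)]  # falls under the default entry
    return {"burst": burst, "after_holddown": after_holddown, "c2": c2, "anon": anon,
            "warnings": [c for _, c, _ in policy.events], "counters": dict(policy.counters)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the three behaviours side by side: c1 passes 20 requests in its 1-second window, is reset on the 21st and stays reset for the rest of the burst because of its 1-minute hold-down, then passes again at t=70 s; c2 is refused its third concurrent connection until one closes; the unnamed client is metered by the default entry and, with hold-down 0, only the individual requests above the shutdown rate are dropped.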
Example
ServerIronADX(config-http-trl-p1)# default monitor-interval 1 10 20 0

Default max-conn

Use the default max-conn option in the http-trl-policy configuration mode to set default maximum connection parameters.

Syntax: [no] default max-conn <max-conn>
<max-conn> specifies the maximum number of connections a client can set up.

Example
ServerIronADX(config-http-trl-p1)# default max-conn 10

NOTE
Max-conn currently supports only HTTP/1.0.

Default exceed-action

Use the default exceed-action option in the http-trl-policy configuration mode to set the action to take if a client covered by the default entry exceeds the configured rate limit.

Syntax: [no] default exceed-action [reset | drop]
[reset | drop] specifies whether the request is reset or dropped if the limit is exceeded.

Example
ServerIronADX(config-http-trl-p1)# default exceed-action reset

Syntax: [no] default exceed-action redirect <domain> <url> [<port>]
<domain> and <url> specify the new URL to which the client request is redirected if the limit is exceeded.

NOTE
Use an asterisk (*) to keep the same domain or URL.

ServerIronADX(config-http-trl-p1)# default exceed-action redirect * /new/exceed.html http

NOTE
The same domain as in the incoming packet is used. The optional [<port>] specifies the new TCP port number for the redirected URL.

ServerIronADX(config-http-trl-p1)# default exceed-action redirect www.yahoo.com /exceed.html http

Logging for DoS Attacks

The following sections describe how to enable logging of DoS attacks.

Configuration commands

Use the following commands to enable logging of the TCP connection rate and attack rate.

Syntax: [no] ip tcp conn-rate <conn-rate> attack-rate <attack-rate>
Syntax: [no] ip tcp conn-rate-change <percent> attack-rate <percent>
Syntax: [no] server max-conn-trap <seconds>

Parameters

The conn-rate parameter specifies a threshold for the number of global TCP connections per second that are expected on the ServerIron. A global TCP connection is defined as any packet that requires session processing.
For example, 1 SLB, 1 TCS, and 1 SYN-Guard connection would equal 3 global TCP connections, since there are three different connections that require session processing.

NOTE
The ServerIron ADX counts only the new connections that remain in effect at the end of the one-second interval. If a connection is opened and terminated within the interval, the ServerIron ADX does not include the connection in the total for the server.

The attack-rate parameter specifies a threshold for the number of TCP SYN attack packets per second that are expected on the ServerIron.

Syslog entries are generated under the following circumstances:

• If the connection rate or attack rate on the ServerIron reaches 80% of the configured threshold.
• If the connection rate or attack rate is still between 80% and 100% of the configured threshold 6 minutes after the last message.
• If the connection rate or attack rate exceeds 100% of the configured threshold.
• If the connection rate or attack rate exceeds 100% of the configured threshold and has gone up by the configured rate change percentage.
• One minute after the last message, if the connection rate or attack rate still exceeds 100% of the configured threshold and has gone up by the configured rate change percentage.
• Three minutes after the last message, if the connection rate or attack rate is still between 80% and 100% of the configured threshold and has gone up by the configured rate change percentage.

The server max-conn-trap <seconds> command specifies the number of seconds that elapse between traps, where <seconds> can be from 1 to 300. The default is 30.
Example
ServerIronADX(config)# ip tcp conn-rate 10000 attack-rate 10000
ServerIronADX(config)# ip tcp conn-rate-change 50 attack-rate 100
ServerIronADX(config)# server max-conn-trap 30

show server conn-rate

Use show server conn-rate to display the global TCP connection rate (per second) and the TCP SYN attack rate (per second). This command reports connection rate information for the ServerIron as a whole as well as for each real server.

ServerIronADX# show server conn-rate
Avail. Sessions = 524286      Total Sessions = 524288
Total C->S Conn = 0           Total S->C Conn = 0
Total Reassign = 0            Unsuccessful Conn = 0
last conn rate = 0            max conn rate = 0
last TCP attack rate = 0      max TCP attack rate = 0
SYN def RST = 0               SYN flood = 0
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Real Server   State   CurrConn   TotConn   LastRate   CurrRate   MaxRate
rs1           3       0          0         0          0          0

Maximum connections

Use max-conn to set the maximum number of connections on a global real server level (all ports) or for a single port.

All ports:
!
server real rs1 10.10.1.30
 max-conn 1200
 port http
!

One port:
!
server real rs1 10.10.1.30
 port http max-conn 1000
 port http url "HEAD /"
!

clear statistics dos-attack

Use clear statistics dos-attack to reset the counters for ICMP and TCP SYN packet burst thresholds, as displayed by show statistics dos-attack.

Example
ServerIronADX# clear statistics dos-attack
ServerIronADX# show statistics dos-attack

NOTE
The above commands are used to reset and verify the counters for ICMP and TCP SYN packet burst thresholds. The ServerIron ADX has introduced a more powerful feature to detect and block DoS attacks. Refer to the chapter titled "Syn-Proxy and DoS Protection" on page 113 for details about verifying and clearing DoS-attack counters and filters.
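The syslog rules listed under "Parameters" above are compact enough to be easy to misread, so the following evaluator is an added example (not ServerIron code) that turns them into a small state machine: one instance per metric (the TCP connection rate or the TCP SYN attack rate), fed one rate sample at a time. Where the bullets leave room for interpretation this code makes an explicit assumption, documented in its docstring; the message text is constructed here and is not the device's actual syslog format.

```python
"""Evaluator for the conn-rate / attack-rate syslog rules (added example,
not ServerIron code). One instance per metric. Times are seconds.
Interpretation assumed where the rules are terse:
  - crossing into the 80-100% band or the >100% band always logs;
  - in the >100% band, a further message needs the rate to have grown by
    the configured change percentage since the last message, at most
    once a minute;
  - in the 80-100% band, a further message comes 3 minutes after the last
    one when the rate has grown by the change percentage, or 6 minutes
    after the last one otherwise;
  - dropping below 80% clears the state, so the next 80% crossing logs.
"""
from typing import List, Optional, Tuple


class RateThresholdLogger:
    def __init__(self, metric: str, threshold: int, change_pct: int):
        self.metric = metric            # "conn-rate" or "attack-rate"
        self.threshold = threshold      # ip tcp conn-rate <n> / attack-rate <n>
        self.change_pct = change_pct    # ip tcp conn-rate-change <pct>
        self.last_time: Optional[float] = None
        self.last_rate: Optional[int] = None
        self.last_band: Optional[str] = None

    def _band(self, rate: int) -> Optional[str]:
        if rate > self.threshold:
            return "exceed"
        if rate >= 0.8 * self.threshold:
            return "warn"
        return None

    def observe(self, rate: int, now: float) -> Optional[str]:
        """Return a log message if this sample warrants one, else None."""
        band = self._band(rate)
        if band is None:                                  # below 80%: nothing pending
            self.last_time = self.last_rate = self.last_band = None
            return None
        grown = (self.last_rate is not None
                 and rate >= self.last_rate * (1 + self.change_pct / 100.0))
        since = now - self.last_time if self.last_time is not None else None
        if band != self.last_band:
            log = True                                    # 80% or 100% just crossed
        elif band == "exceed":
            log = grown and since >= 60                   # still >100%, up by pct, >= 1 min
        else:
            log = (grown and since >= 180) or since >= 360  # still in the 80-100% band
        if not log:
            return None
        self.last_time, self.last_rate, self.last_band = now, rate, band
        pct = 100 * rate / self.threshold
        return (f"{self.metric} {rate}/s is {pct:.0f}% of threshold {self.threshold}"
                + (" (exceeded)" if band == "exceed" else ""))


def run_demo() -> List[Tuple[int, int, Optional[str]]]:
    """Constructed (time, rate) samples against 'ip tcp conn-rate 10000' and
    'ip tcp conn-rate-change 50'; returns each sample with its message or None."""
    logger = RateThresholdLogger("conn-rate", threshold=10000, change_pct=50)
    samples = [(0, 5000), (1, 8000), (100, 8500), (361, 8500), (362, 10500),
               (372, 16000), (422, 16000), (423, 500), (424, 9000)]
    return [(t, r, logger.observe(r, t)) for t, r in samples]


if __name__ == "__main__":
    for t, r, msg in run_demo():
        print(f"t={t:4d}s rate={r:6d}  {msg or '-'}")
```

In the constructed sample the logger fires on the 80% crossing, again six minutes later while the rate has stayed in the 80-100% band, on the 100% crossing, and then only after the rate has both grown by 50% and a minute has passed; once the rate falls below 80% the state clears, so the next 80% crossing is reported afresh.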
Maximum concurrent connection limit per client

This feature restricts each client to a specified number of concurrent connections, based on the client's subnet, to prevent any one client from using all available connections.

Limiting the number of concurrent connections per client

You associate a configured client subnet with a maximum permissible connection value. The association is stored in the ServerIron by means of a Dynamic Prefix (DP) trie. The key stored in the DP trie is the associated maximum connection value. Storing the client subnets in a DP trie allows a different prefix length and subnet mask to be defined for each client subnet. Since the DP trie lookup returns the longest prefix match, the configured client subnets are not required to have the same subnet mask.

Configuring the maximum connection limit per client consists of the following tasks:

• Configuring the maximum connections allowed per client address or prefix
• Applying the configured number of maximum connections to a specific VIP

Configure the maximum number of connections

1. Begin by creating a policy set or group by entering commands such as the following.
ServerIronADX(config)#client-connection-limit max-conn1
Syntax: [no] client-connection-limit <policy-name>
Enter a name for the policy set or group for <policy-name>. Use the no form of the command to delete the policy group. After you enter the name, the CLI changes to the config-client-max-conn level.

2. Next, create the policy for the maximum number of connections using one of the following methods.

Create a policy for the maximum number of connections for specific clients

To set a maximum number of connections for the clients in a subnet, enter a command such as the following.
ServerIronADX(config)# client-connection-limit max-conn1
ServerIronADX(config-client-max-conn)# max-conn 100.1.1.0 255.255.255.0 10

In the example above, clients with IP addresses in the 100.1.1.0 subnet are allowed only 10 connections.

Syntax: [no] max-conn <ip-address> <subnet-mask> <max-conn>
Enter the clients' IP address and subnet mask for <ip-address> <subnet-mask>. Enter a number from 0 to any value for <max-conn>. There is no default for this parameter.

Specifying a maximum number of connections for clients not specified in a policy

You can specify a default maximum number of connections for all clients that are not specified in any max connection group by entering a command such as the following.

ServerIronADX(config)# client-connection-limit max-conn1
ServerIronADX(config-client-max-conn)# max-conn default 10

In this example, all clients not specified in any max connection group have a maximum of 10 connections.

Syntax: [no] max-conn default <max-conn>
Enter a default maximum number of connections for <max-conn>.

Excluding clients from maximum connection policy

If you want certain clients to be excluded from any maximum connection policies, enter a command such as the following.

ServerIronADX(config)# client-connection-limit max-conn1
ServerIronADX(config-client-trl)# max-conn 100.1.4.0 255.255.255.0 exclude

In this example, clients in the 100.1.4.0 subnet are excluded from any maximum connection rules.

Syntax: [no] max-conn <ip-address> <subnet-mask> exclude

Displaying the maximum number of connections for clients that are currently connected

To show the maximum connection policy for clients that are currently connected, enter a command such as the following on the barrel processor (BP) console.
ServerIronADX1# show conn pass1 0
Max Count: 2500 Total Count: 55
IP address      Mask               config    hit   denied
0.0.0.0         0.0.0.0            10        0     0
120.20.1.0      255.255.255.192    12        0     0
120.20.1.16     255.255.255.240    15        0     0
120.20.1.21     255.255.255.255    exclude   0     0
120.20.1.23     255.255.255.255    exclude   0     0
120.20.1.24     255.255.255.255    15        20    5
  Current connections: VIP 20.20.1.6: 15
120.20.1.25     255.255.255.255    exclude   0     0
120.20.1.27     255.255.255.255    exclude   20    0
  Current connections: VIP 20.20.1.6: 20
120.20.1.29     255.255.255.255    exclude   0     0
120.20.1.30     255.255.255.255    15        20    5
  Current connections: VIP 20.20.1.6: 15
120.20.1.33     255.255.255.255    exclude   20    0
ServerIronADX1#

Syntax: show connection-limit <policy-name> <starting-entry>
Enter the name of the max connection policy for <policy-name>. Enter the starting entry for <starting-entry>.

Binding the policy to a VIP

After creating a maximum connection policy, bind it to a VIP by entering commands such as the following.

ServerIronADX(config)#server virtual-name-or-ip virt-2
ServerIronADX(config-vs-virt-2)#client-max-conn-limit max-conn1

Syntax: [no] client-max-conn-limit <policy-name>
Enter the name of the max connection policy for <policy-name>.

NOTE
When the policy is bound to a VIP, the policy limits the number of connections that a client can have on any real server on the network.

Firewall load balancing enhancements

This section contains the following sections:

• "Enabling firewall strict forwarding"
• "Enabling firewall VRRPE priority"
• "Enabling track firewall group"
• "Enabling firewall session sync delay"

Enabling firewall strict forwarding

To enable load balancing only when traffic is going to a firewall, use the following command.
ServerIronADX(config)# server fw-strict-fwd
Syntax: server fw-strict-fwd
Use the server fw-strict-fwd command in the global configuration mode.
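Returning to the "Maximum concurrent connection limit per client" section above: the point that matters operationally is that the per-client lookup is a longest-prefix match, so a /32 exclude can sit inside a limited /28 which in turn sits inside a limited /26, with the 0.0.0.0/0 default as the fallback. The following is an added example, not ServerIron code, that models a client-connection-limit policy with a binary prefix trie standing in for the device's DP trie. It assumes that connections are counted per matching entry and per VIP, as the show connection-limit output suggests, and that excluded entries are neither limited nor counted; the subnets are the ones from that output, re-used as constructed sample data.

```python
"""Longest-prefix-match connection-limit policy (added example, not
ServerIron code), modelling the client-connection-limit / max-conn commands
with a binary prefix trie in place of the device's DP trie. Assumed:
connections are counted per matching entry and per VIP; excluded entries
are never limited or counted against.
"""
import ipaddress
from typing import Dict, List, Optional, Union

EXCLUDE = "exclude"
Limit = Union[int, str]          # a connection count, or EXCLUDE


class Entry:
    def __init__(self, network: ipaddress.IPv4Network, limit: Limit):
        self.network, self.limit = network, limit
        self.hit = 0                        # admission decisions made under this entry
        self.denied = 0                     # of which rejected
        self.current: Dict[str, int] = {}   # VIP -> open connections

    def row(self):
        """One line of a show connection-limit style report."""
        return (str(self.network), self.limit, self.hit, self.denied, dict(self.current))


class _Node:
    __slots__ = ("children", "entry")

    def __init__(self):
        self.children: List[Optional["_Node"]] = [None, None]
        self.entry: Optional[Entry] = None


class ClientConnectionLimit:
    """One policy group, e.g. 'client-connection-limit max-conn1'."""

    def __init__(self, name: str):
        self.name = name
        self.root = _Node()

    def max_conn(self, ip: str, mask: str, limit: Limit) -> None:
        """'max-conn <ip> <mask> <n>' or 'max-conn <ip> <mask> exclude'.
        ipaddress rejects a non-contiguous dotted mask with ValueError."""
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        node, addr = self.root, int(net.network_address)
        for i in range(net.prefixlen):           # walk/create one trie level per prefix bit
            bit = (addr >> (31 - i)) & 1
            if node.children[bit] is None:
                node.children[bit] = _Node()
            node = node.children[bit]
        node.entry = Entry(net, limit)

    def max_conn_default(self, limit: int) -> None:
        """'max-conn default <n>': the 0.0.0.0/0 entry, used when nothing longer matches."""
        self.max_conn("0.0.0.0", "0.0.0.0", limit)

    def lookup(self, client_ip: str) -> Optional[Entry]:
        """Longest-prefix match, so entries may have different mask lengths."""
        addr = int(ipaddress.IPv4Address(client_ip))
        node, best = self.root, self.root.entry
        for i in range(32):
            node = node.children[(addr >> (31 - i)) & 1]
            if node is None:
                break
            if node.entry is not None:
                best = node.entry                 # deeper match wins
        return best

    def admit(self, client_ip: str, vip: str) -> bool:
        entry = self.lookup(client_ip)
        if entry is None or entry.limit == EXCLUDE:
            return True                           # unlisted with no default, or excluded
        entry.hit += 1
        cur = entry.current.get(vip, 0)
        if cur >= entry.limit:
            entry.denied += 1
            return False
        entry.current[vip] = cur + 1
        return True

    def release(self, client_ip: str, vip: str) -> None:
        entry = self.lookup(client_ip)
        if entry is not None and entry.limit != EXCLUDE and entry.current.get(vip, 0) > 0:
            entry.current[vip] -= 1


def run_demo() -> dict:
    """Constructed policy using the subnets from the show output above."""
    pol = ClientConnectionLimit("max-conn1")
    pol.max_conn_default(10)
    pol.max_conn("120.20.1.0", "255.255.255.192", 12)
    pol.max_conn("120.20.1.16", "255.255.255.240", 15)
    pol.max_conn("120.20.1.21", "255.255.255.255", EXCLUDE)
    pol.max_conn("100.1.4.0", "255.255.255.0", EXCLUDE)
    lookups = {ip: pol.lookup(ip).limit
               for ip in ("120.20.1.17", "120.20.1.5", "120.20.1.21", "10.0.0.1", "100.1.4.7")}
    admitted = [pol.admit("120.20.1.17", "20.20.1.6") for _ in range(16)]   # entry limit is 15
    excluded_ok = all(pol.admit("120.20.1.21", "20.20.1.6") for _ in range(100))
    return {"lookups": lookups, "admitted": admitted, "excluded_ok": excluded_ok,
            "row": pol.lookup("120.20.1.17").row()}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The lookups in run_demo() show the precedence: 120.20.1.17 resolves to the /28 entry (15) rather than the enclosing /26 (12), 120.20.1.5 only matches the /26, the /32 exclude wins over both for 120.20.1.21, and an address outside every configured subnet falls back to the default.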
Without the server fw-strict-fwd command, when the ServerIron receives traffic that matches a firewall flow session and the traffic was not received from a firewall, the ServerIron assumes that it needs to be load balanced to a firewall. With the command, the ServerIron checks that the traffic is going to a firewall and only then load balances it to a firewall.

Enabling firewall VRRPE priority

To configure the VRRPE state to track the firewall group state, use the following command.

ServerIronADX(config)# server fw-g 2
ServerIronADX(config-tc-2)#fw-vrrpe-priority
ServerIronADX(config-tc-2)#

Syntax: fw-vrrpe-priority <priority>
Use the fw-vrrpe-priority command in the fw-group configuration mode. <priority> is the VRRPE priority associated with the current firewall group state. Valid values are 1 to 255.

NOTE
This command can be used with the track-fw-group command below to force the VRRPE state to track the firewall group state for a specific vrid.

Enabling track firewall group

To enable track-fw-group to track the firewall group state, use the following commands.

ServerIronADX(config)#int ve 1
ServerIronADX(config-vif-1)# ip vrrp-e vrid 1
ServerIronADX(config-vif-1-vrid-1)# track-fw-group

Syntax: track-fw-group <group-id>
Use the track-fw-group command under the VRRPE config level. <group-id> is the firewall group that needs to be tracked for this VRRPE. This command is used along with the fw-vrrpe-priority command to force the VRRPE state to track the FW group state. It works similarly to the track-port command: when the firewall group state is STANDBY, the current VRRPE priority is decremented by the fw-vrrpe-priority specified under that firewall group. It is recommended that you track only the firewall group state and no other port, because tracking the firewall group state automatically tracks the router ports, firewall paths, and more.

Enabling firewall session sync delay

To enable server fw-sess-sync-delay, use the following command.
ServerIronADX(config)#server fw-sess-sync-delay 10
Syntax: server fw-sess-sync-delay <seconds>
Use the server fw-sess-sync-delay command at the global config level. <seconds> is the number of seconds to delay the fast session sync after one of the ServerIrons is reloaded in HA FWLB. Valid values range from 1 to 100. This command can be useful in configurations where many real servers or firewalls are configured.

Syn-cookie threshold trap

To configure the SYN cookie attack rate threshold, use the following command.
ServerIronADX(config)# server syn-cookie-attack-rate-threshold 10000
Syntax: syn-cookie-attack-rate-threshold <number>
The <number> variable is a decimal number ranging from 1 to 10000000. If the current SYN cookie attack rate is larger than the SYN cookie attack rate threshold, the snTrapSynCookieAttackThreshReached trap is generated.

To configure the snTrapSynCookieAttackThreshReached trap interval, use the following command.
ServerIronADX(config)# server max-conn-trap-interval 10
Syntax: server max-conn-trap-interval <seconds>
The <seconds> variable is a decimal number in seconds. The default value is 60 seconds.

Service port attack protection in hardware

A ServerIron can be enabled to deny traffic that is destined to a VIP address but to a port that is not defined under that VIP. Such traffic can be dropped in hardware without impacting the MP or BP CPUs.

NOTE
VIP protection works for IPv4 VIPs only and cannot be enabled for IPv6 VIPs.

You can enable this feature globally by entering the following command.
ServerIronADX(config)# server vip-protection
Syntax: [no] server vip-protection

Once enabled, VIP protection applies to all existing and new VIP configurations. If you want to enable the feature on individual VIPs, enter the following command.
ServerIronADX(config)# server virtual-name-or-ip v1
ServerIronADX(config-vs-v1)# vip-protection

NOTE
A reload is required for VIP protection to take effect when it is enabled on a global level using the server vip-protection command.

Syntax: [no] vip-protection

VIP protection adds CAM entries for each defined virtual port associated with each VIP. An additional CAM entry is defined for ICMP traffic destined to each VIP. An entry to drop the traffic is also added in the CAM for each VIP, which makes sure that traffic destined to any destination port other than the virtual ports is dropped by hardware.

NOTES:
• VIP protection does not support complex protocols such as FTP, TFTP, MMS, RTSP, and SIP, which establish data connections based on information exchanged on the control channel.
• VIP protection cannot be enabled on a VIP that is part of a dynamic NAT address pool.
• VIP protection cannot be used along with features that require binding of the virtual default port to the real server default port.

Traffic segmentation

The traffic segmentation feature allows you to create segmentation among multiple L4-7 SLB domains of a single ServerIron ADX. The purpose of this feature is to ensure that traffic from one SLB domain to another SLB domain goes through the upstream firewall and does not get switched locally. This can be accomplished using either of the following methods:

• VLAN bridging
• Using the server use-session-for-vip-mac command

These features help meet some of the security requirements for PCI compliance.

VLAN bridging

The VLAN bridging feature allows you to bridge two VLANs together so that packets are Layer-2 switched from one VLAN to the other. When two VLANs are bridged together, all packets received on one VLAN are translated to the other VLAN and switched.
When used for creating Layer-2 segmentation among SLB domains, this feature ensures that traffic from one SLB domain destined to another SLB domain goes through the upstream gateway and is not switched locally. This ensures that every packet between a client and server has to go through the ServerIron ADX for load balancing.

Figure 1 is an example of the VLAN bridging feature deployed in a one-armed topology. In this example, when traffic from "Domain1" is bound for "Domain2" it is translated from VLAN 2 to VLAN 12 at the ServerIron ADX. It is then able to reach the "Gateway" on VLAN 12. The return traffic from the "Gateway" leaves on VLAN 13 and is translated to VLAN 3 at the ServerIron ADX. It is then able to reach "Domain2" on VLAN 3.

FIGURE 1 VLAN bridging in a one-armed topology
(Figure: Gateway on VLANs 12, 13, 14; ServerIron ADX on VLANs 2, 3, 4, 12, 13, 14 with VLAN bridging 2-12, 3-13, 4-14; Layer-2 Switch; Domain1 on VLAN 2, Domain2 on VLAN 3, Domain3 on VLAN 4.)

The topology described in Figure 1 can be implemented in the hot-standby configuration as shown in Figure 2.

FIGURE 2 VLAN bridging in a one-armed topology in High Availability configuration (hot-standby)
(Figure: Gateway on VLANs 12, 13, 14; ServerIron ADX (active) and ServerIron ADX (standby), each on VLANs 2, 3, 4, 12, 13, 14 with VLAN bridging 2-12, 3-13, 4-14; Layer-2 Switch on VLANs 2, 3, 4, 12, 13, 14; Domain1 on VLAN 2, Domain2 on VLAN 3, Domain3 on VLAN 4.)

Considerations when configuring VLAN bridging

The following considerations apply when configuring VLAN bridging:

• Up to 64 unique-pair VLAN bridges can be configured.
• A VLAN cannot be part of two different VLAN bridges.
• Two VLANs forming a bridge must have the same set of member ports on the ServerIron ADX where they are joined.
• The Control VLAN (4094) and the system default VLAN cannot be used for VLAN bridging.
• The hot-standby scenario is the only High Availability configuration supported with VLAN bridging. In a hot-standby scenario with a one-armed topology, existing sessions may not continue after a failover if the Layer-2 switch in the middle cannot learn the MAC address of the Gateway through the newly active ServerIron ADX in time.
• VLAN bridging is only supported with switch code. It is not supported with the ServerIron ADX router code.
• VLAN bridging is not supported with the SYN-proxy feature.
• All ports within a VLAN bridge must be tagged members of both the VLAN and its associated bridged VLAN.
• MAC learning is shared between VLANs that are bridged together.

Configuring VLAN bridging

The vlan-bridge command is used to configure VLAN bridging. To configure VLAN 10 and VLAN 12 for VLAN bridging, use the following command.

ServerIron(config)# vlan-bridge 10 12

Syntax: [no] vlan-bridge <vlan-id> <vlan-id>

The two variables specify the pair of VLANs that you want to bridge.

NOTE
Once a bridge is created between two VLANs, the VLAN configuration mode for those VLANs is disabled. You must remove the VLAN bridge if you want to make any changes to a VLAN contained within it.

Example

The following example configures two VLANs, each containing the same ports, and a VLAN bridge between them.

ServerIron(config)# vlan 222 by port
ServerIron(config-vlan-222)# tagged ethernet 1 ethernet 4
ServerIron(config-vlan-222)# exit
ServerIron(config)# vlan 333 by port
ServerIron(config-vlan-333)# tagged ethernet 1 ethernet 4
ServerIron(config-vlan-333)# exit
ServerIron(config)# vlan-bridge 222 333

Displaying VLAN bridge information

You can display information about VLAN bridging using the show vlan and show vlan-bridge commands. Using the show vlan command, a VLAN bridge is displayed as shown in the following.
ServerIron# show vlan
Total PORT-VLAN entries: 3
Maximum PORT-VLAN entries: 64
PORT-VLAN 1, Name DEFAULT-VLAN, Priority level0, Spanning tree Off
 Untagged Ports: 2 3 5 6 7 8 9 10
 Tagged Ports: None
 Uplink Ports: None
 DualMode Ports: None
PORT-VLAN 222, Bridge VLAN 333, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
 Tagged Ports: 1 4
 Uplink Ports: None
 DualMode Ports: None
PORT-VLAN 333, Bridge VLAN 222, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None
 Tagged Ports: 1 4
 Uplink Ports: None
 DualMode Ports: None

Syntax: show vlan [<vlan-id> | ethernet <port>]

Using the <vlan-id> variable limits the display to the single VLAN whose ID is specified. Using the ethernet <port> option limits the display to VLANs configured on the specified port.

The contents of the display are defined in the following table.

TABLE 2 Display from show vlan command
This field...    Displays...
PORT-VLAN        The VLAN ID of the port VLAN configured.
Bridge VLAN      The VLAN ID of the associated bridge VLAN.
Name             The name of the VLAN as configured. If no name is configured, “[None]” is displayed.
Priority level   The QoS priority as configured. If no priority value is configured, the value displayed is “0”.
Spanning tree    The state of the spanning tree protocol on this VLAN: “On” or “Off”.
Untagged Ports   The untagged port members of the VLAN.
Tagged Ports     The tagged port members of the VLAN.
Uplink Ports     The uplink port members of the VLAN.
DualMode Ports   The port members of the VLAN that are in dual mode.

You can use the show vlan-bridge command to show all of the bridged VLANs as follows.

ServerIron# show vlan-bridge
IN-VLAN  Bridge VLAN
222      333
333      222

Syntax: show vlan-bridge

The contents of the display are defined in the following table.

TABLE 3 Display from show vlan-bridge command
This field...    Displays...
IN-VLAN          The VLAN ID of the port VLAN configured.
Bridge VLAN      The VLAN ID of the associated bridge VLAN.

Traffic segmentation using the use-session-for-vip-mac command

By default, as long as there is a session match, packets with a destination IP address of a VIP are processed regardless of whether the destination MAC address belongs to the ServerIron ADX or not. With the server use-session-for-vip-mac command configured, only packets whose destination MAC address belongs to the ServerIron ADX are processed. Packets with a destination IP address of a VIP but a destination MAC address not belonging to the ServerIron ADX are treated as pass-through traffic.

This feature is useful in traffic segmentation scenarios such as the one shown in Figure 3. In that example, packets entering the ServerIron ADX from rs-domain1 bound for vs-domain2 would, by default, be switched at the ServerIron ADX directly to rs-domain2. If the server use-session-for-vip-mac command is configured on the ServerIron ADX, the packets are instead sent up to the firewall, where they are subject to its security policy, before being sent back down to the ServerIron ADX for forwarding to the VIP.

FIGURE 3 Traffic segmentation
[Figure: Firewall with e1 (IP 192.168.32.1, VLAN 20) and e2 (IP 192.168.33.1, VLAN 40) connected over link 1 and link 2 to the ServerIron ADX (e1, e2). Domain 1 behind the ServerIron ADX: vs-domain1 192.168.32.10, rs-domain1 192.168.32.11, GW 192.168.32.1. Domain 2: vs-domain2 192.168.33.10, rs-domain2 192.168.33.11, GW 192.168.33.1.]

This feature is configured as shown in the following.

ServerIron(config)# server use-session-for-vip-mac

Syntax: [no] server use-session-for-vip-mac

DNS attack protection

The ServerIron ADX can be configured to provide DNS attack protection for VIP traffic. This protection is provided by performing a deep packet scan and then classifying DNS requests based on the following: query type, query name, the RD flag, or the DNSSEC “OK” bit in the EDNS0 header.
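The classification described above, as an added example that is not part of the Brocade guide or of the ServerIron firmware: a small Python classifier that pulls the four attributes a DNS DPI rule matches on (query name, query type, RD flag, and the DNSSEC OK bit carried in the EDNS0 OPT record) out of a raw UDP DNS query, then evaluates a rule with the same all-parameters-must-match semantics the ADX rules use. Like the ADX, it classifies only the first question in a packet. The rule dictionary keys, the build_query helper, the policy/action shape and the "forward" default are assumptions of this example, and the sample packets are constructed inline rather than captured.

```python
import struct

# Subset of the IANA RR type registry, enough for the examples here.
QTYPE_CODE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
QTYPE_NAME = {code: name for name, code in QTYPE_CODE.items()}
OPT = 41           # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000    # DNSSEC OK bit: top bit of the OPT RR's 32-bit TTL field
QR_BIT = 0x8000    # header flags: 1 = response
RD_BIT = 0x0100    # header flags: recursion desired


def _parse_name(data, offset):
    """Decode a DNS name at offset; returns (lower-cased name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (offset if end is None else end)


def classify(packet):
    """Extract the four attributes a DNS DPI rule matches on from a raw query.

    Transport is the caller's concern: the ADX only inspects UDP/53, so a TCP
    query never reaches this point. Only the first question is classified;
    any further questions are skipped, as in note 4 of the guide.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", packet[:12])
    if flags & QR_BIT:
        raise ValueError("QR bit set: a response, not a query")
    if qdcount == 0:
        raise ValueError("query carries no question")
    name, off = _parse_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    for _ in range(qdcount - 1):                      # skip remaining questions
        _, off = _parse_name(packet, off)
        off += 4
    dnssec_ok = False
    for _ in range(ancount + nscount + arcount):       # look for the OPT pseudo-RR
        _, off = _parse_name(packet, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            dnssec_ok = bool(ttl & DO_BIT)
    return {
        "query_name": name,
        "query_type": QTYPE_NAME.get(qtype, str(qtype)),
        "rd": bool(flags & RD_BIT),
        "dnssec_ok": dnssec_ok,
    }


def rule_matches(rule, attrs):
    """Inherent AND: every parameter the rule sets must match; unset ones are wildcards."""
    return all(attrs.get(key) == value for key, value in rule.items())


def apply_policy(policy, packet):
    """policy is an ordered list of (rule, action); the first match wins.
    No match means the query is simply load balanced as usual ("forward")."""
    attrs = classify(packet)
    for rule, action in policy:
        if rule_matches(rule, attrs):
            return action
    return "forward"


# The rule from the configuration example in this chapter, expressed as a dict.
RULE1 = {"query_type": "MX", "query_name": "abc.com", "rd": True, "dnssec_ok": False}


def _encode_name(name):
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, rd=True, edns_do=None, txid=0x1234):
    """Construct a sample query (constructed test input, not captured traffic).
    edns_do=None omits EDNS0; True/False adds an OPT RR with DO set/clear."""
    flags = RD_BIT if rd else 0
    arcount = 0 if edns_do is None else 1
    pkt = struct.pack("!6H", txid, flags, 1, 0, 0, arcount)
    pkt += _encode_name(name) + struct.pack("!HH", QTYPE_CODE[qtype], 1)
    if edns_do is not None:
        # OPT RR: root name, type 41, UDP payload size in the class field,
        # extended RCODE/version/DO in the TTL field, empty RDATA.
        pkt += b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_BIT if edns_do else 0, 0)
    return pkt


if __name__ == "__main__":
    policy = [(RULE1, "drop")]
    for pkt in (build_query("abc.com", "MX"),
                build_query("abc.com", "MX", edns_do=True),
                build_query("www.mydomain.com", "A")):
        print(classify(pkt), "->", apply_policy(policy, pkt))
```

The DO bit lives in the OPT record's TTL field, not in the header flags, which is why a classifier has to walk the additional section; a rule that only looked at the 12-byte header would never see it. Because the ADX skips filtering for packets that match an existing L4 session, a real deployment pairs this kind of rule with appropriate session handling rather than relying on per-packet inspection alone.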
Based on this classification, the following actions can be taken, individually or in combination: forward traffic to a specific server group, drop packets, log events, or rate limit DNS traffic from the identified client.

Figure 4 shows a potential configuration of this feature. For this configuration, DNS deep packet inspection with DNS filtering could be configured to perform the following actions.

Block specified types of DNS queries, for example:
• Block queries with the RD flag set.
• Block queries with the DNSSEC “OK” bit set.

Log specified types of DNS queries, for example:
• Log the number of queries to “www.mydomain.com”.

Redirect specified DNS queries to a different set of DNS servers, for example:
• Forward all requests with the DNSSEC “OK” bit set to a separate set of servers.
• Forward all queries for “www.mydomain.com” to a different group of servers.

Impose rate limiting for certain types of DNS queries per client, for example:
• Rate limit queries to “www.mydomain.com” for each client.
• Rate limit the number of MX queries that a client can send.

FIGURE 4 DNS attack protection
[Figure: DNS client A and DNS client B reach the ServerIron ADX across the Internet at VIP 200.200.200.1; the ServerIron ADX distributes the queries to two DNS servers.]

Notes:
1. Only DNS requests using UDP transport (port 53) are supported.
2. If an incoming request matches an existing L4 session (including sticky sessions), DNS filtering does not apply to the request.
3. A query spanning multiple packets is not supported.
4. When multiple queries are in a single DNS packet, only the first RR is processed.
5. There is no csw dns rule to identify DNS root requests.

Configuring DNS attack protection

Configuring DNS attack protection involves the following steps:
1. Create DNS DPI rules. In this step you specify the filtering parameters under a rule. A packet must match all of the filtering parameters defined under a rule to match the rule.
2. Create a DNS DPI policy and bind the rules to it. In this step you bind a rule to a policy and specify the action to be taken if a packet matches the rule.
3. Bind a DNS DPI policy to a virtual port. In the final configuration step, you bind a policy to a virtual port. All packets destined to that virtual port are then subject to the DNS DPI rules and policies defined in steps 1 and 2.

In addition, there are global commands that you can optionally configure to apply to all DNS attack protection configurations.

Defining DNS rules to filter packets

The DNS rules define the parameters that DNS packets are filtered on. Rules can be defined for the following parameters:
• Query name
• Query type
• RD flag
• DNSSEC OK bit

To define a rule, you must first create the rule and then define the DNS filtering parameters under it, as shown.

ServerIron(config)# csw-rule rule1 udp-content dns

Syntax: [no] csw-rule <rule-name> udp-content dns

The <rule-name> variable specifies a name for the rule that must be unique across all CSW functionality. A maximum of 512 DNS DPI rules can be configured.

The filtering rule parameters are defined within the rule as shown. The rule parameters function as an inherent “AND”, which means that all of the parameters must be met for the rule to match.

ServerIron(config)# csw-rule rule1 udp-content dns
ServerIron(config-csw-dns-rule-rule1)# query-type MX
ServerIron(config-csw-dns-rule-rule1)# query-name abc.com
ServerIron(config-csw-dns-rule-rule1)# query-rd-flag on
ServerIron(config-csw-dns-rule-rule1)# query-dnssec-ok off

Syntax: query-type <query-type>

The <query-type> variable specifies the DNS query type to match on.

Syntax: query-name <query-name>

The