Home Theater Server User Manual
Table Of Contents
- Contents
- About This Document
- Network Security
- TCP SYN attacks
- IP TCP syn-proxy
- Granular application of syn-proxy feature
- Syn-def
- No response to non-SYN first packet of a TCP flow
- Prioritizing management traffic
- Peak BP utilization with TRAP
- Transaction Rate Limit (TRL)
- Understanding transaction rate limit
- Configuring transaction rate limit
- Configuring the maximum number of rules
- Saving a TRL configuration
- Transaction rate limit command reference
- Global TRL
- TRL plus security ACL-ID
- security acl-id
- Transaction rate limit hold-down value
- Displaying TRL rules statistics
- Displaying TRL rules in a policy
- Displaying IP address with held down traffic
- Refusing new connections from a specified IP address
- HTTP TRL
- Overview of HTTP TRL
- Configuring HTTP TRL
- Displaying HTTP TRL
- Display all HTTP TRL policies
- Display HTTP TRL policy from index
- Display HTTP TRL policy client
- Display HTTP TRL policy starting from index
- Display HTTP TRL policy matching a regular expression
- Display HTTP TRL policy client index (MP)
- Display HTTP TRL policy client index (BP)
- Display HTTP TRL policy for all client entries (BP)
- Downloading an HTTP TRL policy through TFTP
- HTTP TRL policy commands
- Logging for DoS Attacks
- Maximum connections
- clear statistics dos-attack
- Maximum concurrent connection limit per client
- Firewall load balancing enhancements
- Syn-cookie threshold trap
- Service port attack protection in hardware
- Traffic segmentation
- DNS attack protection
- Access Control List
- How ServerIron processes ACLs
- Default ACL action
- Types of IP ACLs
- ACL IDs and entries
- ACL entries and the Layer 4 CAM
- Configuring numbered and named ACLs
- Modifying ACLs
- Displaying a list of ACL entries
- Applying ACLs to interfaces
- ACL logging
- Dropping all fragments that exactly match a flow-based ACL
- Enabling ACL filtering of fragmented packets
- Enabling hardware filtering for packets denied by flow-based ACLs
- Enabling strict TCP or UDP mode for flow-based ACLs
- ACLs and ICMP
- Using ACLs and NAT on the same interface (flow-based ACLs)
- Displaying ACL bindings
- Troubleshooting rule-based ACLs
- IPv6 Access Control Lists
- Network Address Translation
- Syn-Proxy and DoS Protection
- Understanding Syn-Proxy
- Configuring Syn-Proxy
- DDoS protection
- Configuring a security filter
- Configuring a Generic Rule
- Configuring a rule for common attack types
- Configuring a rule for ip-option attack types
- Configuring a rule for icmp-type options
- Configuring a rule for IPv6 ICMP types
- Configuring a rule for IPv6 ext header types
- Binding the filter to an interface
- Clearing DOS attack statistics
- Clearing all DDOS Filter & Attack Counters
- Logging for DoS attacks
- Displaying security filter statistics
- Address-sweep and port-scan logging
- Secure Socket Layer (SSL) Acceleration
- SSL overview
- SSL acceleration on the ServerIron ADX
- Configuring SSL on a ServerIron ADX
- Basic SSL profile configuration
- Advanced SSL profile configuration
- Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
- Configuration Examples for SSL Termination and Proxy Modes
- SSL debug and troubleshooting commands
- Displaying socket information

ServerIron ADX Security Guide, 53-1002440-03, page 117
Chapter 5: Configuring Syn-Proxy
Limiting syn-proxy feature to defined VIPs
With this feature enabled, SYN packets are dropped if the destination virtual server IP and port are
not defined under a VIP configuration. This feature is enabled with the following command.
ServerIronADX(config)# server syn-cookie-check-vport
Syntax: [no] server syn-cookie-check-vport
Setting the source MAC address
With this feature enabled, the SYN-ACK reply packets have their source MAC address set to the
MAC address of the ServerIron ADX. This helps avoid flooding when a SYN arrives for an unknown
unicast or broadcast address. This feature is enabled with the following command.
ServerIronADX(config)# server syn-cookie-set-sa
Syntax: [no] server syn-cookie-set-sa
Limiting the syn-proxy feature to VIP traffic only
This feature directs the ServerIron ADX to apply the Syn-Proxy feature to VIP traffic only (not to
pass-through traffic). This feature is enabled with the following command.
ServerIronADX(config)# server security-on-vip-only
Syntax: [no] server security-on-vip-only
Dropping ACK packets with no data
This feature applies where Syn-Proxy is enabled. Configuring this feature causes ACK packets with
no data to be dropped after the ServerIron ADX responds with a SYN-ACK to the client SYN. An ACK
packet with data is forwarded to the BP and processed by the BP.
This feature is enabled with the following command.
ServerIronADX(config)# server virtual-name-or-ip www.alterego.com 207.95.55.1
ServerIronADX(config-vs-www.alterego.com)# port http drop-ack-with-no-data
Syntax: [no] port <tcp/udp-port> drop-ack-with-no-data
This feature is helpful in the event of a real SYN attack in which a valid ACK packet is sent but no
data packets follow it.
Setting a minimum MSS value for SYN-ACK packets
The default condition of the ServerIron ADX is to generate SYN-ACK packets with a Maximum
Segment Size (MSS) that is equal or nearly equal to the client’s MSS value. This process disregards
the MSS value of the server. This can result in dropped packets or other unexpected behavior in
situations where the MSS value of the server is smaller than the MSS value of the client.
This feature allows you to set the MSS value for SYN-ACK packets generated by the ServerIron ADX
regardless of the client’s MSS value. A minimum MSS value can be enabled in any of the following
configurations:
• Global level – configures the TCP MSS value at the global level
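The following Python model is an added illustration, not Brocade code and not part of the original guide: it models the two syn-proxy decisions described above (the SYN-ACK MSS choice, and drop-ack-with-no-data) so the server/client MSS mismatch and the bare-ACK handling can be traced. The class, method and MSS values (1460 client, 1380 server) are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the ServerIron ADX syn-proxy behaviours described in this
# section; the class and its field names are assumptions for the illustration.
@dataclass
class SynProxy:
    server_mss: int                        # MSS the real server would advertise
    syn_ack_mss: Optional[int] = None      # configured SYN-ACK MSS; None = default
    drop_ack_with_no_data: bool = False    # "port <port> drop-ack-with-no-data"
    half_open: set = field(default_factory=set)   # clients answered with SYN-ACK

    def on_syn(self, client: str, client_mss: int) -> int:
        """Answer the client SYN on the server's behalf; return the MSS advertised."""
        # Default behaviour: the SYN-ACK carries (roughly) the client's MSS and the
        # server's MSS is disregarded. With a configured value, advertise that
        # value regardless of what the client offered.
        mss = client_mss if self.syn_ack_mss is None else self.syn_ack_mss
        self.half_open.add(client)
        return mss

    def on_ack(self, client: str, payload_len: int) -> str:
        """Decide the fate of the ACK that completes the proxied handshake."""
        if client not in self.half_open:
            return "drop"            # no SYN-ACK was ever sent to this client
        if payload_len == 0 and self.drop_ack_with_no_data:
            return "drop"            # bare ACK: nothing is handed to the BP
        # An ACK carrying data (or any ACK when the feature is off) goes to the BP.
        self.half_open.discard(client)
        return "forward-to-bp"

def segment_mismatch(advertised_mss: int, server_mss: int) -> bool:
    """True when the client may send segments larger than the server's MSS."""
    return advertised_mss > server_mss

if __name__ == "__main__":
    # Default: client MSS 1460 is echoed although the server only accepts 1380.
    default = SynProxy(server_mss=1380)
    print(segment_mismatch(default.on_syn("client-a", 1460), 1380))   # True
    # With a configured SYN-ACK MSS of 1380 the mismatch disappears.
    tuned = SynProxy(server_mss=1380, syn_ack_mss=1380, drop_ack_with_no_data=True)
    print(segment_mismatch(tuned.on_syn("client-a", 1460), 1380))     # False
    print(tuned.on_ack("client-a", 0), tuned.on_ack("client-a", 512))  # drop forward-to-bp
```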