Table Of Contents
- Contents
- About This Document
- Network Security
- TCP SYN attacks
- IP TCP syn-proxy
- Granular application of syn-proxy feature
- Syn-def
- No response to non-SYN first packet of a TCP flow
- Prioritizing management traffic
- Peak BP utilization with TRAP
- Transaction Rate Limit (TRL)
- Understanding transaction rate limit
- Configuring transaction rate limit
- Configuring the maximum number of rules
- Saving a TRL configuration
- Transaction rate limit command reference
- Global TRL
- TRL plus security ACL-ID
- security acl-id
- Transaction rate limit hold-down value
- Displaying TRL rules statistics
- Displaying TRL rules in a policy
- Displaying IP address with held down traffic
- Refusing new connections from a specified IP address
- HTTP TRL
- Overview of HTTP TRL
- Configuring HTTP TRL
- Displaying HTTP TRL
- Display all HTTP TRL policies
- Display HTTP TRL policy from index
- Display HTTP TRL policy client
- Display HTTP TRL policy starting from index
- Display HTTP TRL policy matching a regular expression
- Display HTTP TRL policy client index (MP)
- Display HTTP TRL policy client index (BP)
- Display HTTP TRL policy for all client entries (BP)
- Downloading an HTTP TRL policy through TFTP
- HTTP TRL policy commands
- Logging for DoS Attacks
- Maximum connections
- clear statistics dos-attack
- Maximum concurrent connection limit per client
- Firewall load balancing enhancements
- Syn-cookie threshold trap
- Service port attack protection in hardware
- Traffic segmentation
- DNS attack protection
- Access Control List
- How ServerIron processes ACLs
- Default ACL action
- Types of IP ACLs
- ACL IDs and entries
- ACL entries and the Layer 4 CAM
- Configuring numbered and named ACLs
- Modifying ACLs
- Displaying a list of ACL entries
- Applying ACLs to interfaces
- ACL logging
- Dropping all fragments that exactly match a flow-based ACL
- Enabling ACL filtering of fragmented packets
- Enabling hardware filtering for packets denied by flow-based ACLs
- Enabling strict TCP or UDP mode for flow-based ACLs
- ACLs and ICMP
- Using ACLs and NAT on the same interface (flow-based ACLs)
- Displaying ACL bindings
- Troubleshooting rule-based ACLs
- IPv6 Access Control Lists
- Network Address Translation
- Syn-Proxy and DoS Protection
- Understanding Syn-Proxy
- Configuring Syn-Proxy
- DDoS protection
- Configuring a security filter
- Configuring a Generic Rule
- Configuring a rule for common attack types
- Configuring a rule for ip-option attack types
- Configuring a rule for icmp-type options
- Configuring a rule for IPv6 ICMP types
- Configuring a rule for IPv6 ext header types
- Binding the filter to an interface
- Clearing DOS attack statistics
- Clearing all DDOS Filter & Attack Counters
- Logging for DoS attacks
- Displaying security filter statistics
- Address-sweep and port-scan logging
- Secure Socket Layer (SSL) Acceleration
- SSL overview
- SSL acceleration on the ServerIron ADX
- Configuring SSL on a ServerIron ADX
- Basic SSL profile configuration
- Advanced SSL profile configuration
- Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
- Configuration Examples for SSL Termination and Proxy Modes
- SSL debug and troubleshooting commands
- Displaying socket information

ServerIron ADX Security Guide 135
53-1002440-03
Chapter 6
Secure Socket Layer (SSL) Acceleration
ServerIron ADX supports integrated hardware-based SSL acceleration. This chapter describes how to configure a ServerIron ADX for SSL acceleration in SSL Termination or SSL Proxy mode. SSL support on the ServerIron ADX includes support for SSLv2, SSLv3, and TLS1.0.
SSL overview
The Secure Sockets Layer (SSL) protocol was developed by Netscape to provide security and privacy between client and server over the Internet. SSL supports server and client certificate verification, so that protocols such as HTTP, FTP, and Telnet can be run on top of the verified connection. SSL negotiates encryption keys and authenticates the server before data is exchanged by higher-level applications.
The SSL "handshake" is a key concept in this protocol. The handshake consists of two phases: server authentication, and an optional client certificate verification. In server authentication, the server sends its certificate and cipher preferences to a client that has made a request. The client then generates a master key, encrypts it with the public key of the server, and returns the encrypted master key to the server.
The server recovers the master key and authenticates itself to the client by returning a message encrypted with the master key. Subsequent data is encrypted and authenticated with keys derived from this master key. In the client certificate verification phase (which is optional), the server sends a challenge to the client, who authenticates itself to the server by returning a digital signature together with its public-key certificate.
A variety of cryptographic algorithms are supported by SSL. During the "handshaking" process, the DSA public-key cryptosystem is used. After the exchange of keys, a number of ciphers are used, including RC4 and triple-DES for data encryption, and the SHA-1 and MD5 digest algorithms for message authentication.
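The server-authentication phase described above (server sends its public key material, client returns a master key encrypted to that public key, server proves it recovered the master key, both sides then protect application data with derived encryption and MAC keys) can be traced end to end in the following model. This is an added example written for this page, not ServerIron ADX code. It uses only the Python standard library, so every primitive is a deliberately small stand-in chosen for the example: textbook RSA on two fixed, trivially factorable Mersenne primes as the public-key encryption step (an encryption-capable scheme is needed to wrap the master key, so RSA is used here regardless of which public-key system a real deployment negotiates), an HMAC-SHA256 key schedule in place of the SSL key derivation, and an HMAC-derived keystream plus HMAC tag in place of RC4 or triple-DES with SHA-1/MD5. None of it is fit for real traffic; the point is the message flow and what the client checks before it sends data.

```python
"""Toy model of the SSL server-authentication handshake and a protected record.

Added example for the SSL overview; not ServerIron ADX code. All primitives
are constructed stand-ins (see the comments) and are insecure by design.
"""
import hashlib
import hmac
import secrets

# Server long-term key pair (constructed). Mersenne primes are public and
# trivially factorable; they are used only so the script has no dependencies.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # gcd(E, phi) == 1 for these primes


def rsa_encrypt(m: bytes, n: int = N, e: int = E) -> int:
    """Textbook RSA: client encrypts the master key to the server's public key."""
    return pow(int.from_bytes(m, "big"), e, n)


def rsa_decrypt(c: int, d: int = D, n: int = N, length: int = 16) -> bytes:
    """Server recovers the master key with its private exponent."""
    return pow(c, d, n).to_bytes(length, "big")


def derive_keys(master_key: bytes, client_nonce: bytes, server_nonce: bytes) -> dict:
    """Expand the master key into per-direction encryption and MAC keys (HMAC-based stand-in)."""
    seed = client_nonce + server_nonce
    return {
        label: hmac.new(master_key, label.encode() + seed, hashlib.sha256).digest()
        for label in ("client_enc", "client_mac", "server_enc", "server_mac")
    }


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) blocks XORed into data."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest())
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def protect(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one record; the sequence number binds the record to its position."""
    nonce = seq.to_bytes(8, "big")
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(enc_key: bytes, mac_key: bytes, record: bytes) -> bytes:
    """Verify the MAC in constant time before decrypting; reject on any mismatch."""
    nonce, ct, tag = record[:8], record[8:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record authentication failed")
    return keystream_xor(enc_key, nonce, ct)


def run_handshake(tamper_server_finished: bool = False) -> dict:
    """Server-authentication phase, then one application record; returns what each side concluded."""
    client_nonce = secrets.token_bytes(16)            # 1. client hello (cipher list omitted)
    server_nonce = secrets.token_bytes(16)            # 2. server hello + public key
    server_public = (N, E)                            #    (stands in for the certificate)
    master_key = secrets.token_bytes(16)              # 3. client picks the master key ...
    encrypted_master = rsa_encrypt(master_key, *server_public)  # ... and wraps it
    client_keys = derive_keys(master_key, client_nonce, server_nonce)
    server_master = rsa_decrypt(encrypted_master)     # 4. server recovers it
    server_keys = derive_keys(server_master, client_nonce, server_nonce)
    # 5. Server proves possession of the private key by returning the handshake
    #    transcript protected under keys derived from the master key.
    transcript = hashlib.sha256(
        client_nonce + server_nonce + encrypted_master.to_bytes(32, "big")
    ).digest()
    finished = protect(server_keys["server_enc"], server_keys["server_mac"], 0, transcript)
    if tamper_server_finished:                        # model an on-path modification
        finished = finished[:-1] + bytes([finished[-1] ^ 1])
    try:
        server_authenticated = (
            unprotect(client_keys["server_enc"], client_keys["server_mac"], finished) == transcript
        )
    except ValueError:
        server_authenticated = False
    # 6. Only an authenticated server receives application data.
    request = None
    if server_authenticated:
        record = protect(client_keys["client_enc"], client_keys["client_mac"], 1, b"GET / HTTP/1.0\r\n\r\n")
        request = unprotect(server_keys["client_enc"], server_keys["client_mac"], record)
    return {
        "keys_match": client_keys == server_keys,
        "server_authenticated": server_authenticated,
        "request": request,
    }


if __name__ == "__main__":
    print(run_handshake())
    print(run_handshake(tamper_server_finished=True))
```

Run it once to see the client accept the server and deliver the request, and once with tamper_server_finished=True to see the client refuse: a single flipped byte in the server's proof message fails the MAC check, the server is not authenticated, and no application data is sent. That refusal before data flows is the property the overview's "authenticates the server before data is exchanged" sentence describes.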
Public Key Infrastructure (PKI)
In cryptography, a public key infrastructure (PKI) is an arrangement that provides for trusted third party vetting of, and vouching for, user identities. It also allows binding of public keys to users. This is usually carried out by software at a central location, together with other coordinated software at distributed locations. The public keys are typically in certificates.
The term PKI may mean both the certificate authority and related arrangements as well as, more broadly (which can sometimes be confusing), the use of public key algorithms in electronic communications. The latter meaning is erroneous, since PKI methods are not required to use public key algorithms.