ServerIron ADX Security Guide 137
53-1002440-03
Chapter 6: SSL acceleration on the ServerIron ADX
Public key
A public key is the other half of a key pair and is held in a digital certificate. Public keys are
usually published in a directory. Any public key can encrypt information; however, data encrypted
with a specific public key can only be decrypted by the corresponding private key.
NOTE
We recommend that you always back up your SSL certificate keys. These keys may be lost in the
event of module failure.
SSL acceleration on the ServerIron ADX
The ServerIron ADX SSL module provides hardware-accelerated encryption and decryption services
to clients. The ServerIron ADX sits between clients and servers, and all client traffic is terminated on
the switch. Once traffic is decrypted, the ServerIron ADX analyzes the data and selects a server to
which the connection traffic can be forwarded. The ServerIron ADX then opens a new connection to
that server and passes all data to it. On the return path, the ServerIron ADX receives all data from
the server, encrypts it, and forwards it to the client. For every incoming connection from a client, the
ServerIron ADX maintains a separate, additional connection to the server; the two connections are
completely independent. The ServerIron ADX essentially acts as a proxy.
SSL acceleration on the ServerIron ADX can be configured to operate in either of the following two
modes:
• SSL Termination Mode – In SSL Termination mode, an SSL connection is maintained between
a client and a ServerIron ADX. The connection between the ServerIron ADX and the server is
not encrypted.
• SSL Full Proxy Mode – In SSL Full Proxy mode, one SSL connection is maintained between a
client and a ServerIron ADX and a separate SSL connection is maintained between a
ServerIron ADX and a server. This connection allows for traffic encryption to be maintained all
the way from the client to the server and back.
For details on how to configure a ServerIron ADX for SSL Termination and Proxy modes, see
"Configuring Real and Virtual Servers for SSL Termination and Proxy Mode" on page 172, and for
examples of how to create the configurations shown in this section, see "Configuration Examples
for SSL Termination and Proxy Modes" on page 176.
SSL Termination Mode
In this mode, the ServerIron ADX terminates the SSL connections, decrypts the data, and sends
clear text to the server. The ServerIron ADX offloads the encryption and decryption work from the
server CPU and performs it in hardware, so the server no longer carries that burden. The
ServerIron ADX maintains an encrypted data channel with the client and a clear-text data channel
with the server.
Figure 9 shows a topology that terminates SSL on the ServerIron ADX.
FIGURE 9 ServerIron ADX SSL Termination