Home Theater Server User Manual
Table Of Contents
- Contents
- About This Document
- Network Security
- TCP SYN attacks
- IP TCP syn-proxy
- Granular application of syn-proxy feature
- Syn-def
- No response to non-SYN first packet of a TCP flow
- Prioritizing management traffic
- Peak BP utilization with TRAP
- Transaction Rate Limit (TRL)
- Understanding transaction rate limit
- Configuring transaction rate limit
- Configuring the maximum number of rules
- Saving a TRL configuration
- Transaction rate limit command reference
- Global TRL
- TRL plus security ACL-ID
- security acl-id
- Transaction rate limit hold-down value
- Displaying TRL rules statistics
- Displaying TRL rules in a policy
- Displaying IP address with held down traffic
- Refusing new connections from a specified IP address
- HTTP TRL
- Overview of HTTP TRL
- Configuring HTTP TRL
- Displaying HTTP TRL
- Display all HTTP TRL policies
- Display HTTP TRL policy from index
- Display HTTP TRL policy client
- Display HTTP TRL policy starting from index
- Display HTTP TRL policy matching a regular expression
- Display HTTP TRL policy client index (MP)
- Display HTTP TRL policy client index (BP)
- Display HTTP TRL policy for all client entries (BP)
- Downloading an HTTP TRL policy through TFTP
- HTTP TRL policy commands
- Logging for DoS Attacks
- Maximum connections
- clear statistics dos-attack
- Maximum concurrent connection limit per client
- Firewall load balancing enhancements
- Syn-cookie threshhold trap
- Service port attack protection in hardware
- Traffic segmentation
- DNS attack protection
- Access Control List
- How ServerIron processes ACLs
- Default ACL action
- Types of IP ACLs
- ACL IDs and entries
- ACL entries and the Layer 4 CAM
- Configuring numbered and named ACLs
- Modifying ACLs
- Displaying a list of ACL entries
- Applying an ACLs to interfaces
- ACL logging
- Dropping all fragments that exactly match a flow-based ACL
- Enabling ACL filtering of fragmented packets
- Enabling hardware filtering for packets denied by flow-based ACLs
- Enabling strict TCP or UDP mode for flow-based ACLs
- ACLs and ICMP
- Using ACLs and NAT on the same interface (flow-based ACLs)
- Displaying ACL bindings
- Troubleshooting rule-based ACLs
- IPv6 Access Control Lists
- Network Address Translation
- Syn-Proxy and DoS Protection
- Understanding Syn-Proxy
- Configuring Syn-Proxy
- DDoS protection
- Configuring a security filter
- Configuring a Generic Rule
- Configuring a rule for common attack types
- Configuring a rule for ip-option attack types
- Configuring a rule for icmp-type options
- Configuring a rule for IPv6 ICMP types
- Configuring a rule for IPv6 ext header types
- Binding the filter to an interface
- Clearing DOS attack statistics
- Clearing all DDOS Filter & Attack Counters
- Logging for DoS attacks
- Displaying security filter statistics
- Address-sweep and port-scan logging
- Secure Socket Layer (SSL) Acceleration
- SSL overview
- SSL acceleration on the ServerIron ADX
- Configuring SSL on a ServerIron ADX
- Basic SSL profile configuration
- Advanced SSL profile configuration
- Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
- Configuration Examples for SSL Termination and Proxy Modes
- SSL debug and troubleshooting commands
- Displaying socket information
146 ServerIron ADX Security Guide
53-1002440-03
Configuring SSL on a ServerIron ADX
6
12. You can now begin copying the certificates and the key pair files to the ServerIronADX (in the
following order):
scp ./server-key.pem admin@192.168.1.1:sslkeypair:server-key:foundry:pem
scp ./server-cert.cer admin@192.168.1.1:sslcert:certchain1:pem
Unix (Apache)
The following procedure describes the procedure for determining the location of the private key and
certificate files and copying them to a ServerIronADX.
1. On the Apache server, look in the httpd.config file for the following directives; they point to the
location of the key and certificate files:
SSLCertificateFile .../path/to/mycertfile.crt
SSLCertificateKeyFile .../path/to/mykeyfile.key
NOTE
The default location of the httpd.config file is: /etc/httpd/conf/httpd.conf
2. When you have located the key and certificate files, copy them from the Linux server to the
ServerIronADX:
scp ./server-key.key admin@192.168.1.1:sslkeypair:server-key:foundry:pem
scp ./server-cert.crt admin@192.168.1.1:sslcert:certchain1:pem
scp ./root-cert.crt admin@192.168.1.1:sslcert:certchain1:pem
Make sure you upload in the same order as the CA hierarchy – only then can the chain be
established properly on the ServerIron.
NOTE
You must upload all of the chain certificates into the same file on the ServerIronADX.
Bag Attributes: <Empty Attributes>
subject=/DC=org/DC=test/O=root/OU=Security/CN=root
issuer=/DC=org/DC=test/O=root/OU=Security/CN=root
-----BEGIN CERTIFICATE-----
MIIC1TCCAj6gAwIBAgIQJhB5wR9FdbXPEWcLp/1MAjANBgkqhkiG9w0BAQUFADBm
MRMwEQYKCZImiZPyLGQBGRYDb3JnMRgwFgYKCZImiZPyLGQBGRYIam9uZGF2aXMx
EDAOBgNVBAoTB1Rla2VsZWMxETAPBgNVBAsTCFNlY3VyaXR5MRAwDgYDVQQDEwdU
ZWtlbGVjMB4XDTA1MDQxOTAxMTk1OFoXDTA3MDgwNzE3NDM1OFowZjETMBEGCgmS
JomT8ixkARkWA29yZzEYMBYGCgmSJomT8ixkARkWCGpvbmRhdmlzMRAwDgYDVQQK
EwdUZWtlbGVjMREwDwYDVQQLEwhTZWN1cml0eTEQMA4GA1UEAxMHVGVrZWxlYzCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAq36AVcI33Pp9tPjuN2Dx81BIiUTx
ZENHS/0ZL4RREj+BfZG3/J94cE0i5F6l0X9W6jJpUM8sqUVqpounwB6ZeoXHJsQJ
Hvzp1YR77ABS1gR//b9N3TiIXGyb8oaoXdT4xahzfwMTTjOGAGl3xYHC/QdXi3x6
ff+X02AddhIvhaMCAwEAAaOBgzCBgDAMBgNVHRMEBTADAQH/MCAGA1UdJQEB/wQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCAQYwHwYDVR0jBBgw
FoAUVu5XQurF4Y0JQy/kr4y4eHzhucEwHQYDVR0OBBYEFFbuV0LqxeGNCUMv5K+M
uHh84bnBMA0GCSqGSIb3DQEBBQUAA4GBAFCldN7DHtztK2hdiUp1KO1LtO9Ics9g
mjVH869i6qxVOj+YzGfBlz7PvNdW+Nv0TCrrXTLXgZpd1aAW/lTajBfLgFs21Xkf
xSquYFYEcZjz4Uu3gMuuAiS963Xissy+MIyNJpkRP1NpYY75lXAf05sLopzcmdVc
C2es4LOJQbhZ
-----END CERTIFICATE-----