Home Theater Server User Manual
Table Of Contents
- Contents
- About This Document
- Network Security
- TCP SYN attacks
- IP TCP syn-proxy
- Granular application of syn-proxy feature
- Syn-def
- No response to non-SYN first packet of a TCP flow
- Prioritizing management traffic
- Peak BP utilization with TRAP
- Transaction Rate Limit (TRL)
- Understanding transaction rate limit
- Configuring transaction rate limit
- Configuring the maximum number of rules
- Saving a TRL configuration
- Transaction rate limit command reference
- Global TRL
- TRL plus security ACL-ID
- security acl-id
- Transaction rate limit hold-down value
- Displaying TRL rules statistics
- Displaying TRL rules in a policy
- Displaying IP address with held down traffic
- Refusing new connections from a specified IP address
- HTTP TRL
- Overview of HTTP TRL
- Configuring HTTP TRL
- Displaying HTTP TRL
- Display all HTTP TRL policies
- Display HTTP TRL policy from index
- Display HTTP TRL policy client
- Display HTTP TRL policy starting from index
- Display HTTP TRL policy matching a regular expression
- Display HTTP TRL policy client index (MP)
- Display HTTP TRL policy client index (BP)
- Display HTTP TRL policy for all client entries (BP)
- Downloading an HTTP TRL policy through TFTP
- HTTP TRL policy commands
- Logging for DoS Attacks
- Maximum connections
- clear statistics dos-attack
- Maximum concurrent connection limit per client
- Firewall load balancing enhancements
- Syn-cookie threshhold trap
- Service port attack protection in hardware
- Traffic segmentation
- DNS attack protection
- Access Control List
- How ServerIron processes ACLs
- Default ACL action
- Types of IP ACLs
- ACL IDs and entries
- ACL entries and the Layer 4 CAM
- Configuring numbered and named ACLs
- Modifying ACLs
- Displaying a list of ACL entries
- Applying an ACLs to interfaces
- ACL logging
- Dropping all fragments that exactly match a flow-based ACL
- Enabling ACL filtering of fragmented packets
- Enabling hardware filtering for packets denied by flow-based ACLs
- Enabling strict TCP or UDP mode for flow-based ACLs
- ACLs and ICMP
- Using ACLs and NAT on the same interface (flow-based ACLs)
- Displaying ACL bindings
- Troubleshooting rule-based ACLs
- IPv6 Access Control Lists
- Network Address Translation
- Syn-Proxy and DoS Protection
- Understanding Syn-Proxy
- Configuring Syn-Proxy
- DDoS protection
- Configuring a security filter
- Configuring a Generic Rule
- Configuring a rule for common attack types
- Configuring a rule for ip-option attack types
- Configuring a rule for icmp-type options
- Configuring a rule for IPv6 ICMP types
- Configuring a rule for IPv6 ext header types
- Binding the filter to an interface
- Clearing DOS attack statistics
- Clearing all DDOS Filter & Attack Counters
- Logging for DoS attacks
- Displaying security filter statistics
- Address-sweep and port-scan logging
- Secure Socket Layer (SSL) Acceleration
- SSL overview
- SSL acceleration on the ServerIron ADX
- Configuring SSL on a ServerIron ADX
- Basic SSL profile configuration
- Advanced SSL profile configuration
- Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
- Configuration Examples for SSL Termination and Proxy Modes
- SSL debug and troubleshooting commands
- Displaying socket information

ServerIron ADX Security Guide, 53-1002440-03, page 168 (Chapter 6: Advanced SSL profile configuration)
• A certificate issued by a CA that is trusted by the server
• A key-pair for the certificate
The certificate and the key can be obtained from the CA in either PKCS or PEM format. For
client-authentication to work, these items must be uploaded to the ServerIronADX and then added
to the server profile.
For example, if you use si_client_cert.pem as the certificate and si_client_key.pem as the key for
the client certificate, you can add them to the profile using the following commands:
ServerIronADX(config)# ssl profile serverProfile
ServerIronADX(config-ssl-profile-serverProfile)# keypair-file si_client_key.pem
ServerIronADX(config-ssl-profile-serverProfile)# certificate-file si_client_cert.pem
Configuring a CA certificate file
If you have enabled client certificate verification, you must configure a CA certificate under the SSL
profile. CA certificates are used by the ServerIronADX to verify the validity of certificates presented
by incoming clients.
CA certificates are typically imported using SCP, in PEM format, and are stored in flash memory just
like regular certificate files.
Up to four CA certificate files can be specified under each SSL profile. Each CA certificate file can
contain multiple CA certificates (although, to keep configurations simple, we recommend that
different CA certificates be stored in different files).
You can include up to 32 DN names for all root or intermediate CA certificates. This allows clients to
select appropriate CA and intermediate CA certificates for communication with a ServerIronADX.
Unlike regular certificates, there is no need to load the corresponding key pair into the profile
before configuring a CA certificate: the CA certificate belongs to the Certificate Signing
Authority, whose key pair is private and is not publicly available. The following example
specifies the CA certificate file named "certfile1" for SSL profile "profile1".
ServerIronADX(config)# ssl profile profile1
ServerIronADX(config-ssl-profile-profile1)# ca-cert-file certfile1
Syntax: ca-cert-file <ca-certificate-filename>
The <ca-certificate-filename> variable specifies the name of the certificate file where a CA
certificate is stored.
NOTE
You can optionally disable certificate verification as described in “Disabling certificate verification”
on page 171.
Creating a certificate revocation list
Certificate revocation lists contain the list of certificates that have been revoked by a CA. A
certificate can be revoked by a CA for many reasons. A common reason is that the key pair that
corresponds to the issued certificate has been compromised.
Certificate revocation lists are typically maintained on the CA Web site and may be downloaded
using HTTP. The format of the list is usually DER or PEM.
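The following added example is not from the ServerIron ADX guide and does not use the ADX itself; it reproduces with the openssl command line the two checks described in "Configuring a CA certificate file" and "Creating a certificate revocation list": a client certificate is accepted only if it chains to a CA in the configured CA certificate file (here one file holding two CA certificates, as the guide allows), and, once a CRL is consulted, a revoked certificate is rejected even though its chain is still valid. All CA names, client names, file names (certfile1.pem, demo.cnf) and helper functions (make_ca, issue_client, verify_client, revoke_client, verify_client_crl, report) are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the ServerIron ADX guide: reproduce with openssl the checks the
# ADX applies once a CA certificate file and a CRL are configured. Every file name and
# subject below is constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file for "openssl req" (self-signed CA extensions) and "openssl ca"
# (the revocation database needed to build a CRL).
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/trusted-ca-a.pem
private_key = $dir/trusted-ca-a.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
EOF
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# make_ca NAME: self-signed CA certificate and key (hypothetical helper).
make_ca() {
  openssl req -config demo.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 30 -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue_client NAME CA: client certificate for NAME signed by CA (hypothetical helper).
issue_client() {
  openssl req -config demo.cnf -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -sha256 -days 30 -out "$1.pem" 2>/dev/null
}

make_ca trusted-ca-a
make_ca trusted-ca-b
make_ca untrusted-ca
issue_client client-a1 trusted-ca-a
issue_client client-a2 trusted-ca-a
issue_client client-b1 trusted-ca-b
issue_client rogue-client untrusted-ca

# certfile1.pem plays the role of the ADX ca-cert-file: one file, two CA certificates.
cat trusted-ca-a.pem trusted-ca-b.pem > certfile1.pem

# verify_client NAME: 0 when the client certificate chains to a CA in certfile1.pem.
verify_client() {
  openssl verify -CAfile certfile1.pem "$1.pem" >/dev/null 2>&1
}

# gen_crl: publish the current CRL of trusted-ca-a from the revocation database.
gen_crl() {
  openssl ca -config demo.cnf -gencrl -out trusted-ca-a.crl 2>/dev/null
}

# revoke_client NAME: record the certificate as revoked and reissue the CRL.
revoke_client() {
  openssl ca -config demo.cnf -revoke "$1.pem" 2>/dev/null
  gen_crl
}

# verify_client_crl NAME: 0 only when the chain is trusted and NAME is not on the CRL.
verify_client_crl() {
  openssl verify -crl_check -CAfile certfile1.pem -CRLfile trusted-ca-a.crl \
    "$1.pem" >/dev/null 2>&1
}

# report LABEL CMD...: print one check's outcome without aborting on failure.
report() {
  label=$1; shift
  if "$@"; then echo "accept  $label"; else echo "reject  $label"; fi
}

gen_crl
report "client-a1 (CA a, in bundle)"        verify_client client-a1
report "client-b1 (CA b, in bundle)"        verify_client client-b1
report "rogue-client (CA not in bundle)"    verify_client rogue-client
report "client-a1 before revocation (CRL)"  verify_client_crl client-a1
revoke_client client-a1
report "client-a1 after revocation (CRL)"   verify_client_crl client-a1
report "client-a2 same CA, not revoked"     verify_client_crl client-a2
```

The script prints one accept/reject line per check. The two results worth noting for an ADX operator are that client-b1 is accepted although only one CA file is configured (the file carries both CA certificates), and that client-a1 keeps passing the plain chain check after revocation; only the CRL-aware check rejects it, which is why a revocation list has to be loaded alongside the CA certificate file.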