Home Theater Server User Manual
Table Of Contents
- Contents
- About This Document
- Network Security
- TCP SYN attacks
- IP TCP syn-proxy
- Granular application of syn-proxy feature
- Syn-def
- No response to non-SYN first packet of a TCP flow
- Prioritizing management traffic
- Peak BP utilization with TRAP
- Transaction Rate Limit (TRL)
- Understanding transaction rate limit
- Configuring transaction rate limit
- Configuring the maximum number of rules
- Saving a TRL configuration
- Transaction rate limit command reference
- Global TRL
- TRL plus security ACL-ID
- security acl-id
- Transaction rate limit hold-down value
- Displaying TRL rules statistics
- Displaying TRL rules in a policy
- Displaying IP address with held down traffic
- Refusing new connections from a specified IP address
- HTTP TRL
- Overview of HTTP TRL
- Configuring HTTP TRL
- Displaying HTTP TRL
- Display all HTTP TRL policies
- Display HTTP TRL policy from index
- Display HTTP TRL policy client
- Display HTTP TRL policy starting from index
- Display HTTP TRL policy matching a regular expression
- Display HTTP TRL policy client index (MP)
- Display HTTP TRL policy client index (BP)
- Display HTTP TRL policy for all client entries (BP)
- Downloading an HTTP TRL policy through TFTP
- HTTP TRL policy commands
- Logging for DoS Attacks
- Maximum connections
- clear statistics dos-attack
- Maximum concurrent connection limit per client
- Firewall load balancing enhancements
- Syn-cookie threshold trap
- Service port attack protection in hardware
- Traffic segmentation
- DNS attack protection
- Access Control List
- How ServerIron processes ACLs
- Default ACL action
- Types of IP ACLs
- ACL IDs and entries
- ACL entries and the Layer 4 CAM
- Configuring numbered and named ACLs
- Modifying ACLs
- Displaying a list of ACL entries
- Applying ACLs to interfaces
- ACL logging
- Dropping all fragments that exactly match a flow-based ACL
- Enabling ACL filtering of fragmented packets
- Enabling hardware filtering for packets denied by flow-based ACLs
- Enabling strict TCP or UDP mode for flow-based ACLs
- ACLs and ICMP
- Using ACLs and NAT on the same interface (flow-based ACLs)
- Displaying ACL bindings
- Troubleshooting rule-based ACLs
- IPv6 Access Control Lists
- Network Address Translation
- Syn-Proxy and DoS Protection
- Understanding Syn-Proxy
- Configuring Syn-Proxy
- DDoS protection
- Configuring a security filter
- Configuring a Generic Rule
- Configuring a rule for common attack types
- Configuring a rule for ip-option attack types
- Configuring a rule for icmp-type options
- Configuring a rule for IPv6 ICMP types
- Configuring a rule for IPv6 ext header types
- Binding the filter to an interface
- Clearing DOS attack statistics
- Clearing all DDOS Filter & Attack Counters
- Logging for DoS attacks
- Displaying security filter statistics
- Address-sweep and port-scan logging
- Secure Socket Layer (SSL) Acceleration
- SSL overview
- SSL acceleration on the ServerIron ADX
- Configuring SSL on a ServerIron ADX
- Basic SSL profile configuration
- Advanced SSL profile configuration
- Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
- Configuration Examples for SSL Termination and Proxy Modes
- SSL debug and troubleshooting commands
- Displaying socket information

172 ServerIron ADX Security Guide
53-1002440-03
Enabling a ServerIron ADX SSL to respond with renegotiation headers
Some SSL application clients use renegotiation as a mechanism within the SSL protocols to change cipher
specifications and redo the handshake. It has been reported that insecure renegotiation is
susceptible to man-in-the-middle attacks. ServerIron ADX does not support renegotiation, which
means that ServerIron ADX is not susceptible to these attacks.
A problem occurs, however, because some Web browsers using OpenSSL send renegotiation-related
headers and expect a response. If a ServerIron ADX does not respond with the appropriate
renegotiation header, these Web browsers misinterpret the ServerIron ADX as being vulnerable to
renegotiation attacks.
With release 12.4.00, an option has been added to configure a ServerIron ADX to respond with
renegotiation headers. These headers tell the browsers that the ServerIron ADX handles the renegotiation
message correctly and stop them from falsely reporting that the ServerIron ADX is
vulnerable to renegotiation attacks.
Configuring the command shown below does not enable renegotiation on the
ServerIron ADX; it only prevents the false reporting.
ServerIronADX# server ssl respond-with-renegotiation-info
Syntax: [no] server ssl respond-with-renegotiation-info
NOTE
The ServerIron ADX still does not support renegotiation. If the client attempts to renegotiate, the
ServerIron ADX immediately terminates the handshake with the "NO_Renegotiation" handshake
message. However, because the ServerIron ADX now responds to the renegotiation headers,
OpenSSL clients that previously had no problem with the ServerIron ADX not supporting renegotiation
might now be misled into believing that the ServerIron ADX has started supporting renegotiation. If this
occurs, you may need to turn off this feature using the no form of the command.
Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
When configuring a ServerIron ADX for SSL Termination and Proxy mode, the Real and Virtual
Servers need to be configured to support these features. The following sections describe the
procedures and commands required. For a description of SSL Termination Mode, see “SSL
Termination Mode” on page 137. For a description of SSL Proxy Mode, see “SSL Proxy Mode” on
page 138. For a detailed example of how to configure the setups shown in those sections, see
“Configuration Examples for SSL Termination and Proxy Modes” on page 176.
NOTE
SSL Termination and Proxy mode can be configured for setups where an IPv4 real server is bound
to an IPv4 virtual server or where an IPv6 real server is bound to an IPv6 virtual server. They are not
supported for setups that use IPv4 and IPv6 together in the same configuration.