Home Theater Server User Manual
Table Of Contents
- Contents
- About This Document
- Network Security
- TCP SYN attacks
- IP TCP syn-proxy
- Granular application of syn-proxy feature
- Syn-def
- No response to non-SYN first packet of a TCP flow
- Prioritizing management traffic
- Peak BP utilization with TRAP
- Transaction Rate Limit (TRL)
- Understanding transaction rate limit
- Configuring transaction rate limit
- Configuring the maximum number of rules
- Saving a TRL configuration
- Transaction rate limit command reference
- Global TRL
- TRL plus security ACL-ID
- security acl-id
- Transaction rate limit hold-down value
- Displaying TRL rules statistics
- Displaying TRL rules in a policy
- Displaying IP address with held down traffic
- Refusing new connections from a specified IP address
- HTTP TRL
- Overview of HTTP TRL
- Configuring HTTP TRL
- Displaying HTTP TRL
- Display all HTTP TRL policies
- Display HTTP TRL policy from index
- Display HTTP TRL policy client
- Display HTTP TRL policy starting from index
- Display HTTP TRL policy matching a regular expression
- Display HTTP TRL policy client index (MP)
- Display HTTP TRL policy client index (BP)
- Display HTTP TRL policy for all client entries (BP)
- Downloading an HTTP TRL policy through TFTP
- HTTP TRL policy commands
- Logging for DoS Attacks
- Maximum connections
- clear statistics dos-attack
- Maximum concurrent connection limit per client
- Firewall load balancing enhancements
- Syn-cookie threshold trap
- Service port attack protection in hardware
- Traffic segmentation
- DNS attack protection
- Access Control List
- How ServerIron processes ACLs
- Default ACL action
- Types of IP ACLs
- ACL IDs and entries
- ACL entries and the Layer 4 CAM
- Configuring numbered and named ACLs
- Modifying ACLs
- Displaying a list of ACL entries
- Applying ACLs to interfaces
- ACL logging
- Dropping all fragments that exactly match a flow-based ACL
- Enabling ACL filtering of fragmented packets
- Enabling hardware filtering for packets denied by flow-based ACLs
- Enabling strict TCP or UDP mode for flow-based ACLs
- ACLs and ICMP
- Using ACLs and NAT on the same interface (flow-based ACLs)
- Displaying ACL bindings
- Troubleshooting rule-based ACLs
- IPv6 Access Control Lists
- Network Address Translation
- Syn-Proxy and DoS Protection
- Understanding Syn-Proxy
- Configuring Syn-Proxy
- DDoS protection
- Configuring a security filter
- Configuring a Generic Rule
- Configuring a rule for common attack types
- Configuring a rule for ip-option attack types
- Configuring a rule for icmp-type options
- Configuring a rule for IPv6 ICMP types
- Configuring a rule for IPv6 ext header types
- Binding the filter to an interface
- Clearing DOS attack statistics
- Clearing all DDOS Filter & Attack Counters
- Logging for DoS attacks
- Displaying security filter statistics
- Address-sweep and port-scan logging
- Secure Socket Layer (SSL) Acceleration
- SSL overview
- SSL acceleration on the ServerIron ADX
- Configuring SSL on a ServerIron ADX
- Basic SSL profile configuration
- Advanced SSL profile configuration
- Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
- Configuration Examples for SSL Termination and Proxy Modes
- SSL debug and troubleshooting commands
- Displaying socket information
ServerIron ADX Security Guide
53-1002440-03
DNS attack protection
The off parameter is matched if the RD flag is not set in the packet.
Syntax: query-dnssec-ok { on | off }
The on parameter is matched if the DNSSEC bit is set in the packet.
The off parameter is matched if the DNSSEC bit is not set in the packet.
Order of rule matching
Rules that specify a query-name are evaluated first, ordered by the length of the query-name string. Rules without a query-name are evaluated next (only when no query-name rule has matched), in the order in which they were added to the policy. If two query-name rules have strings of the same length, alphabetical order takes precedence; if two query-name rules specify exactly the same string, the order in which they were added to the policy takes precedence.
For example, initially the order of rules in a policy is:
1. Rule to match query-name www.brocade.com
2. Rule to match query-type A & query-RDflag ON
Adding two new rules, one matching query-name www.mywebsite.com and one matching query-type AAAA, rearranges the rules in the policy as follows:
1. Rule to match query-name www.brocade.com
2. Rule to match query-name www.mywebsite.com
3. Rule to match query-type A & query-RDflag ON
4. Rule to match query-type AAAA
The policy-level configuration 'evaluate-generic-first' reverses this default behavior by first matching the rules that are not based on query-names. In that case, the same rules are ordered as follows:
1. Rule to match query-type A & query-RDflag ON
2. Rule to match query-type AAAA
3. Rule to match query-name www.brocade.com
4. Rule to match query-name www.mywebsite.com
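The ordering described above, modelled as an added Python example (not code from the guide or from the ServerIron itself): the rule labels r1 to r4, the `evaluate_generic_first` flag name and the first-match lookup are constructed for illustration, and the shorter-query-name-first direction is taken from the guide's own example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DnsRule:
    name: str                          # constructed label for the rule
    query_name: Optional[str] = None   # None means a generic rule (no query-name)
    query_type: Optional[str] = None   # e.g. "A", "AAAA"
    rd_flag: Optional[bool] = None     # True = query-rdflag on, False = off, None = not matched


def order_rules(rules: List[DnsRule], evaluate_generic_first: bool = False) -> List[DnsRule]:
    """Return the rules in the evaluation order the guide describes."""
    named = [r for r in rules if r.query_name is not None]
    generic = [r for r in rules if r.query_name is None]   # keeps insertion order
    # Key: query-name length, then alphabetical. list.sort is stable, so two rules
    # with exactly the same query-name keep the order in which they were added.
    named.sort(key=lambda r: (len(r.query_name), r.query_name))
    return generic + named if evaluate_generic_first else named + generic


def matches(rule: DnsRule, qname: str, qtype: str, rd: bool) -> bool:
    """A rule matches when every field it specifies equals the query's value."""
    return ((rule.query_name is None or rule.query_name == qname)
            and (rule.query_type is None or rule.query_type == qtype)
            and (rule.rd_flag is None or rule.rd_flag == rd))


def first_match(rules: List[DnsRule], qname: str, qtype: str, rd: bool,
                evaluate_generic_first: bool = False) -> Optional[str]:
    """Name of the first rule, in policy order, that matches a constructed query."""
    for rule in order_rules(rules, evaluate_generic_first):
        if matches(rule, qname, qtype, rd):
            return rule.name
    return None


def example_policy() -> List[DnsRule]:
    # The four rules from the guide's example, in the order they were added.
    return [
        DnsRule("r1", query_name="www.brocade.com"),
        DnsRule("r2", query_type="A", rd_flag=True),
        DnsRule("r3", query_name="www.mywebsite.com"),
        DnsRule("r4", query_type="AAAA"),
    ]


if __name__ == "__main__":
    print([r.name for r in order_rules(example_policy())])
    print([r.name for r in order_rules(example_policy(), evaluate_generic_first=True)])
    print(first_match(example_policy(), "www.brocade.com", "A", True))
```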
Creating a DNS DPI policy and binding rules to it
A DNS DPI policy specifies the action to take when a previously defined rule is matched. A DNS DPI
policy is defined as shown.
ServerIron(config)# csw-policy DNSpolicy1 type dns-filter
Syntax: [no] csw-policy <policy-name> type dns-filter
The <policy-name> variable specifies a name for the CSW policy that must be unique across all
CSW functionality.
NOTE
A maximum of 255 DNS policies can be configured on a ServerIron ADX. The maximum number of rules that can be bound to a single policy is 512, and the global limit for rule-to-policy bindings is 2500. For example, binding 500 rules to each of 5 policies reaches the global limit of 2500.