Web Management Guide-R03
Chapter 12 | Security Measures
DoS Protection
no flags. If the target's TCP port is closed, the target replies with a TCP RST
(reset) packet. If the target TCP port is open, it simply discards the TCP NULL
scan.
◆ SYN/FIN Scan – Protects against SYN/FIN-scan attacks in which a TCP SYN/FIN
scan message is used to identify listening TCP ports. The scan uses a series of
strangely configured TCP packets which contain SYN (synchronize) and FIN
(finish) flags. If the target's TCP port is closed, the target replies with a TCP RST
(reset) packet. If the target TCP port is open, it simply discards the TCP SYN FIN
scan.
In these packets, SYN=1 and FIN=1.
◆ SYN/RST Scan – Protects against SYN/RST-scan attacks in which a TCP SYN/RST
scan message is used to stop an ongoing TCP session. An attacker can forge a
set of Synchronize (SYN) and Reset (RST) packets in an attempt to guess a TCP
sequence number within a narrow range (or TCP window) of values. Successful
exploitation of this issue results in a termination of the TCP session. Depending
on the targeted software or hardware, the outcome may result in a simple
denial of service, or it may leave the system in an unpredictable state, possibly
leading to data loss or additional vulnerabilities.
In these packets, SYN=1 and RST=1.
◆ SYN Flood – Protects against flooding attacks in which a perpetrator sends a
succession of TCP synchronization requests (with or without a spoofed source
IP address) to a target and never returns ACK packets. These half-open
connections will bind up resources on the target, and no new connections can
be made, resulting in denial of service. (Maximum allowed rate: 64-2048 kbits/second)
In these packets, SYN=1.
Protection for UDP
◆ Invalid Header Length – Protects against attacks which send UDP packets
with an incorrect header length. Such packets are not allowed by the system,
but in large numbers they can cause computer crashes and other system
errors.
In these packets, the UDP raw data length is less than 8 bytes.
◆ Blat Block – Protects against attacks in which a specially crafted packet is sent
to a host where the source host port is the same as the destination host port.
The system attempts to reply to itself, resulting in system lockup.
◆ Flood – Protects against flooding attacks in which a perpetrator sends a large
number of UDP packets (with or without a spoofed source IP address) to
random ports on a remote host. The target checks whether an application is
listening at each port and, finding none, replies with an ICMP “Destination
Unreachable” packet. It is forced to send many ICMP packets, eventually making it
unreachable by other clients. (Maximum allowed rate: 64-2048 kbits/second)
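
The header checks listed in this section can be reproduced offline when validating captures or IDS rules against the switch settings. The following is an added example, not code from this guide or the switch firmware. The function names, the treatment of a plain SYN as "SYN without ACK", the check of the UDP length field, and the one-second metering window are assumptions.

```python
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits in header byte 13

def classify_tcp(header: bytes) -> str:
    """Map a raw TCP header to the scan patterns this section lists."""
    if len(header) < 20:
        return "truncated"
    flags = header[13] & 0x3F            # URG, ACK, PSH, RST, SYN, FIN
    if flags == 0:
        return "null-scan"               # no flags set
    if flags & SYN and flags & FIN:
        return "syn-fin-scan"            # SYN=1 and FIN=1
    if flags & SYN and flags & RST:
        return "syn-rst-scan"            # SYN=1 and RST=1
    if flags & SYN and not flags & ACK:
        return "syn"                     # assumption: plain SYN, counted against the flood limit
    return "ok"

def classify_udp(datagram: bytes) -> str:
    """Apply the UDP checks: header length, then equal source/destination port."""
    if len(datagram) < 8:
        return "invalid-header-length"
    sport, dport, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8:                       # assumption: the length field is checked too
        return "invalid-header-length"
    return "blat" if sport == dport else "ok"

class RateLimit:
    """Fixed one-second window in bits; the switch's real metering is not documented."""
    def __init__(self, kbits_per_second: int):
        self.budget = kbits_per_second * 1000
        self.second, self.used = None, 0

    def allow(self, now: float, size_bytes: int) -> bool:
        if int(now) != self.second:
            self.second, self.used = int(now), 0
        self.used += size_bytes * 8
        return self.used <= self.budget

def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample: 20-byte header with zero seq/ack/checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def udp_header(sport: int, dport: int, length: int) -> bytes:
    """Constructed sample: 8-byte UDP header with zero checksum."""
    return struct.pack("!HHHH", sport, dport, length, 0)
```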