Brocade Communications Systems, Incorporated
Document History
June, 2012
Title: ServerIron ADX Security Guide
Publication number: 53-1002440-03
Summary of changes: Updates made to documentation.
Date: April, 2012
Contents
About This Document
Chapter 1 Network Security
Chapter 2 Access Control List
Chapter 3 IPv6 Access Control Lists
Chapter 4 Network Address Translation
Chapter 5 Syn-Proxy and DoS Protection
Chapter 6 Secure Socket Layer (SSL) Acceleration
About This Document
Audience
Supported hardware and software
Document conventions
Notice to the reader
Related publications
Getting technical help
Network Security
TCP SYN attacks
IP TCP syn-proxy
Granular application of syn-proxy feature
Syn-def
Introduction
show server traffic
SYN-def-dont-send-ack
show server debug
No response to non-SYN first packet of a TCP flow
Prioritizing management traffic
Protection against attack in hardware
Peak BP utilization with TRAP
Show CPU-utilization command enhancement
BP utilization threshold
MP utilization threshold
Transaction Rate Limit (TRL)
Understanding transaction rate limit
Configuring transaction rate limit
Prerequisites
Configure transaction rate limit rule set
Configure transaction rate limit to exclude a client
Configure a transaction rate limit default
Configure transaction rate limit for pass through traffic
Apply transaction rate limit to a VIP
Deleting all TRL rules in a policy
Downloading a transaction rate limit configuration from a TFTP server (optional)
Configuring the maximum number of rules
Changing the maximum number of rules globally
Changing the maximum number of rules locally per policy
Saving a TRL configuration
Disabling the storage of TRL rules on the internal USB drive
Transaction rate limit command reference
Global TRL
TRL plus security ACL-ID
security acl-id
Transaction rate limit hold-down value
Displaying TRL rules statistics
Displaying TRL rules in a policy
Displaying IP address with held down traffic
Refusing new connections from a specified IP address
TABLE 1
HTTP TRL
Overview of HTTP TRL
HTTP TRL features
Configuring HTTP TRL
Configuring HTTP TRL client
Configuring HTTP TRL client rate limit
Configuring HTTP TRL client maximum connection
Configuring HTTP TRL defaults
Configuring HTTP TRL default rate limit
Configuring HTTP TRL default maximum connection
Sample HTTP TRL configuration
Creating an HTTP TRL policy with client rate limit
Configuring Layer 4 SLB
Creating a CSW rule and policy with HTTP TRL
Displaying HTTP TRL
Display all HTTP TRL policies
To show all running configurations for HTTP TRL policies, use the following command.
Syntax: show run http-trl-policy all
Display HTTP TRL policy from index
Syntax: show run http-trl-policy <policy-name> <index>
Display HTTP TRL policy client
To show a running configuration for an HTTP TRL policy client, enter the following command.
Syntax: show run http-trl-policy <policy-name> <client-name>
Display HTTP TRL policy starting from index
Syntax: show run http-trl-policy <policy-name> <start-index> <number-of-entries>
Display HTTP TRL policy matching a regular expression
Syntax: show http-trl policy <policy-name> <start entry number> <end entry number>
The syntax for regex is the same as for piping.
Syntax: show run http-trl-policy <policy-name> regex < regular expression>
Display HTTP TRL policy client index (MP)
Display HTTP TRL policy client index (BP)
Display HTTP TRL policy for all client entries (BP)
Downloading an HTTP TRL policy through TFTP
To download an HTTP TRL policy using TFTP, enter a command similar to the following.
HTTP TRL policy commands
Client-name <client-name> monitor-interval
Client-name <client-name> max-conn
Client-name <client-name> exceed-action
Default monitor-interval
Default max-conn
Default exceed-action
Logging for DoS Attacks
Configuration commands
show server conn-rate
Maximum connections
clear statistics dos-attack
Maximum concurrent connection limit per client
Limiting the number of concurrent connections per client
Configure the maximum number of connections
Binding the policy to a VIP
Firewall load balancing enhancements
Enabling firewall strict forwarding
Enabling firewall VRRPE priority
Enabling track firewall group
Syn-cookie threshold trap
Service port attack protection in hardware
Traffic segmentation
VLAN bridging
FIGURE 1
FIGURE 2
Considerations when configuring VLAN bridging
Configuring VLAN bridging
Displaying VLAN bridge information
TABLE 2
TABLE 3
Traffic segmentation using the use-session-for-vip-mac command
FIGURE 3
DNS attack protection
FIGURE 4
Notes:
Configuring DNS attack protection
Defining DNS rules to filter packets
Order of Rule matching
Creating a DNS DPI policy and bind the rules to it
Binding a DNS DPI policy to a Virtual port
Configuring global commands for DNS attack protection
Configuring the ADX to drop requests if servers in redirect actions are down
Displaying DNS attack protection information
Displaying DNS DPI policy counters
Displaying IP addresses held down by a rate limit action
Access Control List
How ServerIron processes ACLs
Prior to release 12.3.01
Beginning with release 12.3.01 and later
Rule-based ACLs
Configuration guidelines for rule-based ACLs: general guidelines
How fragmented packets are processed
Default ACL action
Types of IP ACLs
ACL IDs and entries
Support for up to 4096 ACL entries
ACL entries and the Layer 4 CAM
Aging out of entries in the Layer 4 CAM
Displaying the number of Layer 4 CAM entries
Specifying the maximum number of CAM entries for rule-based ACLs
Configuring numbered and named ACLs
Configuring standard numbered ACLs
Standard ACL syntax
Configuring extended numbered ACLs
Extended ACL syntax
Configuring standard or extended named ACLs
Displaying ACL definitions
Displaying ACLs using keywords
Numbered ACL
Modifying ACLs
Displaying a list of ACL entries
Numbered ACLs
Applying ACLs to interfaces
Reapplying modified ACLs
ACL logging
Syslog message for changed ACL mode
Copying denied traffic to a mirror port for monitoring
Displaying ACL log entries
Displaying ACL statistics for flow-based ACLs
Clearing flow-based ACL statistics
Dropping all fragments that exactly match a flow-based ACL
Clearing the ACL statistics
Enabling ACL filtering of fragmented packets
Filtering fragmented packets for rule-based ACLs
Throttling the fragment rate
Syslog messages for exceeded fragment thresholds
Enabling hardware filtering for packets denied by flow-based ACLs
TABLE 4
Enabling strict TCP or UDP mode for flow-based ACLs
Enabling strict TCP mode
Enabling strict UDP mode
Configuring ACL packet and flow counters
ACLs and ICMP
Using flow-based ACLs to filter ICMP packets based on the IP packet length
ICMP filtering with flow-based ACLs
Numbered ACLs
TABLE 5
Using ACLs and NAT on the same interface (flow-based ACLs)
TABLE 5
Displaying ACL bindings
Troubleshooting rule-based ACLs
IPv6 Access Control Lists
IACL overview
Configuration Notes
Processing of IPv6 ACLs
Prior to release 12.3.01
Beginning with release 12.3.01 and later
Configuring an IPv6 ACL
Example Configurations
Default and Implicit IPv6 ACL Action
ACL Syntax
NOTES:
DECIMAL <0-255> ICMP message type
Arguments... Description...
Applying an IPv6 ACL to an interface
Displaying ACLs
Syntax: show ipv6 access-list [<access-list-name>]
Displaying ACLs bound to an interface
Using an ACL to Restrict SSH Access
Using an ACL to Restrict Telnet Access
Logging IPv6 ACLs
Network Address Translation
Introduction
FIGURE 5
Configuring NAT
Configuring static NAT
Configuring dynamic NAT
Configuring an address pool
Associating a range of private addresses with a pool and enabling PAT
NAT configuration examples
Dynamic NAT configuration example 1
FIGURE 6
Dynamic NAT configuration example 2
FIGURE 7
Static NAT configuration example
FIGURE 8
PAT
Forwarding packets without NAT translation
Translation timeouts
Configuring the NAT translation aging timer
Stateless static IP NAT
Redundancy
Enabling IP NAT
Enabling IP NAT globally
Enabling IP NAT per-interface
Enabling static NAT redundancy
Enabling dynamic NAT redundancy
Displaying NAT information
Displaying NAT statistics
To display NAT statistics, enter commands such as the following.
Syntax: show ip nat statistics
TABLE 7
This field... Displays...
Displaying NAT translation
TABLE 7
This field... Displays...
Displaying NAT redundancy information
TABLE 8
Displaying VRRPE information
Clearing NAT entries from the table
Syn-Proxy and DoS Protection
Understanding Syn-Proxy
Syn-Proxy auto control
Difference between ServerIron ADX and JetCore Syn-Proxy Behavior
Configuring Syn-Proxy
Enabling SYN-Proxy
Setting Attack-Rate-Threshold
Setting SYN-Ack-Window-Size
Setting Reset-Using-Client-MAC
Retransmitting TCP SYNs
Setting the time range for a valid ACK packet
Limiting syn-proxy feature to defined VIPs
Setting the source MAC address
Limiting the syn-proxy feature to VIP traffic only
Setting a minimum MSS value for SYN-ACK packets
Hierarchy of operation
Setting the MSS value at the global level
Setting the MSS value at the virtual server level
Setting the MSS value at the virtual port level
Setting the MSS value for pass-through traffic to a specified destination IP address
Negotiated MSS value set
TABLE 9
Configuring Syn-Proxy auto control
Considerations for configuring Syn-proxy auto control
Setting the SYN-Proxy auto control thresholds
TABLE 9
Setting the interval time for counting TCP SYN packets
Displaying Syn-Proxy Commands
Displaying TCP Attack Information
The show server tcp-attack command displays attack information for the connection rate counters.
Syntax: show server tcp-attack [debug | fast-path]
Displaying Server Traffic information
Displaying SYN Cookie Information
TABLE 10
TABLE 11
DDoS protection
Configuring a security filter
Configuring a Generic Rule
TABLE 12
Configuring a rule for common attack types
TABLE 13
Configuring a rule for ip-option attack types
TABLE 14
Configuring a rule for icmp-type options
TABLE 15
Configuring a rule for IPv6 ICMP types
TABLE 15
TABLE 16
Configuring a rule for IPv6 ext header types
TABLE 16
TABLE 17
Binding the filter to an interface
Clearing DOS attack statistics
Clearing all DDOS Filter & Attack Counters
Logging for DoS attacks
Displaying security filter statistics
Address-sweep and port-scan logging
Secure Socket Layer (SSL) Acceleration
SSL overview
Public Key Infrastructure (PKI)
Public key
SSL acceleration on the ServerIron ADX
FIGURE 9
SSL Termination Mode
SSL Proxy Mode
FIGURE 10 (figure labels: ServerIron ADX SSL, Real Server, Client SSL Traffic)
ServerIron ADX keypair file
Digital certificate
Configuring SSL on a ServerIron ADX
Obtaining a ServerIron ADX keypair file
Certificate management
Generating a Self-Signed Certificate
Using CA-signed certificates
Exporting Web Server Certificates
Converting certificate formats
Importing keys and certificates
Creating a Master Password for export of SSL keys
Deleting certificate and key files
Certificate Verification
FIGURE 11
Chained Certificate Verification
FIGURE 12
FIGURE 13
The certificate hierarchy is shown below:
FIGURE 14
Common Mistakes
Step 1: Import Server Certificate and Intermediate CA Certificates
Step 2: Enable Certificate Chain
Support for SSL renegotiation
Basic SSL profile configuration
Specifying a keypair file
Specifying a cipher suite
Configuring Multiple Cipher Suites
Specifying a certificate file
Advanced SSL profile configuration
Configuring client authentication
Enabling certificate verification
Client certificate verification in SSL Proxy Mode
Configuring a CA certificate file
Creating a certificate revocation list
Allowing Self Signed Certificates
Enabling a certificate chain
Configuring certificate chain depth
Enabling session caching
Configuring session cache size
Configuring a session cache timeout
Enabling SSL Version 2
Enabling close notify
Disabling certificate verification
Enabling a ServerIron ADX SSL to respond with renegotiation headers
Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
Configuring Real and Virtual Servers for SSL Termination Mode
Configuring Real and Virtual Servers for SSL Proxy Mode
Configuration Examples for SSL Termination and Proxy Modes
Configuring SSL Termination Mode
Configuring SSL Proxy Mode
TCP configuration issues with SSL Terminate and SSL Proxy
FIGURE 16
The TCP Nagle Algorithm
Delayed TCP ACK
Creating a TCP Profile
Applying the TCP profile to VIP for SSL terminate
Applying the TCP profile to VIP for SSL Proxy
Inserting a certificate in an HTTP header
Other protocols supported for SSL
TABLE 18
Configuring the system max values
Configuring SSLv2 connection rate
Configuring memory limit for SSL hardware buffers
Configuring number of ssl profiles
Configuring the maximum number of SSL concurrent connections
SSL debug and troubleshooting commands
Diagnostics
Displaying SSL information
Using Rconsole
Displaying proxy debug counters
Displaying proxy statistics
Displaying authentication statistics
Displaying locally stored SSL certificates
Displaying SSL connection information
Displaying the status of a CRL record
Displaying SSL debug counters
Displaying SSL key information
The following example provides information about a specified key: "rsakey".
Displaying an SSL Profile
Displaying the session cache statistics for an SSL profile
Displaying the certificate bound to an SSL profile
Displaying the key that is bound to an SSL profile
Displaying record size information
Use the show ssl record-size command in rconsole mode to display information regarding record size.
Displaying socket information
Displaying socket details in open status
Displaying all sockets in open status
Displaying socket state information
Syntax: show socket state
Displaying SSL Statistics information
Displaying SSL Statistics alert information
Displaying SSL decoded client site status counters
Syntax: show ssl statistics client
Displaying SSL Statistics counters
Syntax: show statistics counters
Displaying SSL crypto engine status counters
Syntax: show ssl statistics crypto
Displaying TCP IP information
Displaying SSL, TCP, and IP buffer information
Displaying TCP, and IP chain length statistics
Syntax: show tcp-ip chain-statistics
Displaying TCP and IP statistics
Syntax: show tcp-ip statistics
Show SSL memory
ASM SSL dump commands
Syntax: asm dm ssldump
asm dm ssldump
Use the asm dm ssldump command on the BP to display all transmit and receive SSL packets.
asm dm ssldump both
asm dm ssldump client
asm dm ssldump filter
asm dm ssldump mode brief
asm dm ssldump mode detail
asm dm ssldump mode decrypt
asm dm ssldump receive
asm dm ssldump send
asm dm ssldump server
asm dm ssldump max