XSR Firewall Feature Set Functionality

against the routing table. If a packet is received from an interface with a source IP address that is not routable through this interface, it is considered spoofed and dropped.

A high priority log is generated when DoS attacks are detected. These DoS attacks are covered:

Anti-Spoofing - In response to a spoof attack, the firewall drops all packets with a source address belonging to an internal network when they are received on an external interface. Packets arriving on an internal interface with a source address that is not in the internal network are also dropped.

ICMP Flood - In response to ICMP echo requests arriving from different source addresses at a very high rate, the firewall sets a rate limit on the number of ICMP echo requests processed per second.

Ping of Death - In response, the firewall drops fragmented echo requests.

Smurf attack - In response to a smurf attack, in which ICMP echo requests are sent to a directed broadcast address from any source host, the firewall filters echo requests addressed to directed broadcasts, or all directed broadcast packets.

SYN Flood - In response to a continuous stream of TCP open packets (SYN bit set) targeting an address, the firewall limits the number of half-open TCP connections and sets a maximum rate of new TCP connections.

Tear drop - In response to receiving IP fragments that overlap, the firewall tracks the fragments received for every session, detects bad offsets, and drops the entire packet (all fragments).

Christmas Tree - In response to receiving a TCP packet with all flags set, the firewall drops TCP packets with any two of the SYN, FIN or RST bits set.

LAND - In response to receiving a TCP SYN packet with the same source and destination address, the firewall drops any packet with the same source and destination address.
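To make the per-packet rules above concrete, here is an added Python sketch (not Enterasys code, and not how the XSR implements them) that classifies constructed packet records against the Anti-Spoofing, LAND, Tear drop, Ping of Death, Smurf and Christmas Tree rules; the rate-based ICMP Flood and SYN Flood checks are left out. The 10.0.0.0/8 internal network, the packet field names and the sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed internal network; a real firewall takes this from its interface configuration.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FIN, SYN, RST = 0x01, 0x02, 0x04  # TCP flag bits

# Tear drop check: fragments seen per datagram, keyed (src, dst, ip_id) -> [(start, end), ...]
_fragments = defaultdict(list)


def classify(pkt):
    """Return the name of the rule a constructed packet record trips, or None.
    Keys: iface ('external'/'internal'), src, dst, proto ('tcp'/'icmp'/'udp');
    optional: flags, icmp_type, frag_offset, frag_len, more_frags, ip_id."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    inside = any(src in net for net in INTERNAL_NETS)
    # Anti-Spoofing: internal source on an external interface, or an outside source on an internal one
    if pkt["iface"] == "external" and inside:
        return "Anti-Spoofing"
    if pkt["iface"] == "internal" and not inside:
        return "Anti-Spoofing"
    # LAND: source and destination address are identical
    if src == dst:
        return "LAND"
    # Tear drop: a fragment whose byte range overlaps one already seen for the same datagram
    if "frag_offset" in pkt:
        key = (pkt["src"], pkt["dst"], pkt.get("ip_id", 0))
        start, end = pkt["frag_offset"], pkt["frag_offset"] + pkt["frag_len"]
        if any(start < e and s < end for s, e in _fragments[key]):
            return "Tear drop"
        _fragments[key].append((start, end))
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:  # echo request
        # Ping of Death: an echo request that is fragmented at all
        if pkt.get("more_frags") or pkt.get("frag_offset", 0) > 0:
            return "Ping of Death"
        # Smurf: echo request aimed at the directed broadcast address of an internal network
        if any(dst == net.broadcast_address for net in INTERNAL_NETS):
            return "Smurf"
    if pkt["proto"] == "tcp":
        # Christmas Tree: any two of SYN, FIN, RST set in one segment
        flags = pkt.get("flags", 0)
        if sum(bool(flags & bit) for bit in (SYN, FIN, RST)) >= 2:
            return "Christmas Tree"
    return None
```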

Alarm Logging

The XSR supports Console and Syslog logging and provides session usage data through the allow-log/log options. If you want to enable persistent logging, which preserves logs across a system reboot, you must install a CompactFlash memory card in the XSR. Logs stored in Flash are purged during a system reboot unless the XSR senses the presence of CompactFlash.

Alarms

The XSR generates firewall alarms in the following categories:

TCP and UDP packets
    Permitted connects and disconnects
    Blocked connects and disconnects
    Blocked data packets
    Individual packet logging per user-configured firewall policy (by stipulating allow_log or log)

IP option Permit or Deny logs

Other Protocols Permit or Deny logs
    OSPF, ESP, RIP, GRE
    ICMP
    Broadcast, multicast

Specific FTP, HTTP and SMTP request logs

16-16 Configuring Security on the XSR

Enterasys Networks X-Pedition manual