Brocade Communications Systems ADX 12.4.00a User Manual

53-1002440-03
June 2012
ServerIron ADX
Security Guide
Supporting Brocade ServerIron ADX version 12.4.00a
© 2012 Brocade Communications Systems, Inc. All Rights Reserved.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.
The product described by this document may contain "open source" software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit
http://www.brocade.com/support/oscd.
Brocade Communications Systems, Incorporated
Corporate and Latin American Headquarters Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA 95134 E-mail: info@brocade.com
European Headquarters Brocade Communications Switzerland Sàrl Centre Swissair Tour B - 4ème étage 29, Route de l'Aéroport Case Postale 105 CH-1215 Genève 15 Switzerland Tel: +41 22 799 5640 Fax: +41 22 799 5641 E-mail: emea-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Systems China HK, Ltd. No. 1 Guanghua Road Chao Yang District Units 2718 and 2818 Beijing 100020, China Tel: +8610 6588 8888 Fax: +8610 6588 9999 E-mail: china-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Systems Co., Ltd. (Shenzhen WFOE) Citic Plaza No. 233 Tian He Road North Unit 1308 – 13th Floor Guangzhou, China Tel: +8620 3891 2000 Fax: +8620 3891 2111 E-mail: china-info@brocade.com
Document History
Title: ServerIron ADX Security Guide
Publication number 53-1002440-01 - New document - January, 2012
Publication number 53-1002440-02 - Corrections made to ACL chapter - April, 2012
Publication number 53-1002440-03 - Updates made to documentation - June, 2012

Contents

About This Document
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Supported hardware and software . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Document conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Text formatting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Notes, cautions, and danger notices . . . . . . . . . . . . . . . . . . . . . xiv
Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Getting technical help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Chapter 1 Network Security
TCP SYN attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
IP TCP syn-proxy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Granular application of syn-proxy feature . . . . . . . . . . . . . . . . . . . . . . 2
Syn-def . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
show server traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
SYN-def-dont-send-ack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
show server debug. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
No response to non-SYN first packet of a TCP flow . . . . . . . . . . . . . . 4
Prioritizing management traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Protection against attack in hardware . . . . . . . . . . . . . . . . . . . . . 6
Peak BP utilization with TRAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Show CPU-utilization command enhancement . . . . . . . . . . . . . . 6
BP utilization threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
MP utilization threshold. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
ServerIron ADX Security Guide v 53-1002440-03
Transaction Rate Limit (TRL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Understanding transaction rate limit . . . . . . . . . . . . . . . . . . . . . . 7
Configuring transaction rate limit . . . . . . . . . . . . . . . . . . . . . . . . . 8
Configuring the maximum number of rules . . . . . . . . . . . . . . . .12
Saving a TRL configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Transaction rate limit command reference . . . . . . . . . . . . . . . .13
Global TRL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
TRL plus security ACL-ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
security acl-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Transaction rate limit hold-down value. . . . . . . . . . . . . . . . . . . .15
Displaying TRL rules statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Displaying TRL rules in a policy. . . . . . . . . . . . . . . . . . . . . . . . . . 15
Displaying IP address with held down traffic . . . . . . . . . . . . . . . 16
Refusing new connections from a specified IP address . . . . . .16
HTTP TRL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Overview of HTTP TRL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
HTTP TRL features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Configuring HTTP TRL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Configuring HTTP TRL client . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Configuring HTTP TRL defaults . . . . . . . . . . . . . . . . . . . . . . . . . .19
Sample HTTP TRL configuration . . . . . . . . . . . . . . . . . . . . . . . . .20
Displaying HTTP TRL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Display all HTTP TRL policies. . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Display HTTP TRL policy from index . . . . . . . . . . . . . . . . . . . . . .22
Display HTTP TRL policy client. . . . . . . . . . . . . . . . . . . . . . . . . . .23
Display HTTP TRL policy starting from index . . . . . . . . . . . . . . .23
Display HTTP TRL policy matching a regular expression. . . . . . 24
Display HTTP TRL policy client index (MP) . . . . . . . . . . . . . . . . .24
Display HTTP TRL policy client index (BP). . . . . . . . . . . . . . . . . .25
Display HTTP TRL policy for all client entries (BP) . . . . . . . . . . .26
Downloading an HTTP TRL policy through TFTP . . . . . . . . . . . . . . . .26
HTTP TRL policy commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Client-name <client-name> monitor-interval . . . . . . . . . . . . . . .27
Client-name <client-name> max-conn . . . . . . . . . . . . . . . . . . . . 27
Client-name <client-name> exceed-action . . . . . . . . . . . . . . . .28
Default monitor-interval. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Default max-conn. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Default exceed-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Logging for DoS Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Configuration commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
show server conn-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Maximum connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
clear statistics dos-attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Maximum concurrent connection limit per client . . . . . . . . . . . . . . .32
Limiting the number of concurrent connections per client. . . . 32
Firewall load balancing enhancements. . . . . . . . . . . . . . . . . . . . . . .34
Enabling firewall strict forwarding. . . . . . . . . . . . . . . . . . . . . . . .34
Enabling firewall VRRPE priority . . . . . . . . . . . . . . . . . . . . . . . . .34
Enabling track firewall group. . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Enabling firewall session sync delay. . . . . . . . . . . . . . . . . . . . . .35
Syn-cookie threshhold trap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Service port attack protection in hardware. . . . . . . . . . . . . . . . . . . .35
Traffic segmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
VLAN bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Considerations when configuring VLAN bridging . . . . . . . . . . . .38
Configuring VLAN bridging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Displaying VLAN bridge information . . . . . . . . . . . . . . . . . . . . . .39
Traffic segmentation using the use-session-for-vip-mac command41
DNS attack protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Notes: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Configuring DNS attack protection . . . . . . . . . . . . . . . . . . . . . . .43
Displaying DNS attack protection information. . . . . . . . . . . . . .46
Chapter 2 Access Control List
How ServerIron processes ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Prior to release 12.3.01 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Beginning with release 12.3.01 and later . . . . . . . . . . . . . . . . .49
Rule-based ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
How fragmented packets are processed . . . . . . . . . . . . . . . . . .51
Default ACL action. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Types of IP ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
ACL IDs and entries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
ACL entries and the Layer 4 CAM. . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Aging out of entries in the Layer 4 CAM . . . . . . . . . . . . . . . . . . .53
Displaying the number of Layer 4 CAM entries . . . . . . . . . . . . .53
Specifying the maximum number of CAM entries for rule-based ACLs 54
Configuring numbered and named ACLs. . . . . . . . . . . . . . . . . . . . . .54
Configuring standard numbered ACLs . . . . . . . . . . . . . . . . . . . .55
Configuring extended numbered ACLs . . . . . . . . . . . . . . . . . . . .56
Extended ACL syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Configuring standard or extended named ACLs . . . . . . . . . . . . 62
Displaying ACL definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Displaying ACLs using keywords . . . . . . . . . . . . . . . . . . . . . . . . .64
Modifying ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Displaying a list of ACL entries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Applying an ACLs to interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Reapplying modified ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
ACL logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
Displaying ACL log entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Displaying ACL statistics for flow-based ACLs . . . . . . . . . . . . . .72
Clearing flow-based ACL statistics . . . . . . . . . . . . . . . . . . . . . . .72
Dropping all fragments that exactly match a flow-based ACL . . . . . 72
Clearing the ACL statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Enabling ACL filtering of fragmented packets. . . . . . . . . . . . . . . . . .73
Filtering fragmented packets for rule-based ACLs. . . . . . . . . . .73
Enabling hardware filtering for packets denied by flow-based ACLs75
Enabling strict TCP or UDP mode for flow-based ACLs. . . . . . . . . . . 76
Enabling strict TCP mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Enabling strict UDP mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Configuring ACL packet and flow counters. . . . . . . . . . . . . . . . .78
ACLs and ICMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Using flow-based ACLs to filter ICMP packets based on the IP packet length . . . . . . .79
ICMP filtering with flow-based ACLs . . . . . . . . . . . . . . . . . . . . . .79
Using ACLs and NAT on the same interface (flow-based ACLs) . . . .82
Displaying ACL bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Troubleshooting rule-based ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Chapter 3 IPv6 Access Control Lists
IACL overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Configuration Notes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Processing of IPv6 ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
Configuring an IPv6 ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Applying an IPv6 ACL to an interface . . . . . . . . . . . . . . . . . . . . .93
Displaying ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Displaying ACLs bound to an interface. . . . . . . . . . . . . . . . . . . .94
Using an ACL to Restrict SSH Access. . . . . . . . . . . . . . . . . . . . . . . . .94
Using an ACL to Restrict Telnet Access . . . . . . . . . . . . . . . . . . . . . . .95
Logging IPv6 ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Chapter 4 Network Address Translation
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Configuring NAT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Configuring static NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Configuring dynamic NAT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
NAT configuration examples . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
PAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Forwarding packets without NAT translation. . . . . . . . . . . . . . . . . .103
Translation timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Configuring the NAT translation aging timer . . . . . . . . . . . . . .104
Stateless static IP NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Redundancy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Enabling IP NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Enabling static NAT redundancy . . . . . . . . . . . . . . . . . . . . . . . .106
Enabling dynamic NAT redundancy . . . . . . . . . . . . . . . . . . . . .107
Displaying NAT information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Displaying NAT statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Displaying NAT translation. . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Displaying NAT redundancy information. . . . . . . . . . . . . . . . . .111
Displaying VRRPE information . . . . . . . . . . . . . . . . . . . . . . . . .112
Clearing NAT entries from the table. . . . . . . . . . . . . . . . . . . . . . . . .112
Chapter 5 Syn-Proxy and DoS Protection
Understanding Syn-Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Syn-Proxy auto control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Difference between ServerIron ADX and JetCore Syn-Proxy Behavior 113
Configuring Syn-Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Setting a minimum MSS value for SYN-ACK packets . . . . . . . 117
Configuring Syn-Proxy auto control . . . . . . . . . . . . . . . . . . . . . .120
Displaying Syn-Proxy Commands . . . . . . . . . . . . . . . . . . . . . . .121
DDoS protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
Configuring a security filter . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Configuring a Generic Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Configuring a rule for common attack types. . . . . . . . . . . . . .127
Configuring a rule for ip-option attack types . . . . . . . . . . . . . .129
Configuring a rule for icmp-type options . . . . . . . . . . . . . . . . .130
Configuring a rule for IPv6 ICMP types. . . . . . . . . . . . . . . . . . .131
Configuring a rule for IPv6 ext header types . . . . . . . . . . . . . .132
Binding the filter to an interface. . . . . . . . . . . . . . . . . . . . . . . .133
Clearing DOS attack statistics. . . . . . . . . . . . . . . . . . . . . . . . . .133
Clearing all DDOS Filter & Attack Counters . . . . . . . . . . . . . . .133
Logging for DoS attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Displaying security filter statistics . . . . . . . . . . . . . . . . . . . . . .134
Address-sweep and port-scan logging . . . . . . . . . . . . . . . . . . .134
Chapter 6 Secure Socket Layer (SSL) Acceleration
SSL overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135
Public Key Infrastructure (PKI) . . . . . . . . . . . . . . . . . . . . . . . . .135
Asymmetric cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Certificate Authority (CA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Certificate Revocation List (CRL) . . . . . . . . . . . . . . . . . . . . . . .136
Cipher suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Digital certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Digital signature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Key pair. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Private key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
Public key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
SSL acceleration on the ServerIron ADX . . . . . . . . . . . . . . . . . . . . .137
SSL Termination Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
SSL Proxy Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
ServerIron ADX SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Configuring SSL on a ServerIron ADX . . . . . . . . . . . . . . . . . . . . . . .140
Obtaining a ServerIron ADX keypair file . . . . . . . . . . . . . . . . . .140
Certificate management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
Converting certificate formats. . . . . . . . . . . . . . . . . . . . . . . . . .147
Importing keys and certificates. . . . . . . . . . . . . . . . . . . . . . . . .148
Support for SSL renegotiation. . . . . . . . . . . . . . . . . . . . . . . . . .164
Basic SSL profile configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Specifying a keypair file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Specifying a cipher suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Specifying a certificate file . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Advanced SSL profile configuration. . . . . . . . . . . . . . . . . . . . . . . . .166
Configuring client authentication . . . . . . . . . . . . . . . . . . . . . . .166
Enabling session caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Configuring session cache size. . . . . . . . . . . . . . . . . . . . . . . . .170
Configuring a session cache timeout . . . . . . . . . . . . . . . . . . . . 171
Enabling SSL Version 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Enabling close notify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Disabling certificate verification . . . . . . . . . . . . . . . . . . . . . . . . 171
Enabling a ServerIron ADX SSL to respond with renegotiation
headers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Configuring Real and Virtual Servers for SSL Termination and Proxy Mode 172
Configuring Real and Virtual Servers for SSL Termination Mode . . . . . 173
Configuring Real and Virtual Servers for SSL Proxy Mode . . . . . . . . . . 174
Configuration Examples for SSL Termination and Proxy Modes . . 176
Configuring SSL Termination Mode . . . . . . . . . . . . . . . . . . . . . 176
Configuring SSL Proxy Mode . . . . . . . . . . . . . . . . . . . . . . . . . . .177
TCP configuration issues with SSL Terminate and SSL Proxy.178
Other protocols supported for SSL . . . . . . . . . . . . . . . . . . . . . .184
Configuring the system max values . . . . . . . . . . . . . . . . . . . . .185
SSL debug and troubleshooting commands. . . . . . . . . . . . . . . . . .187
Diagnostics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Displaying SSL information . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Displaying the status of a CRL record . . . . . . . . . . . . . . . . . . .191
Displaying socket information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Displaying SSL Statistics information. . . . . . . . . . . . . . . . . . . .201
Displaying TCP IP information . . . . . . . . . . . . . . . . . . . . . . . . . .205
ASM SSL dump commands. . . . . . . . . . . . . . . . . . . . . . . . . . . .209

About This Document

Audience

This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing.
If you are using a Brocade Layer 3 Switch, you should be familiar with the following protocols if applicable to your network – IP, RIP, OSPF, BGP, ISIS, IGMP, PIM, DVMRP, and VRRP.

Supported hardware and software

Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc. for 12.3, documenting all possible configurations and scenarios is beyond the scope of this document.
The following hardware platforms are supported by this release of this guide:
ServerIron ADX 1000
ServerIron ADX 4000
ServerIron ADX 8000
ServerIron ADX 10000

Document conventions

This section describes text formatting conventions and important notice formats used in this document.

Text formatting

The narrative-text formatting conventions that are used are as follows:
bold text
    Identifies command names
    Identifies the names of user-manipulated GUI elements
    Identifies keywords
    Identifies text to enter at the GUI or CLI
italic text
    Provides emphasis
    Identifies variables
    Identifies document titles
code text
    Identifies CLI output
For readability, command names in the narrative portions of this guide are presented in bold: for example, show version.

Notes, cautions, and danger notices

The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards.
A note provides a tip, guidance or advice, emphasizes important information, or provides a reference to related information.
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.

Notice to the reader

This document may contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations.
These references are made for informational purposes only.
Corporation - Referenced Trademarks and Products
Sun Microsystems - Solaris
Microsoft Corporation - Windows NT, Windows 2000
The Open Group - Linux

Related publications

The following Brocade documents supplement the information in this guide:
Release Notes for ServerIron Switch and Router Software TrafficWorks 12.2.00
ServerIron ADX Graphical User Interface
ServerIron ADX Server Load Balancing Guide
ServerIron ADX Advanced Server Load Balancing Guide
ServerIron ADX Global Server Load Balancing Guide
ServerIron ADX Security Guide
ServerIron ADX Administration Guide
ServerIron ADX Switching and Routing Guide
ServerIron ADX Firewall Load Balancing Guide
ServerIron ADX Chassis Hardware Installation Guide
Ironware MIB Reference Manual

Getting technical help

To contact Technical Support, go to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information.
Chapter 1

Network Security

TCP SYN attacks

ServerIron software contains many intrusion detection and prevention capabilities. The ServerIron can be configured to defend against a variety of TCP SYN attacks, Denial of Service (DoS) attacks, and Smurf attacks.
TCP SYN attacks disrupt normal traffic flow by exploiting the way TCP connections are established.
When a normal TCP connection occurs, the connecting host first sends a TCP SYN packet to the destination host. The destination host (actually the ServerIron, acting as an intermediary between the source and destination hosts) responds with a SYN ACK packet. The connecting host then returns an ACK packet. This process, known as a “TCP three-way handshake”, establishes the TCP connection.
A TCP SYN attack floods a host with TCP SYN packets. For each of these TCP SYN packets, the ServerIron responds with a SYN ACK packet and adds an entry to its session table. However, no ACK packet is actually sent back, so the connection is incomplete. If the attacker sends enough TCP SYN packets, the session table fills up with incomplete connections, and service can be denied to legitimate TCP connections.

IP TCP syn-proxy

Configure the ip tcp syn-proxy command as shown in the following.
1. Configure syn-proxy in the global mode.
ServerIronADX(config)# ip tcp syn-proxy
Syntax: ip tcp syn-proxy
Configure the ip tcp syn-proxy command only at the global level; it turns the global syn-proxy flag on and off.
2. Enable syn-proxy on each interface handling inbound SYN requests.
ServerIronADX(config)# interface e 3/1
ServerIronADX(config-if-3/1)# ip tcp syn-proxy in
Usage guidelines:
The default value for a valid ACK time is 32 seconds and is not user configurable. If you enter a value, it is ignored. The command remains in the config file the way you enter it, in case you need to downgrade to the previous release.

NOTE
ServerIron may accept the ACK between 33 seconds and 64 seconds because of the syn-proxy algorithm, but it does not accept the ACK after 64 seconds.
If you enter a value for the ip tcp syn-proxy <value> command from the CLI, or upgrade from an older release such as 09.4.x to 09.5.2a with the ip tcp syn-proxy <value> command in the config file, you receive the following warning message.
Warning: The value 10 is being ignored. Default ACK validate time of 32 seconds will be used. To change the MSL value, issue 'server msl <value>'.
Granular application of syn-proxy feature
This feature applies to ServerIron ADX Syn-Proxy. When this feature is enabled, traffic destined to a virtual server IP is denied if the destination port is not defined under any of the virtual server definitions.
This feature prevents ServerIron ADX from responding with TCP SYN-ACK to TCP SYN for ports not defined under VIP.
Use the following command to validate traffic against a configured virtual port.
ServerIronADX(config)# server syn-cookie-check-vport
Syntax: [no] server syn-cookie-check-vport

Syn-def

Introduction

Use SYN-def (also known as SYN-Defense) to protect the hosts behind the ServerIron (not the ServerIron itself): the ServerIron completes the TCP three-way handshake on behalf of a connecting client. There is no SYN-cookie functionality with SYN-def.
SYN-Defense is recommended only where Direct Server Return (DSR) is used. DSR is not supported with SYN-proxy but is supported with SYN-def. For non-DSR scenarios, use Syn-Proxy only.

show server traffic

Use the show server traffic command to display information about the number of times the incomplete connection threshold was reached.
ServerIronADX# show server traffic
Client->Server = 0    Server->Client = 0    Drops = 0    Aged = 0
Fw_drops = 0    Rev_drops = 0    FIN_or_RST = 0    old-conn = 0
Disable_drop = 0    Exceed_drop = 0    Stale_drop = 0    Unsuccessful = 0
TCP SYN-DEF RST = 0    Server Resets = 0
Out of Memory = 0    Out of Memory = 0
The last line contains information relevant to the incomplete connection threshold. The TCP SYN-DEF RST field displays the number of times the incomplete connection threshold was reached. The Server Resets field displays the number of times the ServerIron sent a TCP RESET packet to the destination real server.
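Because these counters are cumulative, what matters operationally is how fast TCP SYN-DEF RST and Server Resets grow between two readings of show server traffic. The following added example (not part of the guide, and not Brocade code) parses two constructed snapshots of that output and reports which watched counters rose by more than an assumed per-interval threshold; the sample values and the thresholds in WATCHED are made up for the example.

```python
import re

# Constructed sample snapshots of "show server traffic" output. The counter
# names follow the guide; the values are invented for this example.
SNAPSHOT_T0 = """\
Client->Server = 120    Server->Client = 118    Drops = 0    Aged = 3
Fw_drops = 0    Rev_drops = 0    FIN_or_RST = 40    old-conn = 0
Disable_drop = 0    Exceed_drop = 0    Stale_drop = 0    Unsuccessful = 0
TCP SYN-DEF RST = 2    Server Resets = 1
Out of Memory = 0    Out of Memory = 0
"""
SNAPSHOT_T1 = """\
Client->Server = 980    Server->Client = 300    Drops = 0    Aged = 512
Fw_drops = 0    Rev_drops = 0    FIN_or_RST = 45    old-conn = 0
Disable_drop = 0    Exceed_drop = 0    Stale_drop = 0    Unsuccessful = 0
TCP SYN-DEF RST = 57    Server Resets = 40
Out of Memory = 0    Out of Memory = 0
"""

# A counter name starts with a letter and may contain spaces ("TCP SYN-DEF RST"),
# hyphens, underscores and '>' ("Client->Server"); the value is an integer.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9_>\-/ ]*?)\s*=\s*(\d+)")


def parse_server_traffic(text):
    """Return {counter_name: value} for one show server traffic snapshot.
    A name that repeats ("Out of Memory" appears twice) is summed."""
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            name = name.strip()
            counters[name] = counters.get(name, 0) + int(value)
    return counters


def counter_deltas(before, after):
    """Per-counter increase between two snapshots (counters only grow)."""
    return {name: after.get(name, 0) - before.get(name, 0) for name in after}


# Assumed alert thresholds per polling interval (not from the guide):
# TCP SYN-DEF RST = incomplete-connection threshold reached again,
# Server Resets   = TCP RESETs the ServerIron sent to the real server,
# Aged            = sessions that expired without completing.
WATCHED = {"TCP SYN-DEF RST": 10, "Server Resets": 10, "Aged": 100}


def syn_def_alerts(before_text, after_text, thresholds=WATCHED):
    """Return {counter: increase} for watched counters whose increase between the
    two snapshots reached the threshold; an empty dict means nothing to report."""
    deltas = counter_deltas(parse_server_traffic(before_text),
                            parse_server_traffic(after_text))
    return {name: deltas.get(name, 0)
            for name, limit in thresholds.items()
            if deltas.get(name, 0) >= limit}


if __name__ == "__main__":
    for name, rise in syn_def_alerts(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{name} rose by {rise} since the previous reading")
```

In practice the two snapshots come from a scheduled CLI poll; the parser keys on the counter names printed by the switch, so it keeps working if the column layout changes between releases.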

SYN-def-dont-send-ack

The SYN-def feature allows the ServerIron to complete the TCP three-way handshake on behalf of a connecting client. When a connecting client sends a TCP SYN to a server, the ServerIron forwards the SYN to the real server, then forwards the SYN ACK from the server to the client. Next, the ServerIron sends an ACK to the real server, completing the three-way handshake on behalf of the connecting client. This action allows the real server to move the connection from its pending connection queue to its established (and much larger) connection queue.
Use the server syn-def-dont-send-ack command to prevent the ServerIron from sending the ACK to the real server to complete the three-way handshake.
Example
ServerIronADX(config)#server syn-def-dont-send-ack

show server debug

Use the show server debug command to display information about the configuration, as shown in the following example.

SLB-chassis1/1#show server debug
Generic Deug Info BP Distribution = Enabled JetCore = No No of BPs = 3 No of Partner BPs = 0 Partner Chassis MAC = 0000.0000.0000 Partner BP1 MAC = 0000.0000.0000 Partner BP2 MAC = 0000.0000.0000 Partner BP3 MAC = 0000.0000.0000 Partner BP4 MAC = 0000.0000.0000 Partner BP5 MAC = 0000.0000.0000 Partner BP6 MAC = 0000.0000.0000
Server Load Balancing Debug Info Total Get = 3 Total Free = 0 Get Fails = 0 Get Buffer failure = 0 Forward Sp = 0 Reverse Sp = 0 Bad creates = 0 TCP Resets = 0 Fw resets = 0 Rev Resets = 0 Double Free = 0 Error = 0 Free inv Sess Idx = 0 Free list Idx inv = 0 Cache-Reassigns = 0 Trans-Denied = 0 Multi Path Fwd Use = 0 Multi Path Rev Use = 0 Bad non-owner = 0 Select Fwall = 0 FTP-trans-error = 0 Cache track-error = 0 Fw tcp inside move = 0 Fw udp inside move = 0 Fw SYNC delayed = 0 ownership contention = 0 FW stale to conns = 0 FW stale to delq con = 0 FW stale from conns = 0 FW stale from delq c = 0 FW stale from nuke c = 0 Sac frwds = 0
Unxpectd udata = 0 Unxpectd udata(def) = 0 Client->Server = 0 Server->Client = 0 Drops = 0 Aged = 0 Fw_drops = 0 Rev_drops = 0 FIN_or_RST = 0 old-conn = 0 Disable_drop = 0 Exceed_drop = 0 Stale_drop = 0 Unsuccessful = 0 SYN def/proxy RST = 0 Server Resets = 0 Out of Memory = 0 Out of Memory = 0 last conn rate = 0 max conn rate = 0 last TCP attack rate = 0 max TCP attack rate = 0 fast vport found = 0 fast vport n found = 0 Fwd to non-static FI = 0 Dup stale SYN = 0
TCP forward FIN = 0 TCP reverse FIN = 0 Fast path FWD FIN = 0 Fast path REV FIN = 0 Fast path SLB SYN = 0 Dup SYN after FIN = 0 Duplicate SYN = 0 Duplicate sessions = 0 TCP ttl FIN recvd = 0 TCP ttl reset recvd = 0 Sessions in DEL_Q = 0 Sess force deleted = 0 Fwd sess not found = 0 sess already in delQ = 0 Sess rmvd from delQ = 0 Fragment buf full er = 0 Incoming TCP cksum e = 0 New sess sync sent = 0 New sess sync recvd = 0 L4 msg sent = 0 L4 msg recvd = 0 foundry packet sent = 0 ipc packet sent = 2818942 TCP SYN received = 0 TCP SYN dropped = 0 TCP SYN to MP = 0 TCP SYN ACK to MP = 0 TCP SYN ACK received = 0 TCP SYN ACK dropped = 0 TCP pkt received = 0 TCP pkt dropped = 0 TCP pkt to MP = 0 PBSLB tftp status = In progres
Avail. Sessions = 1999996 Total Sessions = 2000000 Hash size = 200001
Total C->S Conn = 0 Total S->C Conn = 0 Total Reassign = 0 Unsuccessful Conn = 0 Server State - 0: diasbled, 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Real Server  St  CurrConn  TotConn  TotRevConn  CurrSess  PeakConn
R1           1   0/0/0     0        0           0         0
rs1          1   0/0/0     0        0           0         0
No response to non-SYN first packet of a TCP flow
The ServerIron can remain passive when a non-SYN packet arrives at the beginning of a flow. The default behavior is to send a TCP RESET to the client when a non-SYN packet is received at the beginning of a flow.
NOTE
By default, when the ServerIron ADX receives a TCP packet destined to a VIP and there is no matching session, it sends a TCP reset to the sender. If you want the ServerIron ADX to remain passive instead, enable the feature described here.
To not send the reset packet, use the following command.
ServerIronADX(config)# server reset-on-syn-only
To remove the configuration, use the following command.
ServerIronADX(config)# no server reset-on-syn-only
Syntax: [no] server reset-on-syn-only

Prioritizing management traffic

ServerIron ADX software allows the system to prioritize traffic destined to the management IP address in order to facilitate uninterrupted access to the ServerIron switch even under heavy load conditions. This feature allows you to prioritize management traffic based on the following.
1. Client IP address/subnet
2. Protocol (TCP/UDP/IP)
3. TCP or UDP port number
With this feature turned on, the specified traffic is directly forwarded to the Management Module in hardware. In the following example, traffic from the source subnet 1.1.1.1 and destined to management IP 10.45.16.104 for TCP port 22 (SSH) is prioritized.
ServerIronADX(config)# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 10.45.16.104 6 22
Syntax: server prioritize-mgmt-traffic <source ip> <mask> <destination ip> [<protocol>] [<port>]
The <source ip> variable specifies the Source IP address.
The <mask> variable specifies the Mask for the source IP address.
The <destination ip> variable specifies the Destination management IP address. The destination IP address must already be configured on the ServerIron ADX. If the IP address is not configured, the command is rejected.
The <protocol> variable specifies the IP protocol number (for example, 6 for TCP or 17 for UDP).
The <port> variable specifies a TCP or UDP port.
It is also possible to prioritize management traffic from any source IP address, as shown in the following example.
ServerIronADX(config)# server prioritize-mgmt-traffic any 10.45.16.104 6 22
Syntax: [no] server prioritize-mgmt-traffic any <destination ip> [<protocol>] [<port>]
NOTE
The prioritizing management traffic feature should not be enabled for a ServerIron ADX router VE address if this interface is used for source NAT, because that would break the SLB traffic flow.
Refer to the following examples.
Prioritization of TCP port 80 traffic to management IP 200.1.1.1
ServerIronADX# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 200.1.1.1 6 80
Prioritization of TCP port 80 traffic to management IP 200.1.1.1 from any source IP address
ServerIronADX# server prioritize-mgmt-traffic any 200.1.1.1 6 80
Prioritization of UDP port 2222 traffic to management IP 200.1.1.1
ServerIronADX# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 200.1.1.1 17 2222
Prioritization of IP protocol 89 (OSPF) traffic to management IP 200.1.1.1
ServerIronADX# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 200.1.1.1 89

Protection against attack in hardware

ServerIron ADX allows for protection against attack in hardware without impacting MP or BP CPU utilization. Use the server drop-all-mgmt-access command to drop all traffic destined to a specified management IP address.
The following command drops all traffic destined to the management IP address 10.45.16.104.
ServerIronADX(config)# server drop-all-mgmt-access 10.45.16.104
Syntax: [no] server drop-all-mgmt-access <destination ip>
For a router, the destination IP address is the physical or VE interface IP address. For a switch, the destination IP address is the management IP address.
The server drop-all-mgmt-access feature when used in combination with the server prioritize-mgmt-traffic feature allows you to prioritize valid traffic while blocking unwanted traffic destined to the management IP address.
For example, with the following configuration, only SSH, Telnet and HTTP traffic destined to management IP address 10.45.16.104 is prioritized, and all other traffic destined to 10.45.16.104 is dropped.
ServerIronADX(config)# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 10.45.16.104 6 22
ServerIronADX(config)# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 10.45.16.104 6 23
ServerIronADX(config)# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 10.45.16.104 6 80
ServerIronADX(config)# server drop-all-mgmt-access 10.45.16.104

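The combined effect of server prioritize-mgmt-traffic and server drop-all-mgmt-access described above, modelled as an added Python example; this is not Brocade code and not the ServerIron ADX implementation. It assumes, as the example configuration implies, that a packet matching any prioritize rule is forwarded ahead of the drop rule, and that a destination that is not a configured management IP is rejected. The PrioritizeRule, Packet and MgmtTrafficPolicy names and the sample addresses 1.1.1.50, 192.0.2.9 and 10.45.16.200 are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP = 6, 17  # IP protocol numbers, as used in the guide's examples


@dataclass(frozen=True)
class PrioritizeRule:
    """One 'server prioritize-mgmt-traffic' entry; source=None models 'any'."""
    source: Optional[ipaddress.IPv4Network]
    destination: ipaddress.IPv4Address
    protocol: Optional[int] = None   # omitted on the CLI -> any protocol
    port: Optional[int] = None       # omitted on the CLI -> any port


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields the rules look at."""
    src: str
    dst: str
    protocol: int
    dport: Optional[int] = None


class MgmtTrafficPolicy:
    def __init__(self, mgmt_ips: List[str]) -> None:
        # Management IPs already configured on the box (the guide says the
        # prioritize command is rejected for any other destination).
        self.mgmt_ips = {ipaddress.ip_address(ip) for ip in mgmt_ips}
        self.prioritize: List[PrioritizeRule] = []
        self.drop_all: set = set()

    def prioritize_mgmt_traffic(self, source: str, mask: Optional[str],
                                destination: str, protocol: Optional[int] = None,
                                port: Optional[int] = None) -> None:
        dst = ipaddress.ip_address(destination)
        if dst not in self.mgmt_ips:
            raise ValueError(f"{destination} is not a configured management IP; command rejected")
        # '1.1.1.1 255.255.255.0' on the CLI denotes the subnet 1.1.1.0/24
        net = None if source == "any" else ipaddress.ip_network(f"{source}/{mask}", strict=False)
        self.prioritize.append(PrioritizeRule(net, dst, protocol, port))

    def drop_all_mgmt_access(self, destination: str) -> None:
        self.drop_all.add(ipaddress.ip_address(destination))

    def classify(self, pkt: Packet) -> str:
        """'prioritized' beats 'dropped' (assumption drawn from the guide's example)."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for rule in self.prioritize:
            if rule.destination != dst:
                continue
            if rule.source is not None and src not in rule.source:
                continue
            if rule.protocol is not None and rule.protocol != pkt.protocol:
                continue
            if rule.port is not None and rule.port != pkt.dport:
                continue
            return "prioritized"
        if dst in self.drop_all:
            return "dropped"
        return "normal"   # ordinary forwarding / SLB path, untouched by these rules


def demo() -> dict:
    """Reproduce the guide's SSH/Telnet/HTTP-only configuration and classify samples."""
    policy = MgmtTrafficPolicy(mgmt_ips=["10.45.16.104"])
    for port in (22, 23, 80):
        policy.prioritize_mgmt_traffic("1.1.1.1", "255.255.255.0", "10.45.16.104", TCP, port)
    policy.drop_all_mgmt_access("10.45.16.104")
    return {
        "ssh_from_subnet": policy.classify(Packet("1.1.1.50", "10.45.16.104", TCP, 22)),
        "ssh_from_elsewhere": policy.classify(Packet("192.0.2.9", "10.45.16.104", TCP, 22)),
        "snmp_from_subnet": policy.classify(Packet("1.1.1.50", "10.45.16.104", UDP, 161)),
        "vip_traffic": policy.classify(Packet("192.0.2.9", "10.45.16.200", TCP, 80)),
    }


def rejected_for_unknown_destination() -> bool:
    """The command must be refused when the destination is not a management IP."""
    policy = MgmtTrafficPolicy(mgmt_ips=["10.45.16.104"])
    try:
        policy.prioritize_mgmt_traffic("any", None, "10.45.16.105", TCP, 22)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run stand-alone, the block classifies SSH from the trusted subnet as prioritized, SSH from any other source and SNMP from the trusted subnet as dropped, and traffic to a VIP as normal; a rule for an unconfigured destination raises.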
Peak BP utilization with TRAP

Show CPU-utilization command enhancement

The show cpu-utilization command displays CPU utilization peaks since the system boot or the last reset of the counters (using the clear cpu-utilization command).
Use the clear cpu-utilization command on both the MP and the BP to reset the counters.

BP utilization threshold

The bp-utilization-threshold command allows you to specify a threshold for BP CPU utilization. Define this command under the global configuration mode.
When the threshold is exceeded, the event is logged and a trap is sent. The log and trap are rate-limited to one per two minutes.
The command takes a percentage string as its parameter.
Example
ServerIronADX(config)# bp-utilization-threshold 80.5%
Syntax: bp-utilization-threshold <percentage>

MP utilization threshold

The mp-utilization-threshold command specifies a threshold for BP CPU utilization. Define this command under the global configuration mode.
When the threshold is exceeded, the event is logged and a trap is sent. The log and trap are rate-limited to one every two minutes.
The command takes a percentage string as its parameter.
Example
ServerIronADX(config)# mp-utilization-threshold 80.5%
Syntax: mp-utilization-threshold <percentage>

Transaction Rate Limit (TRL)

Transaction Rate Limit (TRL) allows the ServerIron ADX to monitor and limit traffic from any one IP address.

Understanding transaction rate limit

Transaction Rate Limit counts the number of transactions received from any one IP address. If the transaction count exceeds a specified threshold value, traffic from that IP address is held and not processed for a specified number of minutes.
Transaction rate limit provides the flexibility to specify different configurations for different clients, based on the client IP address/prefix.
Transaction rate limit provides the following benefits:
Ability to apply a default transaction rate limit value to all clients, while maintaining an exception list.
Ability to apply a different transaction rate limit rate per client IP or prefix.
Ability to exclude specific IP addresses or prefixes from transaction rate limit and maintain an exclude list.
Ability to apply transaction rate limit to traffic coming to a specific VIP only.
Ability to operate on a per VIP basis, whereby a different rate limit can be applied to traffic coming to a different VIP.

Configuring transaction rate limit

To enable transaction rate limit, you must configure parameters for each client address/prefix and apply the transaction rate limit configuration to a specific VIP.
Prerequisites
Before you can configure transaction rate limit, you must configure a virtual server. The following example shows how to configure a virtual server.
ServerIronADX> enable
ServerIronADX# config terminal
ServerIronADX(config)# server virtual-name-or-ip bwVIP 1.1.1.33
Syntax: [no] server virtual-name-or-ip <vip-name-or-address> <ip address>
Configure transaction rate limit rule set
The transaction rate limit parameters are grouped into a set and each set is associated with a name. To create a set of transaction rate limit rules, follow these steps.
1. Enable privileged EXEC mode.
ServerIronADX> enable
2. Enter global configuration mode.
ServerIronADX# configure terminal
3. Configure the name of a transaction rate limit rule set and enter client transaction rate limit configuration mode.
ServerIronADX(config)#client-trans-rate-limit tcp TRL1
Syntax: [no] client-trans-rate-limit tcp | udp | icmp <name>
4. Specify the trl keyword for the client subnet and set the connection rate.
For IPv4:
ServerIronADX(config-client-trl-trl1)# trl 100.1.1.0 255.255.255.0 monitor-interval 3 conn-rate 10 hold-down-time 1
For IPv6:
ServerIronADX(config-client-trl-trl1)# trl 100::1/128 monitor-interval 3 conn-rate 10 hold-down-time 1
Syntax: [no] trl { <client-IPv4> <client-mask> | <client-IPv6> <prefix> } monitor-interval <mon-value> conn-rate <con-value> hold-down-time <hold-down-value>
Configure transaction rate limit to exclude a client
You can configure a client address/prefix to be excluded from transaction rate limiting within a transaction rate limit configuration group.
To exclude a client from transaction rate limit, follow these steps.
1. Enable privileged EXEC mode.
ServerIronADX> enable
2. Enter global configuration mode.
ServerIronADX# configure terminal
3. Specify the name of the transaction rate limit rule set and enter client transaction rate limit configuration mode.
ServerIronADX(config)# client-trans-rate-limit tcp TRL1
Syntax: [no] client-trans-rate-limit tcp | udp | icmp <name>
4. Specify the trl parameter for the client subnet and the exclude keyword.
For IPv4:
ServerIronADX(config-client-trl-TRL1)# trl 100.1.1.0 255.255.255.0 exclude
For IPv6:
ServerIronADX(config-client-trl-TRL1)# trl 300::1/128 exclude
Syntax: [no] trl { <client-IPv4> <client-mask> | <client-IPv6> <prefix> } exclude
Configure a transaction rate limit default
You can specify a default transaction rate limit configuration for all other clients that are not explicitly configured. To create a transaction rate limit default for a group, follow these steps.
1. Enable privileged EXEC mode.
ServerIronADX> enable
2. Enter global configuration mode.
ServerIronADX# configure terminal
3. Specify the name of the transaction rate limit rule set and enter client transaction rate limit configuration mode.
ServerIronADX(config)# client-trans-rate-limit tcp TRL1
Syntax: [no] client-trans-rate-limit tcp | udp | icmp <name>
4. Specify the default trl parameter for this group.
ServerIronADX(config-client-trl)# trl default monitor-interval 3 conn-rate 10 hold-down-time 1
Syntax: [no] trl default monitor-interval <mon-value> conn-rate <con-value> hold-down-time <hold-down-value>
Configure transaction rate limit for pass through traffic
You can configure transaction rate limit for traffic that is not going to a virtual server. You can configure only one group for pass through traffic.
To create a transaction rate limit group for pass through traffic, follow these steps.
1. Enable privileged EXEC mode.
ServerIronADX> enable
2. Enter global configuration mode.
ServerIronADX# configure terminal
3. Specify the name of the transaction rate limit rule set and enter client transaction rate limit configuration mode.
ServerIronADX(config)# client-trans-rate-limit tcp default
Syntax: [no] client-trans-rate-limit tcp | udp | icmp default
4. Specify the trl parameter for the client subnet and set a connection rate.
For IPv4:
ServerIronADX(config-client-trl)#trl 100.1.1.0 255.255.255.0 monitor-interval 3 conn-rate 10 hold-down-time 1
For IPv6:
ServerIronADX(config-client-trl)#trl 300::11/128 monitor-interval 3 conn-rate 10 hold-down-time 1
Syntax: [no] trl { <client-IPv4> <client-mask> | <client-IPv6> <prefix> } monitor-interval <mon-value> conn-rate <con-value> hold-down-time <hold-down-value>
5. The transaction rate limit policy pertaining to the protocol and the port must be applied to either the physical or the virtual interface for pass through traffic. This will ensure that the traffic is brought to the application processor (BP) for rate-limitation.
Applying policy on physical interface
ServerIronADX(config)# interface eth 1/1
ServerIronADX(config-if-1/1)# ip tcp trans-rate 80
Applying policy on virtual interface
ServerIronADX(config)# interface ve 20
ServerIronADX(config-vif-20)# ip udp trans-rate 53
Syntax: [no] ip tcp | udp trans-rate <ports>
Syntax: [no] ip icmp trans-rate
The <ports> parameter specifies one or more TCP or UDP ports to monitor. You can monitor up to four ports.
Apply transaction rate limit to a VIP
After configuring transaction rate limit, you must bind transaction rate limit to a VIP. To enable transaction rate limit, follow these steps.
1. Enable privileged EXEC mode.
ServerIronADX> enable
2. Enter global configuration mode.
ServerIronADX# configure terminal
3. Enter the server virtual-name-or-ip command with the VIP name to enter virtual server configuration mode.
ServerIronADX(config)# server virtual-name-or-ip bwVIP
Syntax: [no] server virtual-name-or-ip <name-or-address>
4. Specify the client-trans-rate-limit parameter and the name of the transaction rate limit rule set.
ServerIronADX(config-vs-bwVIP)# client-trans-rate-limit trl
Syntax: [no] client-trans-rate-limit <name>
5. The transaction rate limit policy pertaining to the protocol and the port must be applied to either the physical or the virtual interface for traffic destined to the virtual IP.
Applying policy on physical interface
ServerIronADX(config)# interface eth 1/1
ServerIronADX(config-if-1/1)# ip tcp trans-rate 80
Applying policy on virtual interface
ServerIronADX(config)# interface ve 20
ServerIronADX(config-vif-20)# ip udp trans-rate 53
Syntax: [no] ip tcp | udp trans-rate <ports>
Syntax: [no] ip icmp trans-rate
The <ports> parameter specifies one or more TCP or UDP ports to monitor. You can monitor up to four ports.
Deleting all TRL rules in a policy
You can delete all TRL rules in a policy as shown.
ServerIronADX(config)# client-trans-rate-limit tcp trl1
ServerIronADX(config-client-trl-trl1)# trl delete-all-rules
Syntax: trl delete-all-rules
Download transaction rate limit configuration from a TFTP server (optional)
When a Transaction Rate Limit configuration becomes very large, you can download the configuration from a TFTP server.
A TRL configuration file can have IPv4 as well as IPv6 rules.
The following example shows how to download a Transaction Rate Limit configuration from a TFTP server.
ServerIronADX(config)# server trl tftp 100.1.1.1 test.trl 2
Syntax: server trl tftp <ip-address> <trl_config_file_name> <retry_count>
Specify the following values.
<ip-address> - IP address of the TFTP server.
<trl_config_file_name> - File name of the Transaction Rate Limit configuration.
<retry_count> - Number of retries for the download.
Verify that the Transaction Rate Limit configuration file is in the following format.
client-trans-rate-limit tcp trl101
 trl 10.2.24.0/24 monitor-interval 50 conn-rate 100 hold-down-time 60
 trl 10.2.24.10/32 exclude
This is the same format as the show running-configuration command generates.

Configuring the maximum number of rules

By default, a TRL policy can have up to 2500 IPv4 rules and 2500 IPv6 rules. A maximum of 15,000 IPv4 and 15,000 IPv6 rules are supported on a ServerIron ADX across all policies. While the maximum number of rules cannot be increased beyond the 15,000 maximum, these limits can be changed globally or locally per policy.
Changing the maximum number of rules globally.
You can change the maximum number of TRL rules globally on a ServerIron ADX for all policies as shown.
ServerIronADX(config)# client-trans-rate-limit max-ipv4-rules 2000
Syntax: [no] client-trans-rate-limit { max-ipv4-rules | max-ipv6-rules } <rules-count>
The max-ipv4-rules parameter specifies that the rules limit is being set for IPv4 rules.
The max-ipv6-rules parameter specifies that the rules limit is being set for IPv6 rules.
The <rules-count> variable specifies the number of rules that will be supported globally. The maximum values (also the default) are: 15,000 for IPv4 and 15,000 for IPv6.
Changing the maximum number of rules locally per-policy.
You can change the maximum number of TRL rules for an individual policy on a ServerIron ADX as shown.
ServerIronADX(config)# client-trans-rate-limit tcp trl1
ServerIronADX(config-client-trl-trl1)# trl max-ipv4-rules 2000
Syntax: [no] trl { max-ipv4-rules | max-ipv6-rules } <rules-count>
The max-ipv4-rules parameter specifies that the rules limit is being set for IPv4 rules for the specified policy.
The max-ipv6-rules parameter specifies that the rules limit is being set for IPv6 rules for the specified policy.
The <rules-count> variable specifies the number of rules that will be supported for the specified policy that this command is being configured under. The default values are: 2500 for IPv4 and 2500 for IPv6. The value for each (IPv4 and IPv6) can be set to any number as long as the global limits are observed.

Saving a TRL configuration

The following applies to saving a TRL configuration:
The startup-config cannot store 15,000 IPv4 and 15,000 IPv6 rules.
If the total number of IPv4 and IPv6 rules exceeds 2500, issuing the write mem command stores the TRL rules in the "trl_conf.txt" file on the internal USB drive.
The policy configuration and the global/local maximum rule count configuration are always stored in the startup-config.
Disabling the storage of TRL rules on the internal USB drive
By default, storage of TRL rules on the internal USB drive of a ServerIron ADX is enabled. You can disable the storage of TRL rules on the internal USB drive of a ServerIron ADX as shown.
ServerIronADX(config)# no client-trans-rate-limit usb-config-gen
Syntax: no client-trans-rate-limit usb-config-gen
If storage of TRL rules on the internal USB drive of a ServerIron ADX is disabled and the total number of rules exceeds 2500, only 2500 rules are saved in the startup-config.

Transaction rate limit command reference

This section describes the syntax, semantics, and usage for each transaction rate limit command. This section contains the following sections:
“client-trans-rate-limit”
“trl”
client-trans-rate-limit
Use the client-trans-rate-limit command in the global configuration mode to configure a transaction rate limit rule name and traffic type.
Syntax: client-trans-rate-limit {icmp <name> | default} | {tcp <name> | default} | {udp <name> | default}
icmp - Specifies ICMP transaction rate limit for client subnet.
tcp - Specifies TCP transaction rate limit for client subnet.
udp - Specifies UDP transaction rate limit for client subnet.
<name> - Specifies the name for this configuration.
default - Specifies default.
trl
Use the trl command in the global configuration client-trl mode to configure transaction rate limit rules.
Syntax: trl {default | { <client-IPv4> <client-mask> | <client-IPv6> <prefix> } {exclude | monitor-interval <monitor-value> conn-rate <connection-value> hold-down-time <hold-down-value>}}
default - Specifies the default transaction rate limit parameter.
<client-IPv4> - Specifies the IPv4 client subnet, and <client-mask> - Specifies the IPv4 client mask.
<client-IPv6> - Specifies the IPv6 client subnet, and <prefix> - Specifies the IPv6 client mask bits.
exclude - Excludes the prefix from transaction rate limit.
monitor-interval - Specifies the time interval for monitoring, in units of 100 ms.
<monitor-value> - Specifies the value of the time interval for monitoring.
conn-rate - Specifies the connection rate.
<connection-value> - Specifies the value of the connection rate for the client.
hold-down-time - Specifies the time for holding down the source.
<hold-down-value> - Specifies the hold down time in minutes.
Command modes: Global configuration mode.

Global TRL

If TRL per client subnet is not needed, Global TRL can be used to create a configuration to apply to all the incoming traffic.
Use ip [tcp | udp | icmp] trans-rate to enable TRL on the ServerIron for TCP, UDP, or ICMP traffic. If more than a specified number of packets per second come from the same IP address over a specified interval, all traffic from that IP address is held down for a specified number of minutes.
Syntax: [no] ip [tcp | udp | icmp] trans-rate monitor-interval <interval> conn-rate <rate> hold-down-time <minutes>
monitor-interval <interval> Amount of time used to measure incoming traffic. This parameter is specified in increments of 100ms. For example, to measure traffic over a 1 second interval, you would specify 10 for this.
conn-rate <rate> Threshold for the number of connections per second from any one IP address. Traffic exceeding this rate over the specified interval is subject to hold down.
hold-down-time <minutes> Number of minutes that traffic from an IP address that has sent packets at rate higher than the configured threshold is to be held down.
Example
ServerIronADX(config)# ip tcp trans-rate monitor-interval 600 conn-rate 100 hold-down-time 5
This command configures the ServerIron to monitor incoming TCP traffic. If more than 100 TCP connections per second arrive from the same IP address over a 60-second interval (600 X 100ms), then all TCP traffic from that IP address is held down for 5 minutes.
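The hold-down decision described on this page (count connection attempts per client over monitor-interval x 100 ms, hold the client down for hold-down-time minutes once conn-rate is exceeded, fall back to the policy's default rule, skip excluded prefixes), written out as an added Python example; this is not Brocade code and not the ServerIron ADX implementation. It assumes that conn-rate is evaluated across the whole interval, as in the 100 conn/s over 60 s reading above, that the most specific matching prefix wins when rules overlap, and that a hold-down-time of 0 only logs, as the hold-down value section of this page states. The TrlRule and TrlPolicy names and the client addresses 10.2.24.5 and 192.0.2.7 are constructed; the rule set mirrors the trl101 TFTP file example on this page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class TrlRule:
    """One 'trl ...' line; network=None models the policy's 'trl default' rule."""
    network: Optional[IPNet]
    monitor_interval: int = 0   # CLI units of 100 ms
    conn_rate: int = 0          # connections per second
    hold_down_time: int = 0     # minutes; 0 means log only (hold-down value section)
    exclude: bool = False       # 'trl <prefix> exclude'

    @property
    def window_seconds(self) -> float:
        return self.monitor_interval / 10.0

    @property
    def max_connections(self) -> float:
        # Assumption: the per-second rate is evaluated over the whole interval,
        # so 100 conn/s over a 60 s interval means more than 6000 attempts in 60 s.
        return self.conn_rate * self.window_seconds


@dataclass
class TrlPolicy:
    """A 'client-trans-rate-limit' rule set plus its per-client counters."""
    name: str
    rules: List[TrlRule] = field(default_factory=list)
    default: Optional[TrlRule] = None
    log: List[str] = field(default_factory=list)
    _window_start: Dict[IPAddr, float] = field(default_factory=dict)
    _attempts: Dict[IPAddr, int] = field(default_factory=dict)
    _held_until: Dict[IPAddr, float] = field(default_factory=dict)

    def add_rule(self, prefix: str, **params) -> None:
        self.rules.append(TrlRule(ipaddress.ip_network(prefix, strict=False), **params))

    def lookup(self, ip: IPAddr) -> Optional[TrlRule]:
        """Most specific matching prefix wins (assumption); otherwise the default rule."""
        matches = [r for r in self.rules
                   if r.network.version == ip.version and ip in r.network]
        if matches:
            return max(matches, key=lambda r: r.network.prefixlen)
        return self.default

    def on_connection(self, src: str, now: float) -> str:
        """Return 'held', 'log' or 'allow' for one attempt at time now (seconds)."""
        ip = ipaddress.ip_address(src)
        if self._held_until.get(ip, 0.0) > now:
            return "held"                      # still inside the hold-down period
        rule = self.lookup(ip)
        if rule is None or rule.exclude:
            return "allow"                     # no rule, or explicitly excluded
        start = self._window_start.get(ip)
        if start is None or now - start >= rule.window_seconds:
            self._window_start[ip] = now       # open a new monitoring interval
            self._attempts[ip] = 0
        self._attempts[ip] += 1
        if self._attempts[ip] > rule.max_connections:
            if rule.hold_down_time == 0:
                self.log.append(f"{self.name}: {ip} exceeded {rule.conn_rate} conn/s")
                return "log"
            self._held_until[ip] = now + rule.hold_down_time * 60
            return "held"
        return "allow"


def demo() -> dict:
    """Constructed scenario: the trl101 rule set from the TFTP example plus a
    log-only default (trl default monitor-interval 3 conn-rate 10 hold-down-time 0)."""
    policy = TrlPolicy("trl101")
    policy.add_rule("10.2.24.0/24", monitor_interval=50, conn_rate=100, hold_down_time=60)
    policy.add_rule("10.2.24.10/32", exclude=True)
    policy.default = TrlRule(None, monitor_interval=3, conn_rate=10, hold_down_time=0)

    results = {}
    # 10.2.24.5: 5 s window, 100 conn/s -> 500 attempts allowed, the 501st trips the rule
    outcomes = [policy.on_connection("10.2.24.5", i * 0.001) for i in range(501)]
    results["client_allowed"] = outcomes.count("allow")
    results["client_501st"] = outcomes[-1]
    results["client_after_59min"] = policy.on_connection("10.2.24.5", 59 * 60.0)
    results["client_after_61min"] = policy.on_connection("10.2.24.5", 61 * 60.0)
    # 10.2.24.10 matches the /32 exclude, so it is never limited
    results["excluded"] = all(policy.on_connection("10.2.24.10", i * 0.001) == "allow"
                              for i in range(600))
    # unknown client -> default rule: 3 attempts per 300 ms allowed, the 4th only logs
    results["default_fourth"] = [policy.on_connection("192.0.2.7", i * 0.01)
                                 for i in range(4)][-1]
    results["default_logged"] = len(policy.log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-client state (window start, attempt counter, release time) is what the show security holddown fields start, attempt and time report on the appliance; the block keeps them in dictionaries so the three outcomes can be checked on a small constructed timeline.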
To apply TRL to TCP traffic coming into port 80 on interface 1/1, enter commands such as the following.
ServerIronADX(config)# interface ethernet 1/1
ServerIronADX(config-if-1/1)# ip tcp trans-rate 80
The <ports> parameter sets one or more TCP or UDP ports to monitor. With TRL, the ServerIron can monitor up to 4 specific ports. The ServerIron can also monitor traffic to all the ports by configuring the default port.

TRL plus security ACL-ID

Even though TRL is applied to an interface and affects all traffic received on that interface, the security acl-id <acl-num> command lets you apply TRL only to specific traffic coming in on that interface. Refer to "security acl-id" on page 15.

security acl-id

The security global command accepts acl-id <acl-num> as a parameter.
Syntax: [no] security acl-id <id>
Example
ServerIronADX(config)# security acl-id 4
Once security acl-id <acl-num> is configured, only packets matching the configured ACL are subject to the L4 security rules configured on the system. (Specifically, TRL and manual hold down take effect only for packets matching this configured ACL.) If you want specific traffic to bypass the L4 security features, do not include those IP addresses in the access list.
The security acl-id takes precedence over all TRL configuration.

Transaction rate limit hold-down value

If you configure "hold down 0", the incoming request is not held down. Instead, it generates a log entry.

Displaying TRL rules statistics

You can display statistics for TRL rules as shown.
ServerIronADX#show client-trl rules-stat
Policy-Name  default-rule  ipv4-rules-alloted  ipv4-rules-added  ipv6-rules-alloted  ipv6-rules-added
trl1         0             2500                0                 2500                0
trl2         0             2500                0                 2500                0
trl3         0             2500                0                 2500                0
Global ipv4 rule num: 2500, total-alloted-ipv4-rules: 7500
Global ipv6 rule num: 2500, total-alloted-ipv6-rules: 7500
Syntax: show client-trl rules-stat

Displaying TRL rules in a policy

You can display TRL rules in a policy as shown.
ServerIronADX#show client-trl trl-policy1 ipv6 40
Max Count: 2500 Total Count: 2
IP address/Mask  interval  attempts  holddown
---------------  --------  --------  --------
300::3a95/128    1         67        93
300::3a96/128    66        38        34
Syntax: show client-trl <policy-name> { ipv4 | ipv6} <index>
The <policy-name> variable specifies the TRL policy that you want to display rules for.
The show client-trl command displays entries in the TRL policy list, starting from the point specified with the <index> parameter.

Displaying IP address with held down traffic

To display a list of IPv4 and IPv6 addresses whose traffic has been held down, enter commands such as the following.
ServerIronADX# rconsole 2 1
ServerIronADX2/1 #show security holddown
source        destination  vers  attempt  start     last      HD  time
192.168.2.30  Any          tcp   0        000ab6ae  00000000  Y   9
192.168.2.40  Any          tcp   0        000ab6ea  00000000  Y   9
Syntax: rconsole <slotnum> <cpunum>
Syntax: show security holddown
The following table lists the output from the show security holddown command.
TABLE 1 Output from the show security holddown command
Field        Description
source       Source IPv4 or IPv6 address that is currently being held down.
destination  TCP, UDP, or ICMP depending on the type of traffic sent by the client.
vers         Used by Brocade Technical Support.
attempt      Number of connection attempts made by the client during the current monitoring interval.
start        Time stamp representing the start of the monitoring interval.
last         Time stamp representing the last time the ServerIron received a connection request from the client.
HD           Whether the IP address is currently being held down. Y indicates that the address is being held down. N indicates that it is not.
time         Time remaining for this IP address to be held down, if the HD field contains Y.

Refusing new connections from a specified IP address

Use the security hold-source-ip command to refuse new connections from a specified IP address for a specified amount of time. This feature applies to all TCP, UDP, and ICMP traffic originating from the specified IP address.
Syntax: [no] security hold-source-ip <ip-address> <minutes>