HP ProCurve 6200yl Series Access Security Manual page 60

Hide thumbs Also See for ProCurve 6200yl Series:
Table of Contents

Advertisement

Virus Throttling
Introduction
Note
A
B
C
D
Figure 3-1. Example of Protecting a Network from Agents Using a High IP Connection Rate To Propagate
3-4
deployed to hosts, the network remains functional and the overall
distribution of the malicious code is limited.
Connection-Rate filtering is a countermeasure tool you can use in your inci­
dent-management program to help detect an manage worm-type IT security
threats received in inbound routed traffic. Major benefits of this tool include:
Behavior-based operation that does not require identifying details
unique to the code exhibiting the worm-like operation.
Handles unknown worms.
Needs no signature updates.
Protects network infrastructure by slowing or stopping routed traffic
from hosts exhibiting high connection-rate behavior.
Allows network and individual switches to continue to operate, even
when under attack.
Provides Event Log and SNMP trap warnings when worm-like
behavior is detected
Gives IT staff more time to react before the threat escalates to a crisis.
When configured on a port, connection-rate filtering is triggered by routed
IPv4 traffic received inbound with a relatively high rate of IP connection
attempts. (Connection-Rate filtering is not triggered by such traffic when
both the SA and DA are in the same VLAN—that is, switched traffic). Note
that connection-rate filtering applies only to routed traffic. Switched traffic
from a blocked or throttled host is not blocked or throttled.
VLAN 1
VLAN 2
5400zl with Routing
Configured
VLAN 3
Devices on VLAN 3 Infected
with Worm-Like Malicious Code
Configuring connection-rate filtering
Networked
Servers
on the switch protects the devices
on VLANs 1 and 2 from the high
connection-rate traffic
(characteristic of worm attacks) that
is being routed from VLAN 3.
Internet

Hide quick links:

Advertisement

Table of Contents
loading

Table of Contents