Brocade Communications Systems ServerIron ADX 12.4.00a Security Manual


Version 12.4.00a

53-1002440-03
June 2012
ServerIron ADX®
Security Guide
Supporting Brocade ServerIron ADX version 12.4.00a


Summary of Contents for Brocade Communications Systems ServerIron ADX 12.4.00a

  • Page 1 53-1002440-03 ® June 2012 ServerIron ADX Security Guide Supporting Brocade ServerIron ADX version 12.4.00a...
  • Page 2 Export of technical data contained in this document may require an export license from the United States government. The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.
  • Page 3: Table Of Contents

    Contents: About This Document; Audience ..... xiii; Supported hardware and software ...
  • Page 4 Transaction Rate Limit (TRL) ..... 7; Understanding transaction rate limit ..... 7; Configuring transaction rate limit ...
  • Page 5 Firewall load balancing enhancements ..... 34; Enabling firewall strict forwarding ..... 34; Enabling firewall VRRPE priority ...
  • Page 6 ACL logging ..... 70; Displaying ACL log entries ...
  • Page 7 Translation timeouts ..... 104; Configuring the NAT translation aging timer ..... 104; Stateless static IP NAT ...
  • Page 8 Chapter 6 Secure Socket Layer (SSL) Acceleration; SSL overview ..... 135; Public Key Infrastructure (PKI) ...
  • Page 9 SSL debug and troubleshooting commands ..... 187; Diagnostics ..... 187; Displaying SSL information ...
  • Page 11: About This Document

    Supported hardware and software: Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc. for 12.3, documenting all possible configurations and scenarios is beyond the scope of this document. The following hardware platforms are supported by this release of this guide: •...
  • Page 12: Notes, Cautions, And Danger Notices

    bold text: identifies command names, the names of user-manipulated GUI elements, keywords, and text to enter at the GUI or CLI. italic text: provides emphasis, identifies variables, and identifies document titles. code text: identifies CLI output. For readability, command names in the narrative portions of this guide are presented in bold: for example, show version.
  • Page 13: Related Publications

    Corporation / Referenced Trademarks and Products: Microsoft Corporation: Windows NT, Windows 2000; The Open Group: Linux. Related publications: The following Brocade documents supplement the information in this guide: • Release Notes for ServerIron Switch and Router Software TrafficWorks 12.2.00 • ServerIron ADX Graphical User Interface •...
  • Page 15: Network Security

    Chapter Network Security TCP SYN attacks ServerIron software contains many intrusion detection and prevention capabilities. The ServerIron can be configured to defend against a variety of TCP SYN attacks, Denial of Service (DoS) attacks, and Smurf attacks. TCP SYN attacks disrupt normal traffic flow by exploiting the way TCP connections are established. When a normal TCP connection occurs, the connecting host first sends a TCP SYN packet to the destination host.
  • Page 16: Granular Application Of Syn-Proxy Feature

    Granular application of syn-proxy feature • The ServerIron may accept the ACK between 33 and 64 seconds because of the syn-proxy algorithm, but it does not accept the ACK after 64 seconds. • If you enter a value for the ip tcp syn-proxy <value> command from the CLI, or upgrade from an older release such as 09.4.x to 09.5.2a with the ip tcp syn-proxy <value>...
  • Page 17: Syn-Def-Dont-Send-Ack

    Syn-def ServerIronADX# show server traffic Client->Server Server->Client Drops Aged Fw_drops Rev_drops FIN_or_RST old-conn Disable_drop Exceed_drop Stale_drop Unsuccessful TCP SYN-DEF RST Server Resets Out of Memory Out of Memory The last line contains information relevant to the incomplete connection threshold. The TCP SYN-DEF RST field displays the number of times the incomplete connection threshold was reached.
  • Page 18: No Response To Non-Syn First Packet Of A Tcp Flow

    No response to non-SYN first packet of a TCP flow SLB-chassis1/1#show server debug Generic Deug Info BP Distribution Enabled JetCore No of BPs No of Partner BPs Partner Chassis MAC 0000.0000.0000 Partner BP1 MAC 0000.0000.0000 Partner BP2 MAC 0000.0000.0000 Partner BP3 MAC 0000.0000.0000 Partner BP4 MAC 0000.0000.0000...
  • Page 19: Prioritizing Management Traffic

    Prioritizing management traffic By default, when the ServerIron ADX receives a TCP packet destined to a VIP and there is no session match, it sends a TCP reset to the sender. If you want the device to remain passive instead, you can enable the feature described above. To suppress the reset packet, use the following command.
  • Page 20: Protection Against Attack In Hardware

    Peak BP utilization with TRAP
    ServerIronADX# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 200.1.1.1 6
    Prioritization of TCP port 80 traffic to management IP 200.1.1.1 from any source IP address:
    ServerIronADX# server prioritize-mgmt-traffic any 200.1.1.1 6 80
    Prioritization of UDP port 2222 traffic to management IP 200.1.1.1:
    ServerIronADX# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 200.1.1.1 17 2222
    Prioritization of IP protocol 89 (OSPF) traffic to management IP 200.1.1.1...
  • Page 21: Bp Utilization Threshold

    Transaction Rate Limit (TRL) BP utilization threshold The bp-utilization-threshold command allows you to specify a threshold for BP CPU utilization. Configure this command in global configuration mode. When the threshold is exceeded, the event is logged and a trap is sent. The log and trap are rate-limited to one per two minutes.
  • Page 22: Configuring Transaction Rate Limit

    Transaction Rate Limit (TRL) • Ability to operate on a per-VIP basis, so that a different rate limit can be applied to traffic destined for each VIP. Configuring transaction rate limit To enable transaction rate limit, you must configure parameters for each client address/prefix and apply the transaction rate limit configuration to a specific VIP.
  • Page 23 Transaction Rate Limit (TRL)
    1. Enable privileged EXEC mode. ServerIronADX> enable
    2. Enter global configuration mode. ServerIronADX# configure terminal
    3. Specify the name of the transaction rate limit rule set and enter client transaction rate limit configuration mode. ServerIronADX(config)# client-trans-rate-limit tcp TRL1
    Syntax: [no] client-trans-rate-limit tcp | udp | icmp <name>...
  • Page 24 Transaction Rate Limit (TRL) Configure transaction rate limit for pass through traffic You can configure transaction rate limit for traffic that is not going to a virtual server. You can configure only one group for pass through traffic. To create a transaction rate limit group for pass through traffic, follow these steps. Enable privileged EXEC mode.
  • Page 25 Transaction Rate Limit (TRL)
    2. Enter global configuration mode. ServerIronADX# configure terminal
    3. Specify the server virtual-name-or-ip command and the VIP name to enter virtual server configuration mode. ServerIronADX(config)# server virtual-name-or-ip bwVIP
    Syntax: [no] server virtual-name-or-ip <name-or-address>
    4. Specify the BW parameter and BW rule set. ServerIronADX(config-vs-bwVIP)# client-trans-rate-limit trl
    Syntax: [no] client-trans-rate-limit <name>...
  • Page 26: Configuring The Maximum Number Of Rules

    Transaction Rate Limit (TRL) <ip_address>: IP address of the TFTP server. <trl_config_file_name>: file name of the Transaction Rate Limit configuration. <retry_count>: number of retries for the download. Verify that the Transaction Rate Limit configuration file is in the following format.
    client-trans-rate-limit tcp trl101
    trl 10.2.24.0/24 monitor-interval 50 conn-rate 100 hold-down-time 60
    trl 10.2.24.10/32 exclude
    NOTE...
  • Page 27: Saving A Trl Configuration

    Transaction Rate Limit (TRL) Saving a TRL configuration The following applies to saving a TRL config: • The startup-config cannot store 15,000 IPv4 and 15,000 IPv6 rules. • If the total number of IPv4 and IPv6 rules exceeds 2500, issuing the write mem command stores the TRL rules in the “trl_conf.txt”...
  • Page 28: Global Trl

    Transaction Rate Limit (TRL) Syntax: trl {default | { <client-IPv4> <client-mask> | <client-IPv6> <prefix> } {exclude | monitor-interval <monitor-value> conn-rate <connection-value> hold-down-time <hold-down-value>}} default - Specifies default transaction rate limit parameter. <client-IPv4> - Specifies IPv4 client subnet and <client-mask> - Specifies the IPv4 client mask. <client-IPv6>...
  • Page 29: Trl Plus Security Acl-Id

    Transaction Rate Limit (TRL) ServerIronADX(config)# interface ethernet 1/1 ServerIronADX(config-if-1/1)# ip tcp trans-rate 80 where <ports> sets one or more TCP or UDP ports to monitor. With TRL, the ServerIron can monitor up to 4 specific ports. The ServerIron can also monitor traffic to all the ports by configuring the default port.
  • Page 30: Displaying Ip Address With Held Down Traffic

    Transaction Rate Limit (TRL)
    ServerIronADX# show client-trl trl-policy1 ipv6 40
    Max Count: 2500 Total Count: 2
    IP address/Mask interval attempts holddown
    --------------- -------- -------- --------
    300::3a95/128
    300::3a96/128
    Syntax: show client-trl <policy-name> { ipv4 | ipv6 } <index> The <policy-name> variable specifies the TRL policy that you want to display rules for. The show client-trl command displays entries in the TRL policy list, starting from the point specified with the <index>...
  • Page 31: Http Trl

    HTTP TRL Example To configure the ServerIron to refuse connections from 192.168.9.210 for 20 minutes, enter the following command.
    ServerIronADX(config)# security hold-source-ip 192.168.9.210 20
    To display the IP addresses from which connections are currently being refused, enter the following commands.
    ServerIronADX# rconsole 2 1
    ServerIronADX2/1 # show security holddown
    source destination vers attempt start...
  • Page 32: Configuring Http Trl

    Configuring HTTP TRL • Rate-limiting functionality must support rate over time and total connections, based on customer ID. • Max-conn currently works only for HTTP/1.0. • This feature supports HTTP redirect or drop as client response actions once the rate limit has been exceeded.
  • Page 33: Configuring Http Trl Defaults

    Configuring HTTP TRL Syntax: [no] http-trl-policy <policy-name> 2. Configure an HTTP TRL client maximum connection. ServerIronADX(config-http-trl-p1)# client-name c1 max-conn 10 Syntax: [no] client-name <client-name> max-conn <max-conn-value> <max-conn-value>: specifies the maximum number of connections a client can set up. 3. Configure the action to take if a client exceeds the configured maximum connections (optional).
  • Page 34: Sample Http Trl Configuration

    Configuring HTTP TRL Syntax: [no] default exceed-action reset Sample HTTP TRL configuration This section describes how to configure a sample HTTP TRL configuration. This scenario describes all the required steps for configuring HTTP TRL and notes the optional steps. This configuration consists of four parts: •...
  • Page 35: Displaying Http Trl

    Displaying HTTP TRL Syntax: port http
    ServerIronADX(config-rs-web2)# exit
    Syntax: exit
    5. Define a virtual server with an IP address. ServerIronADX(config)# server virtual-name-or-ip csw-vip 1.1.1.100
    Syntax: server virtual-name-or-ip <vip-name-or-ip-address> <ip-address>
    6. Define a virtual HTTP port on the virtual server. ServerIronADX(config-vs-csw-vip)# port http
    Syntax: port http
    Bind HTTP ports on real servers web1 and web2 to the virtual port HTTP.
  • Page 36: Display All Http Trl Policies

    Displaying HTTP TRL Display all HTTP TRL policies To show all running configurations for HTTP TRL policies, use the following command.
    ServerIronADX# show run http-trl-policy all
    Syntax: show run http-trl-policy all
    Example
    ServerIronADX# show run http-trl all
    !Building configuration...
    !Current configuration : 124813 bytes
    http-trl-policy "my-http-trl-policy-104"...
  • Page 37: Display Http Trl Policy Client

    Displaying HTTP TRL client-name "root17" max-conn 1 client-name "root17" exceed-action reset client-name "root18" max-conn 1 client-name "root18" exceed-action reset client-name "root19" max-conn 1 client-name "root19" exceed-action reset client-name "root2" max-conn 1 client-name "root2" exceed-action reset client-name "root20" max-conn 1... Display HTTP TRL policy client To show a running configuration for an HTTP TRL policy client, enter the following command.
  • Page 38: Display Http Trl Policy Matching A Regular Expression

    Displaying HTTP TRL client-name "root18" exceed-action reset client-name "root19" max-conn 1 client-name "root19" exceed-action reset client-name "root2" max-conn 1... Display HTTP TRL policy matching a regular expression To show a running configuration for an HTTP TRL policy matching a specific regular expression (regex), enter the following command.
  • Page 39: Display Http Trl Policy Client Index (Bp)

    Displaying HTTP TRL Example ServerIronADX# show http-trl policy my-http-trl-policy-103 0 10 Policy Name: my-http-trl-policy-103 configured client count: 1 total client count: 1 Client name TDSWS/LoadRunner monitor-interval 1 warning rate 10 shutdown rate 20 holddown interval 0 exceed action: drop dynamic No max-conn track session 0 trl track session 0 Syntax: show http-trl policy <policy-name>...
  • Page 40: Display Http Trl Policy For All Client Entries (Bp)

    Downloading an HTTP TRL policy through TFTP Example ServerIronADX# show http-trl policy my-http-trl-policy-103 0 100 Policy Name: my-http-trl-policy-103 configured client count: 1 total client count: 2 Client name V E'Vææ\ max-conn 50 dynamic Yes max-conn track session 1 trl track session 0 HTTP_TRL_HIT 3278 HTTP_TRL_PASS...
  • Page 41: Http Trl Policy Commands

    HTTP TRL policy commands Syntax: tftp <tftp-server-addr> <config-file-name> NOTE You can save this command with write memory to automatically initiate a download for this policy after you reload. If you configure more than one policy for TFTP download, and a policy fails the download, the ServerIron does NOT retry, and the subsequent policy does not initiate a download.
  • Page 42: Client-Name Exceed-Action

    HTTP TRL policy commands <max-conn-value>: specifies the maximum number of connections a client can set up. Example ServerIronADX(config-http-trl-p1)# client-name c1 max-conn 10 NOTE You must set the client HTTP max-conn configuration before you configure the client exceed-action. NOTE Max-conn currently supports only HTTP/1.0. Client-name <client-name> exceed-action Use the client-name <client-name>...
  • Page 43: Default Max-Conn

    HTTP TRL policy commands • <holddown-interval>: specifies the length, in minutes, of the hold-down period applied when a client exceeds the rate limit. NOTE A value of 0 means do not hold down. Hold down holds all traffic. Example ServerIronADX(config-http-trl-p1)# default monitor-interval 1 10 20 0 Default max-conn Use the default max-conn option in the http-trl-policy configuration mode to set default maximum connection parameters.
  • Page 44: Logging For Dos Attacks

    Logging for DoS Attacks Logging for DoS Attacks The following sections describe how to enable logging of DoS attacks. Configuration commands Use the following commands to enable logging of TCP connection rate and attack rate. Syntax: [no] ip tcp conn-rate <rate> attack-rate <rate> Syntax: [no] ip tcp conn-rate-change <percentage>...
  • Page 45: Show Server Conn-Rate

    Maximum connections show server conn-rate Use show server conn-rate to display the global TCP connection rate (per second) and TCP SYN attack rate (per second). This command reports global connection rate information for the ServerIron as well as for each real server. ServerIronADX# show server conn-rate Avail.
  • Page 46: Maximum Concurrent Connection Limit Per Client

    Maximum concurrent connection limit per client Maximum concurrent connection limit per client This feature restricts each client to a specified number of connections, based on the client’s subnet, to prevent any one client from using all available connections. Limiting the number of concurrent connections per client This feature restricts each client to a specified number of concurrent connections, based on the client’s subnet, to prevent any one client from using all available connections.
  • Page 47 Maximum concurrent connection limit per client ServerIronADX(config)# client-connection-limit max-conn1 ServerIronADX(config-client-max-conn)# max-conn default 10 In this example, all clients not specified in any max connection group will have a maximum of 10 connections. Syntax: [no] max-conn [<client-ip-address> <client-subnet-mask> default <max-connections> Enter a default maximum number of connections for <max-connections> Excluding clients from maximum connection policy If you want certain clients to be excluded from any maximum connection policies, enter a command such as the following.
  • Page 48: Firewall Load Balancing Enhancements

    Firewall load balancing enhancements Syntax: [no] client-max-conn-limit <name> Enter the name of the max connection policy for <name>. NOTE When the policy is bound to a VIP, the policy limits the number of connections that a client can have on any real server on the network. Firewall load balancing enhancements This section contains the following sections: •...
  • Page 49: Enabling Track Firewall Group

    Syn-cookie threshold trap Enabling track firewall group To enable track-fw-group to track the firewall group state, use the following commands. ServerIronADX(config)# int ve 1 ServerIronADX(config-vif-1)# ip vrrp-e vrid 1 ServerIronADX(config-vif-1-vrid-1)# track-fw-group Syntax: track-fw-group <group-num> Use the track-fw-group command under the VRRPE config level. <group-num> is the firewall group that needs to be tracked for this VRRPE.
  • Page 50: Traffic Segmentation

    Traffic segmentation NOTE VIP protection works only for IPv4 VIPs and cannot be enabled for IPv6 VIPs. You can enable this feature globally by entering the following command. ServerIronADX(config)# server vip-protection Syntax: [no] server vip-protection Once enabled, VIP protection applies to all existing and new VIP configurations. If you want to enable the feature on individual VIPs, enter the following command.
  • Page 51 Traffic segmentation When used for creating Layer-2 segmentation among SLB domains, this feature ensures that traffic from one SLB domain destined to another SLB domain goes through the upstream gateway and is not switched locally. This ensures that every packet between a client and server has to go through the ServerIron ADX for load-balancing.
  • Page 52: Considerations When Configuring Vlan Bridging

    Traffic segmentation [Figure: VLAN bridging topology. Gateway carrying VLANs 12, 13, 14; ServerIron ADX (active) and ServerIron ADX (standby) each carrying VLANs 2, 3, 4, 12, 13, 14 with VLAN bridging 2-12, 3-13, 4-14; Layer-2 switch; downstream VLAN 2, VLAN 3, VLAN 4 (Domain3 ...)]
  • Page 53: Displaying Vlan Bridge Information

    Traffic segmentation NOTE Once a bridge is created between two VLANs, the VLAN configuration mode for those VLANs is disabled. You must remove a VLAN bridge if you want to make any changes to a VLAN contained within the VLAN bridge. Example The following example configures two VLANs with each containing the same ports and a VLAN bridge configured between them.
  • Page 54 Traffic segmentation The contents of the display are defined in the following table.
    TABLE 2 Display from show vlan command
    This field... / Displays...
    PORT-VLAN / The VLAN ID of the PORT VLAN configured.
    Bridge VLAN / The VLAN ID of the associated bridge VLAN.
    Name / The name of the VLAN as configured.
  • Page 55: Traffic Segmentation Using The Use-Session-For-Vip-Mac Command41

    Traffic segmentation Traffic segmentation using the use-session-for-vip-mac command By default, as long as there is a session match, packets with a destination IP address of a VIP are processed regardless of whether the destination MAC is addressed to the ServerIron ADX or not. With the server use-session-for-vip-mac command configured, only packets with a destination MAC address of the ServerIron ADX are processed.
  • Page 56: Dns Attack Protection

    DNS attack protection DNS attack protection The ServerIron ADX can be configured to provide DNS attack protection to VIP traffic. This protection is provided by performing a deep packet scan and then classifying DNS requests based on the following: query type, query name, RD flag or the DNSSEC “OK” bit in the EDNS0 header. Based on this classification, the following actions can be taken either individually or in combination: forward traffic to a specific server group, drop packets, log events or rate limit DNS traffic from the identified client.
  • Page 57: Configuring Dns Attack Protection

    DNS attack protection Configuring DNS attack protection Configuring DNS attack protection involves the following steps: 1. Create DNS DPI rules. In this step you specify the filtering parameters under a rule. A packet must match all of the filtering parameters defined under a rule to match the rule. 2.
  • Page 58 DNS attack protection The off parameter is matched if the RD flag is not set in the packet. Syntax: query-dnssec-ok { on | off} The on parameter is matched if the DNSSEC bit is set in the packet. The off parameter is matched if the DNSSEC bit is not set in the packet. Order of Rule matching Matching on the query-name is first attempted in the order of the length of the query-name.
  • Page 59 DNS attack protection Once a packet matches a configured filter, the following actions can be specified: • drop • Redirect to a server or server group • rate-limit • log (log is a secondary action and cannot be specified by itself) The actions are configured within the DNS DPI policy as shown in the following.
  • Page 60: Displaying Dns Attack Protection Information

    DNS attack protection This command enables DNS content switching. Configuring global commands for DNS attack protection You can optionally configure the following to apply to all DNS attack protection configurations: • Dropping all DNS packets that are fragmented • Dropping all DNS packets with multiple queries •...
  • Page 61 DNS attack protection ServerIron# show csw-dns-policy p1 Rule Name Action Hit Count Rate Limit Held Down redirect drop rate-limit default drop You can display the DNS DPI policy counters for all DNS policies as shown. ServerIron# show csw-dns-policy Total Policies:3 Total Rules:6 Total Rule Actions:6 Policy Name...
  • Page 63: Access Control List

    Chapter Access Control List How ServerIron processes ACLs This chapter describes the Access Control List (ACL) feature. ACLs allow you to filter traffic based on the information in the IP packet header. Depending on the Brocade device, the device may also support Layer 2 ACLs, which filter traffic based on Layer 2 MAC header fields.
  • Page 64: Rule-Based Acls

    How ServerIron processes ACLs Backwards compatibility option: You can use the ip flow-based-acl-enable command to provide backwards compatibility for IPv4 ACL processing. If this command is configured, Layer 4 - 7 traffic packets are processed in hardware and then forwarded to the BPs, where the BPs also process the ACLs. This command is configured as shown in the following.
  • Page 65: How Fragmented Packets Are Processed

    Default ACL action How fragmented packets are processed The descriptions for rule-based ACLs above apply to non-fragmented packets. The default processing of fragments by rule-based ACLs is as follows: • The first fragment of a packet is permitted or denied using the ACLs. The first fragment is handled the same way as non-fragmented packets, since the first fragment contains the Layer 4 source and destination application port numbers.
  • Page 66: Types Of Ip Acls

    Types of IP ACLs • If you want to secure access in environments with many users, you might want to configure ACLs that consist of explicit deny entries, then add an entry to permit all access to the end of each ACL.
  • Page 67: Acl Entries And The Layer 4 Cam

    ACL entries and the Layer 4 CAM 1. The system-max for Ip-filter-sys value must be set to 4096. ServerIronADX(config)# system-max ip-filter-sys 4096 2. The Ip access-group max-l4-cam parameter must be set to 4096 on the interface to which the ACL will be applied. ServerIronADX(config)# interface ethernet 1 ServerIronADX(config-if-e1000-1)# ip access-group max-l4-cam 4096 3.
  • Page 68: Configuring Numbered And Named Acls

    Configuring numbered and named ACLs Specifying the maximum number of CAM entries for rule-based ACLs For rule-based ACLs, you can adjust the allocation of Layer 4 CAM space for use by ACLs, on an IPC or IGC basis and on 10 Gigabit Ethernet modules. The new allocation applies to all the ports managed by the IPC or IGC or 10 Gigabit Ethernet module.
  • Page 69: Configuring Standard Numbered Acls

    Configuring numbered and named ACLs Configuring standard numbered ACLs This section describes how to configure standard numbered ACLs with numeric IDs: • For configuration information on named ACLs, refer to “Configuring standard or extended named ACLs” on page 62. • For configuration information on extended ACLs, refer to “Configuring extended numbered ACLs”...
  • Page 70: Configuring Extended Numbered Acls

    Configuring numbered and named ACLs The <wildcard> parameter specifies the mask value to compare against the host address specified by the <source-ip> parameter. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>.
  • Page 71 Configuring numbered and named ACLs The IP protocol can be one of the following well-known names or any IP protocol number from 0 – 255: • Internet Control Message Protocol (ICMP) • Internet Group Management Protocol (IGMP) • Internet Gateway Routing Protocol (IGRP) •...
  • Page 72: Extended Acl Syntax

    Configuring numbered and named ACLs
    ServerIronADX(config)# int eth 1/2
    ServerIronADX(config-if-1/2)# ip access-group 102 in
    ServerIronADX(config-if-1/2)# exit
    ServerIronADX(config)# int eth 4/3
    ServerIronADX(config-if-4/3)# ip access-group 102 in
    ServerIronADX(config)# write memory
    Here is another example of an extended ACL.
    ServerIronADX(config)# access-list 103 deny tcp 209.157.21.0/24 209.157.22.0/24
    ServerIronADX(config)# access-list 103 deny tcp 209.157.21.0/24 eq ftp 209.157.22.0/24
    ServerIronADX(config)# access-list 103 deny tcp 209.157.21.0/24 209.157.22.0/24 lt...
  • Page 73 Configuring numbered and named ACLs The <num> parameter indicates the ACL number and can be from 100 – 199 for an extended ACL. The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded. The <ip-protocol> parameter indicates the type of IP packet you are filtering. You can specify a well-known name for any protocol whose number is less than 255.
  • Page 74 Configuring numbered and named ACLs • echo-reply • information-request • mask-reply • mask-request • parameter-problem • redirect • source-quench • time-exceeded • timestamp-reply • timestamp-request • unreachable • <num> The <operator> parameter specifies a comparison operator for the TCP or UDP port number. This parameter applies only when you specify tcp or udp as the IP protocol.
  • Page 75 Configuring numbered and named ACLs NOTE The out option is not supported in the rule-based ACL mode. The precedence <name> | <num> parameter of the ip access-list command specifies the IP precedence. The precedence of an IP packet is set in a three-bit field following the four-bit header-length field of the packet’s header.
  • Page 76: Configuring Standard Or Extended Named Acls

    Configuring numbered and named ACLs NOTE This parameter applies only if you specified icmp as the <ip-protocol> value. The log parameter enables SNMP traps and Syslog messages for packets denied by the ACL. You can enable logging on ACLs and filters that support logging even when the ACLs and filters are already in use.
  • Page 77: Displaying Acl Definitions

    Configuring numbered and named ACLs The <string> parameter is the ACL name. You can specify a string of up to 256 alphanumeric characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, “ACL for Net1”).
  • Page 78: Displaying Acls Using Keywords

    Configuring numbered and named ACLs
    ServerIronADX(config)# show access-list 99 3
    Standard IP access-list 99
    deny 10.10.10.1
    deny 192.168.1.13
    permit any
    Syntax: show access-list <acl-number> [<line-number>] Enter the ACL number for the <acl-number> parameter. Determine from which line you want the displayed information to begin and enter that number for the <line-number>...
  • Page 79: Named Acls

    Configuring numbered and named ACLs
    ServerIronADX(config)# show access-list 99 | include 5
    Standard IP access-list 99
    permit host 5.6.7.8
    permit host 5.10.11.12
    The second and third entries in the ACL contain the keyword “5” and are displayed in the show access-list. If you want to exclude ACL entries that contain a keyword from the show access-list display, enter the following command.
  • Page 80 Configuring numbered and named ACLs
    ServerIronADX(config)# show access-list melon | include 5
    Standard IP access-list melon
    permit host 5.6.7.8
    permit host 5.10.11.12
    The second and third entries in the ACL contain the keyword “5” and are displayed in the show access-list.
  • Page 81: Modifying Acls

    Modifying ACLs Modifying ACLs When you use the Brocade device’s CLI to configure any ACL, the software places the ACL entries in the ACL in the order you enter them. For example, if you enter the following entries in the order shown below, the software always applies the entries to traffic in the same order.
  • Page 82: Displaying A List Of Acl Entries

    Displaying a list of ACL entries
    access-list 1 deny host 209.157.22.26 log
    access-list 1 deny 209.157.22.0 0.0.0.255 log
    access-list 1 permit any
    access-list 101 deny tcp any any eq http log
    The software will apply the entries in ACL 1 in the order shown and stop at the first match. Thus, if a packet is denied by one of the first three entries, the packet will not be permitted by the fourth entry, even if the packet matches the comparison values in this entry.
  • Page 83: Applying ACLs To Interfaces

    Applying ACLs to interfaces Named ACLs To display the contents of named ACLs, enter a command such as the following.
    ServerIronADX# show ip access-list melon
    Standard IP access list melon
    deny host 1.2.4.5
    deny host 5.6.7.8
    permit any
    Syntax: show ip access-list <acl-num> | <acl-name> Applying ACLs to interfaces Configuration examples in the section “Configuring numbered and named ACLs”...
  • Page 84: Acl Logging

    ACL logging ACL logging You may want the software to log entries for ACLs in the syslog. This section presents how logging is processed by rule-based ACLs. Rule-based ACLs do not support the log option. Even when rule-based ACLs are enabled, if an ACL entry has the log option, traffic that matches that ACL is sent to the CPU for processing.
  • Page 85: Displaying Acl Log Entries

    ACL logging NOTE The software requires that an ACL has already been applied to the interface. When you enable redirection, the deny action of the ACL entry is still honored. Traffic that matches the ACL is not forwarded. Displaying ACL log entries The first time an entry in an ACL permits or denies a packet and logging is enabled for that entry, the software generates a Syslog message and an SNMP trap.
  • Page 86: Displaying Acl Statistics For Flow-Based Acls

    Dropping all fragments that exactly match a flow-based ACL You can also configure the maximum number of ACL-related log entries that can be added to the system log over a one-minute period. For example, to limit the device to 100 ACL-related syslog entries per minute.
  • Page 87: Clearing The Acl Statistics

    Enabling ACL filtering of fragmented packets On an individual interface basis, you can configure an IronCore device to automatically drop a fragment whose source and destination IP addresses exactly match an ACL entry that has Layer 4 information, even if that ACL entry’s action is permit. To do so, enter the following command at the configuration level for an interface.
  • Page 88 Enabling ACL filtering of fragmented packets Syntax: [no] ip access-group frag inspect | deny The inspect | deny parameter specifies whether you want fragments to be sent to the CPU or dropped: • inspect – This option sends all fragments to the CPU. •...
  • Page 89: Enabling Hardware Filtering For Packets Denied By Flow-Based Acls

    Enabling hardware filtering for packets denied by flow-based ACLs The <num> parameter specifies the maximum number of fragments the device or an individual interface can receive and send to the CPU in a one-second interval. • frag-rate-on-system – Sets the threshold for the entire device. The device can send to the CPU only the number of fragments you specify per second, regardless of which interfaces the fragments come in on.
  • Page 90: Enabling Strict Tcp Or Udp Mode For Flow-Based Acls

    Enabling strict TCP or UDP mode for flow-based ACLs Syntax: [no] hw-drop-acl-denied-packet Enabling strict TCP or UDP mode for flow-based ACLs By default, when you use ACLs to filter TCP or UDP traffic, the Brocade device does not compare all TCP or UDP packets against the ACLs.
  • Page 91: Enabling Strict Udp Mode

    Enabling strict TCP or UDP mode for flow-based ACLs NOTE Regardless of whether the strict mode is enabled or disabled, the device always compares TCP control packets against the configured ACLs before creating a session entry for forwarding the traffic. NOTE If the device's configuration currently has ACLs associated with interfaces, remove the ACLs from the interfaces before changing the ACL mode.
  • Page 92: Configuring Acl Packet And Flow Counters

    Enabling strict TCP or UDP mode for flow-based ACLs Syntax: [no] ip strict-acl-udp This command configures the device to compare all UDP packets against the configured ACLs before forwarding them. To disable the strict ACL mode and return to the default ACL behavior, enter the following command.
  • Page 93: Acls And Icmp

    ACLs and ICMP ServerIronADX# show access-list 100 Extended IP access list 100 (Total flows: 432, Total packets: 42000) permit tcp 1.1.1.0 0.0.0.255 any (Flows: 80, Packets: 12900) deny udp 1.1.1.0 0.0.0.255 any (Flows: 121, Packets: 20100) permit ip 2.2.2.0 0.0.0.255 any (Flows: 231, Packets: 9000) Syntax: show access-list <acl-num>...
  • Page 94 ACLs and ICMP • <num> Also, to create ACL policies that filter ICMP message types, you can either enter the description of the message type or enter its type and code IDs. Furthermore, ICMP message type filtering is now available for rule-based ACLs on BigIron Layer 2 Switch and Layer 3 Switch images. Numbered ACLs For example, to deny the echo message type in a numbered ACL, enter commands such as the following when configuring a numbered ACL.
  • Page 95 ACLs and ICMP The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded. You can either use the <icmp-type> parameter and enter the name of the message type, or use the <icmp-type-number> <icmp-code-number> parameter and enter the type number and code number of the message.
  • Page 96: Using Acls And Nat On The Same Interface (Flow-Based Acls)

    Using ACLs and NAT on the same interface (flow-based ACLs) TABLE 5 ICMP message types and codes ICMP message type Type Code protocol-unreachable reassembly-timeout redirect NOTE: This includes all redirects. router-advertisement router-solicitation source-host-isolated source-quench source-route-failed time-exceeded timestamp-reply timestamp-request ttl-exceeded unreachable NOTE: This includes all unreachable messages Using ACLs and NAT on the same interface (flow-based ACLs) You can use ACLs and NAT on the same interface, as long as you follow these guidelines:...
  • Page 97: Displaying Acl Bindings

    Displaying ACL bindings ServerIronADX(config)# ip strict-acl-tcp ServerIronADX(config)# access-list 1 permit 10.10.200.0 0.0.0.255 ServerIronADX(config)# access-list 2 deny 209.157.2.184 The following commands configure global NAT parameters. ServerIronADX(config)# ip nat inside source list 1 pool outadds overload ServerIronADX(config)# ip nat pool outadds 204.168.2.1 204.168.2.254 netmask 255.255.255.0 The following commands configure the inside and outside NAT interfaces.
  • Page 98 • To view the types of packets being received on an interface, enable ACL statistics using the enable-acl-counter command, reapply the ACLs by entering the ip rebind-acl all command, then display the statistics by entering the show ip acl-traffic command. •...
  • Page 99: Ipv6 Access Control Lists

    Chapter IPv6 Access Control Lists IACL overview ServerIron ADX supports IPv6 Access Control Lists (ACLs) in hardware. The maximum number of ACL entries you can configure is a system-wide parameter and depends on the device you are configuring. You can configure up to the maximum number of 1024 entries in any combination in different ACLs.
  • Page 100: Configuration Notes

    IACL overview • Transmission Control Protocol (TCP) • User Datagram Protocol (UDP) NOTE TCP and UDP filters will be matched only if they are listed as the first option in the extension header. For TCP and UDP, you also can specify a comparison operator and port name or number. For example, you can configure a policy to block web access to a specific website by denying all TCP port 80 (HTTP) packets from a specified source IPv6 address to the website’s IPv6 address.
  • Page 101: Configuring An Ipv6 Acl

    IACL overview For deny actions: All deny packets are dropped in hardware. For permit actions: For all traffic, packets are processed in hardware and then forwarded to the BPs. The BPs do not take any action on the ACLs. Backwards compatibility option: You can use the ipv6 flow-based-acl-enable command to provide backwards compatibility for IPv6 ACL processing.
  • Page 102: Default And Implicit Ipv6 Acl Action

    IACL overview The fourth condition permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming IPv6 traffic on the ports to which you assigned the ACL. The following commands apply the ACL "netw" to the incoming traffic on port 1/2 and to the incoming traffic on port 4/3.
  • Page 103 IACL overview • If you want to tightly control access, configure ACLs consisting of permit entries for the access you want to permit. The ACLs implicitly deny all other access. • If you want to secure access in environments with many users, you might want to configure ACLs that consist of explicit deny entries, then add an entry to permit all access to the end of each ACL.
  • Page 104 IACL overview • The following ICMPv6 Message Types are not supported: DECIMAL <0-255> ICMP message type beyond-scope Destination Unreachable ICMP message, Beyond Scope destination-unreachable Destination Unreachable ICMP messages dscp Match dscp value in IPv6 packet echo-reply Echo Reply ICMP message echo-request Echo Request ICMP message header...
  • Page 105 IACL overview Syntax: permit | deny <protocol> <ipv6-source-prefix/prefix-length> | any | host <source-ipv6_address> <ipv6-destination-prefix/prefix-length> | any | host <ipv6-destination-address> [ipv6-operator [<value>]] [log] For ICMP Syntax: [no] ipv6 access-list <acl-name> Syntax: permit | deny icmp <ipv6-source-prefix/prefix-length> | any | host <source-ipv6_address> <ipv6-destination-prefix/prefix-length>...
  • Page 106 IACL overview TABLE 6 Syntax Descriptions Arguments... Description... <ipv6-source-prefix>/<prefix-length> The <ipv6-source-prefix>/<prefix-length> parameter specifies a source prefix and prefix length that a packet must match for the specified action (deny or permit) to occur. You must specify the <ipv6-source-prefix> parameter in hexadecimal using 16-bit values between colons as documented in RFC 2373.
  • Page 107: Applying An Ipv6 Acl To An Interface

    IACL overview TABLE 6 Syntax Descriptions Arguments... Description... tcp-udp-operator The <tcp-udp-operator> parameter can be one of the following: eq – The policy applies to the TCP or UDP port name or number you enter after eq. gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt.
  • Page 108: Displaying Acls

    Using an ACL to Restrict SSH Access Displaying ACLs To display the ACLs configured on a device, enter the show ipv6 access-list command. Here is an example: ServerIronADX# show ipv6 access-list ipv6 access-list v6-acl1: 1 entries deny ipv6 any any ipv6 access-list v6-acl2: 1 entries permit ipv6 any any ipv6 access-list v6-acl3: 2 entries...
  • Page 109: Using An Acl To Restrict Telnet Access

    Using an ACL to Restrict Telnet Access ServerIronADX(config)# ipv6 access-list test2 ServerIronADX(config-ipv6-access-list test2)# deny ipv6 host 2000:1::1 any log ServerIronADX(config-ipv6-access-list test2)# permit ipv6 2000:1::0/32 any ServerIronADX(config-ipv6-access-list test2)# permit ipv6 2000:2::0/32 any ServerIronADX(config-ipv6-access-list test2)# permit ipv6 host 2000:3::1 any ServerIronADX(config-ipv6-access-list test2)# exit ServerIronADX(config)# ssh access-group ipv6 test2 Syntax: [no] ssh access-group ipv6 <acl-name>...
  • Page 111: Network Address Translation

    Chapter Network Address Translation Introduction Network Address Translation (NAT) translates one IP address into another. For example, it translates an internal private IP address (nonregistered) into an external unique IP address (registered) used on the Internet. FIGURE 5 Mapping an internal address to an external address Internal External Internet or...
  • Page 112: Configuring Static Nat

    Configuring NAT • Dynamic NAT — Maps private addresses to Internet addresses. The Internet addresses come from a pool of addresses that you configure. For example, you can dynamically translate the global pool 150.1.1.10 - 19 to private pool 10.1.1.1 - 254. In Figure 6, the pool is the range of addresses from 209.157.1.2/24 –...
  • Page 113: Nat Configuration Examples

    Configuring NAT Configuring an address pool Use the ip nat pool command to configure the address pool. For an example, refer to “Dynamic NAT configuration example 1” on page 100. Syntax: [no] ip nat pool <pool-name> <start-ip> <end-ip> netmask <ip-mask> | prefix-length <length>...
  • Page 114 Configuring NAT Dynamic NAT configuration example 1 This section describes the Dynamic NAT configuration shown in Figure 6. FIGURE 6 Minimum required commands (figure shows the Internet, a Remote Server at 63.253.63.50, and the configuration lines: ip address 10.10.1.2 255.255.255.0; ip default-gateway 10.10.1.1; ip nat inside; ip nat inside source list 10 pool out_pool; ip nat pool out_pool 209.157.1.2 209.157.1.30 prefix-len; interface ethernet 2)...
  • Page 115 Configuring NAT ServerIronADX(config-ve-2)#ip nat inside ServerIronADX(config-ve-3)#ip nat outside 3. Configure a numbered ACL and permit the IP addresses on the inside. Then define the global address pool and enable dynamic NAT. ServerIronADX(config)# access-list 101 permit ip 10.10.1.0/24 any ServerIronADX(config)# ip nat pool global_pool 209.157.1.2 209.157.1.254 prefix-length 24 Make sure you specify permit in the ACL, rather than deny.
  • Page 116: Static Nat Configuration Example

    Configuring NAT ServerIronADX(config)# interface ethernet 1/1 ServerIronADX(config-if-e1000-1/5) ip address 30.30.0.1 255.255.0.0 ServerIronADX(config-if-e1000-1/5) ip nat outside The following command creates a pool of IP NAT addresses from 15.15.15.15 to 15.15.15.25 named p1. ServerIronADX(config)# ip nat pool p1 15.15.15.15 15.15.15.25 prefix-len 24 An ACL is created to permit traffic from inside hosts in the 20.20.0.0 network as shown.
  • Page 117: Pat

    ServerIronADX(config)# interface ethernet 1/1 ServerIronADX(config-if-e1000-1/5) ip address 30.30.0.1 255.255.0.0 ServerIronADX(config-if-e1000-1/5) ip nat outside The following command configures the ServerIron ADX to translate IP packets with a local IP address of 20.20.5.6 to the global IP address 15.15.15.15. ServerIronADX(config)# ip nat inside source static 20.20.5.6 15.15.15.15 Configured for outside to inside translation To configure the network shown in Figure 8...
  • Page 118: Translation Timeouts

    Translation timeouts ServerIronADX(config)# nat-forward-no-session Syntax: [no] nat-forward-no-session Translation timeouts The NAT translation table contains all the currently active NAT translation entries on the device. An active entry is one the ServerIron ADX creates for a private address when the client at that address sends traffic.
  • Page 119: Stateless Static Ip Nat

    Stateless static IP NAT The finrst-timeout keyword identifies TCP FIN (finish) and RST (reset) packets, which normally terminate TCP connections. The default is 120 seconds. This timer is not related to tcp-timeout, which applies to packets to or from a host address that is mapped to a global IP address and a TCP port number (PAT feature).
  • Page 120: Enabling Ip Nat

    Redundancy The new protocol is similar to the symmetric VIP protocol and uses any L2 link to exchange the NAT PDUs. Both ServerIronADXs will run a “symmetric VIP like” protocol to report and receive ownership (similar to the VLAN AD protocol in symmetric SLB). When one ServerIron ADX goes down, the peer ServerIron ADX will become the master for that NAT IP (in case of static NAT) or NAT pool (in case of dynamic NAT).
  • Page 121: Enabling Dynamic Nat Redundancy

    Displaying NAT information The <priority-value> can be 1 or 2. 2 is the higher priority, and will be the owner of the NAT IP as long as the system is up. Enabling dynamic NAT redundancy To enable dynamic NAT redundancy, enter commands such as the following. ServerIronADX(config)# ip nat pool foo 63.23.1.2 63.23.1.4 prefix 24 ServerIronADX(config)# ip nat pool foo port-pool-range 2 Syntax: ip nat pool <pool-name>...
  • Page 122: Displaying Nat Statistics

    Displaying NAT information Displaying NAT statistics To display NAT statistics, enter commands such as the following. ServerIronADX# rconsole 1 1 ServerIronADX_Lower1/1# show ip nat stat Debug counters: TCP FWD: send nat unreachable (tcp fwd) = 0 nat tcp no ports avl = 2867811 nat tcp status zero = 0 nat tcp ip status zero = 0 nat tcp usr index null = 0 TCP REV:...
  • Page 123 Displaying NAT information Syntax: show ip nat statistics TABLE 7 Display fields for show ip nat statistics This field... Displays... send nat unreachable (tcp fwd) Indicates the number of times that a “port unreachable” message was generated for NAT TCP forward traffic. nat tcp no ports avl Indicates the number of times that a “port unreachable”...
  • Page 124: Displaying Nat Translation

    Displaying NAT information TABLE 7 Display fields for show ip nat statistics (Continued) This field... Displays... nat udp rev ip status zero Indicates the number of times that an error in NAT translation for UDP reverse traffic has occurred. nat udp rev usr index null Indicates the number of times that a “port unreachable”...
  • Page 125: Displaying Nat Redundancy Information

    Displaying NAT information TABLE 8 Display fields for show ip nat translation This field... Displays... When PAT is enabled, this field indicates the protocol NAT is using to uniquely identify the host. NAT can map the same IP address to multiple hosts and use the protocol port to distinguish among the hosts.
  • Page 126: Displaying Vrrpe Information

    Clearing NAT entries from the table ServerIronADX# show ip nat redundancy (on standby) NAT Pool Start IP: 10.1.1.150 Mac address: 020c.db01.0196 State: Standby Priority: Low Standby Idle count: 0 Threshold: 20 NAT Pool Start IP: 10.1.1.91 Mac address: 020c.db01.015b State: Standby Priority: Low Standby Idle count: 0 Threshold: 20 NAT Pool Start IP: 10.1.1.92 Mac address: 020c.db01.015c...
  • Page 127: Syn-Proxy And Dos Protection

    Chapter Syn-Proxy and DoS Protection This chapter describes how to configure the Syn-Proxy and DoS protection features on the ServerIron ADX Traffic Managers. Understanding Syn-Proxy Syn-Proxy™ allows TCP connections to be terminated on the ServerIron ADX. When Syn-Proxy is enabled, the ServerIron ADX completes the three-way handshake with a connecting client. Only when the three-way handshake is completed does the ServerIron ADX establish a connection with the destination server and forward packets from the client to the server.
  • Page 128: Configuring Syn-Proxy

    Configuring Syn-Proxy If you want your ServerIron ADX to behave more like a JetCore-based ServerIron device, you can use any of the following three workarounds: 1. Enable syn-proxy on the server interface 2. Enable ip nat 3. Enable "server security-on-vip-only". Configuring Syn-Proxy This section contains the following sections: •...
  • Page 129 Configuring Syn-Proxy ServerIronADX(config)# interface ethernet 2/1 ServerIronADX(config-if-e1000-2/1)# ip tcp syn-proxy in Syntax: interface ethernet <slot number/port number> Syntax: ip tcp syn-proxy in The ip tcp syn-proxy command can be configured for either a physical interface (as shown) or a ve interface. Setting Attack-Rate-Threshold A DoS attack threshold specifies the number of SYNs, without corresponding ACKs, the ServerIron ADX accepts before writing a warning message to the system log (every 60 seconds for the duration...
  • Page 130 Configuring Syn-Proxy ServerIronADX(config)#ip tcp syn-proxy reset-using-client-mac Syntax: [no] ip tcp syn-proxy reset-using-client-mac This command is useful only when the client cannot be reached using the ServerIron ADX default gateway and the default gateway of the server is different than the default gateway of the ServerIron ADX.
  • Page 131: Setting A Minimum Mss Value For Syn-Ack Packets

    Configuring Syn-Proxy Limiting syn-proxy feature to defined VIPs With this feature enabled, the syn packets are dropped if a virtual server IP port is not defined under a VIP configuration. This feature is enabled with the following command. ServerIronADX(config)# server syn-cookie-check-vport Syntax: [no] server syn-cookie-check-vport Setting the source MAC address With this feature enabled, the SYN-ACK reply packets will have their source MAC address set to the...
  • Page 132 Configuring Syn-Proxy • Virtual server level – configures the TCP MSS value for all virtual ports under a specified virtual server • Virtual port level – configures the TCP MSS value for a specified virtual port • Destination IP – configures the TCP MSS value for pass-through traffic to a specified destination IP address NOTE tcp-mss will work when syn-proxy is enabled.
  • Page 133 Configuring Syn-Proxy The <mss-value> variable specifies the MSS value for all SYN-ACK packets generated by the ServerIron ADX for this virtual server, regardless of the client’s MSS value. This value can be from 64 to 9216. Make sure that the IP MTU of the interfaces is always greater than the MSS value. Setting the MSS value at the virtual port level To set the MSS value for a specific virtual port on a ServerIron ADX, use the following command: ServerIronADX(config)# server virtual-name-or-ip v1...
  • Page 134: Configuring Syn-Proxy Auto Control

    Configuring Syn-Proxy TABLE 9 MSS values for IPv4, IPv6 and IPv4 jumbo MSS value IPv6 64, 236, 516, 946, 1004, 1420, 1432, 1440 IPv4 Jumbo 256, 536, 966, 1024, 1452, 1460, 4038, 8960 Configuring Syn-Proxy auto control Syn-proxy auto control operates the same as the normal Syn-proxy feature except that it is enabled and disabled based on the arrival rate of TCP SYN packets on the ServerIron ADX.
  • Page 135: Displaying Syn-Proxy Commands

    Configuring Syn-Proxy The on-threshold-value variable is used with the on-threshold parameter and specifies the number of TCP SYN packets received per second. When this value is exceeded for an interval time defined by the server syn-attack-detection-interval command, Syn-Proxy is enabled on the ServerIron ADX.
  • Page 136 Configuring Syn-Proxy Displaying TCP Attack Information The show server tcp-attack command displays attack information for connection rates counters. ServerIronADX# show server tcp-attack Connection counters: Current conn rate = Max conn rate = Attack counters: Current attack rate = Max attack rate = Client-side counters: SYN rcvd = SYN-ACK sent =...
  • Page 137 Configuring Syn-Proxy Syntax: show server traffic TABLE 10 Field Descriptions for show L4-traffic Field Description last conn rate Rate of TCP traffic per second. This includes all TCP traffic, including TCP SYN DoS attacks. max conn rate Peak rate of TCP traffic (per second) encountered on this device. last TCP attack rate Rate of TCP DoS attacks per second.
  • Page 138: Ddos Protection

    DDoS protection TABLE 11 Output Descriptions for show server syn-cookie Field Description CPU SYNs rcvd AXP SYNs rcvd Number of SYNs received on ServerIron ADX ports that have the Syn-Proxy feature enabled. CPU SYN-ACKs sent AXP SYN-ACKs sent Number of SYN ACKs sent from the ServerIron ADX to the client CPU Valid ACKs rcvd AXP Valid ACKs rcvd Number of valid ACKs received from the client.
  • Page 139: Configuring A Security Filter

    DDoS protection Configuring a security filter Configuring a security filter requires you to define it by name and configure rules within it, as shown in the following. ServerIronADX(config)# security filter filter1 ServerIronADX(config-sec-filter1)#rule xmas-tree drop Syntax: security filter <filter-name> The <filter-name> variable specifies the filter being defined, which will then be bound to a port. The rule command defines the attack method that is being filtered for.
  • Page 140 DDoS protection less-than lteq less-than-or-equals not-equals The configured generic rule will have to be bound to a filter, to take effect. ServerIronADX(config)# security filter filter1 ServerIronADX(config-sec-filter1)# rule generic gen1 drop Syntax: {no} rule generic <generic-rule-name> [log | no-log] [drop | no-drop] The <generic-rule-name>...
  • Page 141: Configuring A Rule For Common Attack Types

    DDoS protection Configuring a rule for common attack types As described in “Configuring a Generic Rule” on page 125, you can create a custom rule to manage DDoS attacks. In addition, ServerIron ADX has built-in rules to manage common attack types. In this case, the rule command is used with a <rule-name>...
  • Page 142 DDoS protection TABLE 13 Rules for common attack types and descriptions fin-with-no-ack TCP packets with a FIN flag normally have the ACK bit set. Use fin-with-no-ack to drop TCP packets where the FIN flag is set but the ACK bit is not set. large icmp ICMP packets greater than 1500 bytes.
  • Page 143: Configuring A Rule For Ip-Option Attack Types

    DDoS protection Configuring a rule for ip-option attack types ServerIron ADX has a set of built-in rules to manage ip-option attack types. In this case, the rule command is used with an <ip-option-attack> variable specified in Table 14. The following example configures the "filter2" security filter with a rule to drop packets that are associated with an ip-option record-route attack.
  • Page 144: Configuring A Rule For Icmp-Type Options

    DDoS protection Configuring a rule for icmp-type options ServerIron ADX has a set of built-in rules to manage icmp-type options. In this case, the rule-icmp-type command is used with an <icmp-option-attack> variable specified in Table 15. The following example configures the "filter3" security filter with a rule to drop packets that contain the icmp-type echo-reply type.
  • Page 145: Configuring A Rule For Ipv6 Icmp Types

    DDoS protection TABLE 15 icmp option types and descriptions icmp-type router-advertisement icmp type 9: router-advertisement icmp-type router-selection icmp type 10: router-selection icmp-type source-quench icmp type 4: source-quench icmp-type time icmp type 11: time-exceeded icmp-type timestamp icmp type 13: timestamp icmp-type timestamp-reply icmp type 14: timestamp-reply Configuring a rule for IPv6 ICMP types...
  • Page 146: Configuring A Rule For Ipv6 Ext Header Types

    DDoS protection TABLE 16 ICMPv6 types and descriptions reserved ICMP type 255: reserved for expansion router-advertisement ICMP type 134: router-advertisement router-solicitation ICMP type 133: router-solicitation Configuring a rule for IPv6 ext header types ServerIron ADX has a set of built-in rules to manage IPv6 header types. In this case, the rule command is used with a <ipv6-ext-header-type>...
  • Page 147: Binding The Filter To An Interface

    DDoS protection Binding the filter to an interface To implement a filter, it must be bound to an interface. It will then be applied globally to all interfaces on the ServerIron ADX. To bind a filter to an interface, use the following command: ServerIronADX(config-if-e1000-1/2)# security apply-filter filter1 Syntax: security apply-filter <filter-name>...
  • Page 148: Displaying Security Filter Statistics

    DDoS protection Displaying security filter statistics You can display security filter statistics as shown. ServerIronADX# show security filter-statistics Filter |Type |Log Cnt |Drop Cnt dos-filter |icmp-type Cumulative Statistics attack-type = log-count, drop-count ip-options = 0, 0 icmp-type = 0, 0 address-sweep = 0, 0 port-scan...
  • Page 149: Secure Socket Layer (Ssl) Acceleration

    Chapter Secure Socket Layer (SSL) Acceleration ServerIron ADX supports integrated hardware-based SSL acceleration. This chapter describes how to configure a ServerIron ADX for SSL acceleration in SSL Termination or SSL Proxy mode. SSL support on the ServerIron ADX includes support for SSLv2, SSLv3, and TLS1.0. SSL overview The Secure Sockets Layer (SSL) protocol was developed by Netscape to provide security and privacy between client and server over the Internet.
  • Page 150: Asymmetric Cryptography

    SSL overview Asymmetric cryptography This method alters information so that the key used for encryption is different from the key used for decryption. Encrypted information is unintelligible to unauthorized parties. Certificate Authority (CA) The certificate authority (CA) issues and manages security credentials and public keys for message encryption within a network.
  • Page 151: Public Key

    SSL acceleration on the ServerIron ADX Public key The other half of a key pair, a public key is held in a digital certificate. Public keys are usually published in a directory. Any public key can encrypt information; however, data encrypted with a specific public key can only be decrypted by the corresponding private key.
  • Page 152: Ssl Proxy Mode

    SSL acceleration on the ServerIron ADX [Figure: SSL Termination on vip 10 (10.1.1.100). The client sends SSL traffic (encrypted) to the VIP; the ServerIron ADX forwards HTTP traffic (unencrypted) to real server rs10 (10.1.1.20).] SSL Proxy Mode In full SSL proxy mode, a ServerIronADX maintains encrypted data channels with the client and server.
  • Page 153 SSL acceleration on the ServerIron ADX ServerIron ADX keypair file The keypair file specifies the location for retrieving the SSL asymmetric key pair during an SSL handshake. You can create a keypair file by generating a key pair locally on the ServerIron ADX or import a pre-existing key pair using secure copy (SCP). The key pair is stored in the flash memory and is not deleted during a power cycle.
  • Page 154: Configuring Ssl On A Serveriron Adx

    Configuring SSL on a ServerIron ADX Configuring SSL on a ServerIron ADX When configuring a ServerIron ADX for either SSL Termination mode or SSL Proxy mode, you must perform each of the following configuration tasks: • Obtain a Keypair File – This section describes how to obtain an SSL asymmetric key pair. You can generate an RSA key pair or import an existing key pair.
  • Page 155: Certificate Management

    Configuring SSL on a ServerIron ADX Once a key pair is generated, it can be saved for backup on your server by exporting it as described in “Importing keys and certificates” on page 148. Also, you can import a keypair file (instead of generating it) as described in “Importing keys and certificates”...
  • Page 156 Configuring SSL on a ServerIron ADX NOTE To export a certificate from a ServerIron ADX you need the key-pair-file and password configured here. NOTE To generate a self-signed certificate, the certkey and sign key must be the same. Using CA-signed certificates Before generating a CA-signed certificate, you must obtain an RSA key pair as described in “Obtaining a ServerIron ADX keypair file”...
  • Page 157 Configuring SSL on a ServerIron ADX MIIDKTCCApKgAwIBAgIRAJoKUHAGHghM4kW84LNXP1wwDQYJKoZIhvcNAQEFBQAw ZDETMBEGCgmSJomT8ixkARkWA29yZzEYMBYGCgmSJomT8ixkARkWCGpvbmRhdmlz MQ0wCwYDVQQKEwRUQU1VMREwDwYDVQQLEwhTZWN1cml0eTERMA8GA1UEAxMIVW5k ZXJ0b3cwHhcNMDQwOTAyMTc1ODE3WhcNMDcwNzIzMTc1NzQxWjBkMRMwEQYKCZIm iZPyLGQBGRYDb3JnMRgwFgYKCZImiZPyLGQBGRYIam9uZGF2aXMxDTALBgNVBAoT BFRBTVUxETAPBgNVBAsTCFNlY3VyaXR5MREwDwYDVQQDEwhVbmRlcnRvdzCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyk4jxC526rUPrkYC1pL+VobYp4B8yLEq rzbYyL4G6g8OlQ5ZozfP8WHF0T9a7dr/2FmvzWNBka3mHgIUQQxVZcVe/4ALCSLU tfHKaAWsgwzN+/86BFO6+/2ht2X0Yzo3laY69iGJAW1cNH/7DFE2sF42/EDk0VDb mRU3cE4afOMCAwEAAaOB2jCB1zB3BgNVHR8EcDBuMGygaqBohwSsEAEFpDIwMDEu MCwGA1UEAxMlb3U9U2VjdXJpdHksbz1UQU1VLGRjPWpvbmRhdmlzLGRjPW9yZ4Ys aHR0cDovL3Njb3JwaW8uam9uZGF2aXMub3JnOjQ0Ny9VbmRlcnRvdy5jcmwwDgYD VR0PAQH/BAQDAgGGMAwGA1UdEwQFMAMBAf8wHwYDVR0jBBgwFoAUnGfclktn1nNL ICknzxZsbFThFoEwHQYDVR0OBBYEFJxn3JZLZ9ZzSyApJ88WbGxU4RaBMA0GCSqG SIb3DQEBBQUAA4GBAIg8VKUyiGCrQ4Rn6fRKQs4S1Paf6SPot5AQ1cHK5IlFHkFF nUYMwFdQZcBrfXMLLPZb1ih0MtfEogLSbS82atF8VfkhzUAKl4ke7lKA35jr22Us KhYtqbwzWkjBu4z/ph10L21CDSSghW1ea75+6IVEa/ZyuvOaINL2wQYNlmps -----END CERTIFICATE----- Syntax: ssl gencsr <key-name> The <key-name> variable is the key name that you want to use for the certificate request. Exporting Web Server Certificates You can export a Web Server Certificate from a Web server and install it on a ServerIronADX.
  • Page 158 Configuring SSL on a ServerIron ADX 8. Continue to follow steps in the wizard, and enter a password for the certificate backup file when prompted. Using a strong password is highly recommended to ensure that the private key is well protected. 9.
  • Page 159 Configuring SSL on a ServerIron ADX 11. When prompted for the import password, enter the password you used when exporting the certificate to a PFX file. You should receive a message that says MAC verified OK. The resulting file contents will resemble the following: 1.3.6.1.4.1.311.17.2: <No Values>...
  • Page 160 Configuring SSL on a ServerIron ADX Bag Attributes: <Empty Attributes> subject=/DC=org/DC=test/O=root/OU=Security/CN=root issuer=/DC=org/DC=test/O=root/OU=Security/CN=root -----BEGIN CERTIFICATE----- MIIC1TCCAj6gAwIBAgIQJhB5wR9FdbXPEWcLp/1MAjANBgkqhkiG9w0BAQUFADBm MRMwEQYKCZImiZPyLGQBGRYDb3JnMRgwFgYKCZImiZPyLGQBGRYIam9uZGF2aXMx EDAOBgNVBAoTB1Rla2VsZWMxETAPBgNVBAsTCFNlY3VyaXR5MRAwDgYDVQQDEwdU ZWtlbGVjMB4XDTA1MDQxOTAxMTk1OFoXDTA3MDgwNzE3NDM1OFowZjETMBEGCgmS JomT8ixkARkWA29yZzEYMBYGCgmSJomT8ixkARkWCGpvbmRhdmlzMRAwDgYDVQQK EwdUZWtlbGVjMREwDwYDVQQLEwhTZWN1cml0eTEQMA4GA1UEAxMHVGVrZWxlYzCB nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAq36AVcI33Pp9tPjuN2Dx81BIiUTx ZENHS/0ZL4RREj+BfZG3/J94cE0i5F6l0X9W6jJpUM8sqUVqpounwB6ZeoXHJsQJ Hvzp1YR77ABS1gR//b9N3TiIXGyb8oaoXdT4xahzfwMTTjOGAGl3xYHC/QdXi3x6 ff+X02AddhIvhaMCAwEAAaOBgzCBgDAMBgNVHRMEBTADAQH/MCAGA1UdJQEB/wQW MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCAQYwHwYDVR0jBBgw FoAUVu5XQurF4Y0JQy/kr4y4eHzhucEwHQYDVR0OBBYEFFbuV0LqxeGNCUMv5K+M uHh84bnBMA0GCSqGSIb3DQEBBQUAA4GBAFCldN7DHtztK2hdiUp1KO1LtO9Ics9g mjVH869i6qxVOj+YzGfBlz7PvNdW+Nv0TCrrXTLXgZpd1aAW/lTajBfLgFs21Xkf xSquYFYEcZjz4Uu3gMuuAiS963Xissy+MIyNJpkRP1NpYY75lXAf05sLopzcmdVc C2es4LOJQbhZ -----END CERTIFICATE----- 12. You can now begin copying the certificates and the key pair files to the ServerIronADX (in the following order): scp ./server-key.pem admin@192.168.1.1:sslkeypair:server-key:foundry:pem scp ./server-cert.cer admin@192.168.1.1:sslcert:certchain1:pem...
  • Page 161: Converting Certificate Formats

    Configuring SSL on a ServerIron ADX Converting certificate formats The ServerIronADX accepts server certificates in the PEM or PKCS12 format. The following sections describe how to convert between the two formats and from PFX to the two formats using OpenSSL. You can download a Win32 distribution of OpenSSL at the following location: http://gnuwin32.sourceforge.net/packages/openssl.htm Converting PEM to PKCS12...
  • Page 162: Importing Keys And Certificates

    Configuring SSL on a ServerIron ADX Converting a PFX file to a P12 file To convert a PFX file to a P12 file on a Windows machine, change the extension from .PFX to .P12. Converting a PFX file to a PEM file To convert a PFX file to a PEM file on a Windows machine, follow these steps: 1.
  • Page 163 Configuring SSL on a ServerIron ADX Windows Users GUI-based SCP tools do not work in the current environment when you use SCP to transfer the certificate files to the ServerIronADX. Windows users should have PSCP, a free SCP utility based on the PuTTY SSH client.
  • Page 164 Configuring SSL on a ServerIron ADX c:\ scp myrsakeys.pem admin@<ip_addr>:sslkeypair:myrsakeys:brocade:pem After uploading the keypair file, the same file can be downloaded to a client with the following command: c:\ scp admin@<ip_addr>:sslkeypair:myrsakeys:foundry:pem myrsakeys.pem NOTE The downloaded file includes the following additional block of text at the end. ----BEGIN RSA PUBLIC KEY----- MIGJAoGBANY8/gNKT42GTweT+/c34CRxRwmaUvQQbTMgxYhHdLbo1g+6sdDcrohH IlXVOWJH4pjt9JB1zFaM/rSBnvKGkJ67HbT7dvszQnLNtg9aZnX3i5vPjFhjm9mj...
  • Page 165 Configuring SSL on a ServerIron ADX After transferring the file, it can be used both as a key and a certificate. To add the certificate file and keys to the profile, use the following commands: ServerIronADX(config-ssl-profile-mysslprofile)# keypair-file mypkcsfile ServerIronADX(config-ssl-profile-mysslprofile)# certificate-file mypkcsfile The show ssl cert command can be used to display a pkcs file.
  • Page 166 Configuring SSL on a ServerIron ADX Certificate Verification Every certificate has two very important fields: issuer (issued-by) and subject (issued-to). A CA’s certificate has the same value in both fields, because the authority has issued a certificate to itself. However, when the authority issues a certificate to a server, the issuer field contains the CA's name, but the subject contains the server's name.
  • Page 167 Configuring SSL on a ServerIron ADX Chained Certificate Verification When the server certificate is not signed directly by the root CA, but signed by an intermediate CA, as shown in the following example, there are two possible scenarios. • CA ----> intermediate CA ----> server certificate Client Already Has Intermediate CA's Certificate In the first scenario, there are NO additional requirements.
  • Page 168 Configuring SSL on a ServerIron ADX FIGURE 12 Certificate Fields There are two steps that will ensure that the chain is correct. 1. Verify that the issuer of the server certificate matches the subject of the intermediate CA's certificate. 2. Verify that the issuer of the intermediate CA's certificate has an entry in the client's trusted certificates.
  • Page 169 Configuring SSL on a ServerIron ADX Serial Number: 70:2b:a7:4b:07:ea:29:99:5a:dc:3f:6f:74:da:39:6d Signature Algorithm: sha1WithRSAEncryption Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign Validity Not Before: Nov 2 00:00:00 2005 GMT Not After : Nov 2 23:59:59 2006 GMT Subject: C=US, ST=California, L=San Jose, O=Brocade Inc, OU=Engineering, OU=Terms of use at www.verisign.com/rpa (c)05, CN=L47.brocade.com...
  • Page 170 Configuring SSL on a ServerIron ADX Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority Validity Not Before: Apr 17 00:00:00 1997 GMT Not After : Oct 24 23:59:59 2011 GMT Subject: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref.
  • Page 171 Configuring SSL on a ServerIron ADX Find and match this certificate in the list of trusted root certificates from the client browser. Figure 13 shows the issuer certificate authority window. FIGURE 13 Issuer Certificate Authority Now the certificate chain is complete and the client browser will be able to interpret it correctly. Let’s consider another example with a four-level chain.
  • Page 172 Configuring SSL on a ServerIron ADX The certificate hierarchy is shown below: Level 0 (root): Issuer: CN=OS Level_0 CA Subject: CN=OS Level_0 CA Level 1 (first intermediary): Issuer: CN=OS Level_0 CA Subject: CN=OS Level_1 CA Level 2 (second intermediary): Issuer: CN=OS Level_1 CA Subject: CN=OS Level_2 CA Level 3 (server certificate): Issuer: CN=OS Level_2 CA...
  • Page 173 Configuring SSL on a ServerIron ADX *sX509v3 Certificate Policies: *sPolicy: 1.1.1.1.1 *sCPS: *sUser Notice: *sExplicit Text: *sX509v3 Issuer Alternative Name: *semail:root@s1.l47qa.com, URI:http://sq.l47qa.com *sX509v3 Subject Alternative Name: *s<EMPTY> Signature Algorithm: sha1WithRSAEncryption 8f:e0:08:8b:ea:69:9e:6b:45:d1:ef:e1:d0:ae:f5:74:9f:b7: 98:1a:83:fa:95:72:bf:d9:0c:91:b0:c4:e9:0a:e6:08:20:eb: 88:d9:b1:79:92:85:ce:26:6a:d5:31:d2:40:39:94:f0:58:6e: 29:24:ba:c8:f1:b0:dc:d9:80:c9:25:42:68:fa:e1:04:5b:e0: c4:98:c9:61:97:2b:49:a8:74:ea:31:ee:7b:ec:ae:f0:8f:20: 32:b5:27:35:e0:dc:71:61:ed:ca:eb:31:bc:f4:27:46:78:a7: 41:00:ed:bc:9e:5c:e8:bc:fe:48:e2:77:3a:71:38:ea:b2:28: 3b:a3:44:54:f2:c5:f7:b3:f8:87:f7:5f:5e:3b:17:ce:97:9c: d3:c6:52:26:1d:b0:98:4f:a3:ce:a8:17:d9:fb:da:22:6e:e5: ee:8d:04:df:2c:bb:9f:3d:89:af:7f:07:aa:c2:82:89:a0:b1: f0:42:a2:76:eb:d8:0c:9d:25:63:0f:46:f8:88:31:f8:a8:00: 00:96:10:df:5e:4f:f3:f4:49:a6:e6:85:97:96:ca:41:fd:c1: 55:26:e6:e8:df:ba:f6:63:01:85:36:3b:12:c9:e9:97:fc:fa:...
  • Page 174 Configuring SSL on a ServerIron ADX Exponent: lu IÕ8~0xlx) *sX509v3 Basic Constraints: critical *sCA:TRUE *sX509v3 Key Usage: critical *sCertificate Sign, CRL Sign *sNetscape Cert Type: *sSSL CA, S/MIME CA, Object Signing CA *sNetscape CA Revocation Url: *sX509v3 Subject Key Identifier: *sX509v3 Authority Key Identifier: *skeyid:D6:D5:03:E1:B4:F0:0D:82:E9:AB:F0:4C:B2:FC:84:1B:82:18:8A:76 *sDirName:/CN=OS Level_0 CA...
  • Page 175 Configuring SSL on a ServerIron ADX RSA Public Key: (2048 bit) Modulus (2048 bit): 00:a2:a9:48:46:79:dd:98:6b:9f:e9:77:b0:c7:eb: 37:ea:0a:7b:71:0d:5e:02:e6:d4:f7:1e:f2:9b:4f: 2d:f4:17:98:52:bc:13:5c:3b:83:84:f1:58:65:5b: db:73:1b:38:96:c9:11:11:ca:6e:92:3c:80:9b:25: 3d:5a:78:15:93:00:a9:b8:82:9e:35:d3:13:1e:55: 9f:4f:87:03:d6:63:df:41:bd:51:85:5d:ef:b3:aa: 08:d9:80:43:9d:40:05:ae:10:f4:a1:0d:2c:32:b0: d8:c5:50:59:65:01:a8:87:79:6e:f8:bf:6d:2a:90: a0:06:f4:72:2a:26:6a:84:53:5a:0f:92:6e:07:1f: d0:d6:6b:f9:2b:a3:3f:bb:e3:fe:bc:90:8d:fc:db: 6f:73:1b:41:40:78:b9:a3:8f:65:57:e9:11:74:a3: 55:3d:3b:c3:8e:fb:10:b2:03:0c:bc:cc:e4:d3:04: 9c:39:eb:b7:34:1b:a4:47:f4:88:2a:a2:23:61:d0: f0:28:fe:ce:f5:b8:8f:a0:f0:de:1b:44:95:40:91: 55:c7:ee:14:45:b5:c7:48:28:8e:c0:4a:00:c1:23: ac:9f:4e:00:b3:57:79:e6:12:d6:d7:e1:66:a2:62: de:7f:13:b4:1f:17:1e:5a:22:ec:32:87:1a:87:a7: 73:cf Exponent: lu IÕ8~0xlx) *sX509v3 Basic Constraints: critical *sCA:TRUE *sX509v3 Key Usage: critical *sCertificate Sign, CRL Sign *sNetscape Cert Type:...
  • Page 176 Configuring SSL on a ServerIron ADX d3:c2:64:4d:24:41:5a:2c:17:3d:34:27:8b:0c:25:60:6b:3a: 86:f6:54:fc:8d:31:08:3b:dd:4c:cb:46:fb:47:a3:e4:23:3d: 82:33:84:d2:fb:81:05:61:95:09:98:a4:25:f0:55:eb:80:0c: 32:69:48:cf:41:7c:36:2d:d7:c0:02:79:a1:7b:4d:28:4c:84: 64:68:3c:8a:af:28:5f:f6:78:1e:31:d4:5a:2c:60:20:12:99: 5c:e3:df:59:01:79:7c:20:c8:f5:ab:75:e6:ab:db:de:2a:e7: be:4d:a1:9d:d5:5a:7c:9a:22:14:ca:7b:31:9d:48:d8:62:3a: ab:97:15:6b:4f:13:3e:35:c0:fb:82:57:20:e7:08:03:33:28: 19:20:16:24:28:98:d4:f7:cf:0b:4b:0c:7e:6a:88:54:b0:06: 2e:df:b3:6e:ea:8e:4a:a0:60:78:73:40:a7:75:80:ef:96:cb: f1:03:96:83:cf:1a:38:a7:33:82:d5:2e:e7:51:93:06:59:b5: 95:16:a4:34:d4:63:e7:9f:6e:7b:aa:30:13:ed:3e:47:a1:b9: f8:56:d6:11 Figure 14 shows the certificate hierarchy. FIGURE 14 Certificate Hierarchy The root CA certificate "OS level 0 CA" was not included in the chain because it was already trusted by the client, and the client accepted the chain, as shown in Figure 14.
  • Page 177 Configuring SSL on a ServerIron ADX Solution: To verify that the certificate chain is properly uploaded on ServerIronADX, connect to the BP console and enter the show ssl certificate <cert-name> command. Make sure that all of the intermediate CA certificates are included. •...
  • Page 178: Support For Ssl Renegotiation

    Basic SSL profile configuration To enable the ServerIronADX to send the entire certificate chain, configure the enable-certificate-chaining command within an SSL profile as described in “Enabling a certificate chain” on page 169. Support for SSL renegotiation Some SSL application clients use renegotiation as a way within SSL protocols to change cipher specifications and redo the handshake.
  • Page 179: Specifying A Keypair File

    Basic SSL profile configuration Specifying a keypair file Each SSL profile must be associated with an RSA key-pair file that was previously defined using the genrsa command. The following example uses the keypair-file command to associate the key pair file named "rsakey" with the "profile1" SSL profile. ServerIronADX(config)# ssl profile profile1 ServerIronADX(config-ssl-profile-profile1)# keypair-file rsakey Syntax: keypair-file <keypair-file-name>...
  • Page 180: Specifying A Certificate File

    Advanced SSL profile configuration To configure this feature, use commands such as the following: ServerIronADX(config)#ssl profile sp1 ServerIronADX(config-ssl-profile-sp1)# cipher-suite rsa-with-aes-128-sha ServerIronADX(config-ssl-profile-sp1)# cipher-suite rsa-with-rc4-128-md5 ServerIronADX(config-ssl-profile-sp1)# cipher-suite rsa-with-rc4-128-sha Specifying a certificate file Each SSL profile must be associated with a certificate file that was either imported or self-generated as described in “Chained certificates”...
  • Page 181 Advanced SSL profile configuration Enabling certificate verification The ServerIronADX can be optionally configured to enforce client certificate verification. When client certificate verification is configured, the ServerIronADX requires all clients to present their signed certificates. The certificates are compared against trusted CAs and a connection is allowed or denied.
  • Page 182 Advanced SSL profile configuration • A certificate issued by a CA that is trusted by the server • A key-pair for the certificate The certificate and the key can be obtained from the CA in either PKCS or PEM format. For client-authentication to work, these items must be uploaded to the ServerIronADX and then added to the server profile.
  • Page 183 Advanced SSL profile configuration The ServerIronADX supports configuration of up to ten CRL records. Each CRL record can be up to 255K in size. Syntax: ssl crl-record <local-name> <url> der | pem <refresh-interval-in-hours> The <local-name> variable specifies a name for the CRL entry. The value of this entry is an ASCII string.
  • Page 184: Enabling Session Caching

    Advanced SSL profile configuration NOTE All intermediate CA certificates need to be uploaded to the ServerIronADX. Configuring certificate chain depth You can configure the maximum certificate chain depth up to which the ServerIronADX verifies certificates. The default value is 4 and it can be configured up to 10 as shown in the following. ServerIronADX(config)#ssl profile profile1 ServerIronADX(config-ssl-profile-ssl-profile1)# verify-cert-depth 10 Syntax: [no] verify-cert-depth <chain-depth>...
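The two-step chain check on page 168, the four-level "OS Level_n CA" hierarchy on page 172 and the verify-cert-depth limit above, modelled as an added Python example (this is not ServerIron ADX firmware or OpenSSL code). Certificates are reduced to their subject and issuer names so the chain-walking logic is visible without an X.509 parser; the server certificate's subject is a constructed placeholder (the page truncates it), and counting depth as the number of intermediates walked is an assumption about how the ADX applies verify-cert-depth.

```python
"""Model of certificate-chain verification as described in the guide.

Added illustration only: certificates carry just subject and issuer names,
signature checks are omitted, and the depth accounting is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        # A CA certificate has the same value in both fields (page 166).
        return self.subject == self.issuer


def verify_chain(server_cert, chain, trusted_roots, max_depth=4):
    """Walk from the server certificate toward a trusted root.

    chain         -- intermediate certificates sent with the server cert
    trusted_roots -- certificates in the client's trust store
    max_depth     -- mirrors verify-cert-depth (default 4, maximum 10);
                     counted here as intermediates walked (assumption)
    Returns (ok, reason).
    """
    by_subject = {c.subject: c for c in chain}
    trusted = {c.subject for c in trusted_roots}
    current, depth = server_cert, 0
    while True:
        # Step 2 of the guide: the issuer has an entry in the trust store.
        if current.issuer in trusted:
            return True, f"anchored at {current.issuer!r} after {depth} intermediate(s)"
        if depth >= max_depth:
            return False, f"no trust anchor within verify-cert-depth {max_depth}"
        if current.is_self_signed:
            # A root the client does not trust ends the walk without success.
            return False, f"self-signed {current.subject!r} is not in the trust store"
        # Step 1 of the guide: the issuer of this certificate must match the
        # subject of the next certificate up the chain.
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            return False, f"chain incomplete: no certificate with subject {current.issuer!r}"
        current, depth = nxt, depth + 1


def page_hierarchy():
    """The four-level hierarchy from page 172; the server subject is constructed."""
    root = Cert("CN=OS Level_0 CA", "CN=OS Level_0 CA")
    level1 = Cert("CN=OS Level_1 CA", "CN=OS Level_0 CA")
    level2 = Cert("CN=OS Level_2 CA", "CN=OS Level_1 CA")
    server = Cert("CN=server.example.test", "CN=OS Level_2 CA")  # placeholder subject
    return root, level1, level2, server


if __name__ == "__main__":
    root, level1, level2, server = page_hierarchy()
    # Root omitted from the chain but present in the client's trust store (page 176).
    print(verify_chain(server, [level1, level2], [root]))
    # The "Solution" case on page 177: an intermediate was not uploaded.
    print(verify_chain(server, [level2], [root]))
    # A depth limit too small for the hierarchy rejects an otherwise valid chain.
    print(verify_chain(server, [level1, level2], [root], max_depth=1))
```

The second call reproduces the failure the page's "Solution" paragraph addresses: the client sees the server certificate's issuer but nothing with that subject, so the chain cannot be completed; checking the output of show ssl certificate <cert-name> for every intermediate is the corresponding fix on the ADX.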
  • Page 185: Configuring A Session Cache Timeout

    Advanced SSL profile configuration Configuring a session cache timeout By default, SSL sessions are held in the cache for 30 seconds. You can change the time period a session is in cache, as shown in the following. ServerIronADX(config)# ssl profile profile1 ServerIronADX(config-ssl-profile-profile1)# session-cache-timeout Syntax: [no] session-cache-timeout <timeout-in-seconds>...
  • Page 186: Enabling A Serveriron Adx Ssl To Respond With Renegotiation

    Configuring Real and Virtual Servers for SSL Termination and Proxy Mode Enabling a ServerIron ADX SSL to respond with renegotiation headers Some SSL application clients use renegotiation as a way within SSL protocols to change cipher specifications and redo the handshake. It has been reported that insecure renegotiation is susceptible to man-in-the-middle attacks.
  • Page 187: Configuring Real And Virtual Servers For Ssl Termination Mode173

    Configuring Real and Virtual Servers for SSL Termination and Proxy Mode Configuring Real and Virtual Servers for SSL Termination Mode Real and Virtual Server configuration is described in detail in the Brocade ServerIron ADX Server Load Balancing Guide. When configuring a Real or Virtual Server for SSL Termination Mode, you need to do the following: •...
  • Page 188: Configuring Real And Virtual Servers For Ssl Proxy Mode

    Configuring Real and Virtual Servers for SSL Termination and Proxy Mode Configuring Real and Virtual Servers for SSL Proxy Mode Real and Virtual Server configuration is described in detail in the ServerIron ADX Server Load Balancing Guide. When configuring a Real or Virtual Server for SSL Proxy Mode, you need to do the following: •...
  • Page 189 Configuring Real and Virtual Servers for SSL Termination and Proxy Mode The <ssl-profile-name-1> and <ssl-profile-name-2> variables specify the names of the SSL profiles that you want to bind to the SSL port in a proxy mode configuration. The first profile is used for the client to ServerIron ADX side and the second profile is used for the ServerIron ADX to the Real Server side.
  • Page 190: Configuration Examples For Ssl Termination And Proxy Modes

    Configuration Examples for SSL Termination and Proxy Modes Configuration Examples for SSL Termination and Proxy Modes This section describes the procedures required to perform the configurations described in “SSL Termination Mode” on page 137 and “SSL Proxy Mode” on page 138. As shown in the examples there, SSL Termination mode provides for an SSL connection between clients and the ServerIron ADX.
  • Page 191: Configuring Ssl Proxy Mode

    Configuration Examples for SSL Termination and Proxy Modes Create SSL profile with required settings ServerIronADX(config)# ssl profile myprofile ServerIronADX(config-ssl-profile-myprofile)# keypair-file rsakey-file ServerIronADX(config-ssl-profile-myprofile)# certificate-file mycert ServerIronADX(config-ssl-profile-myprofile)# cipher-suite all ServerIronADX(config-ssl-profile-myprofile)# exit Define HTTP ports on real servers ServerIronADX(config)# server real rs1 10.1.1.1 ServerIronADX(config-rs-rs1)# port http ServerIronADX(config-rs-rs1)# exit ServerIronADX(config)# server real rs2 10.1.1.2...
  • Page 192: Tcp Configuration Issues With Ssl Terminate And Ssl Proxy

    Configuration Examples for SSL Termination and Proxy Modes Example Create Client Side SSL profile with required settings ServerIronADX(config)# ssl profile clientprofile ServerIronADX(config-ssl-profile-clientprofile)# keypair-file rsakey-file ServerIronADX(config-ssl-profile-clientprofile)# certificate-file mycert ServerIronADX(config-ssl-profile-clientprofile)# cipher-suite all ServerIronADX(config-ssl-profile-clientprofile)# exit Create server side SSL profile with required settings ServerIronADX(config)# ssl profile serverprofile ServerIronADX(config-ssl-profile-serverprofile)# ca-cert-file ca.cert ServerIronADX(config-ssl-profile-serverprofile)# cipher-suite all...
  • Page 193 Configuration Examples for SSL Termination and Proxy Modes FIGURE 15 Client Capture...
  • Page 194 Configuration Examples for SSL Termination and Proxy Modes FIGURE 16 Server Capture In these examples, the HTTP GET requests are intentionally broken down into multiple parts. In real life, you may not see GET requests divided over multiple packets. These trace results indicate that there is degradation of performance when the ServerIronADX is configured for SSL terminate.
  • Page 195 Configuration Examples for SSL Termination and Proxy Modes Resolution There are two possible approaches to this problem. • Turn OFF delayed ACK on the server. To see how to modify or turn off delayed ACK on Windows 2003 servers, go to the following location: http://support.microsoft.com/default.aspx?scid=kb;en-us;823764 NOTE This method might not be the most satisfactory, as it involves changing the registry on the...
  • Page 196 Configuration Examples for SSL Termination and Proxy Modes Disabling Nagle’s Algorithm You can disable Nagle’s algorithm within a TCP profile as shown in the following example. ServerIronADX(config)# tcp profile tcpprofile1 ServerIronADX(config-tcp-profile-tcpprofile1)# nagle off Syntax: [no] nagle off Disabling the delayed ACK algorithm You can disable the delayed ACK algorithm within a TCP profile as shown in the following example.
  • Page 197 Configuration Examples for SSL Termination and Proxy Modes You can also apply the TCP profile to the SSL profile. In the following example, the TCP profile "nagleoff" is applied to the SSL profile "myprofile", and then "myprofile" is applied to the port ssl ssl-terminate command in ServerIronADX(config)# ssl profile myprofile ServerIronADX(config-ssl-profile-myprofile)# tcp-profile nagleoff...
  • Page 198: Other Protocols Supported For Ssl

    Configuration Examples for SSL Termination and Proxy Modes Define client insertion mode and prefix The client certificate insertion mode and prefix can be optionally configured within a CSW policy as described in the following. To configure the client insertion mode, use the default rewrite request-insert command as shown.
  • Page 199: Configuring The System Max Values

    Configuration Examples for SSL Termination and Proxy Modes ServerIronADX(config)# server real rs1 ServerIronADX(config-rs-rs1)# port pop3 ServerIronADX(config-rs-rs1)# port imap4 ServerIronADX(config-rs-rs1)# port ldap ServerIronADX(config-rs-rs1)# exit ServerIronADX(config)# ServerIronADX(config)# server real rs2 ServerIronADX(config-rs-rs2)# port pop3 ServerIronADX(config-rs-rs2)# port imap4 ServerIronADX(config-rs-rs2)# port ldap ServerIronADX(config-rs-rs2)# exit ServerIronADX(config)# ServerIronADX(config)# server virtual-name-or-ip vip1 ServerIronADX(config-vs-vip1)# port pop3s ServerIronADX(config-vs-vip1)# port pop3s ssl-terminate sslprof...
  • Page 200 Configuration Examples for SSL Termination and Proxy Modes NOTE Please note that the connection count for the SSLv2 rate includes both client-side (Terminate / Proxy) and server-side (Proxy) connections. Configuring memory limit for SSL hardware buffers You can configure the maximum memory allocated for the buffers accessed by the SSL hardware, as shown in the following example.
  • Page 201: Ssl Debug And Troubleshooting Commands

    SSL debug and troubleshooting commands SSL debug and troubleshooting commands This section describes SSL debug and troubleshooting commands. Diagnostics You can run diagnostic tests on the SSL hardware devices to verify proper functionality. Please note that the diagnostic tests should not be run while SSL traffic is being processed. Also, the system should be reloaded after running the diagnostic test-suite.
  • Page 202: Displaying Ssl Information

    SSL debug and troubleshooting commands soft-reset Soft Reset Test Detailed information is logged on the BP console when these tests are run. Displaying SSL information The following SSL Statistics information is available from the BP console within the rconsole mode: •...
  • Page 203 SSL debug and troubleshooting commands Displaying proxy statistics Use the show cp statistics command in the rconsole mode to display connection proxy statistics, as shown in the following. ServerIronADX# rconsole 1 1 ServerIronADX1/1# show cp statistics Client-side counters: SSL conn established : 24190 SSL handshake done : 17630...
  • Page 204 SSL debug and troubleshooting commands Displaying locally stored SSL certificates Use the show ssl certificate command to display locally stored SSL certificates, as shown in the following. ServerIronADX# show ssl certificate * certificate files: : cert3003.pem : cert2112.pem : cert2031.pem : cert4030.pem : cert3301.pem : cert3220.pem...
  • Page 205: Displaying The Status Of A Crl Record

    SSL debug and troubleshooting commands Displaying SSL connection information Use the show ssl con command in rconsole mode to display SSL connection information as shown in the following. ServerIronADX1/1# show ssl con SOCK_ID STATE FLAGS SSL ptr CB_FLAGS CP_RXQ SSLRXQ 00000000 5 00000000 00000000 00002000 00000000 00000000 00000002...
  • Page 206 SSL debug and troubleshooting commands ServerIronADX(config)# ssl crl crl1 http://192.168.5.16/temp.crl pem 1 ServerIronADX#show ssl crl <crl-name> (on MP) Output : URL : /temp.crl IP address : 192.168.5.16 CRL state : Download complete CRL size : 2029 bytes Expiry time : 1 hour Next download : After 1 hour and 9 minutes ServerIronADX3/1#show ssl crl <crl-name>...
  • Page 207 SSL debug and troubleshooting commands Displaying SSL debug counters Use the show ssl debug command in the rconsole mode to display debug counters, as shown in the following. ServerIronADX1/1 #show ssl debug Library [code] Description [code]: count SSL [ certificate verify failed [ 137]: 90219 SSL [ uninitialized [ 301]:...
  • Page 208 SSL debug and troubleshooting commands The following example provides information about a specified key: "rsakey". ServerIronADX# show ssl key rsakey modulus: 00:d6:41:66:47:98:e2:56:9d:4f:7d:e2:da:88:2e: eb:72:39:c9:3c:3a:be:65:73:01:a1:fc:38:c5:c0: bb:18:d6:65:70:ec:d5:11:57:61:2e:72:84:d4:e1: 67:bf:87:50:50:c2:73:f3:9a:bb:41:e1:d0:d8:a0: d5:9a:30:15:a5:0a:7d:67:53:4a:eb:19:04:a8:82: 72:75:74:3b:2f:d4:a5:19:09:6d:ac:1f:05:d5:c0: 94:e5:34:93:19:f6:a8:43:7d:1b:59:44:c8:c7:6e: 80:c2:37:d0:30:e6:66:91:ea:f3:93:88:f4:5d:29: c4:78:39:4e:a7:34:52:9e:63 publicExponent: lu A¹8~0xlx) privateExponent: 00:d4:a5:a2:32:cb:5d:51:23:de:a2:8d:c5:e1:45: d8:2e:cd:85:99:be:9f:fb:a6:72:67:68:22:9c:ba: d5:b7:28:0b:14:52:2a:82:84:9c:12:72:5c:bd:c0: 5d:ad:2d:4a:9c:6c:f2:92:43:ef:38:cb:3b:f1:d5: 67:4b:1a:10:4f:a5:24:c9:af:b2:5d:b3:59:68:b9: 0b:e9:0b:e4:25:3c:d7:62:6d:e0:c3:d6:89:9f:3c: 63:3f:f2:17:6b:e5:26:fe:26:f1:90:03:3f:3b:60: 8b:3d:8e:c2:7a:bd:6a:78:95:3c:1b:25:82:a6:55: 40:a1:6e:53:38:fe:2d:6b:e1...
  • Page 209 SSL debug and troubleshooting commands The * parameter displays a list of all locally stored SSL keys. Displaying an SSL Profile The show ssl profile command allows you to display the configuration of a particular SSL profile or all configured SSL profiles. The following example displays all configured SSL profiles on a ServerIron ADX.
  • Page 210 SSL debug and troubleshooting commands Displaying the certificate bound to an SSL profile Use the show ssl profile cert command on the rconsole, as shown in the following, to display the certificate bound to a specified profile. This is useful when checking to see if a certificate is intact on the BPs.
  • Page 211 SSL debug and troubleshooting commands 00:ac:6e:a1:3d:3c:0a:f3:df:e2:8d:b4:5e:d6:cb: 90:e3:96:87:2d:bc:aa:41:64:22:fa:ea:c2:86:d8: b1:bc:99:c5:c6:af:87:2d:d1:2b:89:b9:31:6f:9c: 35:03:86:9b:47:6d:82:a8:4f:88:07:dc:46:8a:87: 86:5c:cd:15:c6:3d:de:72:05:68:0b:50:b5:77:27: 9f:6c:33:a3:8b:2a:de:e6:f7:b3:f3:70:e6:b9:cc: 8d:4c:84:25:b7:2f:62:d6:76:ed:93:59:87:f7:4c: b1:99:23:f0:9f:d9:61:d3:e1:e7:40:a0:12:6a:1d: f5:20:b7:2e:2b:08:9e:80:c5 publicExponent: 00010001 (0x00010001) privateExponent: 42:81:64:e5:16:4c:6f:25:51:df:2f:cb:48:73:39: 4d:de:58:02:f6:fa:7f:c0:1c:91:c4:8c:04:b0:7d: 54:ed:c6:4f:4c:92:09:c4:dc:53:01:3f:a4:f9:8d: a4:ef:7c:e2:7e:c5:5f:1f:55:ab:1a:75:86:a6:a0: d7:18:2e:a6:26:29:96:8c:e8:7e:38:df:da:5b:c5: 90:ca:e1:3d:a3:1b:03:a7:95:e9:59:be:18:8b:dc: 28:0a:3f:8f:a1:68:c1:07:2e:9a:8f:19:9e:e0:17: 96:eb:7e:40:57:97:f6:13:05:e2:0e:0e:06:b8:02: a7:00:a3:ff:19:c2:42:9d prime1: 00:db:a6:28:e7:8e:ed:26:44:12:e5:bc:d5:05:98: d7:c2:02:f1:3c:b7:72:7e:51:7c:31:3e:9c:9a:d9: 1a:a9:93:3c:c5:a2:27:85:1f:24:89:46:6c:4c:b8: bb:d0:ef:eb:d2:0e:0b:95:d5:47:bb:27:9a:50:f6: 00:68:62:57:6b prime2: 00:c8:f8:09:b0:fe:87:4f:08:ab:00:f4:e7:ef:2d: a5:85:5a:2a:25:4f:ed:49:ba:60:55:d5:72:ce:69: fe:4b:ef:d7:c1:9a:a4:b3:42:68:aa:e7:9a:e0:d3: ee:62:99:72:df:9c:3a:1d:59:5f:74:c4:08:fe:7d: 9a:ef:76:04:8f exponent1: 47:3b:bd:ec:4a:d7:f2:1f:05:99:e8:01:95:cd:19: bb:db:c4:6c:92:79:d9:29:88:03:58:70:e5:6f:1f: 4c:7b:69:ac:16:88:86:8d:b1:05:ac:07:17:62:99:...
  • Page 212 SSL debug and troubleshooting commands Displaying record size information Use the show ssl record-size command in rconsole mode to display information regarding record size. ServerIronADX# rconsole 1 1 ServerIronADX1/1# show ssl record-size Decrypt Encrypt Count TotalBytes AvgBytes Count TotalBytes AvgBytes <...
  • Page 213: Displaying Socket Information

    Displaying socket information Displaying socket information The following socket information is available from the BP console within the rconsole mode. • Socket detail in open status • All sockets in open status • Socket state information To access the display commands that present this information, you must enter the BP console using the rconsole command as shown in “Using Rconsole”...
  • Page 214 Displaying socket information Displaying socket state information Use the show socket state command in the rconsole mode to display socket state information, as shown in the following. ServerIronADX# rconsole 1 1 ServerIronADX1/1# show socket state Socket Layer: Total sockets : 65000 Open sockets : 10611...
  • Page 215: Displaying Ssl Statistics Information

    Displaying socket information Displaying SSL Statistics information The following SSL Statistics information is available from the BP console within the rconsole mode: • SSL Statistics alert information • Decoded status counters of SSL alerts • SSL decoded client site status counters •...
  • Page 216 Displaying socket information Displaying SSL decoded client site status counters Use the show ssl statistics client command in rconsole mode to display SSL decoded client site status counters as shown. ServerIronADX# rconsole 1 1 ServerIronADX1/1# show ssl statistics client SSL Client statistics: *********************************************************************** SSL Connect attempts: 2627919...
  • Page 217 Displaying socket information Displaying SSL Statistics counters Use the show ssl statistics counters command in rconsole mode to display SSL statistical counters as shown. ServerIronADX# rconsole 1 1 ServerIronADX1/1# show ssl statistics counter SSL debug counters: SSL connect attempts : 16024 SSL Handshake complete : 9384...
  • Page 218 Displaying socket information Displaying SSL crypto engine status counters Use the show ssl statistics crypto command in rconsole mode to display SSL crypto engine status counters as shown. ServerIronADX# rconsole 1 1 ServerIronADX1/1# show ssl statistics crypto SSL crypto statistics: ************************************************************************** Csp1Handshake: Csp1HandshakeStart:...
  • Page 219: Displaying Tcp Ip Information

    Displaying socket information Displaying TCP IP information The following TCP IP information is available from the BP console within the rconsole mode: • SSL, TCP, and IP buffer information • TCP and IP chain length statistics • SSL, TCP, and IP queues •...
  • Page 220 Displaying socket information Displaying TCP and IP chain length statistics Use the show tcp-ip chain-statistics command in rconsole mode to display TCP and IP chain length statistics as shown. ServerIronADX# rconsole 1 1 ServerIronADX1/1# show tcp-ip chain-statistics TCP->App App->TCP Count TotalBytes AvgBytes Count...
  • Page 221 Displaying socket information Displaying TCP and IP statistics Use the show tcp-ip statistics command in rconsole mode to display TCP and IP statistics as shown in the following. ServerIronADX# rconsole 1 1 ServerIronADX1/1# show tcp-ip statistics Driver Layer: Rx cnt : 405603 Pkt mem alloc fail : Tx cnt :...
  • Page 222 Displaying socket information Show SSL memory Use the show ssl mem command in rconsole mode to display SSL memory statistics as shown in the following. ServerIronADX# rconsole 1 1 ServerIronADX1/1# show ssl mem Total SSL Buffer Usage: Size: 32B 128B 256B 512B 8.5K...
  • Page 223: Asm Ssl Dump Commands

    Displaying socket information ASM SSL dump commands The following ASM SSL dump commands can be used for troubleshooting your ServerIron ADX system. Because these commands are performance intensive, use discretion when using them within a production system. asm dm ssldump Use the asm dm ssldump command on the BP to display all transmit and receive SSL packets.
  • Page 224 Displaying socket information asm dm ssldump both Use the asm dm ssldump both command on the BP to display both client and server SSL packets. ServerIronADX# rconsole 1 1 ServerIronADX1/1# asm dm ssldump both Debug both client and server packets Syntax: asm dm ssldump both asm dm ssldump client Use the asm dm ssldump client command on the BP to display client SSL packets only.
  • Page 225 Displaying socket information asm dm ssldump mode detail Use the asm dm ssldump mode detail command on the BP to display SSL handshake packet detail information. asm dm ssldump mode decrypt Use the asm dm ssldump mode decrypt command on the BP to display SSL decrypted received packets only.
  • Page 226 Displaying socket information Syntax: asm dm ssldump max <count> asm dm ssldump max Use the asm dm ssldump max <count> command to limit the number of packets logged on the console. Syntax: asm dm ssldump max <count> The default value is 50.