Access Security Guide K/KA/KB.15.15

5. Check any hosts that exhibit relatively high connection rate behavior to determine whether
malicious code or legitimate use is the cause of the behavior.
6. Hosts with high but legitimate connection rates, such as heavily used servers, can trigger a
connection-rate filter. Configure connection-rate ACLs to create policy exceptions for trusted
hosts. Exceptions can be configured for these criteria:
• A single source host or group of source hosts
• A source subnet
• Either of the above with TCP or UDP criteria
For more on connection-rate ACLs, see “Application options” (page 66).
7. Increase the sensitivity to Medium and repeat steps 5 (page 71) and 6 (page 71).
NOTE: On networks that are relatively infection-free, sensitivity levels above Medium are
not recommended.
8. (Optional.) Enable throttle or block mode on the monitored ports.
NOTE: On a given VLAN, to unblock the hosts that have been blocked by the connection-rate
feature, use the vlan < vid > connection-rate-filter unblock command.
9. Maintain a practice of carefully monitoring the Event Log or configured trap receivers for any
sign of high connection-rate activity that could indicate an attack by malicious code; see
“Connection-rate log and trap messages” (page 70).
Configuring connection-rate filtering for high risk networks (Overview)
This procedure is similar to the general steps required for a relatively attack-free network, except
for the policies suggested for managing hosts that exhibit high connection rates. Throttling all
ports from the start preserves network performance for unaffected hosts and helps to identify hosts
that may require updates or patches to eliminate malicious code.
1. Configure connection-rate filtering to throttle on all ports.
2. Set global sensitivity to medium.
3. If SNMP trap receivers are available in your network, use the snmp-server command to
configure the switch to send SNMP traps.
4. Monitor the Event Log or the available SNMP trap receivers (if configured on the switch) to
identify hosts exhibiting high connection rates.
5. Check any hosts that exhibit relatively high connection rate behavior to determine whether
malicious code or legitimate use is the cause of the behavior.
6. For hosts you identify as needing attention to remove malicious behavior:
• To immediately halt an attack from a specific host, group of hosts, or subnet, use per-port
block mode on the appropriate port(s).
• After gaining control of the situation, use connection-rate ACLs to manage traffic more
selectively, so that normal traffic from reliable hosts is still received.
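The following annotated CLI session is an added example, not taken from this guide, that walks the high-risk procedure above end to end and also shows the connection-rate ACL exception from step 6 of the general procedure. The port range a1-a24, VLAN 10, the host and subnet addresses, the SNMP receiver and community, and the ACL name trusted-servers are all assumptions; lines beginning with “;” are annotations, not commands. Command syntax is recalled from the switch's connection-rate-filter and connection-rate ACL command set and should be checked against the command reference for your firmware before use.

```text
; Steps 1-2: throttle on every port, global sensitivity medium
ProCurve(config)# filter connection-rate a1-a24 throttle
ProCurve(config)# connection-rate-filter sensitivity medium

; Step 3: send traps to an SNMP receiver (10.10.20.5, community "public": assumed values)
ProCurve(config)# snmp-server host 10.10.20.5 public

; Steps 4-5: list hosts the filter is currently throttling, then check the Event Log;
; investigate each listed host off the switch before deciding it is infected
ProCurve(config)# show connection-rate-filter throttled-host
ProCurve(config)# show log

; Step 6, first bullet: host 10.10.10.77 on port a7 confirmed malicious; block that port outright
ProCurve(config)# filter connection-rate a7 block

; Step 6, second bullet: connection-rate ACL for VLAN 10 that exempts a trusted server
; (all protocols), exempts the management subnet for TCP only, and filters everything else
ProCurve(config)# ip access-list connection-rate-filter trusted-servers
ProCurve(config-crf-nacl)# ignore any host 10.10.20.10
ProCurve(config-crf-nacl)# ignore tcp 10.10.30.0/24
ProCurve(config-crf-nacl)# filter any any
ProCurve(config-crf-nacl)# exit
ProCurve(config)# vlan 10 ip access-group trusted-servers connection-rate-filter

; After remediation: release every blocked host on VLAN 10, or just the one host
ProCurve(config)# vlan 10 connection-rate-filter unblock all
ProCurve(config)# vlan 10 connection-rate-filter unblock host 10.10.10.77
```

The ACL is evaluated top down, so the ignore entries for trusted sources must precede the closing filter any any; a host matched by an ignore entry is never throttled or blocked on that VLAN, which is why the exemption should be as narrow as the traffic pattern allows (a single server or a TCP-only subnet rather than a whole VLAN). Unblocking is a per-VLAN operation and does not change the port mode, so a port left in block mode will block the next host that trips the sensitivity threshold.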