53-1002440-03 June 2012 ServerIron ADX Security Guide Supporting Brocade ServerIron ADX version 12.4.
© 2012 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, MLX, SAN Health, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Contents
About This Document
  Audience xiii
  Supported hardware and software xiii
  Document conventions xiii
  Text formatting xiii
  Notes, cautions, and danger notices
Transaction Rate Limit (TRL) 7
  Understanding transaction rate limit 7
  Configuring transaction rate limit 8
  Configuring the maximum number of rules 12
  Saving a TRL configuration 13
  Transaction rate limit command reference
Firewall load balancing enhancements 34
  Enabling firewall strict forwarding 34
  Enabling firewall VRRPE priority 34
  Enabling track firewall group 35
  Enabling firewall session sync delay 35
  Syn-cookie threshold trap
ACL logging 70
  Displaying ACL log entries 71
  Displaying ACL statistics for flow-based ACLs 72
  Clearing flow-based ACL statistics 72
  Dropping all fragments that exactly match a flow-based ACL 72
  Clearing the ACL statistics
Translation timeouts 104
  Configuring the NAT translation aging timer 104
  Stateless static IP NAT 105
  Redundancy 105
  Enabling IP NAT 106
  Enabling static NAT redundancy
Chapter 6 Secure Socket Layer (SSL) Acceleration
  SSL overview 135
  Public Key Infrastructure (PKI) 135
  Asymmetric cryptography 136
  Certificate Authority (CA) 136
  Certificate Revocation List (CRL) 136
  Cipher suite
SSL debug and troubleshooting commands 187
  Diagnostics 187
  Displaying SSL information 188
  Displaying the status of a CRL record 191
  Displaying socket information 199
  Displaying SSL Statistics information
xii ServerIron ADX Security Guide 53-1002440-03
About This Document
Audience
This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing. If you are using a Brocade Layer 3 Switch, you should be familiar with the following protocols if applicable to your network: IP, RIP, OSPF, BGP, ISIS, IGMP, PIM, DVMRP, and VRRP.
Supported hardware and software
Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc. for 12.
Text formatting
bold text: Identifies command names; identifies the names of user-manipulated GUI elements; identifies keywords; identifies text to enter at the GUI or CLI
italic text: Provides emphasis; identifies variables; identifies document titles
code text: Identifies CLI output
For readability, command names in the narrative portions of this guide are presented in bold: for example, show version.
Notes, cautions, and danger notices
The following notices and statements are used in this manual.
Corporation / Referenced Trademarks and Products
Microsoft Corporation: Windows NT, Windows 2000
The Open Group: Linux
Related publications
The following Brocade documents supplement the information in this guide:
• Release Notes for ServerIron Switch and Router Software TrafficWorks 12.2.
Chapter 1 Network Security
TCP SYN attacks
ServerIron software contains many intrusion detection and prevention capabilities. The ServerIron can be configured to defend against a variety of TCP SYN attacks, Denial of Service (DoS) attacks, and Smurf attacks. TCP SYN attacks disrupt normal traffic flow by exploiting the way TCP connections are established. When a normal TCP connection occurs, the connecting host first sends a TCP SYN packet to the destination host.
Granular application of syn-proxy feature
• ServerIron may accept the ACK during 33 seconds to 64 seconds due to the syn-proxy algorithm, but it does not accept the ACK after 64 seconds.
• If you enter a value for the ip tcp syn-proxy command from the CLI or upgrade from an older release such as 09.4.x to 09.5.2a with the ip tcp syn-proxy command in the config file, you receive the following warning message.
Warning: The value 10 is being ignored.
Syn-def
ServerIronADX# show server traffic
Client->Server = 0 Server->Client Drops = 0 Aged Fw_drops = 0 Rev_drops FIN_or_RST = 0 old-conn Disable_drop = 0 Exceed_drop Stale_drop = 0 Unsuccessful TCP SYN-DEF RST = 0 Server Resets Out of Memory = 0 Out of Memory = = = = = = = = 1 0 0 0 0 0 0 0 0
The last line contains information relevant to the incomplete connection threshold. The TCP SYN-DEF RST field displays the number of times the incomplete connection threshold was reached.
No response to non-SYN first packet of a TCP flow
SLB-chassis1/1#show server debug
Generic Deug Info BP Distribution No of BPs Partner Chassis MAC Partner BP1 MAC Partner BP3 MAC Partner BP5 MAC = = = = = = Enabled 3 0000.0000.0000 0000.0000.0000 0000.0000.0000 0000.0000.0000 JetCore No of Partner BPs = = No 0 Partner BP2 MAC Partner BP4 MAC Partner BP6 MAC = = = 0000.0000.0000 0000.0000.0000 0000.0000.
Prioritizing management traffic
By default, when the ServerIron ADX receives a TCP packet destined to a VIP and there is no session match, it sends a TCP reset to the sender. If you prefer the ServerIron ADX to remain passive instead, enable the following feature. To not send the reset packet, use the following command.
ServerIronADX(config)# server reset-on-syn-only
To remove the configuration, use the following command.
Peak BP utilization with TRAP
ServerIronADX# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 200.1.1.1 6 80
Prioritization of TCP port 80 traffic to management IP 200.1.1.1 from any source IP address
ServerIronADX# server prioritize-mgmt-traffic any 200.1.1.1 6 80
Prioritization of UDP port 2222 traffic to management IP 200.1.1.1
ServerIronADX# server prioritize-mgmt-traffic 1.1.1.1 255.255.255.0 200.1.1.1 17 2222
Prioritization of IP protocol 89 (OSPF) traffic to management IP 200.1.1.
BP utilization threshold
The bp-utilization-threshold command allows you to specify a threshold for BP CPU utilization. Define this command under the global configuration mode. When the threshold is exceeded, the event is logged and a trap is sent. The log and trap are rate-limited to one per two minutes. The command takes a percentage string as its parameter.
Example
ServerIronADX(config)# bp-utilization-threshold 80.
Transaction Rate Limit (TRL)
• Ability to operate on a per-VIP basis, whereby a different rate limit can be applied to traffic coming to a different VIP.
Configuring transaction rate limit
To enable transaction rate limit, you must configure parameters for each client address/prefix and apply the transaction rate limit configuration to a specific VIP.
Prerequisites
Before you can configure transaction rate limit, you must configure a virtual server.
1. Enable privileged EXEC mode.
ServerIronADX> enable
2. Enter global configuration mode.
ServerIronADX# configure terminal
3. Specify the name of the transaction rate limit rule set and enter client transaction rate limit configuration mode.
ServerIronADX(config)# client-trans-rate-limit tcp TRL1
Syntax: [no] client-trans-rate-limit tcp | udp | icmp
4. Specify the trl parameter for the client subnet and the exclude keyword.
Configure transaction rate limit for pass through traffic
You can configure transaction rate limit for traffic that is not going to a virtual server. You can configure only one group for pass through traffic. To create a transaction rate limit group for pass through traffic, follow these steps.
1. Enable privileged EXEC mode.
ServerIronADX> enable
2. Enter global configuration mode.
ServerIronADX# configure terminal
3.
2. Enter global configuration mode.
ServerIronADX# configure terminal
3. Specify the server virtual-name-or-ip command and the VIP name to enter virtual server configuration mode.
ServerIronADX(config)# server virtual-name-or-ip bwVIP
Syntax: [no] server virtual-name-or-ip
4. Specify the BW parameter and BW rule set.
ServerIronADX(config-vs-bwVIP)# client-trans-rate-limit trl
Syntax: [no] client-trans-rate-limit
5.
—IP address of the TFTP server.
—File name of the Transaction Rate Limit configuration.
—Retry number for the download.
Verify that the Transaction Rate Limit configuration file is in the following format.
client-trans-rate-limit tcp trl101
 trl 10.2.24.0/24 monitor-interval 50 conn-rate 100 hold-down-time 60
 trl 10.2.24.10/32 exclude
NOTE
This is the same format as the show running-configuration command generates.
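As an added illustration of the TRL rule-set format and parameters described above (not ServerIron code, and not Brocade's actual algorithm), the following Python parses a file in that format, selects the longest-prefix rule for a client, honours exclude, and models monitor-interval / conn-rate / hold-down-time as a fixed-window counter that triggers a hold-down. The window units (seconds), per-client-address state and the added "trl default" line are assumptions.

```python
import ipaddress

# Constructed input in the TRL file format shown above; the "trl default" line is an
# added assumption based on the trl syntax (default | <subnet> ...), not from the sample.
TRL_CONFIG = """
client-trans-rate-limit tcp trl101
 trl 10.2.24.0/24 monitor-interval 50 conn-rate 100 hold-down-time 60
 trl 10.2.24.10/32 exclude
 trl default monitor-interval 10 conn-rate 20 hold-down-time 30
"""


def parse_trl(text):
    """Parse one client-trans-rate-limit rule set into a policy dict."""
    policy = {"proto": None, "name": None, "rules": []}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "client-trans-rate-limit":
            policy["proto"], policy["name"] = tok[1], tok[2]
        elif tok[0] == "trl":
            net = None if tok[1] == "default" else ipaddress.ip_network(tok[1], strict=False)
            rule = {"net": net, "exclude": tok[2] == "exclude"}
            if not rule["exclude"]:
                # keyword/value pairs: monitor-interval N conn-rate N hold-down-time N
                rule.update(zip(tok[2::2], map(int, tok[3::2])))
            policy["rules"].append(rule)
    return policy


def lookup(policy, client):
    """Most specific (longest prefix) rule for the client, else the default rule, else None."""
    addr = ipaddress.ip_address(client)
    best = None
    for r in policy["rules"]:
        if r["net"] is not None and addr in r["net"]:
            if best is None or r["net"].prefixlen > best["net"].prefixlen:
                best = r
    if best is None:
        best = next((r for r in policy["rules"] if r["net"] is None), None)
    return best


class TransactionRateLimiter:
    """Fixed-window model: more than conn-rate connections from a client within one
    monitor-interval starts a hold-down of hold-down-time, during which the client is
    refused. Units are seconds and state is per client address (both assumptions)."""

    def __init__(self, policy):
        self.policy = policy
        self.state = {}   # client -> {"start", "count", "held_until"}

    def admit(self, client, now):
        rule = lookup(self.policy, client)
        if rule is None or rule["exclude"]:
            return True                       # no rule, or explicitly excluded: never limited
        st = self.state.setdefault(client, {"start": now, "count": 0, "held_until": None})
        if st["held_until"] is not None:
            if now < st["held_until"]:
                return False                  # still held down
            st.update(start=now, count=0, held_until=None)
        if now - st["start"] >= rule["monitor-interval"]:
            st.update(start=now, count=0)     # new monitoring window
        st["count"] += 1
        if st["count"] > rule["conn-rate"]:
            if rule["hold-down-time"] > 0:    # 0 means do not hold down
                st["held_until"] = now + rule["hold-down-time"]
            return False
        return True
```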
Saving a TRL configuration
The following applies to saving a TRL config:
• The startup-config cannot store 15,000 IPv4 and 15,000 IPv6 rules.
• If the total number of IPv4 and IPv6 rules exceeds 2500, issuing the write mem command stores the TRL rules in the "trl_conf.txt" file on the internal USB drive.
• The policy config and global/local maximum rule count config is always stored in the startup-config.
Syntax: trl {default | { | } {exclude | monitor-interval conn-rate hold-down-time }}
default - Specifies the default transaction rate limit parameter.
- Specifies the IPv4 client subnet and
- Specifies the IPv4 client mask.
- Specifies the IPv6 client subnet and
- Specifies the IPv6 client mask bits.
ServerIronADX(config)# interface ethernet 1/1
ServerIronADX(config-if-1/1)# ip tcp trans-rate 80
where sets one or more TCP or UDP ports to monitor. With TRL, the ServerIron can monitor up to 4 specific ports. The ServerIron can also monitor traffic to all the ports by configuring the default port.
ServerIronADX#show client-trl trl-policy1 ipv6 40
Max Count: 2500 Total Count: 2
IP address/Mask   interval   attempts   holddown
300::3a95/128     1          67         93
300::3a96/128     66         38         34
Syntax: show client-trl { ipv4 | ipv6}
The variable specifies the TRL policy that you want to display rules for.
Example
To configure the ServerIron to refuse connections from 192.168.9.210 for 20 minutes, enter the following.
ServerIronADX(config)# security hold-source-ip 192.168.9.210 20
To display the IP addresses from which connections are currently being refused, enter the following.
ServerIronADX# rconsole 2 1
ServerIronADX2/1 # show security holddown source
192.168.2.30 192.168.2.
Configuring HTTP TRL
• Rate-limiting functionality must support rate over time and total connections, based on customer ID.
• Max-conn currently works only for HTTP/1.0.
• This feature supports HTTP redirect or drop client response actions once the rate limit has been exceeded.
• This feature provides event and threshold alert monitoring and notification, based on specific customer connection SLAs.
Configuring HTTP TRL
This section describes how to configure the HTTP TRL feature.
Syntax: [no] http-trl-policy
2. Configure an HTTP TRL client maximum connection.
ServerIronADX(config-http-trl-p1)# client-name c1 max-conn 10
Syntax: [no] client-name max-conn
—specifies the maximum number of connections the client can set up.
3. Configure the action to take if a client exceeds the configured maximum connections (optional).
Syntax: [no] default exceed-action reset
Sample HTTP TRL configuration
This section describes how to configure a sample HTTP TRL configuration. This scenario describes all the required steps for configuring HTTP TRL, with notes on the optional steps.
Syntax: port http
ServerIronADX(config-rs-web2)# exit
Syntax: exit
5. Define a virtual server with an IP address.
ServerIronADX(config)# server virtual-name-or-ip csw-vip 1.1.1.100
Syntax: server virtual-name-or-ip
6. Define a virtual HTTP port on the virtual server.
ServerIronADX(config-vs-csw-vip)#port http
Syntax: port http
7. Bind HTTP ports on real servers web1 and web2 to the virtual port HTTP.
Displaying HTTP TRL
Display all HTTP TRL policies
To show all running configurations for HTTP TRL policies, use the following command.
ServerIronADX# show run http-trl-policy all
Syntax: show run http-trl-policy all
Example
ServerIronADX# show run http-trl all
!Building configuration...
!Current configuration : 124813 bytes
!
http-trl-policy "my-http-trl-policy-104" tftp 50.50.50.105 "http-trl-policy-104.
client-name "root17" max-conn 1
client-name "root17" exceed-action reset
client-name "root18" max-conn 1
client-name "root18" exceed-action reset
client-name "root19" max-conn 1
client-name "root19" exceed-action reset
client-name "root2" max-conn 1
client-name "root2" exceed-action reset
client-name "root20" max-conn 1...
Display HTTP TRL policy client
To show a running configuration for an HTTP TRL policy client, enter the following command.
client-name "root18" exceed-action reset
client-name "root19" max-conn 1
client-name "root19" exceed-action reset
client-name "root2" max-conn 1...
Display HTTP TRL policy matching a regular expression
To show a running configuration for an HTTP TRL policy matching a specific regular expression (regex), enter the following command.
NOTE
The syntax for regex is the same as for piping.
Example
ServerIronADX# show http-trl policy my-http-trl-policy-103 0 10
Policy Name: my-http-trl-policy-103
configured client count: 1 total client count: 1
Client name TDSWS/LoadRunner monitor-interval 1 warning rate 10 shutdown rate 20 holddown interval 0 exceed action: drop dynamic No
max-conn track session 0 trl track session 0
Syntax: show http-trl policy
NOTE
This command entered on the MP only displays configuration info
Downloading an HTTP TRL policy through TFTP
Example
ServerIronADX# show http-trl policy my-http-trl-policy-103 0 100
Policy Name: my-http-trl-policy-103
configured client count: 1 total client count: 2
Client name V E'Vææ\ max-conn 50 dynamic Yes
max-conn track session 1 trl track session 0
HTTP_TRL_HIT 3278 HTTP_TRL_PASS 1613 HTTP_MAX_CONN_F 1665 HTTP_TRL_DROP 1665
Client name TDSWS/LoadRunner monitor-interval 1 warning rate 10 shutdown rate 20 holddown interval 0 exceed action: drop dynamic No max-con
HTTP TRL policy commands
Syntax: tftp
NOTE
You can save this command with write memory to automatically initiate a download for this policy after you reload. If you configure more than one policy for TFTP download, and a policy fails the download, the ServerIron does NOT retry, and the subsequent policy does not initiate a download. You must manually issue the command to do a TFTP download.
—specifies the maximum number of connections the client can set up.
Example
ServerIronADX(config-http-trl-p1)# client-name c1 max-conn 10
NOTE
You must set the client HTTP max-conn configuration before you configure the client exceed-action.
NOTE
Max-conn currently supports only HTTP/1.0.
• —specifies the length of the hold-down period, in minutes, if a client exceeds the rate limit.
NOTE
A value of 0 means do not hold down. Hold down holds all traffic.
Example
ServerIronADX(config-http-trl-p1)# default monitor-interval 1 10 20 0
Default max-conn
Use the default max-conn option in the http-trl-policy configuration mode to set default maximum connection parameters.
Logging for DoS Attacks
The following sections describe how to enable logging of DoS attacks.
Configuration commands
Use the following commands to enable logging of TCP connection rate and attack rate.
show server conn-rate
Use show server conn-rate to display the global TCP connection rate (per second) and TCP SYN attack rate (per second). This command reports global connection rate information for the ServerIron as well as for each real server.
ServerIronADX# show server conn-rate
Avail.
Maximum concurrent connection limit per client
This feature restricts each client to a specified number of connections, based on the client's subnet, to prevent any one client from using all available connections.
Limiting the number of concurrent connections per client
ServerIronADX(config)# client-connection-limit max-conn1
ServerIronADX(config-client-max-conn)# max-conn default 10
In this example, all clients not specified in any max connection group will have a maximum of 10 connections.
Syntax: [no] client-max-conn-limit
Enter the name of the max connection policy for .
NOTE
When the policy is bound to a VIP, the policy limits the number of connections that a client can have on any real server on the network.
Enabling track firewall group
To enable track-fw-group to track the firewall group state, use the following commands.
ServerIronADX(config)#int ve 1
ServerIronADX(config-vif-1)# ip vrrp-e vrid 1
ServerIronADX(config-vif-1-vrid-1)# track-fw-group
Syntax: track-fw-group
Use the track-fw-group command under the VRRPE config level. is the firewall group that needs to be tracked for this VRRPE.
NOTE
VIP protection works for IPv4 VIPs alone and cannot be enabled for IPv6 VIPs.
You can enable this feature globally by entering the following command.
ServerIronADX(config)# server vip-protection
Syntax: [no] server vip-protection
Once enabled, VIP protection applies to all existing and new VIP configurations. If you want to enable the feature on individual VIPs, enter the following command.
Traffic segmentation
When used for creating Layer-2 segmentation among SLB domains, this feature ensures that traffic from one SLB domain destined to another SLB domain goes through the upstream gateway and is not switched locally. This ensures that every packet between a client and server has to go through the ServerIron ADX for load-balancing. Figure 1 is an example of the VLAN bridging feature deployed in a one-armed topology.
[Figure 1: VLAN bridging in a one-armed topology. Gateway: VLANs 12, 13, 14. ServerIron ADX (active) and ServerIron ADX (standby): VLANs 2, 3, 4, 12, 13, 14, VLAN bridging 2-12, 3-13, 4-14. Layer-2 switch: VLANs 2, 3, 4, 12, 13, 14. VLAN 2 Domain1, VLAN 3 Domain2, VLAN 4 Domain3.]
Considerations when configuring VLAN bridging
The following considerations apply when configuring VLAN bridging:
• Up to 64 unique-pair VLAN bridges can be configured.
• A VLAN cannot be part of two different VLAN bridges.
NOTE
Once a bridge is created between two VLANs, the VLAN configuration mode for those VLANs is disabled. You must remove a VLAN bridge if you want to make any changes to a VLAN contained within the VLAN bridge.
Example
The following example configures two VLANs with each containing the same ports and a VLAN bridge configured between them.
The contents of the display are defined in the following table.
TABLE 2 Display from show vlan command
This field... / Displays...
PORT-VLAN / The VLAN ID of the PORT VLAN configured.
Bridge VLAN / The VLAN ID of the associated bridge VLAN.
Name / The name of the VLAN as configured. If no name is configured, "[None]" is displayed.
Priority level / The QoS priority as configured. If no priority value is configured, the value displayed will be "0".
Traffic segmentation using the use-session-for-vip-mac command
By default, as long as there is a session match, packets with a destination IP address of a VIP are processed regardless of whether the destination MAC is addressed to the ServerIron ADX or not. With the server use-session-for-vip-mac command configured, only packets with a destination MAC address of the ServerIron ADX are processed.
DNS attack protection
The ServerIron ADX can be configured to provide DNS attack protection to VIP traffic. This protection is provided by performing a deep packet scan and then classifying DNS requests based on the following: query type, query name, RD flag, or the DNSSEC "OK" bit in the EDNS0 header.
Configuring DNS attack protection
Configuring DNS attack protection involves the following steps:
1. Create DNS DPI rules. In this step you specify the filtering parameters under a rule. A packet must match all of the filtering parameters defined under a rule to match the rule.
2. Create a DNS DPI policy and bind the rules to it. In this step you bind a rule to a policy and specify the action to be taken if a packet matches the rule.
3. Bind a DNS DPI policy to a virtual port.
The off parameter is matched if the RD flag is not set in the packet.
Syntax: query-dnssec-ok { on | off}
The on parameter is matched if the DNSSEC bit is set in the packet. The off parameter is matched if the DNSSEC bit is not set in the packet.
Order of rule matching
Matching on the query-name is first attempted in the order of the length of the query-name. This is followed by the rules without a query-name (only if needed), in the order they were added to the policy.
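Added example (not ServerIron code): a Python model of the classification described above. It extracts query type, query name, RD flag and the EDNS0 DNSSEC OK bit from a constructed query and evaluates rules in the stated order: rules with a query-name first, then the rest in configured order. Longest query-name first, exact case-insensitive name matching, and the rule names d2/d3/d4 with a default action are assumptions.

```python
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}
OPT = 41           # EDNS0 OPT pseudo-RR type
DO_BIT = 0x8000    # DNSSEC OK flag lives in the OPT RR's TTL field


def build_query(name, qtype, rd=True, dnssec_ok=False, txid=0x1234):
    """Constructed sample input: a minimal DNS query, with an EDNS0 OPT RR when dnssec_ok."""
    flags = 0x0100 if rd else 0x0000
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    for label in name.rstrip(".").split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    pkt += b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)
    if dnssec_ok:   # root name, type OPT, UDP payload size 4096, DO set, no options
        pkt += b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_BIT, 0)
    return pkt


def parse_query(pkt):
    """Deep-packet scan: pull out the fields the DNS DPI rules classify on."""
    _txid, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    if qd != 1:
        raise ValueError("zero or multiple queries")  # the global drop option covers these
    labels, pos = [], 12
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[pos:pos + ln].decode("ascii").lower())
        pos += ln
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    pos += 4
    dnssec_ok = False
    for _ in range(ar):                      # look for the OPT RR in the additional section
        if pkt[pos] != 0:                    # this model handles only root-named RRs here
            break
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", pkt[pos + 1:pos + 11])
        if rtype == OPT:
            dnssec_ok = bool(ttl & DO_BIT)
        pos += 11 + rdlen
    return {"query_name": ".".join(labels), "query_type": qtype,
            "rd": bool(flags & 0x0100), "dnssec_ok": dnssec_ok}


def order_rules(rules):
    """Rules with a query-name first (assumed longest first), then the rest in configured order."""
    named = [r for r in rules if "query_name" in r]
    unnamed = [r for r in rules if "query_name" not in r]
    named.sort(key=lambda r: len(r["query_name"]), reverse=True)
    return named + unnamed


def classify(rules, pkt, default_action):
    """Return (rule name, action) of the first rule whose every filter parameter matches."""
    fields = parse_query(pkt)
    for rule in order_rules(rules):
        filters = {k: v for k, v in rule.items() if k not in ("name", "action")}
        if all(fields[k] == (v.lower() if isinstance(v, str) else v) for k, v in filters.items()):
            return rule["name"], rule["action"]
    return "default", default_action


# Constructed policy using the rule names seen in the show csw-dns-policy output (assumed filters).
POLICY = [
    {"name": "d3", "query_type": QTYPES["ANY"], "action": "rate-limit"},
    {"name": "d4", "query_name": "example.com", "query_type": QTYPES["ANY"], "action": "drop"},
    {"name": "d2", "query_name": "www.example.com", "dnssec_ok": True, "action": "redirect"},
]
```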
Once a packet matches a configured filter, the following actions can be specified:
• drop
• Redirect to a server or server group
• rate-limit
• log (log is a secondary action and cannot be specified by itself)
The actions are configured within the DNS DPI policy as shown in the following.
This command enables DNS content switching.
Configuring global commands for DNS attack protection
You can optionally configure the following to apply to all DNS attack protection configurations:
• Dropping all DNS packets that are fragmented
• Dropping all DNS packets with multiple queries
• Dropping all DNS packets that are malformed
To configure a ServerIron ADX to drop all DNS packets that are fragmented, use the server dns-dpi drop-frag-pkts command as shown.
ServerIron# show csw-dns-policy p1
Rule Name Action Hit Count d2 redirect 0 d4 drop 0 d3 rate-limit 0 default drop 0 Rate Limit Held Down 0 0 0 0
You can display the DNS DPI policy counters for all DNS policies as shown.
Chapter 2 Access Control List
How ServerIron processes ACLs
This chapter describes the Access Control List (ACL) feature. ACLs allow you to filter traffic based on the information in the IP packet header. Depending on the Brocade device, the device may also support Layer 2 ACLs, which filter traffic based on Layer 2 MAC header fields. You can use IP ACLs to provide input to other features such as distribution lists and rate limiting.
Backwards compatibility option: You can use the ip flow-based-acl-enable command to provide backwards compatibility for IPv4 ACL processing. If this command is configured, packets for Layer 4 - 7 traffic are processed in hardware and then forwarded to the BPs, where the BPs also process the ACLs. This command is configured as shown in the following.
Default ACL action
How fragmented packets are processed
The descriptions for rule-based ACLs above apply to non-fragmented packets. The default processing of fragments by rule-based ACLs is as follows:
• The first fragment of a packet is permitted or denied using the ACLs. The first fragment is handled the same way as non-fragmented packets, since the first fragment contains the Layer 4 source and destination application port numbers.
• If you want to secure access in environments with many users, you might want to configure ACLs that consist of explicit deny entries, then add an entry to permit all access to the end of each ACL. The software permits packets that are not denied by the deny entries.
Types of IP ACLs
Rule-based ACLs can be configured as standard or extended ACLs. A standard ACL permits or denies packets based on source IP address.
ACL entries and the Layer 4 CAM
1. The system-max for ip-filter-sys must be set to 4096.
ServerIronADX(config)# system-max ip-filter-sys 4096
2. The ip access-group max-l4-cam parameter must be set to 4096 on the interface to which the ACL will be applied.
ServerIronADX(config)# interface ethernet 1
ServerIronADX(config-if-e1000-1)# ip access-group max-l4-cam 4096
3. Execute the write memory command to save the running configuration to the startup-config, then reload the ServerIron ADX.
Specifying the maximum number of CAM entries for rule-based ACLs
For rule-based ACLs, you can adjust the allocation of Layer 4 CAM space for use by ACLs, on an IPC or IGC basis and on 10 Gigabit Ethernet modules. The new allocation applies to all the ports managed by the IPC or IGC or 10 Gigabit Ethernet module. Most ACLs require one CAM entry for each ACL entry (rule). The exception is an ACL entry that matches on more than one TCP or UDP application port.
Configuring numbered and named ACLs
Configuring standard numbered ACLs
This section describes how to configure standard numbered ACLs with numeric IDs:
• For configuration information on named ACLs, refer to "Configuring standard or extended named ACLs" on page 62.
• For configuration information on extended ACLs, refer to "Configuring extended numbered ACLs" on page 56.
Standard ACLs permit or deny packets based on source IP address. You can configure up to 99 standard ACLs.
The parameter specifies the mask value to compare against the host address specified by the parameter. The is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet's source address must match the . Ones mean any value matches. For example, the and values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.
The IP protocol can be one of the following well-known names or any IP protocol number from 0 – 255:
• Internet Control Message Protocol (ICMP)
• Internet Group Management Protocol (IGMP)
• Internet Gateway Routing Protocol (IGRP)
• Internet Protocol (IP)
• Open Shortest Path First (OSPF)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
For TCP and UDP, you also can specify a comparison operator and port name or number.
ServerIronADX(config)# int eth 1/2
ServerIronADX(config-if-1/2)# ip access-group 102 in
ServerIronADX(config-if-1/2)# exit
ServerIronADX(config)# int eth 4/3
ServerIronADX(config-if-4/3)# ip access-group 102 in
ServerIronADX(config)# write memory
Here is another example of an extended ACL.
ServerIronADX(config)#
ServerIronADX(config)# 209.157.22.
The parameter indicates the ACL number and can be from 100 – 199 for an extended ACL. The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded. The parameter indicates the type of IP packet you are filtering. You can specify a well-known name for any protocol whose number is less than 255. For other protocols, you must enter the number.
• echo-reply
• information-request
• log
• mask-reply
• mask-request
• parameter-problem
• redirect
• source-quench
• time-exceeded
• timestamp-reply
• timestamp-request
• unreachable
The parameter specifies a comparison operator for the TCP or UDP port number. This parameter applies only when you specify tcp or udp as the IP protocol. For example, if you are configuring an entry for HTTP, specify tcp eq http.
NOTE
The out option is not supported in the rule-based ACL mode.
The precedence | parameter of the ip access-list command specifies the IP precedence. The precedence of an IP packet is set in a three-bit field following the four-bit header-length field of the packet's header. You can specify one of the following:
• critical or 5 – The ACL matches packets that have the critical precedence.
NOTE
This parameter applies only if you specified icmp as the value.
The log parameter enables SNMP traps and Syslog messages for packets denied by the ACL. You can enable logging on ACLs and filters that support logging even when the ACLs and filters are already in use. To do so, re-enter the ACL or filter command and add the log parameter to the end of the ACL or filter. The software replaces the ACL or filter command with the new one.
The parameter is the ACL name. You can specify a string of up to 256 alphanumeric characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, "ACL for Net1"). The parameter allows you to specify an ACL number if you prefer. If you specify a number, you can specify from 1 – 99 for standard ACLs or 100 – 199 for extended ACLs.
ServerIronADX(config)# show access-list 99 3
Standard IP access-list 99
deny 10.10.10.1
deny 192.168.1.13
permit any
Syntax: show access-list []
Enter the ACL number for the parameter. Determine from which line you want the displayed information to begin and enter that number for the parameter.
Named ACL
For a named ACL, enter a command such as the following.
Configuring numbered and named ACLs 2 ServerIronADX(config)#show access-list 99 | include 5 Standard IP access-list 99 permit host 5.6.7.8 permit host 5.10.11.12 The second and third entries in the ACL contain the keyword “5” and are displayed in the show access-list. If you want to exclude ACL entries that contain a keyword from the show access-list display, enter the following command. ServerIronADX(config)# show access-list 99 | exclude 5 Standard IP access-list 99 deny host 1.2.3.
ServerIronADX(config)# show access-list melon | include 5
Standard IP access-list melon
permit host 5.6.7.8
permit host 5.10.11.12
The second and third entries in the ACL contain the keyword "5" and are displayed in the show access-list output. To exclude ACL entries that contain a keyword from the display, enter the following command.
ServerIronADX(config)# show access-list melon | exclude 5
Standard IP access-list melon
deny host 1.2.3.
Modifying ACLs
When you use the Brocade device's CLI to configure any ACL, the software places the entries in the ACL in the order you enter them. For example, if you enter the following entries in the order shown below, the software always applies the entries to traffic in that same order.
ServerIronADX(config)# access-list 1 deny 209.157.22.0/24
ServerIronADX(config)# access-list 1 permit 209.157.22.
access-list 1 deny host 209.157.22.26 log
access-list 1 deny 209.157.22.0 0.0.0.255 log
access-list 1 permit any
access-list 101 deny tcp any any eq http log
The software applies the entries in ACL 1 in the order shown and stops at the first match. Thus, if a packet is denied by one of the first two entries, it is not permitted by the third entry (permit any), even though the packet also matches that entry's comparison values.
Named ACLs
To display the contents of named ACLs, enter a command such as the following.
ServerIronADX# show ip access-list melon
Standard IP access list melon
deny host 1.2.4.5
deny host 5.6.7.8
permit any
Syntax: show ip access-list |
Applying ACLs to interfaces
The configuration examples in the section "Configuring numbered and named ACLs" on page 54 show that you apply ACLs to interfaces using the ip access-group command.
ACL logging
You may want the software to log ACL matches in the syslog. This section describes how logging is processed by rule-based ACLs. Rule-based ACLs do not support the log option in hardware: even when rule-based ACLs are enabled, if an ACL entry has the log option, traffic that matches that entry is sent to the CPU for processing. Depending on how many entries have the log option and how often packets match those entries, ACL performance can be affected.
NOTE: The software requires that an ACL has already been applied to the interface. When you enable redirection, the deny action of the ACL entry is still honored: traffic that matches the ACL is not forwarded.
Displaying ACL log entries
The first time an entry in an ACL permits or denies a packet and logging is enabled for that entry, the software generates a Syslog message and an SNMP trap. Messages for packets permitted or denied by ACLs are logged at the warning level of the Syslog.
You can also configure the maximum number of ACL-related log entries that can be added to the system log over a one-minute period. For example, to limit the device to 100 ACL-related syslog entries per minute, enter the following command.
ServerIronADX(config)# max-acl-log-num 100
Syntax: [no] max-acl-log-num
You can specify a number from 0 through 4096. The default is 256. Specifying 0 disables all ACL logging.
On an individual interface basis, you can configure an IronCore device to automatically drop a fragment whose source and destination IP addresses exactly match an ACL entry that has Layer 4 information, even if that ACL entry's action is permit. To do so, enter the following command at the configuration level for an interface.
Syntax: [no] ip access-group frag inspect | deny
The inspect | deny parameter specifies whether you want fragments to be sent to the CPU or dropped:
• inspect – Sends all fragments to the CPU.
• deny – Begins dropping all fragments received by the port as soon as you enter the command. This option is especially useful if the port is receiving an unusually high rate of fragments, which can indicate an attack.
The parameter specifies the maximum number of fragments the device or an individual interface can receive and send to the CPU in a one-second interval.
• frag-rate-on-system – Sets the threshold for the entire device. The device can send to the CPU only the number of fragments you specify per second, regardless of which interfaces the fragments come in on.
Syntax: [no] hw-drop-acl-denied-packet
Enabling strict TCP or UDP mode for flow-based ACLs
By default, when you use ACLs to filter TCP or UDP traffic, the Brocade device does not compare all TCP or UDP packets against the ACLs. For TCP and UDP, the device first compares the source and destination information in a TCP control packet or a UDP packet against entries in the session table.
NOTE: Regardless of whether strict mode is enabled or disabled, the device always compares TCP control packets against the configured ACLs before creating a session entry for forwarding the traffic.
NOTE: If the device's configuration currently has ACLs associated with interfaces, remove the ACLs from the interfaces before changing the ACL mode.
To enable the strict ACL TCP mode, enter the following command at the global CONFIG level of the CLI.
Syntax: [no] ip strict-acl-udp
This command configures the device to compare all UDP packets against the configured ACLs before forwarding them. To disable the strict ACL mode and return to the default ACL behavior, enter the following command.
ServerIronADX(config)# no ip strict-acl-udp
NOTE: Enter the ip rebind-acl command at the global CONFIG level of the CLI to place the ip strict-acl-udp or no ip strict-acl-udp command into effect.
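The security consequence of the default (non-strict) behaviour is easy to miss: once a flow has a session entry, later packets of that flow are forwarded on the session-table hit without being re-checked, so an ACL change that is not rebound, or a permit that was later withdrawn, does not affect established flows. The following model is an added example (not ServerIron ADX code) that reproduces the default and strict behaviour described above; the ACL is a plain callable, and ip rebind-acl is modelled as flushing the session table, which is an assumption of the model rather than a statement about device internals.

```python
"""Session table short-cut versus strict ACL mode (added example; not
ServerIron ADX code). By default only the first packet of a UDP flow,
and TCP control packets, are compared against the ACL; once a session
entry exists, later packets are forwarded on the session-table hit
alone. With ip strict-acl-tcp / ip strict-acl-udp every packet is
compared against the ACL. ip rebind-acl is modelled as flushing the
session table (an assumption of this model).
"""
from typing import Callable, Dict, Tuple

Flow = Tuple[str, int, str, int, str]      # src, sport, dst, dport, proto


class FlowFilter:
    def __init__(self, acl: Callable[[Flow], str], strict_tcp=False, strict_udp=False):
        self.acl = acl
        self.strict = {"tcp": strict_tcp, "udp": strict_udp}
        self.sessions: Dict[Flow, bool] = {}
        self.acl_lookups = 0

    def rebind(self, acl):
        """ip rebind-acl: install a new ACL and drop cached session decisions."""
        self.acl = acl
        self.sessions.clear()

    def process(self, flow: Flow, control: bool = False) -> str:
        proto = flow[4]
        # TCP control packets (SYN/FIN/RST) are always checked against the ACL.
        if flow in self.sessions and not self.strict[proto] and not (proto == "tcp" and control):
            return "forward"                        # session-table hit, ACL not consulted
        self.acl_lookups += 1
        if self.acl(flow) == "permit":
            self.sessions[flow] = True
            return "forward"
        self.sessions.pop(flow, None)
        return "drop"


def permit_dns_only(flow: Flow) -> str:
    return "permit" if flow[4] == "udp" and flow[3] == 53 else "deny"


def deny_all(flow: Flow) -> str:
    return "deny"


def leak_demo(strict: bool) -> Tuple[str, int]:
    """Open a permitted UDP flow, then swap in a deny-all ACL without rebinding.
    Returns the verdict for the next packet of that flow and the ACL lookups made."""
    f = FlowFilter(permit_dns_only, strict_udp=strict)
    flow = ("10.1.1.5", 40000, "8.8.8.8", 53, "udp")    # constructed flow
    f.process(flow)                 # first packet: ACL consulted, session created
    f.acl = deny_all                # ACL edited, ip rebind-acl not yet entered
    return (f.process(flow), f.acl_lookups)
```

In default mode leak_demo(False) returns ("forward", 1): the second packet never reaches the ACL. In strict mode leak_demo(True) returns ("drop", 2). This is why the note above tells you to enter ip rebind-acl after changing the mode: until the ACL is reapplied, established sessions keep their old verdict.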
ServerIronADX# show access-list 100
Extended IP access list 100 (Total flows: 432, Total packets: 42000)
permit tcp 1.1.1.0 0.0.0.255 any (Flows: 80, Packets: 12900)
deny udp 1.1.1.0 0.0.0.255 any (Flows: 121, Packets: 20100)
permit ip 2.2.2.0 0.0.0.255 any (Flows: 231, Packets: 9000)
Syntax: show access-list | | all
To clear the flow counters for ACL 100.
• To create ACL policies that filter ICMP message types, you can either enter the name of the message type or enter its type and code IDs. ICMP message type filtering is also available for rule-based ACLs on BigIron Layer 2 Switch and Layer 3 Switch images.
Numbered ACLs
For example, to deny the echo message type in a numbered ACL, enter commands such as the following when configuring a numbered ACL.
The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded. You can either enter the name of the message type or enter the type number and code number of the message. Refer to Table 5 for valid values.
NOTE: "X" in the Type-Number or Code-Number column in Table 5 means the device filters any traffic of that ICMP message type.
TABLE 5 ICMP message types and codes
ICMP message type      Type  Code
protocol-unreachable   3     2
reassembly-timeout     11    1
redirect               5     x   (NOTE: this includes all redirects)
router-advertisement   9     0
router-solicitation    10    0
source-host-isolated   3     8
source-quench          4     0
source-route-failed    3     5
time-exceeded          11    x
timestamp-reply        14    0
timestamp-request      13    0
ttl-exceeded           11    0
unreachable            3     x
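The two points above worth checking before an ACL goes live are the first-match ordering (section "Modifying ACLs": a packet denied by an early entry is never reached by a later permit) and the ICMP name-versus-type/code matching in Table 5, where code "x" means any code (so ttl-exceeded is type 11 code 0, while time-exceeded is type 11 with any code). The following is an added example, not ServerIron ADX code: a small evaluator for the ACL forms used on this page (wildcard masks, host, any, prefix/length, eq port, ICMP type/code) that returns which entry decided a packet. The ACLs and packets are constructed for the demonstration; ACL_1 and ACL_101 reproduce the entries shown in "Displaying a list of ACL entries".

```python
"""ACL evaluation model: ordered entries, first match wins, implicit deny.
Added example, not ServerIron ADX code. ICMP entries can name a Table 5
message type or give a numeric type/code; code "x" matches any code.
"""
import ipaddress
from typing import NamedTuple, Optional, Tuple

# Table 5 names -> (type, code); "x" means any code.
ICMP_TYPES = {
    "protocol-unreachable": (3, 2), "reassembly-timeout": (11, 1),
    "redirect": (5, "x"), "router-advertisement": (9, 0),
    "router-solicitation": (10, 0), "source-host-isolated": (3, 8),
    "source-quench": (4, 0), "source-route-failed": (3, 5),
    "time-exceeded": (11, "x"), "timestamp-reply": (14, 0),
    "timestamp-request": (13, 0), "ttl-exceeded": (11, 0),
    "unreachable": (3, "x"),
}


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str              # "tcp", "udp", "icmp" or "ip" (anything else)
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1


class Entry(NamedTuple):
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src: str                # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W" | "A.B.C.D/len"
    dst: str = "any"
    eq_port: Optional[int] = None       # tcp/udp destination port (eq operator only)
    icmp: Optional[Tuple] = None        # (type, code) with code an int or "x"
    log: bool = False


def icmp_spec(name_or_type, code="x"):
    """Resolve a Table 5 name, or a numeric type and code, to (type, code)."""
    if isinstance(name_or_type, str):
        return ICMP_TYPES[name_or_type]
    return (name_or_type, code)


def parse_addr(token):
    """Return (base, wildcard) for the address forms accepted in an ACL entry."""
    if token == "any":
        return ("0.0.0.0", "255.255.255.255")
    if token.startswith("host "):
        return (token[5:], "0.0.0.0")
    if "/" in token:
        net = ipaddress.IPv4Network(token, strict=False)
        return (str(net.network_address), str(net.hostmask))
    base, wildcard = token.split()
    return (base, wildcard)


def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def entry_matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, *parse_addr(e.src)):
        return False
    if not wildcard_match(p.dst, *parse_addr(e.dst)):
        return False
    if e.eq_port is not None and p.dport != e.eq_port:
        return False
    if e.icmp is not None:
        itype, icode = e.icmp
        if p.icmp_type != itype or (icode != "x" and p.icmp_code != icode):
            return False
    return True


def evaluate(acl, p):
    """Walk the ACL in order; return (action, index). Index -1 is the implicit deny."""
    for i, e in enumerate(acl):
        if entry_matches(e, p):
            return (e.action, i)
    return ("deny", -1)


# The numbered ACLs from this page, as Entry tuples (constructed to match the text).
ACL_1 = [
    Entry("deny", "ip", "host 209.157.22.26", log=True),
    Entry("deny", "ip", "209.157.22.0 0.0.0.255", log=True),
    Entry("permit", "ip", "any"),
]
ACL_101 = [Entry("deny", "tcp", "any", "any", eq_port=80, log=True)]
# ttl-exceeded is (11, 0); time-exceeded is (11, any code).
ACL_ICMP = [
    Entry("deny", "icmp", "any", "any", icmp=icmp_spec("ttl-exceeded")),
    Entry("permit", "icmp", "any", "any", icmp=icmp_spec("time-exceeded")),
]
```

evaluate(ACL_1, Packet("209.157.22.26", "10.1.1.1", "tcp", 80)) returns ("deny", 0): the host entry decides and the trailing permit any is never consulted. evaluate(ACL_101, Packet("1.2.3.4", "5.6.7.8", "tcp", 443)) returns ("deny", -1), the implicit deny, which is why an ACL meant to block only HTTP needs an explicit permit entry after the deny.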
ServerIronADX(config)# ip strict-acl-tcp
ServerIronADX(config)# access-list 1 permit 10.10.200.0 0.0.0.255
ServerIronADX(config)# access-list 2 deny 209.157.2.184
The following commands configure global NAT parameters.
ServerIronADX(config)# ip nat inside source list 1 pool outadds overload
ServerIronADX(config)# ip nat pool outadds 204.168.2.1 204.168.2.254 netmask 255.255.255.0
The following commands configure the inside and outside NAT interfaces.
• To view the types of packets being received on an interface, enable ACL statistics using the enable-acl-counter command, reapply the ACLs by entering the ip rebind-acl all command, then display the statistics by entering the show ip acl-traffic command.
• To determine whether an ACL entry is correctly matching packets, add the log option to the ACL entry, then reapply the ACL. This forces the device to send packets that match the ACL entry to the CPU for processing.
Chapter 3 IPv6 Access Control Lists
IACL overview
ServerIron ADX supports IPv6 Access Control Lists (ACLs) in hardware. The maximum number of ACL entries you can configure is a system-wide parameter and depends on the device you are configuring. You can configure up to the maximum of 1024 entries in any combination across different ACLs.
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
NOTE: TCP and UDP filters are matched only if they are listed as the first option in the extension header.
For TCP and UDP, you also can specify a comparison operator and port name or number. For example, you can configure a policy to block web access to a specific website by denying all TCP port 80 (HTTP) packets from a specified source IPv6 address to the website's IPv6 address.
For deny actions: all denied packets are dropped in hardware.
For permit actions: for all traffic, packets are processed in hardware and then forwarded to the BPs. The BPs do not take any action on the ACLs.
Backwards compatibility option: you can use the ipv6 flow-based-acl-enable command to provide backwards compatibility for IPv6 ACL processing. If this command is configured, packets are processed in hardware and then forwarded to the BPs, where the BPs also process the ACLs.
The fourth condition permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming IPv6 traffic on the ports to which you assigned the ACL. The following commands apply the ACL "netw" to the incoming traffic on port 1/2 and to the incoming traffic on port 4/3.
• If you want to tightly control access, configure ACLs consisting of permit entries for the access you want to permit. The ACLs implicitly deny all other access.
• If you want to secure access in environments with many users, you might want to configure ACLs that consist of explicit deny entries, then add an entry to permit all access to the end of each ACL. The permit entry permits packets that are not denied by the deny entries.
• The following ICMPv6 message types are not supported (CLI help listing as captured):
DECIMAL <0-255>            ICMP message type
beyond-scope               Destination Unreachable ICMP message, beyond scope
destination-unreachable    Destination Unreachable ICMP messages
dscp                       Match dscp value in IPv6 packet
echo-reply                 Echo Reply ICMP message
echo-request               Echo Request ICMP message
header                     Parameter Problem ICMP message, header error
hop-limit                  Time Exceeded ICMP message, in transit
log                        Log matches against this entry
mld-query                  MLD
Syntax: permit | deny | any | host | any | host [ipv6-operator []] [log]
For ICMP
Syntax: [no] ipv6 access-list
Syntax: permit | deny icmp | any | host | any | host [ipv6-operator []] [ [][
TABLE 6 Syntax descriptions
Arguments... Description...
source prefix / prefix length: specifies a source prefix and prefix length that a packet must match for the specified action (deny or permit) to occur. Specify the prefix in hexadecimal using 16-bit values between colons as documented in RFC 2373, and the prefix length as a decimal value.
TABLE 6 Syntax descriptions (continued)
Arguments... Description...
tcp-udp-operator: can be one of the following:
eq – The policy applies to the TCP or UDP port name or number you enter after eq.
gt – The policy applies to TCP or UDP port numbers greater than the port number, or the numeric equivalent of the port name, you enter after gt. Enter "?" to list the port names.
Displaying ACLs
To display the ACLs configured on a device, enter the show ipv6 access-list command.
ServerIronADX(config)# ipv6 access-list test2
ServerIronADX(config-ipv6-access-list test2)# deny ipv6 host 2000:1::1 any log
ServerIronADX(config-ipv6-access-list test2)# permit ipv6 2000:1::0/32 any
ServerIronADX(config-ipv6-access-list test2)# permit ipv6 2000:2::0/32 any
ServerIronADX(config-ipv6-access-list test2)# permit ipv6 host 2000:3::1 any
ServerIronADX(config-ipv6-access-list test2)# exit
ServerIronADX(config)# ssh access-group ipv6 test2
Syntax: [no] s
Chapter 4 Network Address Translation
Introduction
Network Address Translation (NAT) translates one IP address into another. For example, it translates an internal private IP address (nonregistered) into an external unique IP address (registered) used on the Internet.
FIGURE 5 Mapping an internal address to an external address (internal 10.1.1.x, external 150.1.1.1, Internet or intranet backbone)
• Dynamic NAT – Maps private addresses to Internet addresses. The Internet addresses come from a pool of addresses that you configure. For example, you can dynamically translate the private pool 10.1.1.1 – 254 to the global pool 150.1.1.10 – 19. In Figure 6, the pool is the range of addresses from 209.157.1.2/24 – 209.157.1.254/24. With dynamic NAT, the software uses a round-robin technique to select a global IP address from the pool you configure to map to a private address.
Configuring an address pool
Use the ip nat pool command to configure the address pool. For an example, refer to "Dynamic NAT configuration example 1" on page 100.
Syntax: [no] ip nat pool netmask | prefix-length | port-pool-range
The pool name parameter specifies the name assigned to the pool. It can be up to 255 characters long and can contain special characters and internal blanks.
Dynamic NAT configuration example 1
This section describes the dynamic NAT configuration shown in Figure 6.
FIGURE 6 Minimum required commands
ip address 10.10.1.2 255.255.255.0
ip default-gateway 10.10.1.1
ip nat inside
ip nat inside source list 10 pool out_pool
ip nat pool out_pool 209.157.1.2 209.157.1.30 prefix-len
!
interface ethernet 2
 port-name To-gateway-router
!
interface ethernet 1
 port-name Inside-Network
!
access-list 10 permit 10.10.1.0 0.0.0.
ServerIronADX(config-ve-2)# ip nat inside
ServerIronADX(config-ve-3)# ip nat outside
3. Configure a numbered ACL that permits the IP addresses on the inside. Then define the global address pool and enable dynamic NAT.
ServerIronADX(config)# access-list 101 permit ip 10.10.1.0/24 any
ServerIronADX(config)# ip nat pool global_pool 209.157.1.2 209.157.1.254 prefix-length 24
Make sure you specify permit in the ACL, rather than deny.
ServerIronADX(config)# interface ethernet 1/1
ServerIronADX(config-if-e1000-1/5)# ip address 30.30.0.1 255.255.0.0
ServerIronADX(config-if-e1000-1/5)# ip nat outside
The following command creates a pool of IP NAT addresses from 15.15.15.15 to 15.15.15.25 named p1.
ServerIronADX(config)# ip nat pool p1 15.15.15.15 15.15.15.25 prefix-len 24
An ACL is created to permit traffic from inside hosts in the 20.20.0.0 network as shown.
ServerIronADX(config)# access-list 1 permit 20.20.0.0 0.0.255.
ServerIronADX(config)# interface ethernet 1/1
ServerIronADX(config-if-e1000-1/5)# ip address 30.30.0.1 255.255.0.0
ServerIronADX(config-if-e1000-1/5)# ip nat outside
The following command configures the ServerIron ADX to translate IP packets with a local IP address of 20.20.5.6 to the global IP address 15.15.15.15.
ServerIronADX(config)# ip nat inside source static 20.20.5.6 15.15.15.
ServerIronADX(config)# nat-forward-no-session
Syntax: [no] nat-forward-no-session
Translation timeouts
The NAT translation table contains all the currently active NAT translation entries on the device. An active entry is one the ServerIron ADX creates for a private address when the client at that address sends traffic.
The finrst-timeout keyword identifies TCP FIN (finish) and RST (reset) packets, which normally terminate TCP connections. The default is 120 seconds. This timer is not related to tcp-timeout, which applies to packets to or from a host address that is mapped to a global IP address and a TCP port number (PAT feature). The finrst-timeout applies to packets that terminate a TCP session, regardless of the host address or whether PAT is used.
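The dynamic NAT, PAT (overload), static NAT and timeout sections above describe one data structure: a translation table keyed on the inside host (dynamic) or on the full protocol/address/port (PAT), with global addresses chosen round-robin from the pool and entries aged out by protocol timers. The following is an added example, not ServerIron ADX code, that models that table so the pool-exhaustion case ("no ports avl" in show ip nat statistics) and the effect of finrst-timeout can be seen. Pool addresses, the port range and the tcp/udp timer defaults are constructed for the demonstration; only the 120-second finrst-timeout default is taken from the text.

```python
"""NAT translation table: dynamic pool (round robin), PAT overload,
static mappings and timeouts. Added example, not ServerIron ADX code;
pool addresses, port range and the tcp/udp timers are constructed.
"""
import itertools
from collections import Counter
from typing import Dict


class NatTable:
    def __init__(self, pool, overload=False, port_range=(1024, 65535),
                 tcp_timeout=3600, udp_timeout=300, finrst_timeout=120):
        self.pool = list(pool)
        self.overload = overload
        self.ports = range(port_range[0], port_range[1] + 1)
        self.timeout = {"tcp": tcp_timeout, "udp": udp_timeout}
        self.finrst_timeout = finrst_timeout
        self._rr = itertools.cycle(self.pool)            # round-robin pool selection
        self.static: Dict[str, str] = {}                 # inside local -> inside global
        self.entries: Dict[tuple, list] = {}             # key -> [global_ip, global_port, expires]
        self.in_use: Dict[str, set] = {ip: set() for ip in self.pool}
        self.stats = Counter()

    def add_static(self, local_ip, global_ip):
        """ip nat inside source static <local> <global>: fixed 1:1 mapping, no timers."""
        self.static[local_ip] = global_ip

    def _key(self, proto, ip, port):
        # Dynamic NAT keys on the inside host; PAT keys on the full (proto, ip, port).
        return (proto, ip, port) if self.overload else ("ip", ip, 0)

    def _allocate(self, proto):
        for _ in range(len(self.pool)):
            gip = next(self._rr)
            if not self.overload:
                if not self.in_use[gip]:                 # 1:1 -> whole address taken
                    self.in_use[gip].add(0)
                    return gip, 0
                continue
            for p in self.ports:                         # PAT -> first free port on this address
                if p not in self.in_use[gip]:
                    self.in_use[gip].add(p)
                    return gip, p
        self.stats["nat %s no ports avl" % proto if self.overload else "no global addr avl"] += 1
        return None

    def outbound(self, proto, src_ip, src_port, now):
        """Inside -> outside. Returns (global_ip, global_port), or None when the pool is exhausted."""
        self.purge(now)
        if src_ip in self.static:
            return (self.static[src_ip], src_port)
        key = self._key(proto, src_ip, src_port)
        ent = self.entries.get(key)
        if ent is None:
            alloc = self._allocate(proto)
            if alloc is None:
                return None
            ent = self.entries[key] = [alloc[0], alloc[1], 0]
        ent[2] = now + self.timeout[proto]               # traffic refreshes the timer
        return (ent[0], ent[1] if self.overload else src_port)

    def inbound(self, proto, global_ip, global_port, now):
        """Outside -> inside for an existing translation; None when no entry exists."""
        self.purge(now)
        for local, glob in self.static.items():
            if glob == global_ip:
                return (local, global_port)
        for (kproto, ip, port), (gip, gport, _) in self.entries.items():
            if gip != global_ip:
                continue
            if not self.overload:
                return (ip, global_port)
            if kproto == proto and gport == global_port:
                return (ip, port)
        return None

    def fin_rst(self, proto, src_ip, src_port, now):
        """TCP FIN/RST observed: the entry now lives at most finrst-timeout seconds."""
        ent = self.entries.get(self._key(proto, src_ip, src_port))
        if ent:
            ent[2] = min(ent[2], now + self.finrst_timeout)

    def purge(self, now):
        """Drop expired entries and return their global address/port to the pool."""
        dead = [k for k, e in self.entries.items() if e[2] <= now]
        for k in dead:
            gip, gport, _ = self.entries.pop(k)
            self.in_use[gip].discard(gport)
        return len(dead)
```

With a two-address pool and no overload, the third inside host gets no translation until an entry expires; with overload the limit is the port range per global address instead, and a FIN/RST shortens the entry to finrst-timeout so the port is freed early rather than after the full tcp-timeout.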
The new protocol is similar to the symmetric VIP protocol and uses any L2 link to exchange the NAT PDUs. Both ServerIron ADXs run a "symmetric VIP like" protocol to report and receive ownership (similar to the VLAN AD protocol in symmetric SLB). When one ServerIron ADX goes down, the peer ServerIron ADX becomes the master for that NAT IP (in the case of static NAT) or NAT pool (in the case of dynamic NAT).
The priority can be 1 or 2. 2 is the higher priority, and that device will be the owner of the NAT IP as long as the system is up.
Enabling dynamic NAT redundancy
To enable dynamic NAT redundancy, enter commands such as the following.
ServerIronADX(config)# ip nat pool foo 63.23.1.2 63.23.1.
Displaying NAT statistics
To display NAT statistics, enter commands such as the following.
Syntax: show ip nat statistics
TABLE 7 Display fields for show ip nat statistics
This field... Displays...
send nat unreachable (tcp fwd) – The number of times that a "port unreachable" message was generated for NAT TCP forward traffic.
nat tcp no ports avl – The number of times that a "port unreachable" message was generated because the ServerIron could not get a port from the port pool for a NAT IP for TCP forward traffic.
TABLE 7 Display fields for show ip nat statistics (continued)
This field... Displays...
nat udp rev ip status zero – The number of times that an error in NAT translation for UDP reverse traffic has occurred.
nat udp rev usr index null – The number of times that a "port unreachable" message was generated because the ServerIron could not create a user session for UDP reverse traffic.
TABLE 8 Display fields for show ip nat translation
This field... Displays...
Pro – When PAT is enabled, this field indicates the protocol NAT is using to uniquely identify the host. NAT can map the same IP address to multiple hosts and use the protocol port to distinguish among the hosts. This field can have one of the following values:
• tcp – In addition to this IP address, NAT is associating a TCP port with the host on the private network.
ServerIronADX# show ip nat redundancy (on standby)
NAT Pool Start IP: 10.1.1.150  Mac address: 020c.db01.0196  State: Standby  Priority: Low  Standby Idle count: 0  Threshold: 20
NAT Pool Start IP: 10.1.1.91   Mac address: 020c.db01.015b  State: Standby  Priority: Low  Standby Idle count: 0  Threshold: 20
NAT Pool Start IP: 10.1.1.92   Mac address: 020c.db01.015c  State: Standby  Priority: Low  Standby Idle count: 0  Threshold: 20
NAT Pool Start IP: 10.1.1.95   Mac address: 020c.db01.
Chapter 5 Syn-Proxy and DoS Protection
This chapter describes how to configure the Syn-Proxy and DoS protection features on the ServerIron ADX Traffic Managers.
Understanding Syn-Proxy
Syn-Proxy allows TCP connections to be terminated on the ServerIron ADX. When Syn-Proxy is enabled, the ServerIron ADX completes the three-way handshake with a connecting client.
If you want your ServerIron ADX to behave more like a JetCore-based ServerIron device, you can use any of the following three workarounds:
1. Enable syn-proxy on the server interface.
2. Enable ip nat.
3. Enable "server security-on-vip-only".
ServerIronADX(config)# interface ethernet 2/1
ServerIronADX(config-if-e1000-2/1)# ip tcp syn-proxy in
Syntax: interface ethernet
Syntax: ip tcp syn-proxy in
The ip tcp syn-proxy command can be configured on either a physical interface (as shown) or a ve interface.
ServerIronADX(config)# ip tcp syn-proxy reset-using-client-mac
Syntax: [no] ip tcp syn-proxy reset-using-client-mac
This command is useful only when the client cannot be reached using the ServerIron ADX default gateway and the default gateway of the server is different from the default gateway of the ServerIron ADX.
Limiting the syn-proxy feature to defined VIPs
With this feature enabled, SYN packets are dropped if the virtual server IP port is not defined under a VIP configuration. This feature is enabled with the following command.
ServerIronADX(config)# server syn-cookie-check-vport
Syntax: [no] server syn-cookie-check-vport
Setting the source MAC address
With this feature enabled, the SYN-ACK reply packets have their source MAC address set to the MAC address of the ServerIron ADX.
• Virtual server level – configures the TCP MSS value for all virtual ports under a specified virtual server
• Virtual port level – configures the TCP MSS value for a specified virtual port
• Destination IP – configures the TCP MSS value for pass-through traffic to a specified destination IP address
NOTE: tcp-mss works only when syn-proxy is enabled. If syn-proxy is turned off, tcp-mss has no effect.
The MSS variable specifies the MSS value for all SYN-ACK packets generated by the ServerIron ADX for this virtual server, regardless of the client's MSS value. This value can be from 64 to 9216. Make sure that the IP MTU of the interfaces is always greater than the MSS value.
TABLE 9 MSS values for IPv4, IPv6 and IPv4 jumbo
MSS value
IPv6:        64, 236, 516, 946, 1004, 1420, 1432, 1440
IPv4 Jumbo:  256, 536, 966, 1024, 1452, 1460, 4038, 8960
Configuring Syn-Proxy auto control
Syn-proxy auto control operates the same as the normal Syn-proxy feature except that it is enabled and disabled based on the arrival rate of TCP SYN packets on the ServerIron ADX. This is described in "Syn-Proxy auto control" on page 113.
The on-threshold-value variable is used with the on-threshold parameter and specifies the number of TCP SYN packets received per second. When this value is exceeded for the interval defined by the server syn-attack-detection-interval command, Syn-Proxy is enabled on the ServerIron ADX. This value should be set much higher than the normal TCP SYN packet arrival rate.
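Two things in the Syn-Proxy material above are worth seeing in code: why the SYN-ACK can carry only one of a small table of MSS values (Table 9 has eight entries per family, which is what fits in the three bits a SYN cookie can spare), and how the auto-control thresholds turn the proxy on and off. The following is an added example, not ServerIron ADX code. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash over the 4-tuple and client ISN) is the classic SYN-cookie design, not a documented ServerIron format; the MSS table is the IPv6 row of Table 9; the per-process secret, the 4-tick maximum cookie age and the auto-control off-threshold are assumptions of the example.

```python
"""SYN cookie construction/validation with MSS encoding, plus the
auto-control on/off logic. Added example, not ServerIron ADX code; the
cookie layout and the off-threshold behaviour are assumptions.
"""
import hashlib
import hmac
import secrets
import struct

MSS_TABLE = (64, 236, 516, 946, 1004, 1420, 1432, 1440)   # 8 values -> 3-bit index
SECRET = secrets.token_bytes(16)                          # per-process secret (constructed)


def mss_index(client_mss):
    """Largest table entry not above the client's MSS; index 0 if the MSS is tiny."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= client_mss:
            idx = i
    return idx


def _tag(src, sport, dst, dport, client_isn, t5):
    msg = b"|".join([src.encode(), dst.encode()]) + struct.pack("!HHIB", sport, dport, client_isn, t5)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, client_isn, client_mss, t):
    """Sequence number for the SYN-ACK; no per-connection state is kept."""
    t5 = t & 0x1F
    return (t5 << 27) | (mss_index(client_mss) << 24) | _tag(src, sport, dst, dport, client_isn, t5)


def validate_ack(src, sport, dst, dport, seq, ack, t, max_age=4):
    """Check the client's final ACK. Returns the MSS to use, or None if invalid or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    t5 = cookie >> 27
    if ((t & 0x1F) - t5) & 0x1F > max_age:            # counter wraps modulo 32
        return None
    if cookie & 0xFFFFFF != _tag(src, sport, dst, dport, client_isn, t5):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


class SynAutoControl:
    """Enable Syn-Proxy when the SYN rate stays above on_threshold for
    `interval` consecutive seconds; disable when it stays below off_threshold
    for the same interval (the off side is an assumption of this example)."""

    def __init__(self, on_threshold, off_threshold, interval):
        self.on, self.off, self.interval = on_threshold, off_threshold, interval
        self.enabled = False
        self.streak = 0

    def observe(self, syns_per_second):
        breach = syns_per_second > self.on if not self.enabled else syns_per_second < self.off
        self.streak = self.streak + 1 if breach else 0       # one quiet second resets the count
        if self.streak >= self.interval:
            self.enabled, self.streak = not self.enabled, 0
        return self.enabled
```

Because the cookie is all the state the proxy keeps, the MSS the server side ends up with is MSS_TABLE[index], not the client's exact value; this is the reason a per-VIP tcp-mss setting exists and why it only matters while syn-proxy is on.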
Displaying TCP attack information
The show server tcp-attack command displays attack information for the connection rate counters.
Syntax: show server traffic
TABLE 10 Field descriptions for show L4-traffic
Field – Description
last conn rate – Rate of TCP traffic per second. This includes all TCP traffic, including TCP SYN DoS attacks.
max conn rate – Peak rate of TCP traffic (per second) encountered on this device.
last TCP attack rate – Rate of TCP DoS attacks per second. This rate is delayed by 1 to 2 minutes.
max TCP attack rate – Peak rate of TCP DoS attacks (per second) encountered on this device.
TABLE 11 Output descriptions for show server syn-cookie
Field – Description
CPU SYNs rcvd / AXP SYNs rcvd – Number of SYNs received on ServerIron ADX ports that have the Syn-Proxy feature enabled.
CPU SYN-ACKs sent / AXP SYN-ACKs sent – Number of SYN-ACKs sent from the ServerIron ADX to the client.
CPU Valid ACKs rcvd / AXP Valid ACKs rcvd – Number of valid ACKs received from the client.
Invalid ACKs rcvd – Number of invalid ACKs received from the client.
Configuring a security filter
Configuring a security filter requires you to define it by name and configure rules within it, as shown in the following.
ServerIronADX(config)# security filter filter1
ServerIronADX(config-sec-filter1)# rule xmas-tree drop
Syntax: security filter
The filter name variable specifies the filter being defined, which is then bound to a port. The rule command defines the attack method that is being filtered.
lt – less-than
lteq – less-than-or-equals
neq – not-equals
The configured generic rule must be bound to a filter to take effect.
Configuring a rule for common attack types
As described in "Configuring a Generic Rule" on page 125, you can create a custom rule to manage DDoS attacks. In addition, ServerIron ADX has built-in rules to manage common attack types. In this case, the rule command is used with a variable specified in Table 13. The following example configures the "filter1" security filter with a rule to drop packets that are associated with a "xmas tree" attack.
TABLE 13 Rules for common attack types and descriptions
fin-with-no-ack – TCP packets with a FIN flag normally also have the ACK bit set. Use fin-with-no-ack to drop TCP packets where the FIN flag is set but the ACK bit is not.
large icmp – ICMP packets greater than 1500 bytes.
unknown-ip-protocol – Protocol numbers 101 and above are treated as reserved and undefined by this rule. Attackers sometimes use protocol values that are not valid protocols. Before enabling this rule, check the IANA protocol-number registry against the protocols your network carries: several numbers above 100 are assigned (for example 103 PIM, 112 VRRP and 132 SCTP) and would be dropped by it.
Configuring a rule for ip-option attack types
ServerIron ADX has a set of built-in rules to manage ip-option attack types. In this case, the rule command is used with a variable specified in Table 14. The following example configures the "filter2" security filter with a rule to drop packets that are associated with an ip-option record-route attack.
Configuring a rule for icmp-type options
ServerIron ADX has a set of built-in rules to manage icmp-type options. In this case, the rule-icmp-type command is used with a variable specified in Table 15. The following example configures the "filter3" security filter with a rule to drop packets that contain the icmp-type echo-reply type.
TABLE 15 icmp option types and descriptions
icmp-type router-advertisement – icmp type 9: router-advertisement
icmp-type router-selection – icmp type 10: router-selection
icmp-type source-quench – icmp type 4: source-quench
icmp-type time – icmp type 11: time-exceeded
icmp-type timestamp – icmp type 13: timestamp
icmp-type timestamp-reply – icmp type 14: timestamp-reply
Configuring a rule for IPv6 ICMP types
ServerIron ADX has a set of built-in rules to manage IPv6 icmp types.
TABLE 16 ICMPv6 types and descriptions
reserved – ICMP type 255: reserved for expansion
router-advertisement – ICMP type 134: router-advertisement
router-solicitation – ICMP type 133: router-solicitation
Configuring a rule for IPv6 ext header types
ServerIron ADX has a set of built-in rules to manage IPv6 header types. In this case, the rule command is used with a variable specified in Table 17.
Binding the filter to an interface
To take effect, a filter must be bound to an interface; once bound, it is applied globally to all interfaces on the ServerIron ADX. To bind a filter to an interface, use the following command:
ServerIronADX(config-if-e1000-1/2)# security apply-filter filter1
Syntax: security apply-filter
The filter name variable specifies the filter that you want to apply on the ServerIron ADX. A maximum of 10 filters can be bound to a single interface.
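To see what the built-in rules in Tables 13 through 15 actually test on the wire, and how several filters bound to one interface are evaluated, the following is an added example, not ServerIron ADX code. It parses minimal IPv4 packets and implements the rule names from this page as predicates; where the page's rule descriptions are incomplete, the definitions are assumptions: xmas-tree is taken as FIN, PSH and URG all set, large-icmp as an IP total length above 1500 bytes, unknown-ip-protocol as a protocol number of 101 or more (the page's own threshold), and ip-option record-route as IP option type 7. The packets are constructed test data with checksums left at zero.

```python
"""Security-filter rule evaluation over raw IPv4 packets. Added example,
not ServerIron ADX code; rule definitions marked above are assumptions.
"""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ipv4(proto, payload=b"", options=b""):
    """Minimal IPv4 header (checksum 0) + options padded to 4 bytes + payload (constructed)."""
    opt_words = (len(options) + 3) // 4
    options = options.ljust(opt_words * 4, b"\x00")
    ihl = 5 + opt_words
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      bytes([10, 1, 1, 5]), bytes([10, 1, 1, 100]))
    return hdr + options + payload


def tcp(flags, sport=40000, dport=80):
    return struct.pack("!HHI IBBHHH".replace(" ", ""), sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def icmp(itype, code=0, size=8):
    return struct.pack("!BBHI", itype, code, 0, 0).ljust(size, b"\x00")


def parse(pkt):
    """Extract the fields the rules look at: protocol, length, IP options, TCP flags, ICMP type."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, option_types, i = pkt[20:ihl], set(), 0
    while i < len(opts) and opts[i] != 0:            # option type 0 = end of list
        option_types.add(opts[i])
        i += 1 if opts[i] == 1 else max(opts[i + 1] if i + 1 < len(opts) else 2, 2)
    body = pkt[ihl:]
    return {
        "proto": pkt[9],
        "total_len": struct.unpack("!H", pkt[2:4])[0],
        "ip_options": option_types,
        "tcp_flags": body[13] if pkt[9] == 6 and len(body) >= 14 else None,
        "icmp_type": body[0] if pkt[9] == 1 and len(body) >= 1 else None,
    }


RULES = {
    "xmas-tree": lambda p: p["tcp_flags"] is not None and p["tcp_flags"] & (FIN | PSH | URG) == (FIN | PSH | URG),
    "fin-with-no-ack": lambda p: p["tcp_flags"] is not None and bool(p["tcp_flags"] & FIN) and not p["tcp_flags"] & ACK,
    "large-icmp": lambda p: p["proto"] == 1 and p["total_len"] > 1500,
    "unknown-ip-protocol": lambda p: p["proto"] >= 101,
    "ip-option record-route": lambda p: 7 in p["ip_options"],
    "icmp-type echo-reply": lambda p: p["icmp_type"] == 0,
}


class SecurityFilter:
    """security filter <name>, with rule <rule> drop entries evaluated in order."""
    def __init__(self, name):
        self.name, self.rules, self.hits = name, [], {}

    def rule(self, rule_name, action="drop"):
        self.rules.append((rule_name, action))
        self.hits[rule_name] = 0
        return self

    def check(self, info):
        for rule_name, action in self.rules:
            if RULES[rule_name](info):
                self.hits[rule_name] += 1               # per-rule counters for show output
                return (rule_name, action)
        return None


class Interface:
    """security apply-filter <name>; at most 10 filters per interface."""
    def __init__(self):
        self.filters = []

    def apply_filter(self, sec_filter):
        if not sec_filter.rules or len(self.filters) >= 10:
            raise ValueError("filter needs rules; at most 10 filters per interface")
        self.filters.append(sec_filter)

    def ingress(self, pkt):
        info = parse(pkt)
        for f in self.filters:
            hit = f.check(info)
            if hit and hit[1] == "drop":
                return ("drop", f.name, hit[0])
        return ("forward", None, None)
```

A packet is dropped by the first bound filter whose rule matches, so a FIN+ACK segment passes while a bare FIN or a FIN+PSH+URG segment is dropped by filter1, an echo-reply is dropped by filter3, and per-rule hit counts accumulate for display.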
Displaying security filter statistics
You can display security filter statistics as shown.
Chapter 6 Secure Socket Layer (SSL) Acceleration
ServerIron ADX supports integrated hardware-based SSL acceleration. This chapter describes how to configure a ServerIron ADX for SSL acceleration in SSL Termination or SSL Proxy mode. SSL support on the ServerIron ADX includes SSLv2, SSLv3, and TLS 1.0. Note that SSLv2 and SSLv3 have since been prohibited for use (RFC 6176 and RFC 7568); where the deployment allows, configure the device to negotiate only TLS.
SSL overview
The Secure Sockets Layer (SSL) protocol was developed by Netscape to provide security and privacy between client and server over the Internet.
Asymmetric cryptography
This method alters information so that the key used for encryption is different from the key used for decryption. Encrypted information is unintelligible to unauthorized parties.
Certificate Authority (CA)
The certificate authority (CA) issues and manages security credentials and public keys for message encryption within a network.
Public key
The other half of a key pair, a public key is held in a digital certificate. Public keys are usually published in a directory. Any public key can encrypt information; however, data encrypted with a specific public key can only be decrypted by the corresponding private key.
NOTE: We recommend that you always back up your SSL certificate keys. These keys may be lost in the event of module failure.
[Figure: SSL Termination. Client sends SSL traffic (encrypted) to vip 10 (10.1.1.100) on the ServerIron; the ServerIron sends HTTP traffic (unencrypted) to real server rs10 (10.1.1.20).]
SSL Proxy Mode
In full SSL proxy mode, a ServerIron ADX maintains encrypted data channels with both the client and the server. The ServerIron ADX maintains an SSL session with the client and a separate one with the server. This maintains total SSL security between client and server.
ServerIron ADX keypair file
The keypair file specifies the location for retrieving the SSL asymmetric key pair during an SSL handshake. You can create a keypair file by generating a key pair locally on the ServerIron ADX, or import a pre-existing key pair using secure copy (SCP). The key pair is stored in flash memory and is not deleted during a power cycle.
Configuring SSL on a ServerIron ADX
When configuring a ServerIron ADX for either SSL Termination mode or SSL Proxy mode, you must perform each of the following configuration tasks:
• Obtain a keypair file – This section describes how to obtain an SSL asymmetric key pair. You can generate an RSA key pair or import an existing key pair. See "Obtaining a ServerIron ADX keypair file" on page 140.
Once a key pair is generated, it can be saved for backup on your server by exporting it as described in "Importing keys and certificates" on page 148. You can also import a keypair file (instead of generating it) as described in "Importing keys and certificates" on page 148.
NOTE: The ServerIron ADX supports keys in PEM (Privacy Enhanced Mail) or PKCS12 (Public Key Cryptography Standard 12) formats.
NOTE: To export a certificate off a ServerIron ADX you need the key-pair-file and password configured here.
NOTE: To generate a self-signed certificate, the certkey and sign key must be the same.
Using CA-signed certificates
Before generating a CA-signed certificate, you must obtain an RSA key pair as described in "Obtaining a ServerIron ADX keypair file" on page 140.
MIIDKTCCApKgAwIBAgIRAJoKUHAGHghM4kW84LNXP1wwDQYJKoZIhvcNAQEFBQAw ZDETMBEGCgmSJomT8ixkARkWA29yZzEYMBYGCgmSJomT8ixkARkWCGpvbmRhdmlz MQ0wCwYDVQQKEwRUQU1VMREwDwYDVQQLEwhTZWN1cml0eTERMA8GA1UEAxMIVW5k ZXJ0b3cwHhcNMDQwOTAyMTc1ODE3WhcNMDcwNzIzMTc1NzQxWjBkMRMwEQYKCZIm iZPyLGQBGRYDb3JnMRgwFgYKCZImiZPyLGQBGRYIam9uZGF2aXMxDTALBgNVBAoT BFRBTVUxETAPBgNVBAsTCFNlY3VyaXR5MREwDwYDVQQDEwhVbmRlcnRvdzCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyk4jxC526rUPrkYC1pL+VobYp4B8yLEq rzbYyL4G6g8OlQ5Zo
8. Continue to follow the steps in the wizard, and enter a password for the certificate backup file when prompted. Using a strong password is highly recommended to ensure that the private key is well protected.
9. Type the name of the file you want to export, or click Browse to search for the file. Click Next.
10. Click Finish to exit the Certificate Export Wizard.
In order for certificates to be imported into the ServerIron ADX, they must be in a specific format. The .
Configuring SSL on a ServerIron ADX 6 11. When prompted for the import password, enter the password you used when exporting the certificate to a PFX file. You should receive a message that says MAC verified OK. The resulting file contents will resemble the following: 1.3.6.1.4.1.311.17.
6 Configuring SSL on a ServerIron ADX Bag Attributes: subject=/DC=org/DC=test/O=root/OU=Security/CN=root issuer=/DC=org/DC=test/O=root/OU=Security/CN=root -----BEGIN CERTIFICATE----MIIC1TCCAj6gAwIBAgIQJhB5wR9FdbXPEWcLp/1MAjANBgkqhkiG9w0BAQUFADBm MRMwEQYKCZImiZPyLGQBGRYDb3JnMRgwFgYKCZImiZPyLGQBGRYIam9uZGF2aXMx EDAOBgNVBAoTB1Rla2VsZWMxETAPBgNVBAsTCFNlY3VyaXR5MRAwDgYDVQQDEwdU ZWtlbGVjMB4XDTA1MDQxOTAxMTk1OFoXDTA3MDgwNzE3NDM1OFowZjETMBEGCgmS JomT8ixkARkWA29yZzEYMBYGCgmSJomT8ixkARkWCGpvbmRhdm
Converting certificate formats
The ServerIron ADX accepts server certificates in the PEM or PKCS12 format. The following sections describe how to convert between the two formats, and from PFX to either of them, using OpenSSL. You can download a Win32 distribution of OpenSSL at the following location:
http://gnuwin32.sourceforge.net/packages/openssl.htm
Converting PEM to PKCS12
Use the open-source utility OpenSSL to perform the conversion from .PEM to .
Converting a PFX file to a P12 file
To convert a PFX file to a P12 file on a Windows machine, change the extension from .PFX to .P12. (A PFX file and a P12 file are both PKCS12 containers; only the extension differs.)
Converting a PFX file to a PEM file
To convert a PFX file to a PEM file on a Windows machine, follow these steps:
1. If you do not have it installed, download and install the Win32 OpenSSL package from the URL given under “Converting certificate formats”.
2. Create a folder C:\certs and copy the file yourcert.
Windows Users
GUI-based SCP tools do not work in the current environment when you use SCP to transfer the certificate files to the ServerIron ADX. Windows users should use PSCP, a free SCP utility based on the PuTTY SSH client. To use this Windows utility, enter commands such as the following:
C:\images>pscp first.cer admin@200.100.100.2:sslcert:bs:pem
C:\images>pscp second.cer admin@200.100.100.
c:\ scp myrsakeys.pem admin@:sslkeypair:myrsakeys:brocade:pem
After uploading the keypair file, the same file can be downloaded to a client with the following command (the same key name and password are given in the remote path):
c:\ scp admin@:sslkeypair:myrsakeys:brocade:pem myrsakeys.pem
NOTE
The downloaded file includes the following additional block of text at the end.
After transferring the file, it can be used both as a key and as a certificate. To add the certificate file and keys to the profile, use the following commands:
ServerIronADX(config-ssl-profile-mysslprofile)# keypair-file mypkcsfile
ServerIronADX(config-ssl-profile-mysslprofile)# certificate-file mypkcsfile
The show ssl cert command can be used to display a PKCS12 file. The show ssl key command does not display a PKCS12 file, even though the file contains a key pair.
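The following Python script is an added example; it is not part of this guide or of the ServerIron ADX software. It performs offline the two checks that matter before a file is uploaded: telling a PEM file from a DER file by its framing alone (the cause of the "wrong format" symptom listed under troubleshooting below), and splitting the output of an OpenSSL PFX-to-PEM conversion (Bag Attributes lines followed by certificate and key blocks, as shown above) into clean certificate and key blocks. The sample PEM and DER data are constructed for the example and are not real certificates or keys; only the outer ASN.1 framing is valid.

```python
import base64
import re

# Constructed sample data (not real certificates or keys): a DER SEQUENCE
# envelope, tag 0x30 with long-form length 0x0100, wrapping 256 filler bytes.
# Only the outer ASN.1 framing is meaningful; the content is padding.
DER_SAMPLE = b"\x30\x82\x01\x00" + bytes(256)
KEY_SAMPLE = b"\x30\x10" + bytes(16)          # short-form length, 16 filler bytes


def _wrap64(b64: str) -> str:
    """Break a base64 string into the 64-column lines PEM uses."""
    return "".join(b64[i:i + 64] + "\n" for i in range(0, len(b64), 64))


# Constructed sample of what `openssl pkcs12 -in cert.pfx -out cert.pem -nodes`
# prints: Bag Attributes chatter, then the certificate and the private key.
PKCS12_DUMP_SAMPLE = (
    "Bag Attributes\n"
    "    localKeyID: 01 00 00 00\n"
    "subject=/DC=org/DC=test/O=root/OU=Security/CN=root\n"
    "issuer=/DC=org/DC=test/O=root/OU=Security/CN=root\n"
    "-----BEGIN CERTIFICATE-----\n"
    + _wrap64(base64.b64encode(DER_SAMPLE).decode("ascii"))
    + "-----END CERTIFICATE-----\n"
    "Bag Attributes\n"
    "    localKeyID: 01 00 00 00\n"
    "Key Attributes: <No Attributes>\n"
    "-----BEGIN PRIVATE KEY-----\n"
    + _wrap64(base64.b64encode(KEY_SAMPLE).decode("ascii"))
    + "-----END PRIVATE KEY-----\n"
)


def der_total_length(data: bytes):
    """Length of the outer DER SEQUENCE, or None if the header is malformed."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' from the file's framing alone."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        text = ""
    if "-----BEGIN " in text:
        return "pem"
    # A DER file is exactly one SEQUENCE: its declared length must match.
    if der_total_length(data) == len(data):
        return "der"
    return "unknown"


def matches_declared_format(data: bytes, declared: str) -> bool:
    """True unless the file would be uploaded under the wrong format name."""
    return detect_format(data) == declared.lower()


PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def split_pem(text: str) -> dict:
    """Separate certificate and key blocks, dropping Bag Attributes lines."""
    parts = {"certificates": [], "keys": []}
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        block = "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)
        if label == "CERTIFICATE":
            parts["certificates"].append(block)
        elif label.endswith("PRIVATE KEY"):
            parts["keys"].append(block)
    return parts


def pem_to_der(block: str) -> bytes:
    """Decode one PEM block to its DER bytes."""
    lines = [ln.strip() for ln in block.splitlines()
             if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


if __name__ == "__main__":
    parts = split_pem(PKCS12_DUMP_SAMPLE)
    print("certificates:", len(parts["certificates"]), "keys:", len(parts["keys"]))
    print("DER sample detected as:", detect_format(DER_SAMPLE))
```

Run detect_format on a file before choosing pem or der in the upload path, and write the blocks returned by split_pem to separate files when the key and the certificate are to be uploaded individually.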
Certificate Verification
Every certificate has two very important fields: issuer (issued by) and subject (issued to). A CA’s own certificate has the same value in both fields, because the authority has issued a certificate to itself. However, when the authority issues a certificate to a server, the issuer field contains the CA's name, but the subject contains the server's name.
Chained Certificate Verification
When the server certificate is not signed directly by the root CA but by an intermediate CA, as in the following example, there are two possible scenarios.
• CA ----> intermediate CA ----> server certificate
Client Already Has Intermediate CA's Certificate
In the first scenario, there are NO additional requirements.
FIGURE 12 Certificate Fields
There are two steps that will ensure that the chain is correct.
1. Verify that the issuer of the server certificate matches the subject of the intermediate CA's certificate.
2. Verify that the issuer of the intermediate CA's certificate has an entry in the client's trusted certificates.
For the first step, you must convert the certificate chain to a readable format.
Serial Number: 70:2b:a7:4b:07:ea:29:99:5a:dc:3f:6f:74:da:39:6d
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Validity
Not Before: Nov 2 00:00:00 2005 GMT
Not After : Nov 2 23:59:59 2006 GMT
Subject: C=US, ST=California, L=San Jose, O=Brocade Inc, OU=Engineering, OU=Terms of use at www.verisign.
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Validity
Not Before: Apr 17 00:00:00 1997 GMT
Not After : Oct 24 23:59:59 2011 GMT
Subject: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.
The Subject of this second certificate matches the Issuer of the server certificate above, which completes the first step. Its Issuer, the VeriSign Class 3 Public Primary Certification Authority, is the certificate to look for in the client's trust store in the second step.
Find and match this certificate in the list of trusted root certificates in the client browser. Figure 13 shows the issuer certificate authority window.
FIGURE 13 Issuer Certificate Authority
Now the certificate chain is complete and the client browser will be able to interpret it correctly.
Consider another example, with a four-level chain. Here the root Certificate Authority is called "OS Level_0 CA". The certificate hierarchy is as follows:
Level 0 (root): Issuer: CN=OS Level_0 CA, Subject: CN=OS Level_0 CA
Level 1 (first intermediate): Issuer: CN=OS Level_0 CA, Subject: CN=OS Level_1 CA
Level 2 (second intermediate): Issuer: CN=OS Level_1 CA, Subject: CN=OS Level_2 CA
Level 3 (server certificate): Issuer: CN=OS Level_2 CA, Subject: CN=ServerCert by Level_2
ServerIronADX# show ssl cert l4chaincert
Certificate:
Data:
Version: lu (0xlx)
Serial Number: 3 (0x00000003)
S
X509v3 Certificate Policies:
Policy: 1.1.1.1.1
CPS:
User Notice:
Explicit Text:
X509v3 Issuer Alternative Name:
email:root@s1.l47qa.com, URI:http://sq.l47qa.
Exponent: lu (0xlx)
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
Netscape CA Revocation Url:
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
keyid:D6:D5:03:E1:B4:F0:0D:82:E9:AB:F0:4C:B2:FC:84:1B:82:18:8A:76
DirName:/CN=OS Level_0 CA
serial:01
Authority Information Access:
CA Issuers - URI:http://s1.l47qa.
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a2:a9:48:46:79:dd:98:6b:9f:e9:77:b0:c7:eb:
37:ea:0a:7b:71:0d:5e:02:e6:d4:f7:1e:f2:9b:4f:
2d:f4:17:98:52:bc:13:5c:3b:83:84:f1:58:65:5b:
db:73:1b:38:96:c9:11:11:ca:6e:92:3c:80:9b:25:
3d:5a:78:15:93:00:a9:b8:82:9e:35:d3:13:1e:55:
9f:4f:87:03:d6:63:df:41:bd:51:85:5d:ef:b3:aa:
08:d9:80:43:9d:40:05:ae:10:f4:a1:0d:2c:32:b0:
d8:c5:50:59:65:01:a8:87:79:6e:f8:bf:6d:2a:90:
a0:06:f4:72:2a:26:6a:84:53:5a:0f:92:6e:07:1f:
d0:d
d3:c2:64:4d:24:41:5a:2c:17:3d:34:27:8b:0c:25:60:6b:3a:
86:f6:54:fc:8d:31:08:3b:dd:4c:cb:46:fb:47:a3:e4:23:3d:
82:33:84:d2:fb:81:05:61:95:09:98:a4:25:f0:55:eb:80:0c:
32:69:48:cf:41:7c:36:2d:d7:c0:02:79:a1:7b:4d:28:4c:84:
64:68:3c:8a:af:28:5f:f6:78:1e:31:d4:5a:2c:60:20:12:99:
5c:e3:df:59:01:79:7c:20:c8:f5:ab:75:e6:ab:db:de:2a:e7:
be:4d:a1:9d:d5:5a:7c:9a:22:14:ca:7b:31:9d:48:d8:62:3a:
ab:97:15:6b:4f:13:3e:35:c0:fb:82:57:20:e7:08:03:33:28:
19:20:16:24:28:98:d4:f7:cf:0b:4b
Solution: To verify that the certificate chain is properly uploaded on the ServerIron ADX, connect to the BP console and enter the show ssl certificate command. Make sure that all of the intermediate CA certificates are included.
• Symptom: The wrong format was specified when uploading the certificate. For example, the certificate was obtained in DER format but uploaded in PEM format.
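The two checks from "Chained Certificate Verification" (the issuer of the server certificate against the subject of the intermediate, and the issuer of the topmost intermediate against the client's trust store), together with the chain depth limit described later under Advanced SSL profile configuration, are implemented below as an added Python example. It is not part of this guide or of the ADX software. It works on the Issuer and Subject lines of readable dumps such as those produced by openssl x509 -text or show ssl cert; the four dumps used here are constructed and reuse the names of the four-level "OS Level" example. The depth is counted the way OpenSSL counts it, with the server certificate at level 0 and the trust anchor as the last level; the guide does not state how the ADX counts, so treat the depth check as an approximation.

```python
import re

# Constructed dumps reduced to the Issuer/Subject lines of an
# `openssl x509 -text` listing; names follow the four-level example.
LEAF = """Certificate:
    Data:
        Serial Number: 3 (0x3)
        Issuer: CN=OS Level_2 CA
        Subject: CN=ServerCert by Level_2
"""
LEVEL2 = """Certificate:
    Data:
        Issuer: CN=OS Level_1 CA
        Subject: CN=OS Level_2 CA
"""
LEVEL1 = """Certificate:
    Data:
        Issuer: CN=OS Level_0 CA
        Subject: CN=OS Level_1 CA
"""
ROOT = """Certificate:
    Data:
        Issuer: CN=OS Level_0 CA
        Subject: CN=OS Level_0 CA
"""
# What the client browser already trusts (constructed for the example).
CLIENT_TRUSTED = {"CN=OS Level_0 CA"}

NAME_LINE = re.compile(r"^\s*(Issuer|Subject):\s*(.+?)\s*$", re.M)


def parse_names(dump: str):
    """Return (issuer, subject) from a readable certificate dump."""
    fields = dict(NAME_LINE.findall(dump))
    return fields["Issuer"], fields["Subject"]


def verify_chain(leaf_dump, uploaded_dumps, trusted_subjects, max_depth=4):
    """Walk issuer -> subject upward from the server certificate.

    Step 1: each certificate's issuer must equal the subject of the next
            certificate in the chain (the walk stops otherwise).
    Step 2: the issuer of the topmost certificate must be in the client's
            trust store.
    Finally the number of levels above the server certificate must not
    exceed the configured chain depth (default 4 on the ADX).
    """
    by_subject = {}
    for dump in uploaded_dumps:
        issuer, subject = parse_names(dump)
        by_subject[subject] = (issuer, subject)
    chain = [parse_names(leaf_dump)]
    seen = {chain[0][1]}
    while True:
        issuer, subject = chain[-1]
        if issuer == subject or issuer in trusted_subjects:
            break                  # self-signed, or anchored in the trust store
        if issuer not in by_subject or issuer in seen:
            break                  # step 1 cannot continue: issuer not uploaded
        seen.add(issuer)
        chain.append(by_subject[issuer])
    top_issuer, top_subject = chain[-1]
    anchored = top_issuer in trusted_subjects
    # Levels above the server certificate, counting the trust anchor itself
    # when the walk stopped just below it.
    depth = len(chain) - 1 + (0 if top_issuer == top_subject else 1)
    if not anchored:
        reason = "issuer %r of %r is neither uploaded nor trusted by the client" % (
            top_issuer, top_subject)
    elif depth > max_depth:
        reason = "chain depth %d exceeds configured limit %d" % (depth, max_depth)
    else:
        reason = "ok"
    return {"ok": reason == "ok", "depth": depth, "reason": reason,
            "chain": [subject for _, subject in chain]}


if __name__ == "__main__":
    print(verify_chain(LEAF, [LEVEL2, LEVEL1, ROOT], CLIENT_TRUSTED))
    print(verify_chain(LEAF, [LEVEL2], CLIENT_TRUSTED))
```

With only the Level_2 certificate uploaded, the walk stops at an issuer the client does not trust, which is exactly the "missing intermediate" case the troubleshooting entry above describes; uploading the Level_1 certificate, or the client already trusting it, makes the chain verify.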
6 Basic SSL profile configuration
To enable the ServerIron ADX to send the entire certificate chain, configure the enable-certificate-chaining command within an SSL profile as described in “Enabling a certificate chain” on page 169.
Support for SSL renegotiation
Some SSL application clients use renegotiation, a mechanism within the SSL protocols, to change cipher specifications and redo the handshake. It has been found, however, that insecure renegotiation is susceptible to a man-in-the-middle attack.
Specifying a keypair file
Each SSL profile must be associated with an RSA key-pair file that was previously defined using the genrsa command. The following example uses the keypair-file command to associate the key pair file named "rsakey" with the "profile1" SSL profile.
6 Advanced SSL profile configuration
To configure this feature, use commands such as the following:
ServerIronADX(config)# ssl profile sp1
ServerIronADX(config-ssl-profile-sp1)# cipher-suite rsa-with-aes-128-sha
ServerIronADX(config-ssl-profile-sp1)# cipher-suite rsa-with-rc4-128-md5
ServerIronADX(config-ssl-profile-sp1)# cipher-suite rsa-with-rc4-128-sha
Of these, the RC4 and MD5 based suites are legacy choices kept for client compatibility; where your clients support it, offer only the AES suite.
Specifying a certificate file
Each SSL profile must be associated with a certificate file that was either imported or self-generated as described in “Ch
Enabling certificate verification
The ServerIron ADX can optionally be configured to enforce client certificate verification. When client certificate verification is configured, the ServerIron ADX requires every client to present its signed certificate. The certificate is verified against the configured trusted CAs and the connection is allowed or denied accordingly.
• A certificate issued by a CA that is trusted by the server
• A key pair for the certificate
The certificate and the key can be obtained from the CA in either PKCS or PEM format. For client authentication to work, these items must be uploaded to the ServerIron ADX and then added to the server profile. For example, if you use si_client_cert.pem as the certificate and si_client_key.
The ServerIron ADX supports configuration of up to ten CRL records. Each CRL record can be up to 255K in size.
Syntax: ssl crl-record der | pem
The variable specifies a name for the CRL entry. The value of this entry is an ASCII string.
The variable specifies the location where the CRL is located. This value can be either an IP address or a domain name.
NOTE
All intermediate CA certificates need to be uploaded to the ServerIron ADX.
Configuring certificate chain depth
You can configure the certificate chain depth up to which certificate verification is performed by the ServerIron ADX. The default value is 4 and it can be configured up to 10, as shown in the following.
Configuring a session cache timeout
By default, SSL sessions are held in the cache for 30 seconds. You can change the time period a session remains in the cache, as shown in the following.
ServerIronADX(config)# ssl profile profile1
ServerIronADX(config-ssl-profile-profile1)# session-cache-timeout
Syntax: [no] session-cache-timeout
The variable can be set to a value between 20 and 86400 seconds. The default value is 30 seconds.
6 Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
Enabling a ServerIron ADX SSL to respond with renegotiation headers
Some SSL application clients use renegotiation, a mechanism within the SSL protocols, to change cipher specifications and redo the handshake. It has been reported that insecure renegotiation is susceptible to a man-in-the-middle attack. The ServerIron ADX does not support renegotiation. This means that the ServerIron ADX is not susceptible to these attacks.
Configuring Real and Virtual Servers for SSL Termination Mode
Real and Virtual Server configuration is described in detail in the Brocade ServerIron ADX Server Load Balancing Guide.
Configuring Real and Virtual Servers for SSL Proxy Mode
Real and Virtual Server configuration is described in detail in the ServerIron ADX Server Load Balancing Guide.
The and variables specify the names of the SSL profiles that you want to bind to the SSL port in a proxy-mode configuration. The first profile is used for the client to ServerIron ADX side and the second profile is used for the ServerIron ADX to Real Server side.
6 Configuration Examples for SSL Termination and Proxy Modes
Configuration Examples for SSL Termination and Proxy Modes
This section describes the procedures required to perform the configurations described in “SSL Termination Mode” on page 137 and “SSL Proxy Mode” on page 138. As shown in the examples there, SSL Termination mode provides an SSL connection between the clients and the ServerIron ADX only. In SSL Proxy mode, a second SSL connection is also created between the ServerIron ADX and the server.
Create SSL profile with required settings
ServerIronADX(config)# ssl profile myprofile
ServerIronADX(config-ssl-profile-myprofile)# keypair-file rsakey-file
ServerIronADX(config-ssl-profile-myprofile)# certificate-file mycert
ServerIronADX(config-ssl-profile-myprofile)# cipher-suite all
ServerIronADX(config-ssl-profile-myprofile)# exit
Define HTTP ports on real servers
ServerIronADX(config)# server
ServerIronADX(config-rs-rs1)#
ServerIronADX(c
Example
Create Client Side SSL profile with required settings
ServerIronADX(config)# ssl profile clientprofile
ServerIronADX(config-ssl-profile-clientprofile)# keypair-file rsakey-file
ServerIronADX(config-ssl-profile-clientprofile)# certificate-file mycert
ServerIronADX(config-ssl-profile-clientprofile)# cipher-suite all
ServerIronADX(config-ssl-profile-clientprofile)# exit
Create server side SSL profile with required settings
ServerIronADX(
FIGURE 15 Client Capture
FIGURE 16 Server Capture
In these examples, the HTTP GET requests are intentionally broken down into multiple parts. In real life, you may not see GET requests divided over multiple packets. These trace results indicate that there is a degradation of performance when the ServerIron ADX is configured for SSL termination.
Resolution
There are two possible approaches to this problem.
• Turn OFF delayed ACK on the server. To see how to modify or turn off delayed ACK on Windows 2003 servers, go to the following location:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823764
NOTE
This method might not be the most satisfactory, as it involves changing the registry on the servers.
• Turn OFF the Nagle algorithm on the ServerIron.
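The interaction between the two settings, as an added illustration that is not part of this guide and not ADX code: a small discrete-time model in Python of a sender that applies Nagle's algorithm and a receiver that delays its ACKs. The request pieces, the 1 ms one-way delay and the 200 ms delayed-ACK timer are constructed inputs (200 ms is the default delayed-ACK timer on the Windows servers the Microsoft article above covers). The model covers only small writes, where Nagle holds data back, and shows why disabling either side of the pair removes the stall.

```python
# Constructed request: (time written by the application in ms, bytes).
# Three small writes, as when a GET is handed to TCP in pieces.
REQUEST = [(0, 100), (1, 200), (2, 150)]


def simulate_request(chunks, nagle, delayed_ack, one_way_ms=1,
                     delack_ms=200, mss=1460):
    """Return (ms until the last byte reaches the peer, segments sent).

    Model (an illustration, not the ADX TCP stack): with Nagle on, the
    sender holds small data while a segment is unacknowledged; with
    delayed ACK on, the receiver answers a lone segment only when its
    timer fires. Writes that fill a segment are sent immediately.
    """
    todo = sorted(chunks)
    t, buffered, segments, delivered_at = 0, 0, 0, 0
    ack_at = None            # when the ACK for in-flight data reaches the sender
    while todo or buffered:
        if ack_at is not None and ack_at <= t:
            ack_at = None    # the outstanding segment has been acknowledged
        while todo and todo[0][0] <= t:
            buffered += todo.pop(0)[1]      # application writes reach TCP
        if buffered == 0:
            t = todo[0][0]                  # idle until the next write
            continue
        if nagle and ack_at is not None and buffered < mss:
            # Nagle: wait for the ACK, or for more data that may fill a segment
            t = min(ack_at, todo[0][0]) if todo else ack_at
            continue
        size = min(buffered, mss)
        buffered -= size
        segments += 1
        arrive = t + one_way_ms
        delivered_at = arrive
        # With one segment outstanding, a delayed-ACK receiver waits out
        # its timer before acknowledging it.
        ack_at = arrive + (delack_ms if delayed_ack else 0) + one_way_ms
    return delivered_at, segments


def compare_settings(chunks=REQUEST):
    """Delivery time of the last byte under each combination of settings."""
    return {
        "nagle on, delayed ack on": simulate_request(chunks, True, True)[0],
        "nagle on, delayed ack off": simulate_request(chunks, True, False)[0],
        "nagle off, delayed ack on": simulate_request(chunks, False, True)[0],
    }


if __name__ == "__main__":
    for setting, ms in compare_settings().items():
        print("%-26s last byte delivered at %4d ms" % (setting, ms))
```

With both mechanisms active the second and third pieces of the request sit in the sender's buffer until the receiver's 200 ms timer releases the ACK for the first piece; turning off either Nagle (on the ServerIron) or delayed ACK (on the server) brings delivery back to a few milliseconds.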
Disabling Nagle’s Algorithm
You can disable Nagle’s algorithm within a TCP profile as shown in the following example.
ServerIronADX(config)# tcp profile tcpprofile1
ServerIronADX(config-tcp-profile-tcpprofile1)# nagle off
Syntax: [no] nagle off
Disabling the delayed ACK algorithm
You can disable the delayed ACK algorithm within a TCP profile as shown in the following example.
You can also apply the TCP profile to the SSL profile.
Define client insertion mode and prefix
The client certificate insertion mode and prefix can optionally be configured within a CSW policy as described in the following. To configure the client insertion mode, use the default rewrite request-insert command as shown.
ServerIronADX(config)# server real rs1
ServerIronADX(config-rs-rs1)# port pop3
ServerIronADX(config-rs-rs1)# port imap4
ServerIronADX(config-rs-rs1)# port ldap
ServerIronADX(config-rs-rs1)# exit
ServerIronADX(config)#
ServerIronADX(config)# server real rs2
ServerIronADX(config-rs-rs2)# port pop3
ServerIronADX(config-rs-rs2)# port imap4
ServerIronADX(config-rs-rs2)# port ldap
ServerIronADX(config-rs-rs2)# exit
ServerIronADX(config)#
ServerIronADX
NOTE
The connection count for the SSLv2 rate includes both client-side (Terminate / Proxy) and server-side (Proxy) connections.
Configuring memory limit for SSL hardware buffers
You can configure the maximum memory allocated for the buffers accessed by the SSL hardware, as shown in the following example.
SSL debug and troubleshooting commands 6
SSL debug and troubleshooting commands
This section describes SSL debug and troubleshooting commands.
Diagnostics
You can run diagnostic tests on the SSL hardware devices to verify proper functionality. Note that the diagnostic tests must not be run while SSL traffic is being processed, and that the system should be reloaded after running the diagnostic test-suite. The diagnostic test-suite can be initiated from the MP or from individual BPs.
soft-reset    Soft Reset Test
Detailed information is logged on the BP console when these tests are run.
Displaying proxy statistics
Use the show cp statistics command in rconsole mode to display connection proxy statistics, as shown in the following.
Displaying locally stored SSL certificates
Use the show ssl certificate command to display locally stored SSL certificates, as shown in the following.
ServerIronADX# show ssl certificate *
ssl certificate files:
1 : cert3003.pem
2 : cert2112.pem
3 : cert2031.pem
4 : cert4030.pem
5 : cert3301.pem
6 : cert3220.pem
7 : cert2410.pem
8 : cert2014.pem
9 : cert4013.pem
10 : cert3203.pem
11 : cert3122.pem
12 : cert3041.pem
13 : cert2312.pem
14 : cert2231.
15 :
16 :
Displaying SSL connection information
Use the show ssl con command in rconsole mode to display SSL connection information, as shown in the following.
ServerIronADX(config)# ssl crl crl1 http://192.168.5.16/temp.crl pem 1
ServerIronADX# show ssl crl (on MP)
Output:
URL : /temp.crl
IP address : 192.168.5.
Displaying SSL debug counters
Use the show ssl debug command in rconsole mode to display debug counters, as shown in the following.
The following example provides information about a specified key: "rsakey".
The * parameter displays a list of all locally stored SSL keys.
Displaying an SSL Profile
The show ssl profile command allows you to display the configuration of a particular SSL profile or of all configured SSL profiles. The following example displays all configured SSL profiles on a ServerIron ADX.
Displaying the certificate bound to an SSL profile
Use the show ssl profile cert command on the rconsole, as shown in the following, to display the certificate bound to a specified profile. This is useful when checking whether a certificate is intact on the BPs.
00:ac:6e:a1:3d:3c:0a:f3:df:e2:8d:b4:5e:d6:cb:
90:e3:96:87:2d:bc:aa:41:64:22:fa:ea:c2:86:d8:
b1:bc:99:c5:c6:af:87:2d:d1:2b:89:b9:31:6f:9c:
35:03:86:9b:47:6d:82:a8:4f:88:07:dc:46:8a:87:
86:5c:cd:15:c6:3d:de:72:05:68:0b:50:b5:77:27:
9f:6c:33:a3:8b:2a:de:e6:f7:b3:f3:70:e6:b9:cc:
8d:4c:84:25:b7:2f:62:d6:76:ed:93:59:87:f7:4c:
b1:99:23:f0:9f:d9:61:d3:e1:e7:40:a0:12:6a:1d:
f5:20:b7:2e:2b:08:9e:80:c5
publicExponent: 00010001 (0x00010001)
privateExponent: 42:81:64:e5:16:4c:6
This output includes the private exponent, so any console capture that contains it must be handled as private key material.
Displaying record size information
Use the show ssl record-size command in rconsole mode to display information regarding record size.
Displaying socket information 6
Displaying socket information
The following socket information is available from the BP console within rconsole mode.
• Socket detail in open status
• All sockets in open status
• Socket state information
To access the display commands that present this information, you must enter the BP console using the rconsole command as shown in “Using Rconsole” on page 188.
Displaying socket state information
Use the show socket state command in rconsole mode to display socket state information, as shown in the following.
Displaying SSL Statistics information
The following SSL statistics information is available from the BP console within rconsole mode:
• SSL statistics alert information
• Decoded status counters of SSL alerts
• SSL decoded client site status counters
• SSL statistical counters
• SSL crypto engine status counters
To access the display commands that present this information, you must enter the BP console using the rconsole command as shown in “Using Rconsole” on page 18
Displaying SSL decoded client site status counters
Use the show ssl statistics client command in rconsole mode to display SSL decoded client site status counters, as shown.
Displaying SSL Statistics counters
Use the show ssl statistics counters command in rconsole mode to display SSL statistical counters, as shown.
Displaying SSL crypto engine status counters
Use the show ssl statistics crypto command in rconsole mode to display SSL crypto engine status counters, as shown.
Displaying TCP IP information
The following TCP/IP information is available from the BP console within rconsole mode:
• SSL, TCP, and IP buffer information
• TCP and IP chain length statistics
• SSL, TCP, and IP queues
• SSL memory
To access the display commands that present this information, you must enter the BP console using the rconsole command.
Displaying TCP and IP chain length statistics
Use the show tcp-ip chain-statistics command in rconsole mode to display TCP and IP chain length statistics, as shown.
Displaying TCP and IP statistics
Use the show tcp-ip statistics command in rconsole mode to display TCP and IP statistics, as shown in the following.
Show SSL memory
Use the show ssl mem command in rconsole mode to display SSL memory statistics, as shown in the following.
ServerIronADX# rconsole 1 1
ServerIronADX1/1# show ssl mem
Total SSL Buffer Usage:
Size:  32B    64B    128B   256B   512B   1K   2K   8K
Free:  23dc4  037fc  1a592  e2ec   181d
Used:  41624  04004  06a6e  2d14   07e3
8.
ASM SSL dump commands
The following ASM SSL dump commands can be used for troubleshooting your ServerIron ADX system. Because these commands are performance intensive, use discretion when running them on a production system.
asm dm ssldump
Use the asm dm ssldump command on the BP to display all transmitted and received SSL packets.
ServerIronADX# rconsole 1 1
ServerIronADX1/1# asm dm ssldump
SSL transmit and receive packets in on now
2/1 # 1 135834ms 10.10.1.101:443->10.10.
asm dm ssldump both
Use the asm dm ssldump both command on the BP to display both client and server SSL packets.
ServerIronADX# rconsole 1 1
ServerIronADX1/1# asm dm ssldump both
Debug both client and server packets
Syntax: asm dm ssldump both
asm dm ssldump client
Use the asm dm ssldump client command on the BP to display client SSL packets only.
asm dm ssldump mode detail
Use the asm dm ssldump mode detail command on the BP to display SSL handshake packet detail information.
asm dm ssldump mode decrypt
Use the asm dm ssldump mode decrypt command on the BP to display decrypted received SSL packets only. Because this mode writes decrypted application data to the console, restrict its use, and the retention of any console logs captured while it is active, accordingly.
asm dm ssldump receive
Use the asm dm ssldump receive command on the BP to display received packets only.
Syntax: asm dm ssldump max
asm dm ssldump max
Use the asm dm ssldump max command to limit the number of packets logged on the console.
Syntax: asm dm ssldump max
The default value is 50.