R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101
Table 14 Scanning detection configuration items

Security Zone: Select a security zone to perform scanning detection configuration for it.
Enable Scanning Detection: Select this option to enable scanning detection for the security zone.
Scanning Threshold: Set the maximum connection rate for a source IP address.
Add a source IP to the blacklist: Select this option to allow the system to blacklist a suspicious source IP address. If this option is selected, you can then set the lifetime of the blacklisted source IP addresses.
TIP: The scanning detection function can blacklist a suspect and discard subsequent packets from the suspect only when the blacklist feature is enabled.
Lifetime: Set the lifetime of the blacklist entry.
Traffic abnormality detection configuration example
Network requirements
As shown in Figure 32, the internal network is the trusted zone, the subnet where the internal servers are
located is the demilitarized zone (DMZ), and the external network is the untrusted zone. Configure the LB
module so that the module:
• Protects the internal network against scanning attacks from the external network.
• Limits the number of connections initiated by an internal host.
• Limits the number of connections to the internal server.
• Protects the internal server against SYN flood attacks from the external network.
To meet these requirements, you need to perform these configurations on the module:
• Configure scanning detection for the untrusted zone, enable the function to add entries to the
blacklist, and set the scanning threshold to 4500 connections per second.
• Configure source IP address-based connection limit for the trusted zone, and set the number of
connections each host can initiate to 100.
• Configure destination IP address-based connection limit for the DMZ, and set the number of
connections the server can accommodate to 10000.
• Configure SYN flood detection for the DMZ, and set the connection rate of the server to 5000
connections per second (the proper value depends on the performance of the server), and
configure the module to block subsequent connections to the server after an attack is detected.
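The checks described in Table 14 and in the configuration example above, modelled in Python as an added illustration of how the thresholds interact. This is not the LB module's code: the zone names and threshold values are taken from the example, but the addresses (RFC 5737 test ranges), the traffic, the per-second counters, and the handling of the triggering connection when no blacklist is configured are constructed assumptions of the model, not documented module behaviour.

```python
from collections import defaultdict


class TrafficAbnormalityDetector:
    """Per-zone policy model. Source-zone keys: scan_threshold (new connections
    per second per source), blacklist_lifetime (seconds), src_conn_limit.
    Destination-zone keys: dst_conn_limit, syn_flood_rate (connections per
    second per server). A missing key means that check is not configured."""

    def __init__(self, zone_policies):
        self.policies = zone_policies
        self._src_rate = defaultdict(int)    # (src, second) -> new connections
        self._dst_rate = defaultdict(int)    # (dst, second) -> new connections
        self._active_src = defaultdict(int)  # src -> currently open connections
        self._active_dst = defaultdict(int)  # dst -> currently open connections
        self._blacklist = {}                 # src -> expiry timestamp
        self._blocked_dst = set()            # servers blocked after a SYN flood

    def _expire_blacklist(self, now):
        for src in [s for s, exp in self._blacklist.items() if exp <= now]:
            del self._blacklist[src]

    def is_blacklisted(self, now, src):
        self._expire_blacklist(now)
        return src in self._blacklist

    def new_connection(self, now, src, src_zone, dst, dst_zone):
        """Return (allowed, reason) for a connection attempt at time `now`."""
        self._expire_blacklist(now)
        if src in self._blacklist:
            return False, "source blacklisted"
        if dst in self._blocked_dst:
            return False, "destination blocked after SYN flood"
        sp, dp = self.policies.get(src_zone, {}), self.policies.get(dst_zone, {})
        second = int(now)

        # Scanning detection on the source's zone.
        if "scan_threshold" in sp:
            self._src_rate[(src, second)] += 1
            if self._src_rate[(src, second)] > sp["scan_threshold"]:
                if "blacklist_lifetime" in sp:
                    self._blacklist[src] = now + sp["blacklist_lifetime"]
                    return False, "scanning detected, source blacklisted"
                # Without the blacklist the module cannot discard subsequent
                # packets (Table 14 TIP); this model only records the detection.
                return True, "scanning detected, blacklist disabled"

        # SYN flood detection on the server's zone; once triggered, later
        # connections to that server are refused, as in the example.
        if "syn_flood_rate" in dp:
            self._dst_rate[(dst, second)] += 1
            if self._dst_rate[(dst, second)] > dp["syn_flood_rate"]:
                self._blocked_dst.add(dst)
                return False, "SYN flood detected, destination blocked"

        # Source- and destination-based connection limits.
        if self._active_src[src] >= sp.get("src_conn_limit", float("inf")):
            return False, "source connection limit reached"
        if self._active_dst[dst] >= dp.get("dst_conn_limit", float("inf")):
            return False, "destination connection limit reached"
        self._active_src[src] += 1
        self._active_dst[dst] += 1
        return True, "allowed"

    def close_connection(self, src, dst):
        self._active_src[src] = max(0, self._active_src[src] - 1)
        self._active_dst[dst] = max(0, self._active_dst[dst] - 1)


# Policies from the configuration example (zone names as in the text).
EXAMPLE_POLICIES = {
    "untrusted": {"scan_threshold": 4500, "blacklist_lifetime": 600},
    "trusted": {"src_conn_limit": 100},
    "DMZ": {"dst_conn_limit": 10000, "syn_flood_rate": 5000},
}


def run_scenario():
    """Replay constructed traffic against EXAMPLE_POLICIES; returns outcomes."""
    det = TrafficAbnormalityDetector(EXAMPLE_POLICIES)
    scanner, host, server = "203.0.113.9", "192.168.1.10", "10.1.1.5"  # constructed
    out = {}
    # Untrusted source opens 4501 connections within one second: scan detected.
    for i in range(4501):
        _, reason = det.new_connection(100 + i / 10000, scanner, "untrusted",
                                       f"192.168.1.{i % 200 + 1}", "trusted")
    out["scan"] = reason
    out["blacklisted_at_400s"] = det.is_blacklisted(400.0, scanner)
    out["blacklist_expired_at_701s"] = not det.is_blacklisted(701.0, scanner)
    # Trusted host holds 100 connections; the 101st is refused until one closes.
    for _ in range(100):
        det.new_connection(200.0, host, "trusted", server, "DMZ")
    out["src_limit"] = det.new_connection(200.1, host, "trusted", server, "DMZ")[1]
    det.close_connection(host, server)
    out["after_close"] = det.new_connection(200.2, host, "trusted", server, "DMZ")[1]
    # 5001 connections to the DMZ server in one second: SYN flood, server blocked.
    for i in range(5001):
        _, reason = det.new_connection(300 + i / 10000, f"198.51.100.{i % 250 + 1}",
                                       "untrusted", server, "DMZ")
    out["syn_flood"] = reason
    out["server_blocked"] = det.new_connection(301.0, "198.51.100.7", "untrusted",
                                               server, "DMZ")[1]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model keys every check on the zone it is configured for, which is why the scanner in the untrusted zone is not held to the trusted zone's 100-connection source limit, and why the blacklist entry lapses once its lifetime has passed while the SYN-flood block on the server stays in place for the rest of the run.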