background image

 

DefensePro User Guide

Bandwidth Management

Document ID: RDWR-DP-V0602_UG1201

 

213

Bandwidth Management Classification Criteria

You can use an object (for example, a network object) that you have already configured or you can 
add an IP address manually. Radware recommends that you work with objects that you have already 
configured.
A policy includes the following traffic classification criteria:

Source—Specifies the source of the traffic. This can be specific IP addresses, a range of IP 
addresses or IP Subnet address. You should first configure Networks. The default value is any
which covers traffic from any source.

Destination—Specifies the destination of the traffic. This can be specific IP addresses, a range 
of IP addresses or IP Subnet address. The default value is any, which covers traffic to any 
destination.

Note:

To limit or block access to the device’s interface, type the IP address of the interface 
in the Destination box.

Direction—Setting the direction mode to one way enables asymmetric BWM. When a policy is 
set to One Way, the classifier searches for traffic in one direction only, while with Two Way, the 
device searches both directions. When a rule is set to One Way, the device classifies only one 
direction of the traffic and the return traffic is not classified. When a rule is set to Two Way, on 
the way back, the device replaces the source and destination IP addresses and ports (in case the 
rule is a Layer 4 or Layer 7 rule).

Service—Specifies the traffic type. The Service configured per policy can allow the policy to 
consider other aspects of the packet, such as the protocol (IP/TCP/UDP), TCP/UDP port 
numbers, bit patterns at any offset in the packet, and actual content (such as URLs or cookies) 
deep in the upper layers of the packet. Available Services are very granular. The default value is 
None, which covers all protocols.

Inbound Physical Port Group—Classifies only traffic received on certain interfaces of the 
device. Enables you to set different policies to identify traffic classes that are received on 
different interfaces of the device. 

VLAN Tag Group—Specifies VLAN traffic classification according to VLAN ID (VLAN Identifier) 
tags. 

Traffic Flow Identification—Specifies what type of traffic flow we are going to limit via this 
policy. The available options are:

Client (source IP)

Session (source IP and port)

Connection (source IP and destination IP)

Full L4 Session (source and destination IP and port)

Session Cookie (must configure cookie identifier)

Cookie Field Identifier—A string that identifies the cookie field whose value must be used to 
determine the different traffic flows. 

Note:

This is required only when Traffic Flow Identification is set to SessionCookie. When 
Traffic Flow Identification is set to SessionCookie, the BWM classifier searches for 
the Cookie Field Identifier followed by an equal sign (=) and classifies flows 
according to the value.

Summary of Contents for DefensePro 6.02

Page 1: ...DefensePro User Guide Software Version 6 02 Document ID RDWR DP V0602_UG1201 January 2012 ...

Page 2: ...DefensePro User Guide 2 Document ID RDWR DP V0602_UG1201 ...

Page 3: ...ware Ltd Ce guide d informations est fourni à nos clients dans le cadre de l installation et de l usage des produits de Radware décrits dans ce document et ne pourra être utilisé dans un but autre que celui pour lequel il a été conçu Les informations répertoriées dans ce document restent la propriété de Radware et doivent être conservées de manière confidentielle Il est strictement interdit de cop...

Page 4: ...oped by the OpenBSD Project Copyright c 1983 1990 1992 1993 1995 The Regents of the University of California All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redi...

Page 5: ...incent Rijmen Antoon Bosselaers et Paulo Barreto est du domaine public et distribuée sous les termes de la licence suivante version 3 0 Décembre 2000 Code ANSI C code pour Rijndael actuellement AES author Vincent Rijmen vincent rijmen esat kuleuven ac be author Antoon Bosselaers antoon bosselaers esat kuleuven ac be author Paulo Barreto paulo barreto terra com br Le commutateur OnDemand peut utili...

Page 6: ...CTS INDIRECTS ACCESSOIRES SPÉCIAUX EXEMPLAIRES OU CONSÉCUTIFS Y COMPRIS MAIS SANS S Y LIMITER L ACQUISITION DE BIENS OU DE SERVICES DE REMPLACEMENT LA PERTE D USAGE DE DONNÉES OU DE PROFITS OU L INTERRUPTION DES AFFAIRES QUELLE QU EN SOIT LA CAUSE ET LA THÉORIE DE RESPONSABILITÉ QU IL S AGISSE D UN CONTRAT DE RESPONSABILITÉ STRICTE OU D UN ACTE DOMMAGEABLE Y COMPRIS LA NÉGLIGENCE OU AUTRE DÉCOULAN...

Page 7: ...e Software Dieses Produkt enthält von Simon Wilkinson entwickelte Software Die Verbreitung und Verwendung in Quell und binärem Format mit oder ohne Veränderungen sind unter folgenden Bedingungen erlaubt 1 Die Verbreitung von Quellcodes muss den voranstehenden Copyrightvermerk diese Liste von Bedingungen und den folgenden Haftungsausschluss beibehalten 2 Die Verbreitung in binärem Format muss den v...

Page 8: ...m Safety Warning in Chinese page 8 This unit has more than one power supply Disconnect all power supplies before maintenance to avoid electric shock SERVICING Do not perform any servicing other than that contained in the operating instructions unless you are qualified to do so There are no serviceable parts inside the unit HIGH VOLTAGE Any adjustment maintenance and repair of the opened instrument...

Page 9: ...ass A EN 55024 EN 61000 3 2 EN 61000 3 3 IEC 61000 4 2 to 4 6 IEC 61000 4 8 and IEC 61000 4 11For CE MARK Compliance These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruction ma...

Page 10: ...2 Note when residing in non LPS circuit OVERCURRENT PROTECTION A readily accessible listed branch circuit over current protective device rated 15 A must be incorporated in the building wiring for each power input REPLACEABLE BATTERIES If equipment is provided with a replaceable battery and is replaced by an incorrect battery type then an explosion may occur This is the case for some Lithium batter...

Page 11: ...cated on the rear panel of the device 2 Connect the power cable to the grounded AC outlet CAUTION Risk of electric shock and energy hazard Disconnecting one power supply disconnects only one power supply module To isolate the unit completely disconnect all power supplies Instructions de sécurité AVERTISSEMENT Un dispositif de déconnexion facilement accessible sera incorporé au câblage du bâtiment ...

Page 12: ...en remplacement L usage de fusibles réparés et le court circuitage des porte fusibles doivent être évités Lorsqu il est pratiquement certain que la protection offerte par les fusibles a été détériorée l instrument doit être désactivé et sécurisé contre toute opération involontaire TENSION DE LIGNE Avant de connecter cet instrument à la ligne électrique vérifiez que la tension de la source d alimen...

Page 13: ... Pour un raccordement électrique en Amérique du Nord sélectionnez un cordon d alimentation homologué UL et certifié CSA 3 conducteur 18 AWG muni d une prise moulée à son extrémité de 125 V 5 A d une longueur minimale de 1 5 m six pieds et maximale de 4 5m Pour la connexion européenne choisissez un cordon d alimentation mondialement homologué et marqué HAR 3 conducteur câble de 0 75 mm2 minimum de ...

Page 14: ...pareil dans un endroit où la température ambiante dépasse la valeur maximale autorisée 40 C 104 F 7 Débranchez le cordon électrique de la prise murale AVANT d essayer de retirer et ou de vérifier le fusible d alimentation principal PRODUIT LASER DE CLASSE 1 ET RÉFÉRENCE AUX NORMES LASER LES PLUS RÉCENTES IEC 60 825 1 1993 A1 1997 A2 2001 ET EN 60825 1 1994 A1 1996 A2 2001 Unités à CA pour le Danem...

Page 15: ...vérifier le fusible de l alimentation générale Sicherheitsanweisungen VORSICHT Die Elektroinstallation des Gebäudes muss ein unverzüglich zugängliches Stromunterbrechungsgerät integrieren Aufgrund des Stromschlagrisikos und der Energie mechanische und Feuergefahr dürfen Vorgänge in deren Verlauf Abdeckungen entfernt oder Elemente ausgetauscht werden ausschließlich von qualifiziertem Servicepersona...

Page 16: ...rden In Fällen in denen wahrscheinlich ist dass der von den Sicherungen gebotene Schutz beeinträchtigt ist muss das Gerät abgeschaltet und gegen unbeabsichtigten Betrieb gesichert werden LEITUNGSSPANNUNG Vor Anschluss dieses Gerätes an die Stromversorgung ist zu gewährleisten dass die Spannung der Stromquelle den Anforderungen des Gerätes entspricht Beachten Sie die technischen Angaben bezüglich d...

Page 17: ... V mit PVC Umkleidung Das Kabel muss in einem gegossenen Stecker für 250 V 3 A enden BEREICH MIT EINGESCHRÄNKTEM ZUGANG Das mit Gleichstrom betriebene Gerät darf nur in einem Bereich mit eingeschränktem Zugang montiert werden INSTALLATIONSCODES Dieses Gerät muss gemäß der landesspezifischen elektrischen Codes montiert werden In Nordamerika müssen Geräte entsprechend dem US National Electrical Code...

Page 18: ...Die Trennung einer Stromquelle trennt nur ein Stromversorgungsmodul von der Stromversorgung Um das Gerät komplett zu isolieren muss es von der gesamten Stromversorgung getrennt werden Vorsicht Zur Reduzierung der Stromschlag und Feuergefahr 1 Dieses Gerät ist dazu ausgelegt die Verbindung zwischen der geerdeten Leitung des Gleichstromkreises und dem Erdungsleiter des Gerätes zu ermöglichen Siehe M...

Page 19: ...ipment software or data Endommagement possible de l équipement des données ou du logiciel Mögliche Schäden an Gerät Software oder Daten Note Additional information Informations complémentaires Zusätzliche Informationen To A statement and instructions Références et instructions Eine Erklärung und Anweisungen Tip A suggestion or workaround Une suggestion ou solution Ein Vorschlag oder eine Umgehung ...

Page 20: ...DefensePro User Guide 20 Document ID RDWR DP V0602_UG1201 ...

Page 21: ...istorical Security Reporting APSolute Vision Reporter 34 Related Documentation 34 DefensePro Release Notes and Maintenance Release Notes 35 Radware Installation and Maintenance Guide 35 APSolute Vision Documentation 35 APSolute Vision Reporter Documentation 36 Web Based Management Help 36 Chapter 2 Getting Started 37 DefensePro Physical Ports 37 DefensePro Platforms and Models 37 Logging into APSo...

Page 22: ... 58 Managing Certificates 60 Configuring High Availability 64 Configuring BOOTP 71 Advanced Parameters 71 Configuring Advanced Settings 72 Configuring Configuration Auditing 73 Configuring Dynamic Protocols 73 Configuring Tuning Parameters 75 Configuring Security Reporting Settings 84 Configuring Out of Path Settings for DefensePro 87 Configuring Session Table Settings 88 Configuring Suspend Setti...

Page 23: ... Configuring Global Behavioral DoS Protection 121 Configuring Global Anti Scanning Protection Settings 127 Configuring Global SYN Flood Protection 128 Configuring Global Out of State Protection 129 Configuring Global HTTP Flood Protection 131 Configuring Global SIP Cracking Protection 132 Configuring Global Fraud Protection 133 Managing Global Packet Anomaly Protection 134 Configuring Global DNS F...

Page 24: ...n Classification 209 Classification Mode 210 Managing Bandwidth Management Global Settings 210 Bandwidth Management Policies 212 Bandwidth Management Policy Mechanism 212 Bandwidth Management Classification Criteria 213 Bandwidth Management Rules 214 Managing Bandwidth Management Policies 215 Port Bandwidth 220 Chapter 7 Managing Classes 221 Configuring Network Classes 221 Configuring Application ...

Page 25: ...a Device s Configuration 245 Updating Policy Configurations on a DefensePro Device 246 Checking Device Memory Availability 247 Resetting the Baseline for DefensePro 247 Enabling and Disabling Interfaces 248 Scheduling APSolute Vision and Device Tasks 248 Overview of Scheduling 248 Configuring Tasks in the Scheduler 249 Task Parameters 250 Chapter 10 Monitoring DefensePro Devices and Interfaces 257...

Page 26: ...rces Geographical Map 293 Protection Monitoring 293 Displaying Attack Status Information 294 Monitoring Network Rule Traffic 294 Monitoring DNS Flood Attack Traffic 296 HTTP Reports 298 Monitoring Continuous Learning Statistics 299 Monitoring Hour Specific Learning Statistics 300 HTTP Request Size Distribution 300 Chapter 12 Administering DefensePro 303 Command Line Interface 303 CLI Session Time ...

Page 27: ... V0602_UG1201 27 Appendix C Troubleshooting 315 Diagnostic Tools 315 Traffic Capture Tool 315 Trace Log 316 Diagnostic Tools Files Management 319 Diagnostics Policies 320 Technical Support File 322 Appendix D Predefined Basic Filters 325 Appendix E Glossary 335 ...

Page 28: ...DefensePro User Guide Table of Contents 28 Document ID RDWR DP V0602_UG1201 ...

Page 29: ... from traditional vulnerability based attacks through proactive signature updates preventing the already known attacks including worms trojans bots SSL based attacks and VoIP attacks Unlike market alternatives that rely on static signatures DefensePro provides unique behavioral based automatically generated real time signatures preventing non vulnerability based attacks and zero minute attacks suc...

Page 30: ...nd users The Security Update Service consists of the following key service elements 24 7 Security Operations Center SOC Scanning Continuous threat monitoring detection risk assessment and filter creation for threat mitigation Emergency Filters Rapid response filter releases for high impact security events through Emergency Filters Weekly Updates Scheduled periodic updates to the signature files wi...

Page 31: ...ated at the gateway protecting hosts servers and network resources against incoming network attacks DefensePro also protects DMZ servers against attacks targeting Web e mail VoIP and other services This Radware deployment is at the enterprise gateway in front of the DMZ servers where DefensePro provides perimeter protection for the enterprise servers users routers and firewalls Figure 14 Typical D...

Page 32: ...CLI You can perform most tasks using any of the management systems However for the most part this guide describes management tasks by means of APSolute Vision APSolute Vision is a graphical application that enables you to configure modify monitor and generate reports centrally for single or multiple DefensePro deployments You can connect a DefensePro device to management interfaces through network...

Page 33: ... flood attacks including SYN Floods TCP Floods UDP floods ICMP and IGMP floods Scanning and worm protection Zero day protection against self propagating worms horizontal and vertical TCP and UDP scanning and ping sweeps SYN protection Protects against any type of SYN flood attack using advanced SYN cookies A SYN flood attack is usually aimed at specific servers with the intention of consuming the ...

Page 34: ...cal attacks When DefensePro detects an attack it automatically generates counter measures that you can observe and analyze using various monitoring tools DefensePro provides you with monitoring tools that show real time network traffic and application behavior parameters Security monitoring also provides statistical parameters that represent normal behavior baselines which are generated using adva...

Page 35: ...tional useful information on the following Maintenance and software upgrade Troubleshooting Hardware upgrades Specifications APSolute Vision Documentation APSolute Vision documentation includes the following APSolute Vision Administrator Guide See this for information about APSolute Vision features User management for example adding users and defining their permissions Adding and removing DefenseP...

Page 36: ...PSolute Vision Reporter Documentation See the APSolute Vision Reporter online help and APSolute Vision Reporter User Guide for information about APSolute Vision Reporter and how to use it Web Based Management Help DefensePro Web Based Management supports Help for each page ...

Page 37: ...nd you can delete the fiber optic ports from the table as required All DefensePro models support CLI commands for managing the status of physical ports For more information see Managing the Status of Physical Ports page 46 DefensePro Platforms and Models DefensePro platforms are equipped with 8P8C RJ 45 and fiber optic ports for inspecting traffic DefensePro models 1016 2016 and 3016 are based on ...

Page 38: ... the information After a globally defined number of consecutive failures the APSolute Vision server locks you out of the system If you use local user credentials a user administrator can release the lockout by resetting the password to the global default password If you use RADIUS credentials you must contact the RADIUS administrator To log into APSolute Vision as an existing user 1 Click the APSo...

Page 39: ...orts the following perspectives Configuration Perspective page 39 Monitoring Perspective page 41 Security Monitoring Perspective page 43 Asset Management Perspective page 44 Note You can configure which perspective is displayed by default when you start an APSolute Vision client session Configuration Perspective Use the Configuration perspective to configure Radware devices Typically you choose th...

Page 40: ...erspective Content area Navigation area for the tab Properties pane System pane Organization tab Includes the site tree configured sites and configured devices Button that opens the APSolute Vision Reporter Alerts pane Displays the Alerts tab and the Messages tab The Alerts tab displays APSolute Vision and device alerts The Messages tab is not relevant for DefensePro ...

Page 41: ...ut a reboot the Properties pane displays a Reboot Required notification until you reboot the device For AppDirector and DefensePro click Update Policies to implement policy configuration changes if necessary Policy configuration changes for a device are saved on the DefensePro device but are not applied until you perform a device configuration update For Alteon APSolute Vision supports the configu...

Page 42: ... perspective Content area Navigation area for tab Properties pane Alerts pane Displays the Alerts tab and the Messages tab The Alerts tab displays APSolute Vision and device alerts The Messages tab is not relevant for DefensePro System pane Includes the Organization Application Delivery and Physical tabs The Organization tabs is relevant for DefensePro ...

Page 43: ...ack details Current Attacks A view of the current attacks in a tabular format with graphical notations of attack categories threat level indication drill down to attack details and easy access to the protecting rules for immediate fine tuning Traffic Monitoring A real time graph and table displaying network information with the attack traffic and legitimate traffic filtered according to specified ...

Page 44: ...on Sites and DefensePro Devices A site in APSolute Vision is a physical or logical representation of a group of managed devices such as managed DefensePro devices A site can be based on a geographical location an administrative function device type and so on Each site can contain nested sites and devices Before you can configure a DefensePro device and security policies through APSolute Vision the...

Page 45: ...eter Description Port Pairs Source Port The user defined source port for received traffic Destination Port The user defined destination port for transmitted traffic Operation The operation mode assigned to a pair of ports Values Forward The traffic is forwarded without any inspection Process The traffic passes thought the CPU and is inspected for attacks bandwidth and so on Failure Mode Specifies ...

Page 46: ...OnDemand Switch devices Internal Bypass for RJ 45 Ports You can configure whether the traffic passes through bypasses a pair of RJ 45 ports when the platform is rebooting or is powered down for example if the device fails You can choose from two failure modes Fail Close or Fail Open Advanced Parameters Enable Interface Grouping Specifies whether the device groups the statuses of the port pair inte...

Page 47: ...changes from Fail Close to Fail Open With the Fail Open option when A port changes status from up to down A port changes status from down to up For the procedure for configuring the failure mode see Configuring Port Pairs page 45 Updating the Attack Description File The Attack Description file contains descriptions of all the different attacks You can view a specific description by entering the at...

Page 48: ... radio button To update the files from the APSolute Vision client host a Select the Client radio button b In the File Name text box enter the file path of the Attack Description file or click Browse to navigate to and select the file 3 Click Send and OK 4 The Alerts pane displays a success or failure notification and whether the operation was performed using a proxy server ...

Page 49: ...til you unlock the device you disconnect until the Device Lock Timeout elapses or an Administrator unlocks it Locking a device does not apply to the same device that is configured on another APSolute Vision server using WBM or using CLI Note Only one APSolute Vision server should manage any one Radware device For more information see the APSolute Vision Administrator Guide While the device is lock...

Page 50: ...s You can view the following device information Basic device parameters The time and date settings on the device Device hardware and software versions To view and configure DefensePro global parameters 1 In the Configuration perspective Setup tab navigation pane select Global Parameters 2 Configure location and contact information if required and then click Submit to submit the changes Table 2 Def...

Page 51: ...nization 1 In the Configuration perspective Setup tab navigation pane select Time Settings 2 Configure the parameters and then click Submit to submit the changes Version Information Software Version Read only The version of the product software on the device Hardware Version Read only The version of device hardware Table 3 NTP Parameters Parameter Description Enable NTP Enables or disables the NTP...

Page 52: ...pane select Time Settings DayLight Saving 2 Configure the parameters and then click Submit to submit the changes Configuring Access Protocols In addition to managing DefensePro devices using APSolute Vision you can also use Web Based Management WBM and Command Line Interface CLI You can connect DefensePro devices to the following WBM on the device through HTTP and HTTPS CLI through Telnet and SSH ...

Page 53: ...ryption Telnet Enable Telnet Enables Telnet access to the device Default disabled L4 Port The TCP port used by the Telnet Default 23 Session Timeout The period of time in minutes the device maintains a connection during periods of inactivity If the session is still inactive when the predefined period ends the session terminates Values 1 120 Default 5 Note To avoid affecting device performance the ...

Page 54: ...Session Timeout The period of time in minutes the device maintains a connection during periods of inactivity If the session is still inactive when the predefined period ends the session terminates Values 1 120 Default 5 Note To avoid affecting device performance the timeout is checked every 10 seconds Therefore the actual timeout can be up to 10 seconds longer than the configured time Authenticati...

Page 55: ...u configure device users you can specify whether an individual user should receive notifications via e mail and the minimal event severity reported via SNMP traps and e mail The user will receive traps of the configured severity and higher The e mail configuration applies both for SNMP traps and for SMTP e mail notifications SMTP notifications are enabled globally for the device Note The device op...

Page 56: ...ect whether to use the device User Table when RADIUS servers are not available Note The DefensePro devices must have access to the RADIUS server and must allow device access Table 8 DefensePro E mail Parameters Parameter Description Basic SMTP Parameters Enable Email Client Enables the e mail client Select to support features that are related to sending e mail messages Default Disabled Enable Send...

Page 57: ...up Server IP Address The IP address of the backup RADIUS server L4 Port The access port number of the backup RADIUS server Values 1645 1812 Default 1645 Secret The authentication password for the backup RADIUS server Verify Secret When defining the password reenter for verification Basic Parameters Timeout The length of time the device waits for a reply from the RADIUS server before a retry or if ...

Page 58: ...ision server to convey the syslog messages from all devices For more information about configuring syslog reporting on the APSolute Vision server see the APSolute Vision Administrator Guide To configure syslog 1 In the Configuration perspective Setup tab select Syslog 2 Do one of the following To enable the syslog feature select the Enable Syslog checkbox To disable the syslog feature clear the En...

Page 59: ...age delivery TCP The device sends syslog messages using TCP That is the device verifies the message delivery The device holds undelivered messages in a backlog As soon as the connection to the syslog server is re established the device sends them If the backlog is full 100 messages non configurable the device replaces lower priority messages with higher priority messages FIFO TLS The device sends ...

Page 60: ...only by its owner to encrypt and decrypt data A public key has a wide distribution and is not secret It is used for encrypting data and for verifying signatures One key is used by the sender to encrypt or interpret the data The recipient also uses the key to authenticate that the data comes from the sender The use of keys ensures that unauthorized personnel cannot decipher the data Only with the a...

Page 61: ...rspective Setup tab navigation pane select Certificates 2 Do one of the following To add a certificate click the Add button To edit a certificate double click the certificate name 3 Configure certificate parameters and click OK Table 11 Certificate Parameters Parameter Description Name The name of Key or Certificate Type The type of certification Values Certificate Certificate of Client CA1 Certif...

Page 62: ...ase should be at least four characters and Radware recommends using stronger passphrases than that based on letters numbers and signs Verify Key Passphrase After you define the key passphrase re enter for verification Locality The name of the city State Province The state or province Organization Unit The department or unit within the organization Country Name The organization country Certificate ...

Page 63: ...is created without a Radware password at system startup thus it can be exported without a Radware password Table 13 Import Certificate Parameters Parameter Description Entry Name Input new entry name to create by import or existing entry name to overwrite or complete Key or CSR Entry Type Values Certificate Imports a certificate from backup or exported from another machine The certificate must be ...

Page 64: ...cted certificate in the Certificates table is displayed 4 Select the entry type and password for the key if required 5 Click Show to display the content in the Certificate field Configuring High Availability This section contains the following topics High Availability in DefensePro Overview page 65 Monitoring DefensePro Cluster in the System Tab page 66 Configuring the Settings for a DefensePro Hi...

Page 65: ... device A secondary device maintains its own configuration for the device users IP interfaces and routing A primary device immediately transfers each relevant change to its secondary device For example after you make a change to a Network Protection policy the primary device immediately transfers the change to the secondary device However if you change the list of device users on the primary devic...

Page 66: ... been no trigger for switchover and both cluster members detect traffic This state is normal during the initial synchronization process There is no failback mechanism There is only the automatic switchover action and the manual Switch Over command When a passive device becomes active any grace time resets to 0 for example the time of the Graceful Startup Mode Startup Timer You can monitor high ava...

Page 67: ...arameters and advanced parameters When you specify the primary device you specify the peer device which becomes the secondary member of the cluster Table 16 Icons Elements in the System Pane High Availability Clusters Icon Element Description Active device Synchronizing Unavailable Table 17 Icons in the System Pane High Availability Clusters Examples Icon Description The cluster is operating nomin...

Page 68: ...Member checkbox in the configuration of the secondary only when the primary member is unavailable Peer Device The name of the other device in the cluster The drop down list contains the names of all the DefensePro devices that are not part of a cluster When the device is a member of an existing high availability cluster the drop down list is unavailable Associated Management Ports Specifies the ma...

Page 69: ...te If the Use Idle Line Detection checkbox is cleared this parameter is ignored Idle Line Timeout The time in seconds with line bandwidth below the Idle Line Threshold that triggers a switchover when the Use Idle Line Detection option is enabled Values 3 65 535 Default 10 Note If the Use Idle Line Detection checkbox is cleared this parameter is ignored Advanced Configuration Baseline Sync Interval...

Page 70: ...ane right click the cluster node and select Break Cluster After your confirmation the cluster node is removed from the tree and the DefensePro devices are displayed under the parent node To rename an DefensePro high availability cluster from the system pane 1 In the Configuration perspective system pane right click the cluster node and select Rename Cluster Name 2 Rename the cluster up to 32 chara...

Page 71: ...ootP 2 Configure the parameters and then click Submit to submit the changes Advanced Parameters This section describes the advanced parameters that are relevant for the basic configuration of a DefensePro device This section contains the following topics Configuring Advanced Settings page 72 Configuring Configuration Auditing page 73 Configuring Dynamic Protocols page 73 Configuring Tuning Paramet...

Page 72: ... the overload occurs in the Master CPU only a percentage of the traffic is processed by the CPU Behavioral DoS footprint analysis is done on sampled data ensuring the continuation of the feature but SYN Protection does not work Accelerator Overload When the overload occurs in the Accelerator CPU only a percentage of the traffic is inspected while the rest passes through using bypass modes Inspecte...

Page 73: ...ssions RTP and control sessions RTCP Some dynamic sessions are in the Session Table longer than regular sessions With VoIP SIP and H255 there are times with no traffic however the call is still active and the session does not age You can configure different aging times for various dynamic protocols and different policies for different connections of the same session In FTP for example you can set ...

Page 74: ...tocol Default Enabled Data Session Aging Time Specifies the Data Session Aging Time in seconds Default 0 Rshell Enable Rshell Enables disables Rshell Dynamic Protocol Default Enabled Control Session Aging Time Specifies the Control Session Aging Time in seconds Default 0 Data Session Aging Time Enter a value for Data Session Aging Time in seconds Rexec Enable Rexec Enables disables Rexec Dynamic P...

Page 75: ...g an interactive user session involving multimedia elements such as video voice chat gaming and so on SIP can establish modify or terminate multimedia sessions or Internet telephony calls When a policy for SIP is configured to block traffic from one direction it is not possible to open a SIP connection from another direction SIP uses the same port number for both source and destination Default Dis...

Page 76: ...ice Tuning Parameters Parameter Description IP Fragmentation Table The maximum number of IP fragments that the device stores Values 1 256 000 Default 1240 Session Table The maximum number of sessions that the device can track Values 20 4 000 000 Default per model x016 2 000 000 x412 NL O 3 000 000 x412 NL Q 3 100 000 x412 BP O 3 000 000 x412 BP Q 2 900 000 Session Resets Entries The maximum number...

Page 77: ...uired and ensuring that traffic is properly classified and inspected To configure security tuning 1 In the Configuration perspective Advanced Parameters tab navigation pane select Tuning Parameters Security 2 Configure the tuning parameters SIP Call Table The maximum number of SIP calls the device can track Values 16 256 000 Default 1024 TCP Segmentation Table The maximum number of TCP Segments Th...

Page 78: ...tion The Counter Source Table counts the number of times traffic from a specific source matches a signature When the number of packets sent from a particular source exceeds the predefined limit it is identified as an attack Values 100 65 536 Default 65 536 Max Number of Entries in Counter Source and Target Table The maximum number of sessions in which Source and Destination addresses are tracked S...

Page 79: ...100 Max Number of Entries in Generic Signature Table The maximum number of entries for concurrent active scanning protections Values 100 100 000 Default 10 000 Max Number of Signatures Configured by User The maximum number of user configurable IPS signatures and RSA signatures DefensePro can store up to 500 concurrent RSA signatures Values 10 10 000 Default with fraud protection not enabled 100 De...

Page 80: ...imit Attacks The maximum number of concurrent Connection Packet Rate Limit attacks that the device can handle Values 5 1000 Default 50 Table 24 SYN Protection Tuning Parameters Parameter Description SYN Protection Table The number of entries in the table that stores data regarding the delayed binding process An entry exists in the table from the time a client starts the three way handshake until t...

Page 81: ...the table that stores active triggers that is the destination IPs ports from which the device identifies an ongoing attack Values 1000 20 000 Default 1000 SYN Statistics Entries The number of entries in the SYN Flood Statistics table Values 1000 20 000 Default 1000 Table 25 Authentication Table Tuning Parameters Parameter Description HTTP Authentication Table Size The number of source in the HTTP ...

Page 82: ...es in the table for ranges Values 32 10 000 Default 256 Max Number of Discrete IP Addresses per Network The maximum number of entries in the table for IP addresses that are allocated to a network Values 16 1024 Default 64 Max Number of Subnets per Network The maximum number of entries in the table for network subnets Values 16 256 Default 64 Max Number of MAC Groups The maximum number of entries i...

Page 83: ... Radware recommends performing a memory check before rebooting the device Max Number of Application Ports Groups The maximum number of entries in the table for application port groups Values 32 2000 Default 512 Max Number of Content Entries The maximum number of content entries in the table Values 16 4096 Default 256 Table 27 BWM Tuning Parameters Parameter Description Policy Table The number of p...

Page 84: ...nd to report detected attacks based on their various risk levels You can also configure DefensePro devices to send captured attack packets along with the attack event for further offline analysis Packet reporting and SRP use the same default port 2088 To configure security reporting channels 1 In the Configuration perspective Advanced Parameters tab navigation pane select Security Reporting Settin...

Page 85: ...lected the device uses the traps reporting channel Default Enabled Minimal Risk Level for Sending Traps The minimal risk level for the reporting channel Attacks with the specified risk value or higher are reported Default Low Enable Sending Syslog When selected the device uses the syslog reporting channel Default Disabled Minimal Risk Level for Sending Syslog The minimal risk level for the reporti...

Page 86: ... is excluding the management ports Default none Caution A change to this parameter takes effect only after you update policies Maximum Rate The maximum number of packets per second that the Packet Trace feature sends Values 1 200 000 Default 50 000 Caution A change to this parameter takes effect only after you update policies Maximum Length of Dropped Packets The maximum length in bytes of dropped...

Page 87: ...ct Out of Path 2 Configure the parameters and then click Submit to submit the changes Agent IP Address The IP address of the netForensics agent L4 Port The port used for netForensics reporting Values 1 65 535 Default 555 Data Reporting Destinations Destination IP Address The target addresses for data reporting The table can contain up to 10 addresses By default when there is room in the table addr...

Page 88: ...Table When enabled the device uses the Session table Default Enabled Remove Session Entry at Session End When enabled the device removes sessions from the Session Table five seconds after receiving a FIN or RST packet if no additional packets are received on the same session within the five seconds This option is available only for Full Layer 4 Lookup Mode default mode Default Enabled Send Reset t...

Page 89: ...Destination Port the following Protections do not work ACL Anti Scanning Connection Packet Rate Limit Connection Rate Limit HTTP Mitigator HTTP Replies Signatures Out of State protection Server Cracking SYN Protection Aging Time The time in seconds that the device keeps a non active session in the Session Table Default 100 Note When the Access Control List ACL feature is enabled Session table agin...

Page 90: ...Maximal Aging Timeout When the suspension length has reached the maximum length allowed it remains constant for each additional suspension To configure Suspend Table settings 1 In the Configuration perspective Advanced Parameters tab navigation pane select Suspend Table Settings 2 Configure the parameters and then click Submit to submit the changes Session Table Full Action The action that the dev...

Page 91: ...lick OK Table 32 Suspend Table Parameters Parameter Description Minimal Aging Timeout The time in seconds for which the DefensePro suspends first time offending source IP addresses Default 10 Maximal Aging Timeout The maximal time in seconds for which the DefensePro suspends a specific source Each time the DefensePro suspends the same source the suspension length doubles until it reaches the Maxim...

Page 92: ...ng protocols In general wireline operators deploy MPLS and L2TP for their tunneling and mobile operators deploy GRE and GTP DefensePro can inspect traffic that may use various encapsulation protocols In some cases the external header tunnel data is the data that DefensePro needs to inspect In other cases DefensePro needs to inspect the internal data IP header and even the payload You can configure...

Page 93: ... Configuring the SNMP Group Table page 95 Configuring SNMP Access Settings page 96 Configuring SNMP Notify Settings page 97 Configuring SNMP View Settings page 98 Configuring the SNMP Target Parameters Table page 98 Configuring SNMP Target Addresses page 99 Configuring SNMP Users With SNMPv3 user based management each user can have different permissions based on the user name and authentication me...

Page 94: ... Note You cannot change the community string associated with the user name that you are currently using To configure SNMP community settings 1 In the Configuration perspective Device Security tab navigation pane select SNMP Community 2 Do one of the following To add an SNMP community entry click the Add button To edit an entry double click the row 3 Configure SNMP community parameters and click OK...

Page 95: ...p entry click the Add button To edit an entry double click the row 3 Configure SNMP group parameters and click OK Table 35 SNMP Community Parameters Parameter Description Index A descriptive name for this entry This name cannot be modified after creation Default public Community Name The community string Default public Security Name The security name identifies the SNMP community used when the not...

Page 96: ...ecurity Model The SNMP version that represents the required security model Security models are predefined sets of permissions that can be used by the groups These sets are defined according to the SNMP versions By selecting the SNMP version for this parameter you determine the permissions set to be used Values SNMPv1 SNMPv2c User Based SNMPv3 Default SNMPv1 Security Name If the User Based security...

Page 97: ...or access Values No Authentication No authentication or privacy are required Authentication No Privacy Authentication is required but privacy is not required Authentication Privacy Both authentication and privacy are required Default No Authentication Read View Name The name of the View that specifies which objects in the MIB tree are readable by this group Write View Name The name of the View tha...

Page 98: ... Configuring the SNMP Target Parameters Table The Target Parameters Table defines message processing and security parameters that are used in sending notifications to a particular management target Entries in this table are referenced in the Target Address Table To configure SNMP target parameters 1 In the Configuration perspective Device Security tab navigation pane select SNMP Target Parameters ...

Page 99: ...Parameter Description Name Name of the target parameters entry Message Processing Model Specifies which version of SNMP to use when generating SNMP notifications Values SNMPv1 SNMPv2c SNMPv3 Default SNMPv1 Security Model Select the SNMP version that represents the required Security Model Security models are predefined sets of permissions that can be used by the groups These sets are defined accord...

Page 100: ... SNMP traps The format of the values is IP address TCP port where TCP port must be 162 For example if the value for IP Address and L4 Port is 1 2 3 4 162 1 2 3 4 is the IP address of the APSolute Vision server and 162 is the port number for SNMP traps Note APSolute Vision listens for traps only on port 162 Mask A subnet mask of the management station Tag List Specifies sets of target addresses Tag...

Page 101: ...minimum severity level of traps sent to this user Values None The user receives no traps Info The user receives traps with severity info or higher Warning The user receives Warning Error and Fatal traps Error The user receives Error and Fatal traps Fatal The user receives Fatal traps only Default None Enable Configuration Tracing When selected the specified user receives notifications of configura...

Page 102: ... tab navigation pane select Advanced Ping Ports 2 To edit port ping settings double click the relevant row 3 Select or clear the checkbox to allow or not allow pinging then click OK Table 43 Port Permission Parameters Parameter Description Port Read only The name of the physical port SNMP Access When selected allows access to the port using SNMP Telnet Access When selected allows access to the por...

Page 103: ...ayer 7 To configure IP interfaces 1 In the Configuration perspective Networking tab navigation pane select IP Management 2 Do one of the following To add an IP interface click the Add button To edit an IP interface double click the row 3 Configure the parameters and then click OK Table 44 IP Interface Parameters Parameter Description IP Address IP address of the interface Mask The associated subne...

Page 104: ...P Routing 2 Do one of the following To add a static route click the Add button To edit a static route double click the row 3 Configure the static route settings and click OK 4 Configure global advanced parameters if required Notes When editing a static route you can modify only the Via Interface and Metric fields The Type field is displayed only in the Static Routes Table not in the dialog box It ...

Page 105: ...ost The captured traffic is then routed to the destination host via another interface Default Enabled Enable Sending Trap on ICMP Error The Internet Control Message Protocol ICMP is one of the core protocols of the Internet Protocol Suite and is used by networked computers operating systems to send error messages indicating for example that a requested service is not available or that a host or ro...

Page 106: ...e click the row 3 Configure the ARP parameters and click OK 4 Modify advanced parameters if required and then click Submit to submit the changes Maximum The maximum time in seconds between multicast Router Advertisements from the interface Values minimum specified interval 1800 Lifetime The maximum time in seconds that the advertised addresses are considered valid Values Maximum specified interval...

Page 107: ... is learned from ARP protocol If the entry is not active for a predetermined time the node is deleted from the table Static Entry has been configured by the network management station and is permanent Table 47 Advanced Parameters Parameter Description Inactive ARP Timeout The time in seconds that inactive ARP cache entries can remain in the ARP table before the device deletes them If an ARP cache ...

Page 108: ...her link availability and increased link capacity Port trunking is supported according to the IEEE 802 3ad standard for link aggregation as follows Link aggregation is supported only on links using the IEEE 802 3 MAC Link aggregation is supported only on point to point links Link aggregation is supported only on links operating in Full Duplex mode Link aggregation is permitted only among links wit...

Page 109: ...physical port to a trunk make sure that the port is not used in any configuration port mirroring static forwarding When a trunk is part of a protected segment definition Port Operation in the Port Pairs table must be set to Process mode for both directions of this segment A trunk cannot be assigned with an IP address for management Ports with internal bypass cannot be assigned into a trunk It is n...

Page 110: ...peration Center SOC to develop an attack signature DefensePro supports traffic rate port mirroring also DefensePro devices can perform traffic rate port mirroring when the device is under attack Traffic rate port mirroring is based on a specified traffic threshold When the threshold value is reached the DefensePro device starts copying traffic from the interface to its mirroring output port The pr...

Page 111: ...d Units parameter and the Threshold Interval parameter are defined globally for each device and not for each pair of ports Table 50 Port Mirroring Parameters Parameter Description Input Interface The traffic port Output Port The port for the mirrored traffic Traffic to Mirror The direction of the traffic that the device mirrors Values Transmit and Receive Receive Only Transmit Only Enable Promiscu...

Page 112: ...tted the originator of the packet or one of the routers transmitting the packet must fragment the packet to multiple shorter packets Using IP fragmentation the DefensePro device can classify the Layer 4 information of IP fragments The device identifies all the fragments belong to same datagram then classifies and forwards them accordingly The device does not reassemble the original IP packet but f...

Page 113: ...th the DoS Mitigation Engine that is the DME Specifies whether the device passes jumbo frames through the device Values Enabled The device passes frames of 1550 10 000 bytes through the device without any inspection or monitoring Disabled The device discards frames that are larger than 1550 bytes Default Disabled Notes Changing the configuration of the option takes effect only after a device reset...

Page 114: ...ing To add a pair of ports click the Add button To edit a pair of ports double click the row 3 Configure the parameters and then click OK IP Fragmentation Enable IP Fragmentation When selected enables IP fragmentation Default Enabled Queuing Limit The percentage of IP packets the device allocates for out of sequence fragmented IP datagrams Values 0 100 Default 25 Aging Time The time in seconds tha...

Page 115: ... power and switches that are connected to the DefensePro device detect the link as being down Fail Open Traffic passes through not processed by DefensePro when the platform is powered down Note For more information see Internal Bypass for RJ 45 Ports page 46 In Port Specifies which port in the pair is designated as the inbound port the source or destination port This setting is used in real time r...

Page 116: ...DefensePro User Guide Device Network Configuration 116 Document ID RDWR DP V0602_UG1201 ...

Page 117: ...pective navigation pane This chapter contains the following sections Security Protections page 117 Selecting a Device for Security Configuration page 118 Configuring Global Security Settings page 118 Managing the Network Protection Policy page 144 Managing the Server Protection Policy page 187 Configuring White Lists page 195 Configuring Black Lists page 198 Managing the ACL Policy page 202 Securi...

Page 118: ...ure a security policy select the device in the Configuration perspective navigation pane To select the device for security configuration Select the required device in the Configuration perspective system pane Configuring Global Security Settings Before you configure the Server Protection Policy or the Network Protection Policy and their protection profiles you must enable the protection features y...

Page 119: ...rces unavailable to its intended users Note DoS Shield protection is enabled by default Table 54 Signature Protection Settings Parameter Description Enable Application Security Protection If the protection is disabled enable it before setting up the protection profiles Note Changing the setting of this parameter requires a reboot to take effect Reassemble Fragmented TCP Packets Specifies whether t...

Page 120: ...k s bandwidth DoS Shield detects such events using an advanced sampling algorithm for optimized performance acting automatically to solve the problem The DoS Shield considers two protection states Dormant state Indicates that Sampling mechanism is used for recognition prior to active intervention A protection in Dormant state becomes active only if the number of packets entering the network exceed...

Page 121: ...ation Flood UDP flood ICMP flood IGMP flood The main advantage of BDoS Protection is the ability to detect statistical traffic anomalies and generate an accurate DoS attack footprint based on a heuristic protocol information analysis This ensures accurate attack filtering with minimal risk of false positives The default average time for a new signature creation is between 10 and 18 seconds This is...

Page 122: ...take effect Learning Response Period The initial period from which baselines are primarily weighted The default and recommended learning response period is one week If traffic rates legitimately fluctuate for example TCP or UDP traffic baselines change more than 50 daily set the learning response to one month Use a one day period for testing purposes only Values Day Week Month Default Week Enable ...

Page 123: ...level achieves the best attack blocking but increases the probability of false positives Note Footprint Strictness Examples page 124 shows examples of footprint strictness requirements Advanced Parameters These settings affect periodic attack behavior The settings are used to effectively detect and block these attack types Duration of Non attack Traffic in Analysis State The time in seconds at whi...

Page 124: ...s type settings double click the corresponding row 4 Configure the footprint bypass parameters for the selected bypass type and then click OK Duration of Non attack Traffic in Anomaly or Non Strictness State The time in seconds at which the degree of attack falls below and stays below the hard coded threshold in the Anomaly state or the Non strictness state When the time elapses DefensePro declare...

Page 125: ... 10 seconds The transition after 10 seconds occurs even if the condition is not met You can define either the number of packet header fields or the specific fields that DefensePro must detect For more information see Selecting Packet Header Fields for Early Blocking of DoS Traffic page 126 The Packet header field values threshold is the number of anomalous packet header field values that DefensePr...

Page 126: ...abling setting for a field double click the row change the setting in the dialog box and click OK Table 59 Early Blocking Parameters Parameter Description Protection Type Read only The protection for which you are configuring early blocking Any Packet Header Field When selected DefensePro blocks DoS traffic early based on the specified number of packet header fields and number of packet header fie...

Page 127: ...ction Type Read only The protection for which you are configuring early blocking Packet Header Field Read only The packet header field Enable Early Blocking Condition When selected the packet header is included in the set of specific packet headers that DefensePro must detect to generate a footprint and start early blocking Table 61 Global Anti Scanning Settings Parameter Description Anti Scanning...

Page 128: ...le High Port Response Specifies whether the Anti Scanning Protection emphasizes inspecting scans aimed at ports greater than 1024 that is usually unassigned ports Values Enabled The Anti Scanning Protection emphasizes inspecting scans aimed at ports greater than 1024 Select this checkbox when using applications that utilize standard system ports that is port values less than 1024 Disabled The Anti...

Page 129: ...ers Tracking Time The number of SYN packets directed to same destination must be lower than the value of the Termination Threshold for this amount of time in seconds to stop the protection of the destination Values 1 10 Default 5 SSL Parameters For more information on the SSL Mitigation feature see Configuring SSL Mitigation Policies page 180 Enable SSL Mitigation Specifies whether the device enab...

Page 130: ...th TCP Values 0 65 535 Default 1800 Advanced Parameters Enable Out of State Status Enables the specified Action for Out of State Protection Default Disabled Action The action that the device takes when it encounters out of state packets Values Block Report Only Default Report Only Activation Threshold The rate in PPS of out of state packets above which the device considers the packets to be part o...

Page 131: ...o set HTTP flood protection parameters Default Enabled Learning Period before Activation The time in days DefensePro takes to collect the data needed to establish the baseline that HTTP Mitigation uses Values 0 65 536 Default 7 Learning Mode The learning mode of the HTTP Mitigator Values Continuous Only The learning process about the traffic environment is continuous Automatic DefensePro can switc...

Page 132: ... to clients either on the same connection or open a new connection for this purpose This is also applicable for UDP where either the same flow or a new one is used To support such environments the SIP Server Cracking Protection can monitor all outgoing messages from the protected server to the SIP Application Port Group or from the SIP Application Port Group When DefensePro detects an attack it do...

Page 133: ...atures according to the specified estimated time for bringing down various types of malicious sites When Fraud Protection is enabled you can configure Network Protection with a Signature Profile rule that uses one or more of the following threat type attribute values Fraud Phishing Fraud Drop Points Fraud Malicious Download Table 65 SIP Cracking Parameters Parameter Description Tracking Type The d...

Page 134: ...fied physical port You enable or disable the Packet Trace feature for all the packet anomaly types configured on the device Table 66 Fraud Protection Parameters Parameter Description General Settings Enable Fraud Protection Specifies whether fraud protection is enabled Default Disabled Advanced Settings Error Reporting Frequency How often in hours the device sends a trap notifying when an expected...

Page 135: ...kbox and then click Submit to submit the changes Configuring Protection Settings for a Packet Anomaly Type To configure protection settings for a packet anomaly type 1 In the Configuration perspective Security Settings tab navigation pane select Packet Anomaly 2 Double click the relevant row 3 Configure the parameters and then click OK For more information about packet anomalies and their default ...

Page 136: ...es to Report Click No Report All to set the action for all anomaly types to No Report Risk The risk associated with the trap for the specific anomaly Values Info Low Medium High Default Info Table 68 Default Configuration of Packet Anomaly Types Anomaly Type Description Unrecognized L2 Format1 Packets with more than two VLAN tags or MPLS labels L2 broadcast or L2 multicast traffic ID 100 Default A...

Page 137: ...eader length is not greater than or equal to 20 bytes ID 112 Default Action Drop Default Risk Info Note All DefensePro platforms support this anomaly type Invalid TCP Flags1 The TCP flags combination is not according to the standard ID 113 Default Action Drop Default Risk Info Invalid UDP Header Length1 The UDP header length is less than eight bytes ID 116 Default Action Drop Default Risk Info Sou...

Page 138: ...he default average time for a new signature creation is between 10 and 18 seconds This is a relatively short time because flood attacks can last for minutes and sometimes hours Before you configure DNS Flood Protection profiles ensure that DNS Flood Protection is enabled You can also change the default global device settings for DNS Flood Protection The DNS Flood Protection global settings apply t...

Page 139: ...poses only Values Day Week Month Default Week Footprint Strictness When DefensePro detects a new attack the DNS Flood Protection module generates an attack footprint to block the attack traffic If DefensePro is unable to generate a footprint that meets the footprint strictness condition the device issues a notification for the attack but does not block it The higher the strictness the more accurat...

Page 140: ...es whether the device challenges all unauthenticated DNS queries to the protected server Default Enabled Note DefensePro challenges only A and AAAA query types Enable Collective Rate Limit Read only The device limits the rate of all DNS queries to the protected server Value Enabled Advanced Parameters These settings affect periodic attack behavior The settings are used to effectively detect and bl...

Page 141: ...ngs double click the corresponding row 4 Configure the footprint bypass parameters for the selected bypass field and then click OK Duration of Non attack Traffic in Anomaly or Non Strictness State The time in seconds at which the degree of attack falls below and stays below the hard coded threshold in the Anomaly state or the Non strictness state When the time elapses DefensePro declares the attac...

Page 142: ...ates each footprint using values from fields in the packet header for example Sequence Number Checksum and IP ID The values from fields in the packet header characterize the attack Table 71 DNS Footprint Bypass Parameters Parameter Description Footprint Bypass Controller Read only The selected DNS query type for which you are configuring footprint bypass Bypass Field Read only The selected Bypass ...

Page 143: ...lood Protection mechanism to operate properly Likewise you cannot configure fewer packet header fields than the specified strictness level requires for the DNS Flood Protection mechanism to operate properly To configure early blocking for DNS Flood Protection 1 In the Configuration perspective Security Settings tab navigation pane select BDoS Protection DNS Early Blocking 2 To modify a protection ...

Page 144: ... profiles that are applied on a predefined network segment In addition each rule includes the action to take when an attack is detected There are two main types of network protections Intrusion Preventions see Table 74 Intrusion Prevention Protections page 144 and Denial of Service protection see Table 75 Denial of Service Protections page 144 Table 73 DNS Packet Header Field Parameters Parameter ...

Page 145: ...tion page 168 Configuring Anti Scanning Protection for Network Protection page 170 Configuring Connection Limit Profiles for Network Protection page 173 Configuring SYN Profiles for Network Protection page 177 Configuring Connection PPS Limit Profiles for Network Protection page 182 Configuring DNS Protection Profiles for Network Protection page 184 Caution When you configure the policy APSolute V...

Page 146: ... class displayed in the Classes tab An IP address any DST Network The destination of the packets that the rule uses Values A Network class displayed in the Classes tab An IP address any Port Group The Physical Port class or physical port that the rule uses Values A Physical Port class displayed in the Classes tab The physical ports on the device None Direction The direction of the traffic to which...

Page 147: ... add and modify profiles Anti Scanning Profile The Anti Scanning profile to be applied to the network segment defined in this rule Note You can click the adjacent button to open the dialog box in which you can add and modify profiles Signature Protection Profile The Signature Protection profile to be applied to the network segment defined in this rule Note You can click the adjacent button to open...

Page 148: ...porting Specifies whether the device sends sampled attack packets to APSolute Vision for offline analysis Default Disabled Caution When this feature is enabled here for the feature to take effect the global setting must be enabled Configuration perspective Advanced Parameters Security Reporting Settings Enable Packet Reporting Packet Reporting Configuration on Policy Takes Precedence Specifies whe...

Page 149: ...ommends that you configure policies containing Signature Protection profiles using Networks with Source Any the public network and Destination Protected Network You can configure policies to use VLAN tags application ports physical ports and MPLS RDs For implications of direction settings for rules and protections see Table 77 Implications of Policy Directions page 150 Policies containing Signatur...

Page 150: ...tures that may be relevant to the protected network are included even if they are not associated explicitly by SOC with the application in the network To configure Signature Protection profiles IPS protection must be enabled and global DoS Shield parameters must be configured For more information see Configuring Global Signature Protection page 119 and Configuring DoS Shield Protection page 119 To...

Page 151: ...d how they are treated Signature settings parameters define how malicious packets are tracked and treated once their signature is recognized in the traffic Each attack is bound to a tracking function that defines how the packet is handled when it is matched with a signature The main purpose of these functions is to determine whether the packet is harmful and to apply an appropriate action Table 78...

Page 152: ...signatures for display To filter by ID click Filter by ID enter the required ID number and click Go To filter by attribute click Filter by Attribute configure the following parameters and click Go To configure Signature Protection signatures 1 In the Configuration perspective Network Protection tab navigation pane select Signature Protection Signatures 2 To add or edit a signature do one of the fo...

Page 153: ...attack is harmful for example Code Red and Nimda attacks Fragments FTP Bounce Land Attack ncpsdcan Sampling Select this option when the defined attack is based on sampling that is a DoS Shield attack Source and Destination Count Select this option when the attack type is a source and destination based attack that is the hacker is attacking from a specific source IP to a specific destination IP add...

Page 154: ...n inspect the incoming traffic only the outgoing traffic only or both Values Inbound Outbound Inbound Outbound Default Inbound Outbound Activation Threshold The maximum number of attack packets allowed in each Tracking Time unit Attack packets are recognized as legitimate traffic when they are transmitted within the Tracking Time period When the value for Tracking Type is Drop All the DefensePro d...

Page 155: ...le Disable Default Disable Caution The device implements this option for the signature only when the Web Quarantine checkbox in the Network Policy Network Protection tab Network Protection Rules is selected also Filters Table Filters are components of a protection each containing one specific attack signature that scan and classify predefined traffic Filters match scanned packets with attack signa...

Page 156: ...d for Layer 2 Layer 3 Layer 4 or Layer 7 content Values L2 The complete packet length is measured including Layer 2 headers L3 The Layer 2 data part of the packet is measured excluding the Layer 2 headers L4 The Layer 3 data part of the packet is measured excluding the Layer 2 Layer 3 headers L7 The L4 data part of the packet is measured excluding the Layer 2 Layer 3 Layer 4 headers None Default N...

Page 157: ... Pattern Condition data Values Not Applicable 1 Byte 2 Bytes 3 Bytes 4 Bytes Default 1 Byte OMPC Offset The location in the packet from where data checking starts looking for specific bits in the IP TCP header Values 0 1513 Default 0 OMPC Offset Relative to Specifies to which OMPC offset the selected offset is relative Values None IP Header IP Data L4 Data L4 Header Ethernet Default None OMPC Patt...

Page 158: ... Content Types page 159 Default N A The device will not filter the content based on type Content Encoding Application Security can search for content in languages other than English for case sensitive or case insensitive text and hexadecimal strings Values Not Applicable Case Insensitive Case Sensitive Hex International Default Not Applicable Note The value of this field corresponds to the Content...

Page 159: ...d range it is recognized as an attack Regular Expression Content Specifies whether the Content Data field value is formatted as a regular expression and not as free text to search You can set a regex search for all content types Regular Expression Content Data Specifies whether the Content Data value is formatted as a regular expression and not as free text to search Table 81 Content Types Content...

Page 160: ...der Mail Subject In the SMTP header Mail To In the SMTP header MM7 File Attachment The file associated with the MM7 request MM7 Request The request for an MM7 Error message Normalized URL To avoid evasion techniques when classifying HTTP requests the URL content is transformed into its canonical representation interpreting the URL the same way the server would The normalization procedure supports ...

Page 161: ...mples Web servers mail servers browsers The parameter is optional that is the attribute may or may not contain a value There can be multiple values Complexity The level of analysis performed as part of the attack lookup mechanism There can be only a single value for the parameter Values Low This signature has negligible impact on device performance High This signature has stronger impact on the de...

Page 162: ...Medium Minimum is the default for Complexity Confidence and Risk Exact Specifies that the Attribute Value uses only its own results For example for the attribute type Risk with Match Method Exact the Attribute Value High uses only for High risk results You can change the Match Method for the attribute types Complexity Confidence and Risk To view attribute types that the device supports In the Conf...

Page 163: ...o responds to the connection requests according to the Quarantine action defined for the network policy The Web Quarantine configuration involves the following Configuring quarantine actions For more information see Configuring Web Quarantine Actions page 163 Configuring quarantined sources For more information see Configuring Quarantined Sources page 167 Enabling the Web Quarantine option in the ...

Page 164: ... 165 Redirect The device redirects outbound Web traffic from the quarantined internal hosts to the specified Redirection Location Default Quarantine Warning Redirection Location This parameter is available only when the Action is Redirect The location where the device redirects quarantined internal hosts Typically the location is an HTML page with a message from the network administrator Caution T...

Page 165: ...of the following To add an entry click the Add button To edit an entry double click the row 3 Click Upload Custom HTML Page 4 Configure the parameters and then click OK Aging Hours The number of hours that the device quarantines all Web traffic from the internal hosts in a protected network segment after matching a signature Values 0 168 That is one week The value 168 is valid only if the value fo...

Page 166: ...e for the quarantine warning page Values File Text Default File File Name This parameter is available only when Export From is File The filepath of the file with the code for the quarantine warning page Click Browse to navigate to the file and then click OK Text This parameter is available only when Export From is Text The code for the quarantine warning page Table 85 Get Page Code Parameters Para...

Page 167: ... IP Address The IP address of the quarantined host Aging Hours The number of hours that the device quarantines all Web traffic from the internal hosts in a protected network segment after matching a signature Values 0 168 That is one week The value 168 is valid only if the value for the Aging Minutes is 0 When Aging Hours and Aging Minutes are both 0 zero the device quarantines the Web traffic ind...

Page 168: ...One Way the rule prevents incoming attacks only When a rule s Direction is set to Two Way the rule prevents both incoming and outgoing attacks In both cases the traffic statistics are collected for incoming and outgoing patterns to achieve optimal detection You can configure footprint bypass to bypass specified footprint types or values For more information see Configuring BDoS Footprint Bypass pa...

Page 169: ...es from the bandwidth and quota settings Minimum 1 Note You must configure this setting to start Behavioral DoS protection Quota Settings Radware recommends that you initially leave these fields empty so that the default values will automatically be used To view default values after creating the profile double click the entry in the table You can then adjust quota values based on your network perf...

Page 170: ...y problems These scanning techniques commonly utilize a vertical scanning scheme The worm propagation activity is detected and prevented by DefensePro s Anti Scanning protection Advanced Parameters Level Of Regularization The packet rate detection sensitivity that is to what extent the BDoS engine considers the PPS rate values baseline and current This parameter is relevant only for only for BDoS ...

Page 171: ...This assures optimized attack detection sensitivity You can set policies using a VLAN tag MPLS RD or physical ports It is not recommended to define a network in which the Source and Destination are set to Any as it results in lower detection sensitivity When a policy s Direction is set to One Way DefensePro prevents incoming attacks only When a policy s Direction is set to Two Way the device preve...

Page 172: ... sensitivity to scanning activities Values High Medium Low Very Low Default Low Note High means it needs few scanning attempts to trigger the Anti Scanning protection while Very Low means it needs a high number of scanning attempts Accuracy The accuracy level determines the minimum number of parameters used in the footprint Values High Medium Low Default Medium Higher accuracy means that more para...

Page 173: ...r per client plus server combination for traffic that matches a Connection Limit policy attack definition Once the number of connections per second reaches the specified threshold any session connection over the threshold is dropped unless the action mode defined for this attack is Report Only You can also define whether to suspend the source IP address dropping traffic from this source for a numb...

Page 174: ...r more information see Connection Limit Protection Parameters page 175 Note A Connection Limit profile should contain all the Connection Limit protections that you want to apply in a network policy rule Table 89 Connection Limit Profile Parameters Parameter Description Profile Name Read only The name of the Connection Limit profile Connection Limit Protection Table Lists the Connection Limit prote...

Page 175: ...d reporting Application Port Group Name The group of Layer 4 ports representing the application you want to protect Protocol The Layer 4 protocol of the application you want to protect Values TCP UDP Default TCP Number of Connections The maximum number of TCP connections or UDP sessions per second allowed for each source destination or source and destination pair All additional sessions are droppe...

Page 176: ...der attack is suspended Source IP and Port Destination IP and Port Traffic from the IP address and port identified as the source of this attack to the destination IP address and port under attack is suspended Default None Note When Tracking Type is set to Target Count the Suspend Action can only be set to None Packet Reporting and Trace Setting Packet Report Specifies whether the device sends samp...

Page 177: ...select SYN Profiles 2 To add or modify a profile do one of the following To add a profile click the Add button Enter the profile name and click OK To edit a profile double click the entry in the table 3 To add a SYN flood protection to the profile a Right click in the table and select Add New SYN Flood Protection b From the Profile Name drop down list select the protection c Click OK 4 To define a...

Page 178: ...ure the parameters and then click OK Table 92 SYN Flood Protection Parameters Parameter Description Protection Name A name for easy identification of the attack for configuration and reporting Note Predefined SYN Protections are available for the most common applications FTP HTTP HTTPS IMAP POP3 RPS RTSP SMTP and Telnet The thresholds are predefined by Radware You can change the thresholds for the...

Page 179: ...select SYN Protection Profiles Profiles Parameters 2 Double click the relevant profile 3 Configure the parameters and then click OK Risk The risk level assigned to this attack for reporting purposes Values Info Low Medium High Default Low Source Type Read only Specifies whether the SYN protection is a predefined static or user defined user protection Protocol Destination Port Verification Type FTP...

Page 180: ...ves a SYN packet the device responds with an ACK packet with an invalid Sequence Number field as cookie If the client responds with RST and the cookie the device discards the packet adds the source IP address to the TCP Authentication Table The next SYN packet from the same source passes through the device and the session is approved for the server The device saves the source IP address for a spec...

Page 181: ... 8 The DefensePro device sends the encrypted HTTPS challenge to the client 9 The DefensePro device receives a valid response from the client and considers the connection to be legitimate 10 The DefensePro device adds the source IP address to the HTTP Authentication Table 11 The DefensePro device passes the encrypted HTTPS response to the SSL engine of the Alteon device 12 The Alteon device communi...

Page 182: ...onnection PPS Limit Profiles 2 To add or modify a profile do one of the following To add a profile click the Add button Enter the profile name and click OK To edit a profile double click the entry in the table 3 To add Connection PPS Limit protections to the profile in the Edit Connection PPS Limit Profile dialog box protections table a Right click and select Add New Connection PPS Limit Protectio...

Page 183: ...and ID for each protection to be applied for the selected profile To add a protection in the table right click and select Add New Connection PPS Limit Protection Select the protection name and click OK Note In each rule you can use only one Connection PPS Limit profile Therefore ensure that all the protections that you want to apply to a rule are contained in the profile specified for that rule Go...

Page 184: ...vates the protection after the Termination Period That is when the PPS rate falls below the specified threshold on all the connections the device considers the attack to have ended after the Termination Period Values 1 max integer Default 9 000 Note The Termination Threshold must be less than or equal to the Activation Threshold Risk The risk assigned to this attack for reporting purposes Values H...

Page 185: ...ecommends that you initially leave these fields empty so that the default values will automatically be used To view default values after creating the profile double click the entry in the table You can then adjust quota values based on your network performance Note The total quota values may exceed 100 as each value represents the maximum volume per protocol A Query For each DNS query type to prot...

Page 186: ... the device to consider the attack to have ended Values 0 4 000 000 Default 0 Note The Termination Threshold must be less than or equal to the Activation Threshold Termination Period The time in seconds that the DNS traffic on a single connection is continuously below the Termination Threshold which causes the device to consider the attack to have ended Values 0 30 Default 3 Max QPS The maximum al...

Page 187: ...ion When this feature is enabled here for the feature to take effect the global setting must be enabled Configuration perspective Advanced Parameters Security Reporting Settings Enable Packet Trace In addition a change to this parameter takes effect only after you update policies Action and Escalation Note The device implements the parameters in this group box only when the Manual Triggers option ...

Page 188: ...e all configuration policies on the device in a single operation For more information see Updating Policy Configurations on a DefensePro Device page 246 Table 98 Server Protection Parameters Parameter Description Server Name The name of the server IP Range The IP address or range of the protected server You can assign an HTTP profile to a server definition that contains one discrete IP You can ass...

Page 189: ...ting Settings Enable Packet Reporting Packet Reporting Configuration on Policy Takes Precedence Specifies whether the configuration of the Packet Reporting feature here on this policy rule takes precedence over the configuration of the Packet Reporting feature in the associated profiles Packet Trace Specifies whether the DefensePro device sends attack packets to the specified physical port Default...

Page 190: ...acket based or session based DoS flood attack Dynamic Attacks Blocking Dynamic Blocking automatically acts against any detected pre attack probe creating a temporary block against it The source is monitored for consistency during this period A consistent level of activity from the source automatically extends the blocking Blocking rules adapt specifically to the attack detected When an attack is a...

Page 191: ...the feature to take effect the global setting must be enabled Configuration perspective Advanced Parameters Security Reporting Settings Enable Packet Trace In addition a change to this parameter takes effect only after you update policies Server Cracking Protection Table Contains the protections to be applied if there is an attack on the server To add a protection in the table right click and sele...

Page 192: ...identify as an attack In such a case set the sensitivity to Low Action Mode The action that the device takes when an attack is detected Direction The direction of the traffic to inspect A protection may include attacks that should be searched only for traffic from client to server or only on traffic from server to client Values Inbound The Protection inspects traffic from policy Source to policy D...

Page 193: ...ined Attack Triggers are not used this parameter specifies how sensitive the profile is to deviations from the baseline High specifies that attack will be triggered when a small deviation from the baselines is detected Values Minor Low Medium High Default Medium Action The action that the device takes when the profile detects suspicious traffic Values Block and Report Blocks and reports on the sus...

Page 194: ...ts allowed from the same connection Value 0 The profile ignores the threshold 1 232 Default 5 Suspicious Source Characterization Thresholds Request Rate Threshold The number of HTTP requests per second from a source that causes the device to consider the source to be suspicious Values 1 65 535 Default 5 Requests per Connection Threshold The number of HTTP requests for a connection that causes the ...

Page 195: ... policies Mitigation Settings When the protection is enabled and the device detects that a HTTP flood attack has started the device implements the mitigation actions in escalating order in the order that they appear in the group box If the first enabled Mitigation Action does not mitigate the attack satisfactorily after a certain escalation period the device implements the next more severe enabled...

Page 196: ...s 4 To activate your configuration changes on the device click Activate Latest Changes Tip You can update all configuration policies on the device in a single operation For more information see Updating Policy Configurations on a DefensePro Device page 246 Table 102 White List Rule Parameters Parameter Description Identification Name The name of the rule up to 50 characters Description The user de...

Page 197: ...s HTTP Flood inspection Default Enabled Bypass Server Cracking When enabled traffic from the specified source that is the source Network class or source IP address bypasses Server Cracking inspection Default Enabled Classification Source Network The source of the packets that the rule uses Values A Network class displayed in the Classes tab An IP address any Source Port The source Application Port...

Page 198: ...ed in the Classes tab The physical ports on the device None VLAN Tag The VLAN Tag class that the rule uses Values A VLAN Tag class displayed in the Classes tab None Protocol The protocol of the traffic that the rule uses Values Any GRE ICMP ICMPv6 IGMP SCTP TCP UDP Default Any Direction The direction of the traffic to which the rule relates Values One directional The protection applies to sessions...

Page 199: ...e supports the Packet Trace feature You enable or disable the feature globally that is for all the of the associated Black List rules To configure a Black List rule 1 In the Configuration perspective ACL tab navigation pane select Black List 2 To add or modify a black list rule do one of the following To add a rule click the Add button To edit a rule double click the entry in the table 3 Select th...

Page 200: ...nation of the packets that the rule uses Values A Network class displayed in the Classes tab An IP address None any Default any Destination Port The destination Application Port class or application port number that the rule uses Values An Application Port class displayed in the Classes tab An application port number None Physical Ports The Physical Port class or physical port that the rule uses V...

Page 201: ...r a device reset Expiration Timer Specifies the hours and minutes that the rule remains active Notes Changing the configuration of the timer values takes effect only after a device reset The timer starts when the device resets However if there is no change to the timer values and the Dynamic checkbox remains selected any other change to the device configuration and an subsequent reset does not aff...

Page 202: ...t in the flow Non IP direction According to the first packet in the flow When ACL is enabled and activated the device learns about the existing sessions for a specified amount of time by default 10 minutes During this learning period the device accepts all sessions regardless of any unknown direction However for the certain cases ACL treats the session according to the configured policies ACL trea...

Page 203: ...following cases ACL will treat the session according to the configured policies A new TCP session that starts with a SYN packet A new ICMP session that starts with a request packet Values 0 The protection starts immediately 1 max integer Default 600 TCP Handshake Timeout The time in seconds the device waits for the three way handshake to complete before the device drops the session TCP Timeout in ...

Page 204: ...ut The time in seconds that the device keeps an idle GRE session open After the timeout the session is removed from the Session table Values 1 7200 Default 3600 SCTP Timeout The time in seconds that the device keeps an idle SCTP session open After the timeout the session is removed from the Session table Values 1 7200 Default 3600 Other IP Protocols Timeout The time in seconds that the device keep...

Page 205: ... following To add a rule click the Add button To edit a rule double click the entry in the table 3 Configure the parameters 4 To activate your configuration changes on the device click Activate Latest Changes Tip You can update all configuration policies on the device in a single operation For more information see Updating Policy Configurations on a DefensePro Device page 246 Max Number of Report ...

Page 206: ...hedule that activates the policy Default None De activate Schedule The predefined event schedule that de activates the policy Default None Report Specifies whether the device issues traps for the rule Classification Protocol The protocol of the traffic that the policy inspects Values Any ICMP Other TCP UDP Default Any Source The existing source Network class of the packets that the policy inspects...

Page 207: ...d filters AND Group filters and OR Group filters DefensePro supports a long list of predefined basic filters You cannot configure Services in APSolute Vision You can configure basic filters using Web Based Management For more information see Managing Services for Traffic Filtering page 229 Action The action that the policy takes on packets that match the classification Values Accept Drop Drop RST ...

Page 208: ... rules in the ACL policy configured on the device To view the active ACL rule configuration In the Configuration perspective Classes tab navigation pane select ACL Policies Active Policy The table displays details of the current ACL rules configured on the device For information about ACL rule parameters see ACL Rule Parameters page 206 ...

Page 209: ...not affected maintaining the service level required to guarantee smooth business operation In a similar manner if you are a carrier you can ensure that a DoS attack launched on one customer does not compromise another customer s Service License Agreement SLA Using the Bandwidth Management module a device can classify traffic passing through it according to predefined criteria and can enforce a set...

Page 210: ...ive BWM tab navigation pane select Global Settings 2 Configure the parameters and then click Submit to submit the changes Table 106 BWM Global Settings Parameter Description Global Settings Classification Mode The classification to be used Values Diffserv The device classifies packets only by the DSCP Differentiated Services Code Point value Disabled No classification The BWM feature is disabled P...

Page 211: ...t 20 Max Packets for Session Classification When the Application Classification mode is Per Session and one of the policies is configured to search for content this parameter specifies the maximum number of packets that the device searches for the configured content If the device fails to find the content after the number of the configured parameter the device stops searching for the content in th...

Page 212: ...e sends BWM statistics to the APSolute Vision Default Disabled Report Settings Reports Start Threshold The threshold for starting to send reports regarding a specific policy The threshold is the percentage of the specified Maximum Bandwidth When reporting is enabled and the bandwidth consumption reaches the threshold the device starts sending the reports Values 1 100 Default 95 Reports Termination...

Page 213: ...places the source and destination IP addresses and ports in case the rule is a Layer 4 or Layer 7 rule Service Specifies the traffic type The Service configured per policy can allow the policy to consider other aspects of the packet such as the protocol IP TCP UDP TCP UDP port numbers bit patterns at any offset in the packet and actual content such as URLs or cookies deep in the upper layers of th...

Page 214: ...e rule is set to two ways Bandwidth Management Rules Once the traffic is classified and matched to a policy the Bandwidth Management rules can be applied to the policy Priority The packet is classified according to the configured priority There are nine 9 options available real time forwarding and priorities 0 through 7 Guaranteed Bandwidth You can configure the policy to guarantee a minimum bandw...

Page 215: ...of the device As these policies are adjusted the changes do not take effect unless the inactive database is activated The activation updates the active policy database which is what the device uses to filter the packets that flow through it This section contains the following topics Configuring BWM Policies page 215 Viewing the Configuration of Active BWM Policies page 219 Configuring BWM Policies...

Page 216: ...led Report Specifies whether the device issues traps for the rule Activate Schedule The Event Schedule for activation of the policy Note The schedule must be configured already De activate Schedule The Event Schedule for de activation of the policy Note The schedule must be configured already Classification Source Network The source of the packets that the rule uses Values A Network class displaye...

Page 217: ...ssions originating from sources to destinations that match the network definitions of the policy Two Way The rule applies to sessions that match the network definitions of the policy regardless of their direction Default Two Way Action Guaranteed Bandwidth The bandwidth limitation in Kbit s for packets matching this policy Default 0 Note The value for Guaranteed Bandwidth must be less than or equa...

Page 218: ...kie Field Identifier This parameter is displayed only when Traffic Flow Identification is set to SessionCookie A string that identifies the cookie field whose value to use to determine the different traffic flows When Traffic Flow Identification is set to SessionCookie the BWM classifier searches for the Cookie Field Identifier followed by and classifies flows according to the value For example if...

Page 219: ...t 0 Note This option is not available if the Traffic Flow Identifier is set to Session or Full L4 Session Maximum HTTP Requests Per Second The maximum number of requests for example GET POST or HEAD per second per traffic flow The device can implement this feature only when Traffic Flow Identification and Traffic Flow Max BW parameters are not None or 0 respectively Default 0 Table 108 Active BWM ...

Page 220: ...ation see Managing Services for Traffic Filtering page 229 Service Name The name of the service required for this policy based on the Service Type Direction The direction of the traffic to which the rule relates Action Guaranteed Bandwidth The bandwidth limitation in Kbit s for packets matching this policy Maximum Bandwidth The maximum bandwidth in kbit s for packets matching this policy Priority ...

Page 221: ...al port classes This chapter contains the following topics Configuring Network Classes page 221 Configuring Application Classes page 223 Configuring Physical Port Classes page 224 Configuring VLAN Tag Classes page 224 Configuring MAC Address Classes page 225 Viewing Active Class Configurations page 226 Configuring MPLS RD Groups page 227 Configuring Network Classes A network class is identified by...

Page 222: ...olicy Configurations on a DefensePro Device page 246 Table 109 Network Class Parameters Parameter Description Network Name The name of the network class The network name is case sensitive The network name cannot be an IP address Network Type Values IPv4 IPv6 Entry type Whether the network is defined by a subnet and mask or by an IP range Values IP Mask IP Range Network Address For IP Mask entry on...

Page 223: ...ton To edit a class double click the entry in the table 3 Configure application class parameters 4 To activate your configuration changes on the device click Activate Latest Changes Tip You can update all configuration policies on the device in a single operation For more information see Updating Policy Configurations on a DefensePro Device page 246 Table 110 Application Class Parameters Parameter...

Page 224: ...on For more information see Updating Policy Configurations on a DefensePro Device page 246 Configuring VLAN Tag Classes You can define network segments using VLAN tags Use VLAN tag classes groups to classify traffic according to VLAN tags in security policy rules and bandwidth management rules Each DefensePro device supports a maximum 64 VLAN Tag groups Each VLAN Tag group can contain a maximum 32...

Page 225: ...r configuration changes on the device click Activate Latest Changes Tip You can update all configuration policies on the device in a single operation For more information see Updating Policy Configurations on a DefensePro Device page 246 Table 111 VLAN Tag Group Class Parameters Parameter Description VLAN Tags Group Name The name of the VLAN group Group Mode The VLAN mode Values Discrete An indivi...

Page 226: ...uration of all the network classes on the device For information about network class parameters see Configuring Network Classes page 221 Viewing the Active Application Class Configuration You can view the active Application Port Group classes that are configured on the device To view the active application class configuration In the Configuration perspective Classes tab navigation pane select Acti...

Page 227: ...uration of all the MAC address classes on the device Configuring MPLS RD Groups To achieve faster switching in VPNs over Multi protocol Label Switching MPLS networks a route distinguisher RD is used for each packet If a DefensePro device is installed on a link where it can listen to Border Gateway Protocol BGP and LDP signaling you can configure policies on the device using MPLS RDs An RD is an ad...

Page 228: ...g To add an MPLS RD group click the Add button To edit an MPLS RD group double click the group name 3 Configure the MPLS RD group parameters and click OK Table 112 MPLS RD Group Parameters Parameter Description Group Name A user defined name for the MPLS RD group MPLS RD The MPLS RD value manually based on the type Type Describes the MPLS RD format Values 2 Bytes 4 Bytes 4 Bytes 2 Bytes IP Address...

Page 229: ...l The specific protocol that the packet should carry The choices are IP TCP UDP ICMP NonIP ICMPV6 and SCTP If the specified protocol is IP all IP packets including TCP and UDP will be considered When configuring TCP or UDP protocol the following additional parameters are available Destination Port From To Destination port number for that protocol For example for HTTP the protocol would be configur...

Page 230: ...Cs Content Rules are not mandatory to configure However when a Content Rule exists in the filter the packet needs to match the configured protocol and ports the OMPC if one exists and the Content Rule Predefined Basic Filters The BWM module supports an extensive list of predefined basic filters The ACL and BWM modules support an extensive list of predefined basic filters You cannot modify or delet...

Page 231: ...ilter Protocol Values IP TCP UDP ICMP NonIP ICMPV6 SCTP Default IP Source App Port The Layer 4 source port or source port range for TCP UDP or SCTP traffic Values Values in the range 0 65 535 Value ranges for example 30 400 dcerpc dns ftp http https imap ms sql m ms sql s ntp pop3 radius sip smtp snmp ssh sunrpc telnet Note The value must be greater than the Source Port Range From value ...

Page 232: ...st be greater than the Destination Port Range From value OMPC Offset Relative to Specifies to which OMPC offset the selected offset is relative to Values None IPv4 Header IPv6 Header IP Data L4 Data Ethernet ASN1 L4 Header OMPC Offset The location in the packet where the data starts being checked for specific bits in the IP or TCP header Values 0 1513 Default 0 OMPC Mask The mask for OMPC data The...

Page 233: ... OMPC Length is two bytes the OMPC Pattern can be abcd0000 Values Must comprise eight hexadecimal symbols Default 00000000 OMPC Condition Values None Equal Not Equal Greater Than Less Than Default None OMPC Length Values None One Byte Two Bytes Three Bytes Four Bytes Default None Content Offset Specifies the location in the packet at which the checking of content starts Values 0 1513 Default 0 Con...

Page 234: ...he cookie value Normalized URL A normalized URL in the HTTP request URI POP3 User The POP3 User field in the POP3 header URI length Filters according to URI length FTP Command Parses FTP commands to commands and arguments while normalizing FTP packets and stripping Telnet opcodes FTP Content Scans the data transmitted using FTP normalizes FTP packets and strips Telnet opcodes Generic Url The gener...

Page 235: ...tent ends Values 0 1499 Default None Content Data Refers to search for content within the packet Content Coding The encoding type of the content to search for as specified in the Content field Values None Case Insensitive Case Sensitive HEX International Default None Note The value of this field corresponds to the Content Type parameter Content Data Coding The encoding type of the content data to ...

Page 236: ...red basic filters to the AND Group 6 Click Set OR Group Filters An OR Group Filter is a combination of basic filters and or AND filters with a logical OR between them The ACL and BWM modules support a set of predefined static OR Groups The predefined are based on the predefined basic filters Using Web Based Management you can also create your own OR Groups using basic filters or AND Groups Example...

Page 237: ...iguration of each To view active Basic Filters Select Classes View Active Services Basic Filter The Active Basic Filter Table pane is displayed Note To view the configuration of the filter read only select the link of the relevant filter To view active AND Groups Select Classes View Active Services AND Groups The Active AND Groups Table pane is displayed Note To view the configuration of the filte...

Page 238: ...iltering 238 Document ID RDWR DP V0602_UG1201 To view active OR Groups Select Classes View Active Services OR Groups The Active OR Groups Table pane is displayed Note To view the configuration of the filter read only select the link of the relevant filter ...

Page 239: ...sePro Device Configurations page 244 Updating Policy Configurations on a DefensePro Device page 246 Checking Device Memory Availability page 247 Resetting the Baseline for DefensePro page 247 Enabling and Disabling Interfaces page 248 Scheduling APSolute Vision and Device Tasks page 248 Rebooting a DefensePro Device Some configuration changes on the device require a device reboot for the configura...

Page 240: ...ute Vision monitoring when testing or using the device in a non production environment When you disable APSolute Vision monitoring for a device APSolute Vision stops polling the device for its status The device icon in the system pane includes a small question mark for DefensePro The Alerts pane does not receive alerts from the device The device node in the sites tree does not include the device e...

Page 241: ...e new features and functions on the device without altering the existing configuration In exceptional circumstances new software versions are incompatible with legacy configuration files from earlier software versions This most often occurs when attempting to upgrade from a very old version to the most recently available version The software version file must be located on the APSolute Vision clie...

Page 242: ...le 1 In the Monitoring perspective system pane right click the device name and select Export Log File 2 Configure download parameters and click OK Table 115 Software Upgrade Parameters Parameter Description Upload Via The protocol used to upload the software file from APSolute Vision to the device Values HTTP HTTPS TFTP File Name The name of the file to upload Software Version The software version...

Page 243: ...more information about using signature files see the DefensePro User Guide update the signature file of a device 1 In the Monitoring perspective system pane right click the device name and select Update Attack Signature 2 Configure the parameters and click OK Table 117 Update Device Signature File Parameters Parameter Description Signature Type The type of the signature file to upload to the devic...

Page 244: ...age configurations of the DefensePro devices that are configured in the APSolute Vision server Configuration File Content The configuration file content is divided into two sections Commands that require rebooting the device These include BWM Application Classification Mode Application Security status Device Operation Mode tuning parameters and so on Copying and pasting a command from this section...

Page 245: ...p to a maximum of 10 When the limit is reached you are prompted to delete the oldest file For more information see the APSolute Vision Administrator Guide Note You can schedule configuration file backups in the APSolute Vision scheduler For more information see Configuring Tasks in the Scheduler page 249 To download a device s configuration file 1 In the Monitoring perspective system pane right cl...

Page 246: ...erver security policy ACL policy White list Black list relevant for DefensePro only Classes To update policy configurations on a managed device 1 In the Monitoring perspective system pane right click the device name and select Update Policies 2 Click Yes in the Confirmation dialog box Table 120 Device Configuration File Upload Parameters Parameter Description Upload from The location of the backup...

Page 247: ...he protected network have changed entirely and bandwidth quotas need to be changed to accommodate the network changes You can reset the baseline for all the network policy rules that contain a BDoS or DNS Protection profile or for a selected network policy rule that contains a BDoS or DNS Protection profile To reset BDoS baseline statistics 1 In the Monitoring perspective system pane right click t...

Page 248: ...he Monitoring perspective system pane select the relevant device 2 Expand the node in the tree to display the interfaces 3 Right click the interface name and select Disable Note If the interface is already disabled this option is unavailable Scheduling APSolute Vision and Device Tasks The following topics describe how to schedule operations in the APSolute Vision Scheduler Overview of Scheduling p...

Page 249: ...ile onto a DefensePro device from Radware com or the proxy server Note You can perform the operations manually from the Monitoring perspective For more information see Downloading a Device s Configuration File page 245 Rebooting a DefensePro Device page 239 Updating the Attack Description File page 47 Updating a Radware Signature File or RSA Signature File page 243 Configuring Tasks in the Schedul...

Page 250: ...ion Backup Parameters page 250 Device Reboot Parameters page 251 Update APSolute Vision Attack Description File Parameters page 252 Update RSA Signature Files for a Device page 253 Update Radware Signature Files for a Device page 254 Device Configuration Backup Parameters Note By default you can save up to five 5 configuration files per device on the APSolute Vision server You can change this para...

Page 251: ...n the specified day or days at the specified time Note Tasks run according to the time as configured on the APSolute Vision client Schedule Period Run Always When enabled the task is activated immediately and runs at the first time configured by the frequency To activate the task only between specific dates clear the checkbox and set the Start Date and Time and End Date and Time fields Devices The...

Page 252: ...Tasks run according to the time as configured on the APSolute Vision client Schedule Period Run Always When enabled the task is activated immediately and runs at the first time configured by the frequency To activate the task only between specific dates clear the checkbox and set the Start Date and Time and End Date and Time fields Devices The devices in the Selected Devices list will be rebooted ...

Page 253: ...the specified time Note Tasks run according to the time as configured on the APSolute Vision client Schedule Period Run Always When enabled the task is activated immediately and runs at the first time configured by the frequency To activate the task only between specific dates clear the checkbox and set the Start Date and Time and End Date and Time fields Parameter Description Basic Parameters Nam...

Page 254: ...n client Schedule Period Run Always When enabled the task is activated immediately and runs at the first time configured by the frequency To activate the task only between specific dates clear the checkbox and set the Start Date and Time and End Date and Time fields Devices The RSA signature files for DefensePro devices in the Selected Devices list will be updated The list of available devices con...

Page 255: ...ekly The task is performed every week on the specified day or days at the specified time Note Tasks run according to the time as configured on the APSolute Vision client Schedule Period Run Always When enabled the task is activated immediately and runs at the first time configured by the frequency To activate the task only between specific dates clear the checkbox and set the Start Date and Time a...

Page 256: ...DefensePro User Guide Managing Device Operations and Maintenance 256 Document ID RDWR DP V0602_UG1201 ...

Page 257: ... 260 Monitoring DefensePro CPU Utilization page 260 Monitoring and Clearing DefensePro Authentication Tables page 261 Monitoring Session Table Information page 264 Monitoring DefensePro SNMP Statistics page 262 Monitoring DME Utilization According to Configured Policies page 263 Monitoring DefensePro Syslog Information page 264 Monitoring DefensePro IP Statistics page 266 Monitoring DefensePro Ban...

Page 258: ...he device RSA Signatures Last Update When RSA is enabled this parameter can display the timestamp of the last update of RSA signatures received from Radware com and downloaded to the DefensePro device Values The timestamp in DDD MMM DD hh mm ss yyyy z format displayed according to the timezone of your APSolute Vision client No Feeds Received Since Device Boot Software Software Version The version ...

Page 259: ...ary member of a high availability cluster Secondary This device is configured as the secondary member of a high availability cluster Device State Values Active The device is in active The device may be a standalone device not part of a high availability cluster or the active member of a high availability cluster Passive The device is the passive member of a high availability cluster Last Baseline ...

Page 260: ... the Resource Utilization tab in the content pane 2 In the navigation pane select CPU Utilization The following information is displayed Parameter Description Source IP The IP address from which traffic was suspended Destination IP The IP address to which traffic was suspended 0 0 0 0 means traffic to all destinations was suspended Destination Port The application port to which traffic was suspend...

Page 261: ...lerator named HW Classifier is the string matching engine SME OnDemand Switch 3 S1 has no SME CPU ID The CPU number for the accelerator OnDemand Switch 2 and OnDemand Switch 3 S2 have two CPU cores OnDemand Switch 3 S1 has three CPU cores Forwarding Task The percentage of CPU cycles used Other Tasks The percentage of CPU resources used for other tasks such as aging and so on Idle Task The percenta...

Page 262: ...ber of MIB objects retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP GET Request and GET Next PDUs Number of SNMP Successful SET Requests The total number of MIB objects modified successfully by the SNMP protocol entity as the result of receiving valid SNMP SET Request PDUs Number of SNMP GET Requests The total number of SNMP GET Request PDUs accepted and pro...

Page 263: ...tity for which the value of the error status field is genErr Number of SNMP GET Responses Sent The total number of SNMP Get Response PDUs generated by the SNMP protocol entity Number of SNMP Traps Sent The total number of SNMP Trap PDUs generated by the SNMP protocol entity Parameter Description Policies Resources Utilization If any of the values in this group box is close to the maximum the resou...

Page 264: ...fine the Session Table information to display Information that matches any enabled Session table filter is displayed Note The filtered Session table is not automatically refreshed periodically The information is loaded when you select to display the Session Table pane and when you manually refresh the display To view Session table information 1 In the Monitoring perspective in the Session Table na...

Page 265: ...urce L4 Port The session source port Destination L4 Port The session destination port Protocol The session protocol Physical Interface The physical port on the device at which the request arrives from the client Life Time sec The time in seconds following the arrival of the last packet that the entry will remain in the table before it is deleted Aging Type The reason for the Lifetime value for exa...

Page 266: ... number of input datagrams discarded due to errors in their IP headers including bad checksums version number mismatch other format errors time to live exceeded errors discovered in processing their IP options and so on Number of Discarded IP Packets Total number of input datagrams discarded This counter does not include any datagrams discarded while awaiting re assembly Number of Valid IP Packets...

Page 267: ...could be found to transmit them to their destination Note This counter includes any packets counted in the Number of IP Packets Forwarded that meet the no route criterion This includes any datagrams which a host cannot route because all of its default gateways are down Number of IP Fragments Received The number of IP fragments received which needed to be reassembled at this entity Number of IP Fra...

Page 268: ...y direction in the last second Guaranteed Bandwidth Reached Specifies whether the guaranteed bandwidth was reached during the last second Maximum Bandwidth Reached Specifies whether the maximum bandwidth was reached during the last second New TCP Sessions The number of new TCP sessions the device detected in the last second New UDP Sessions The number of new UDP sessions the device detected in the...

Page 269: ...me of the displayed policy Matched Packets The number of packets matching the policy during the last specified period Matched Bandwidth The traffic bandwidth in Kilobits matching the policy during the last specified period Sent Bandwidth The volume of sent traffic in Kilobits in any direction in the last specified period Guaranteed Bandwidth Reached Specifies whether the guaranteed bandwidth was r...

Page 270: ...tbound Matched Bandwidth The volume of outbound traffic in Kilobits in the last specified period that matched the policy Outbound Sent Bandwidth The volume of outbound sent traffic in Kilobits in the last specified period Parameter Description Destination Network Destination network to which the route is defined Netmask Network mask of the destination subnet Next Hop IP address of the next hop tow...

Page 271: ...ge Entry to Static Monitoring MPLS RD Information You can monitor MPLS RD information and configure an MPLS RD Each MPLS RD is assigned two tags for the link on which the device is installed an upper tag and a lower tag On a different link the same MPLS RD can be assigned with different tags To display MPLS RD information for a selected DefensePro device 1 In the Monitoring perspective select the ...

Page 272: ...16 bit IP Address 2 Bytes IP Number 16 bit Upper Tag The upper tag for the link on which the device is installed Lower Tag The lower tag for the link on which the device is installed Table 127 L2 Interface Statistics Parameter Description Basic Parameters Port Name The interface name or index number Port Description A description of the interface Type The interface type number assigned by the Inte...

Page 273: ...f inbound transmission units that contained errors preventing them from being deliverable to a higher layer protocol Outgoing Bytes The total number of octets bytes transmitted out of the interface including framing characters Outgoing Unicast Packets The total number of packets that higher level protocols requested be transmitted and which were not addressed to a multicast or broadcast address at...

Page 274: ...DefensePro User Guide Monitoring DefensePro Devices and Interfaces 274 Document ID RDWR DP V0602_UG1201 ...

Page 275: ...ates a traffic baseline and uses this to identify abnormalities in traffic levels The following topics describe monitoring traffic and attacks in APSolute Vision Viewing the Security Dashboard page 275 Viewing Current Attack Information page 277 Viewing Real Time Traffic Statistics page 290 Monitoring Attack Sources Geographical Map page 293 Protection Monitoring page 293 HTTP Reports page 298 Vie...

Page 276: ...categories in the Security Dashboard are as follows DDoS Represents attacks identified by the following protection types Behavioral DoS SYN Flood and DoS Shield Server Cracking Represents attacks identified by Server Cracking Protection Intrusion Represents attacks identified by Intrusion Protection Application DDoS Represents attacks identified by HTTP Flood Protection Stateful ACL Represents att...

Page 277: ...ack footprint You can view information about a security event or a group of security events that belong to the same attack You can configure filter settings to display a subset of the current attack data Filter conditions are joined by AND meaning only attacks that match all the filter conditions are displayed To display a summary of current attack information 1 In the Security Monitoring perspect...

Page 278: ...erity level Values High Medium Low Info Used for very low risk or when it is not a real attack but an event reported to provide additional information Attack Name The name of the detected attack Source Address The source IP address of the attack If there are multiple IP sources for an attack this field displays Multiple The multiple IP addresses are displayed in the Attack Details window Destinati...

Page 279: ...ol1 The transmission protocol used to send the attack Values TCP UDP ICMP IP Source L4 Port1 The Layer 4 source port of the attack Physical Port1 The port on the device to which the attack s packets arrived Packet Count The number of identified attack packets from the beginning of the attack Bandwidth1 For most protections this value is the volume of the attack in kilobits from when the attack sta...

Page 280: ...isplayed only if the Attacks Description file has been uploaded on the APSolute Vision server For information about uploading the Attacks Description file see Updating the Attack Description File page 47 The following attack details are also displayed for the following attacks BDoS Attack Details page 281 DoS Attack Details page 283 Anti Scan Attack Details page 283 Server Cracking Attack Details ...

Page 281: ... A value of 0 indicates that fragmentation is allowed 1 indicates that fragmentation is not allowed Flow Label IPv6 only ToS Packet Size ICMP Message Type Displayed only if the protocol is ICMP Source IP Destination IP Source Ports Destination Ports DNS ID DNS Query DNS Query Count Note Some fields can display multiple values when relevant and available The values displayed depend on the current s...

Page 282: ...print rule achieving the narrowest effective mitigation rule Non attack Nothing was blocked because the traffic was not an attack no footprint was detected or the blocking strictness level was not met Sampled Data Opens the Sampled Data dialog box which contains a data on sampled attack packets Footprint Footprint Blocking Rule The footprint blocking rule generated by the Behavioral DoS Protection...

Page 283: ...relevant value or values Attack Info The attack information comprises the following parameters Action The protection Action taken Attacker IP The IP address of the attacker Protected Host The protected host Protected Port The protected port Attack Duration The duration of the attack Current Packet Rate The current packet rate Average Packet Rate The average packet rate Sampled Data Opens the Sampl...

Page 284: ...k started Sampled Data Opens the Sampled Data dialog box which contains a data on sampled attack packets Footprint Footprint Blocking Rule The footprint blocking rule generated by the anti scanning attack protection which provides the narrowest effective blocking rule against the scanning attack Scan Details Destination IP The destination IP address of the scan Destination L4 Port The destination ...

Page 285: ... Sampled Data Opens the Sampled Data dialog box which contains a data on sampled attack packets Application Requests When a server cracking attack is detected DefensePro sends to the management system sample suspicious attacker requests in order to provide more information on the nature of the attack The sample requests are sent for the protocols or attacks Values Web Scan Sample HTTP requests Web...

Page 286: ...protected port TCP Challenge HTTP Challenge Authentication Lists Utilization The Authentication Lists Utilization group comprises the following parameters TCP Auth List The current utilization in percent of the TCP Authentication table HTTP Auth List The current utilization in percent of the Table Authentication table Sampled Data Opens the Sampled Data dialog box which contains a data on sampled ...

Page 287: ...llenge Suspected Attackers The protection module is challenging HTTP sources that match the real time signature Challenge All Sources The protection module is challenging all HTTP traffic toward the protected server Block Suspected Attackers The protection module is blocking all HTTP traffic from the suspect sources that is sources that match the signature No Mitigation The protection module is in...

Page 288: ...P request URIs was configured to be bypassed is the value Bypassed Attack Statistics Table This table displays normal and actual traffic information Normal values represent the learned normal traffic baselines Real time values will display the actual values when an attack is triggered Attack Statistics Graph The graph displays the HTTP request URI size distribution The y axis shows the number of H...

Page 289: ... the attack based on the attack footprint created Through a closed feedback loop operation the Behavioral DoS Protection optimizes the footprint rule achieving the narrowest effective mitigation rule Non attack Nothing was blocked because the traffic was not an attack no footprint was detected or the blocking strictness level was not met Sampled Data Opens the Sampled Data dialog box which contain...

Page 290: ... also view graphs of connection rates and concurrent connections based on data from the Session Table By default all traffic is presented in these graphs and tables In each graph you can filter the display by protocol or traffic direction but not for concurrent connections The Connection Statistics are displayed only when the device is operating in Full Layer 4 Session Table Lookup mode You can mo...

Page 291: ...ation refreshes automatically Table 130 Traffic Utilization Display Settings for Graph and Table Parameter Description Units Select to display the traffic rate in Kilobits per second Kbps or packets per second Select Traffic Select the port pairs relevant for the network topology by moving the required port pairs to the Selected Port Pairs list All other port pairs should be in the Available Port ...

Page 292: ...d is 30 minutes by default and is dependent on the poll refresh time To display concurrent connections statistics 1 In the Security Monitoring perspective navigation pane select the device or site for which to display data 2 Select the Traffic Monitoring tab and in the navigation pane select Concurrent Connections 3 Select the traffic protocol from the Protocol list and click Go When you select Al...

Page 293: ... in the Location Attacks List table When no location is selected in the map this table is empty Protection Monitoring Protection Monitoring provides the real time traffic monitoring per network rule policy either for the network as a whole if BDoS is configured or for DNS traffic if DNS is configured The statistical traffic information that Protection Monitoring provides can help you better unders...

Page 294: ...an attack icon is displayed in the table click the icon to display the corresponding attack traffic information Monitoring Network Rule Traffic You can monitor the traffic for a network policy rule that includes BDoS protection Traffic information is displayed in the Statistics Graph and Last Sample Statistics table To display traffic information for a network policy rule that includes BDoS protec...

Page 295: ...per second QPS Queries per second Table 135 Statistics Graph Parameters Parameter Description IP Version The IP version of the traffic that the graph displays Values IPv4 IPv6 Protection Type The protection type to monitor Values TCP ACK FIN TCP FRAG TCP RST TCP SYN TCP SYN ACK UDP ICMP IGMP Scale The scale for the presentation of the information along the Y axis Values Linear Logarithmic Attack S...

Page 296: ...ed Edge dashed orange The traffic rate that indicates a change in traffic that might be an attack Attack Edge dashed red The traffic rate that indicates an attack Table 137 Last Sample Statistics Parameters Parameter Description Traffic Type The protection type Each specific traffic type and direction has a baseline that the device learns automatically Baseline The normal traffic rate expected by ...

Page 297: ...QPS Queries per second Table 139 Statistics Graph Parameters Parameter Description IP Version The IP version of the traffic that the graph displays Values IPv4 IPv6 Protection Type The DNS query type to monitor Values Other Text A AAAA MX NAPTR PTR SOA SRV Scale The scale for the presentation of the information along the Y axis Values Linear Logarithmic Attack Status Read only The status of the at...

Page 298: ... Last Sample Statistics Parameters Parameter Description Traffic Type The protection type Each specific traffic type and direction has a baseline that the device learns automatically Baseline The normal traffic rate expected by the device Total Traffic The total traffic rate that the DefensePro device sees for the specific traffic type and direction Baseline Portion An indication for the rate inva...

Page 299: ...oring perspective navigation pane select the device to monitor 2 Select the HTTP Reports tab 3 Select a report under the Continuous Learning Statistics node 4 In the selected report pane change display settings for the graph as required and click Go Table 142 Continuous Learning Statistics Reports Channel Description GET POST Requests Rate The rate of HTTP GET and POST requests sent per second to ...

Page 300: ...lect the IP address of the protected Web server for which to display information and click Go HTTP Request Size Distribution The HTTP Request Size Distribution graph displays the URI size distribution which shows how server resources are used and helps you to analyze resource distribution A large deviation from the normal probability distribution of one or more HTTP request sizes indicates that re...

Page 301: ...rvals of a few seconds To display the HTTP request size distribution 1 In the Security Monitoring perspective navigation pane select the DefensePro device to monitor 2 Select the HTTP Reports tab and in the navigation pane select HTTP Request Size Distribution 3 Change display settings for the graph as required and click Go Table 145 HTTP Request Size Distribution Settings Parameter Description Se...

Page 302: ...DefensePro User Guide Real Time Security Reporting 302 Document ID RDWR DP V0602_UG1201 ...

Page 303: ...s Command Line Interface Access to the Command Line Interface CLI requires a serial cable and a terminal emulation application Although each product has a slightly different list of commands the majority of the available options are the same You can also use CLI to debug When debugging is required DefensePro generates a separate file delivered in text format aggregating all the CLI commands needed...

Page 304: ...e the following command Manage telnet session timeout For the SSH authentication use the following command Manage ssh auth timeout For the Telnet authentication use the following command Manage telnet auth timeout CLI Capabilities You can use DefensePro CLI through console access Telnet or SSH The CLI provides the following capabilities Consistent logically structured and intuitive command syntax ...

Page 305: ...normal Send Traps To All CLI Users This option enables you to configure whether traps are sent only to the serial terminal or to SSH and Telnet clients as well Web Based Management Each DefensePro device can be managed using a Web based interface Web access can also be confined to SSL The administrator can specify the TCP port for Web Based Management WBM and Secure Web Based Management SWBM The W...

Page 306: ...d fine tuning of DefensePro for optimal application delivery based on external parameters Key features Control of Radware product features and functions from any external application API enabled network devices appear as software for applications resulting in true software native integration Comprehensive SDK for multiple development platforms and languages Extensive sample application code docume...

Page 307: ...s by means of the following CLI manage Web services status WBM Web Services window Services Web Web Services window APSolute Vision Access tab of Setup window You can enable Web Services only if either the Web or secure Web management interface is enabled on the device APSolute API Software Development Kit SDK The APSolute API SDK comes with all the necessary components and documentation to enable...

Page 308: ...DefensePro User Guide Administering DefensePro 308 Document ID RDWR DP V0602_UG1201 ...

Page 309: ... of the generated attack Source IP IPv6 Source IPv6 address of the generated attack ToS Type of Service value from the IP packet header Packet Size Size of the packet in bytes including the data link header Packet Size IPv6 Size of theIPv6 packet in bytes including the data link header Destination Port Destination TCP port of the attack Destination IP Destination IP address of the attack Destinati...

Page 310: ...IPv6 ID Number from the IPv6 packet header Frag Offset Indicates where this fragment belongs in the datagram The fragment offset is measured in units of 8 bytes 64 bits Frag Offset IPv6 Indicates where this IPv6 fragment belongs in the datagram The IPv6 fragment offset is measured in units of 8 bytes 64 bits Flow Label Used by a source to label those products for which it requests special handling...

Page 311: ...link header Destination Port Destination TCP port of the attack Destination IP Destination IP address of the attack Destination IP IPv6 Destination IPv6 address of the attack Fragment TCP fragmented packet TTL Time To Live value in the IP packet header TCP Fragmentation Bypass Type Description Sequence Number Sequence number value from the TCP Fragmentation packet header ID Number ID Number from t...

Page 312: ...ragment belongs in the datagram The fragment offset is measured in units of 8 bytes 64 bits Frag Offset IPv6 Indicates where this IPv6 fragment belongs in the datagram The IPv6 fragment offset is measured in units of 8 bytes 64 bits Flow Label Used by a source to label those products for which it requests special handling by the IPv6 router The flow is uniquely identified by the combination of a S...

Page 313: ... Flow 1 A client initiates an HTTPS session with the server 2 When DefensePro forwards the traffic to the server it replicates the HTTPS session to a preconfigured port where an AppXcel unit is connected 3 AppXcel operates in passive SSL mode decrypts the HTTPS session and returns it as an HTTP session 4 DefensePro inspects the HTTP traffic received from AppXcel based on its policies If an attack ...

Page 314: ...etworking tab navigation pane select SSL Inspection L4 Ports 2 Do one of the following To add an SSL inspection Layer 4 port click the Add button To edit a port double click the row 3 Configure SSL inspection Layer 4 port settings and click OK Table 146 SSL Inspection Physical Port Parameters Parameter Description Incoming Port The scanning port that was configured for one of the traffic direction...

Page 315: ...evice That is when the device reboots the status of the Capture Tool reverts to Disabled This section contains the following topics Traffic Capture Tool page 315 Trace Log page 316 Diagnostic Tools Files Management page 319 Diagnostics Policies page 320 Traffic Capture Tool The Traffic Capture tool captures packets that enter the device leave the device or both The captured traffic is in TCPDUMP f...

Page 316: ...s of the Capture Tool reverts to Disabled Output To File Specifies the location of the stored captured data Values RAM Drive and Flash The device stores the data in RAM and appends the data to the file on the CompactFlash drive Due to limits on CompactFlash size DefensePro uses two files When the first file becomes full the device switches to the second until it is full and then it overwrites the ...

Page 317: ...mat pane is displayed 2 Configure the parameters and then click Set Trace Log Tool Configuration Parameters Parameter Description Status Specifies whether the Trace Log tool is enabled Values Enabled Disabled Default Disabled Output To File Specifies the location of the stored data Values RAM Drive and Flash The device stores the data in RAM and appends the data to the file on the CompactFlash dri...

Page 318: ...e that the message was generated is included in the Trace Log message Platform Name Specifies whether the platform MIB name is included in the Trace Log message File Name Specifies whether the output file name is included in the Trace Log message Line Number Specifies whether the line number in the source code is included in the Trace Log message Packet Id Specifies whether an ID assigned by the d...

Page 319: ...Pro stores the information in the second temporary file When the second temporary file reaches the limit 1 MB DefensePro overwrites the first file and so on When you download a CompactFlash file the file contains both temporary files Use the Diagnostic Tools Files Management pane to download or delete files from the RAM or CompactFlash Severity The lowest severity of the events that the Trace Log ...

Page 320: ... configure a diagnostics policy using Web Based Management 1 Select Services Diagnostics Policies The Diagnostics Policies pane is displayed 2 Click Create The Diagnostics Policies Create pane is displayed 3 Configure the parameters and then click Set Parameter Description File Name The name of the file File Size The file size in bytes Action The action that you can take on the data stored Values ...

Page 321: ...e service whose packets the policy classifies that is captures Values None Basic Filter AND Group OR Group Default None Destination MAC Group The Destination MAC group whose packets the policy classifies that is captures Source MAC Group The Source MAC group whose packets the policy classifies that is captures Maximal Number of Packets The maximal number of packets the policy captures Once the pol...

Page 322: ...typically needs to diagnose a problem with a DefensePro device The data comprises the collected output from various CLI commands auditLog log Contains record of each configuration change to the device by any management interface A device begins storing these records when the device receives its first command The records are sorted by date in ascending order When the size of the data exceeds the ma...

Page 323: ...G1201 323 To generate and download the technical support file using Web Based Management 1 Select File Support The Download Tech Support Info File pane is displayed 2 Click Set A File Download dialog box opens 3 Click Open or Save and specify the required information ...

Page 324: ...DefensePro User Guide Troubleshooting 324 Document ID RDWR DP V0602_UG1201 ...

Page 325: ...ng table lists predefined basic filters that DefensePro supports The list may vary depending on the product version You can view the entire list of basic filters and their properties in the Modify Basic Filter Table pane using Web Based Management Classes Modify Services Basic Filters ...

Page 326: ...dp_1 Ares_FT_udp UDP 40 ff000000 bearshare_download_tcp_0 BearShare_Download_tcp TCP 0 ffffffff bearshare_download_tcp_1 BearShare_Download_tcp TCP 4 ffffffff bearshare_request_file_udp_0 BearShare_Request_File_udp UDP 0 ffffffff bearshare_request_file_udp_1 BearShare_Request_File_udp UDP 4 00ffffff bittorrent_command_1_0 BitTorrent TCP 0 ffffffff bittorrent_command_1_1 BitTorrent TCP 4 ffffffff b...

Page 327: ..._4_2 BitTorrent TCP 11 ff000000 bittorrent_udp_1_0 BitTorrent_UDP_1 UDP 8 ffffff00 bittorrent_udp_1_1 BitTorrent_UDP_1 UDP 12 ffff0000 citrix admin Citrix Admin TCP 0 0 citrix ica Citrix ICA TCP 0 0 citrix ima Citrix IMA TCP 0 0 citrix ma client Citrix MA client TCP 0 0 citrix rtmp Citrix RTMP TCP 0 0 diameter Diameter TCP 0 0 directconnect_file_transfer_0 DirectConnect_File_transfer TCP 0 ff00000...

Page 328: ...oogleTalk_FT_1 UDP 32 ffffffff googletalk_ft_1_3 GoogleTalk_FT_1 UDP 36 ffff0000 googletalk_ft_2_0 GoogleTalk_FT_2 UDP 24 ffffffff googletalk_ft_2_1 GoogleTalk_FT_2 UDP 28 ffffffff googletalk_ft_4_0 GoogleTalk_FT_4 UDP 67 ffffffff googletalk_ft_4_1 GoogleTalk_FT_4 UDP 71 ffffffff groove_command_1_0 Groove TCP 6 ffffffff groove_command_1_1 Groove TCP 10 ffffffff groove_command_1_2 Groove TCP 14 fff...

Page 329: ... TCP 0 ffffffff icq_aol_ft_1 ICQ_AOL_FT TCP 0 ffffffff icq_aol_ft_2 ICQ_AOL_FT TCP 2 ffff0000 imap Internet Message Access TCP 0 0 imesh_download_tcp_0 iMesh_Download_tcp TCP 0 ffffffff imesh_download_tcp_1 iMesh_Download_tcp TCP 4 ffffffff imesh_request_file_udp_0 iMesh_Request_File_udp UDP 0 ffffffff imesh_request_file_udp_1 iMesh_Request_File_udp UDP 4 00ffffff ip IP Traffic IP 0 0 itunesdaap_f...

Page 330: ...ansfer_0_0 Manolito TCP 0 ffffffff manolito_file_transfer_0_1 Manolito TCP 0 ffffffff manolito_file_transfer_0_2 Manolito TCP 0 ffffffff manolito_file_transfer_1_0 Manolito TCP 4 ff000000 manolito_file_transfer_1_1 Manolito TCP 4 ff000000 manolito_file_transfer_2_0 Manolito TCP 4 ff000000 manolito_file_transfer_2_1 Manolito TCP 4 ff000000 mdc1 Medium Drop Class 1 IP 1 fc000000 mdc2 Medium Drop Cla...

Page 331: ... TCP 20 ffffffff meebo_post_6 MEEBO_POST TCP 24 ffffffff meebo_post_7 MEEBO_POST TCP 28 ffffff00 msn any MSN Messenger Chat TCP 0 ffffffff msn msg MSN Messenger Chat TCP 0 0 msn_msgr_ft_0 MSN_MSGR_FT TCP 0 ffffffff msn_msgr_ft_1 MSN_MSGR_FT TCP 48 ffffffff mssql monitor Microsoft SQL traffic monitor TCP 0 0 mssql server Microsoft SQL server traffic TCP 0 0 nntp Network News TCP 0 0 nonip Non IP Tr...

Page 332: ...ff skype 80 l 56 Skype signature for port 80 TCP 2 ffff0000 skype 80 proxy Skype signature for port 80 TCP 0 ffffffff skype 80 pshack Skype signature for port 80 TCP 13 ff000000 skype ext l 54 Skype signature TCP 2 ffff0000 skype ext pshack Skype signature TCP 13 ff000000 smtp Simple Mail Transfer TCP 0 0 snmp SNMP UDP 0 0 snmp trap SNMP Trap UDP 0 0 softethervpn443 SoftEther Ethernet System TCP 0...

Page 333: ...oip_sign_3 VOIP signature UDP 28 c03f0000 voip_sign_4 VOIP signature UDP 28 c03f0000 voip_sign_5 VOIP signature UDP 28 c03f0000 voip_sign_6 VOIP signature UDP 28 c03f0000 voip_sign_7 VOIP signature UDP 28 c03f0000 voip_sign_8 VOIP signature UDP 28 c03f0000 voip_sign_9 VOIP signature UDP 28 c03f0000 yahoo_ft_0 YAHOO_FT TCP 0 ffffffff yahoo_ft_1 YAHOO_FT TCP 10 ffff0000 yahoo_get_0 YAHOO_GET TCP 0 f...

Page 334: ...D RDWR DP V0602_UG1201 yahoo_post_1 YAHOO_POST TCP 4 ffffffff yahoo_post_2 YAHOO_POST TCP 8 ffffffff yahoo_post_3 YAHOO_POST TCP 12 ffffffff yahoo_post_4 YAHOO_POST TCP 16 ffff0000 Table 148 Predefined Basic Filters Name Description Protocol OMPC Offset OMPC Mask ...

Page 335: ...tack Signature Database Radware s Attack signature database contains signatures of known attacks These signatures are included in the predefined groups and profiles supplied by Radware to create protection policies in the Connect and Protect Table Each attack group consists of attack signatures with common characteristics intended to protect a specific application or range of IPs Behavioral DoS BD...

Page 336: ...ary loss of service Exploit An exploit is a program or technique that takes advantage of a software vulnerability The program can be used for breaking security or otherwise attacking a host over the network Heuristic analysis Heuristic analysis is behavior based analysis targeted to provide a filter blocking the abnormal phenomena Heuristic analysis is the ability of a virus scanner to identify a ...

Page 337: ...hich traffic is routed Server Cracking Protection Radware s Server Cracking Protection is a behavioral server based technology that detects and prevents both known and unknown application scans and brute force attacks This behavioral protection is part of Radware s DefensePro Full Spectrum Protection Technology The technology includes An adaptive behavioral network based protection that mitigates ...

Page 338: ...on of the client IP address and port number the server IP address and port number and t This choice of sequence number complies with the basic TCP requirement that sequence numbers increase slowly the server s initial sequence number increases slightly faster than the client s initial sequence number A server that uses SYN cookies does not have to drop connections when its SYN queue fills up Inste...

Page 339: ...om bad ones SYN ACK Reflection Attack Prevention SYN ACK Reflection Attack Prevention is intended to prevent reflection of SYN attacks and reduce SYN ACK packet storms that are created as a response to DoS attacks When a device is under SYN attack it sends a SYN ACK packet with an embedded Cookie in order to prompt the client to continue the session Threat A threat in Internet security terms is a ...

Reviews: