Acl violations alarm example, Packet filtering, Land attack – Enterasys Networks Security Router X-PeditionTM User Manual



16-2 Configuring Security on the XSR

To configure ACLs, you define them by number only, then apply them to an interface. Any number of entries can be defined in a single ACL, and entries may conflict with one another; they are evaluated in the order in which they appear in the output of the show access-lists command, and the first matching entry decides the packet's fate.

Input and output filters are applied separately, and an interface can have only one ACL applied to its input side and one to its output side. Also, the ACL mask is a wildcard mask, that is, the complement of the netmask: a 1 bit means "ignore this bit". For example, 0.0.0.255 indicates that the least significant byte is ignored, so 15.15.15.0 0.0.0.255 matches every address in 15.15.15.0/24.

The XSR implementation of ACLs is limited by the following conditions:

The total number of ACL entries allowed is 500.

For crypto maps and ACLs applied to the same interface, the XSR gives precedence to the
crypto map, which is always consulted before the ACL on a port for both inbound and
outbound traffic. If IPSec encrypts or decrypts packets due to the crypto map configuration
then the ACL is ignored.

The XSR can log ACL violations on a per-source IP, per-ACL group basis and periodically display a packet counter with the access-list log command. ACL violations logging is updated every five minutes but, as an alternative, you can control the log based on the number of packets denied or permitted with the access-list log-update threshold command. The functionality applies to both standard and extended access control lists. After the update is reported, the counter is cleared for the entry with that source IP and ACL group.

Be aware that router performance will be affected by copying packet information for logging alarms and by displaying alarms once every five minutes. Also, when reporting is enabled for every packet and too many packets must be logged, some messages may be lost because the log is flooded.

ACL Violations Alarm Example

The ACL violations alarm displays the ACL group (encompassing all ACL entries for that number),
permit/deny action, source IP address and number of packets that arrived in the last five minutes.
For example, if 11 packets originate from the server at IP address 15.15.15.2 and 20 packets derive
from the server at IP address 21.21.7.5 with the following CLI configuration:

XSR(config)#access-list 101 deny ip 15.15.15.0 0.0.0.255 16.16.16.0 0.0.0.255 log
XSR(config)#access-list 101 permit ip 21.21.0.0 0.0.255.255 any any log

The first alarms logged will display as follows:

XSR(config)#access-list 101 deny 15.15.15.2 1 packet
XSR(config)#access-list 101 permit 21.21.7.5 1 packet

After five minutes, the alarms logged will display as follows:

XSR(config)#access-list 101 deny 15.15.15.2 10 packets
XSR(config)#access-list 101 permit 21.21.7.5 19 packets
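The following Python simulation is an added example, not XSR code, that models both the wildcard-mask, first-match evaluation described above and the per-source, per-ACL-group violation counters behind the alarm example. It assumes an implicit deny when no entry matches (as in Cisco-style ACLs; the page does not state this), reports the first packet for a source immediately, and accumulates later packets until the periodic update or the optional log-update threshold clears the counter. The ACL lines and traffic are constructed to reproduce the manual's example; the destination for the 21.21.7.5 traffic and the threshold value are arbitrary.

```python
"""Simulation of XSR-style ACL evaluation with wildcard masks and
per-source, per-ACL-group violation logging (added example, not XSR code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")  # 'any': every address bit is ignored


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard masks are complemented netmasks: a 1 bit means 'ignore this bit'."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)          # bits that must match
    return (ip_int(addr) & care) == (ip_int(base) & care)


@dataclass
class AclEntry:
    action: str                                   # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    log: bool

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wild)
                and wildcard_match(dst, self.dst, self.dst_wild))


def parse_entry(line: str):
    """Parse 'access-list <n> <permit|deny> ip <src> <wild>|any <dst> <wild>|any [log]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    group, action, i, addrs = int(tok[1]), tok[2], 4, []
    for _ in range(2):                            # source, then destination
        if tok[i] == "any":
            addrs.append(ANY)
            i += 1
        else:
            addrs.append((tok[i], tok[i + 1]))
            i += 2
    return group, AclEntry(action, *addrs[0], *addrs[1], log="log" in tok[i:])


class Acl:
    """One numbered ACL group; entries are evaluated in configured order."""
    def __init__(self, lines):
        self.number, self.entries = None, []
        for line in lines:
            group, entry = parse_entry(line)
            if self.number not in (None, group):
                raise ValueError("entries from different ACL numbers")
            self.number = group
            self.entries.append(entry)

    def evaluate(self, src: str, dst: str):
        for entry in self.entries:                # first match wins
            if entry.matches(src, dst):
                return entry.action, entry
        return "deny", None                       # assumption: implicit deny


class ViolationLog:
    """Per (ACL group, action, source IP) counters, as with 'access-list log'.
    The first packet for a key is reported at once; later packets are counted
    and reported at the periodic update (flush) or when the optional
    log-update threshold is reached. Every report clears the counter."""
    def __init__(self, threshold: Optional[int] = None):
        self.threshold, self.counts = threshold, {}

    def record(self, group: int, action: str, src: str) -> Optional[str]:
        key = (group, action, src)
        first = key not in self.counts
        self.counts[key] = self.counts.get(key, 0) + 1
        if first or (self.threshold and self.counts[key] >= self.threshold):
            return self._report(key)
        return None

    def flush(self):                              # the five-minute update
        return [self._report(k) for k, n in list(self.counts.items()) if n > 0]

    def _report(self, key) -> str:
        group, action, src = key
        n, self.counts[key] = self.counts[key], 0
        return f"access-list {group} {action} {src} {n} packet{'' if n == 1 else 's'}"


def filter_packets(acl: Acl, log: ViolationLog, packets):
    """Run (src, dst) packets through the ACL; return alarms raised immediately."""
    alarms = []
    for src, dst in packets:
        action, entry = acl.evaluate(src, dst)
        if entry is not None and entry.log:
            msg = log.record(acl.number, action, src)
            if msg:
                alarms.append(msg)
    return alarms


def run_example():
    # Constructed configuration and traffic mirroring the manual's example.
    acl = Acl([
        "access-list 101 deny ip 15.15.15.0 0.0.0.255 16.16.16.0 0.0.0.255 log",
        "access-list 101 permit ip 21.21.0.0 0.0.255.255 any log",
    ])
    log = ViolationLog()
    traffic = [("15.15.15.2", "16.16.16.9")] * 11 + [("21.21.7.5", "198.51.100.7")] * 20
    first_alarms = filter_packets(acl, log, traffic)
    return first_alarms, log.flush()


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Running it prints the "1 packet" alarms first and the "10 packets" / "19 packets" alarms at the simulated five-minute update. Constructing `ViolationLog(threshold=5)` instead shows the log-update threshold behaviour: the counter is reported and cleared every five packets, so nothing is left for the periodic update.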

Packet Filtering

Packet filtering is configured via standard and extended access-list commands. For more information, refer to the XSR CLI Reference Guide.

LANd Attack

Protection against LANd attacks is triggered when a packet arrives with an IP source address equal to its IP destination address. Such a packet is never legitimate (a host would be tricked into replying to itself), and it is discarded by the XSR when the protection is enabled with the HostDos command. See the Firewall section for more details.
