Configuring a security filter, Configuring a generic rule – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual


ServerIron ADX Security Guide


53-1002440-03

Chapter 5: DDoS protection

Configuring a security filter

Configuring a security filter requires you to define it by name and then configure rules within it, as
shown in the following.

ServerIronADX(config)# security filter filter1

ServerIronADX(config-sec-filter1)# rule xmas-tree drop

Syntax: security filter <filter-name>

The <filter-name> variable names the filter being defined; the filter is then bound to a port.

The rule command defines the attack method that is being filtered for. For each rule, you can
configure the action to be taken if an attack occurs: the ServerIron ADX can log the attack, drop the
attacking packet, or both. The rules that can be used are described in Tables 12 through 17 of this
chapter.

Some rules are hardware-based and are programmed in the CAM. For these rules the default action is
to drop the packet. The log action is not available for them, so no message is generated when an
attack occurs; however, counters are maintained that you can check to determine whether an attack
has taken place.

Example

ServerIronADX(config)# security filter filter1

ServerIronADX(config-sec-filter1)# rule xmas-tree log

ServerIronADX(config-sec-filter1)# rule address-sweep 1 3 drop log

NOTE

There is no fixed limit on the number of filters that can be configured on a ServerIron ADX; the
practical limit depends on the available memory. However, a maximum of 10 rules can be bound to a
single interface.

Configuring a generic rule

Apart from regular rules, such as those configured above, there is also a generic rule. A generic rule
must be defined before it can be bound to a filter. In the following example, a generic rule (gen1) is
configured to match a TCP packet whose source IP address is greater than or equal to 10.10.1.101,
whose TCP destination port is greater than 20, and which carries the string "400" at byte offset 3
from the start of the l4-data.

ServerIronADX(config)# security generic gen1

ServerIronADX(config-sec-gen-gen1)# ip-source gteq ip 10.10.1.101

ServerIronADX(config-sec-gen-gen1)# tcp-dest gt val 20

ServerIronADX(config-sec-gen-gen1)# l4-data 3 eq str "400"

Syntax: {no} security generic <generic-rule-name>

The <generic-rule-name> variable names the generic rule being defined; the rule is then bound to a
filter.

The following conditions can be applied to any of the fields in the mac-header, ip-header, l4-header
(TCP/UDP), and l4-data offset to create generic rules:

eq      equals
gt      greater-than
gteq    greater-than-or-equals
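To make the matching semantics of the gen1 rule above concrete, the following Python is an added example; it is not Brocade code and is not part of this guide. It builds a few constructed IPv4/TCP packets and evaluates the three conditions of gen1 against them. Because the page does not spell these details out, the example assumes that an ip comparison treats the address as an unsigned 32-bit integer, that the l4-data offset is a zero-based byte offset from the start of the TCP payload, and that a packet matches only when every condition in the rule holds. The helper names (parse_condition, matches, build_ipv4_tcp) are the example's own.

```python
"""Evaluate a ServerIron ADX-style generic rule against raw IPv4/TCP packets.

Added example, not Brocade code. Assumptions not stated on the page:
- IP addresses compare as unsigned 32-bit integers (network byte order).
- "l4-data <offset>" is a zero-based byte offset from the start of the TCP
  payload, and "eq str" compares len(str) bytes starting there.
- A packet matches only when every condition in the rule is true.
"""
import ipaddress
import operator
import struct

# The three comparison conditions the guide lists for generic rules.
OPS = {"eq": operator.eq, "gt": operator.gt, "gteq": operator.ge}


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the header fields and L4 payload of a raw IPv4/TCP packet (no link layer)."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 6:                    # protocol field: 6 = TCP
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4      # TCP header length in bytes
    return {
        "ip-source": int.from_bytes(pkt[12:16], "big"),
        "ip-dest": int.from_bytes(pkt[16:20], "big"),
        "tcp-source": src_port,
        "tcp-dest": dst_port,
        "l4-data": tcp[data_off:],
    }


def parse_condition(line: str):
    """Parse one CLI condition line, e.g. 'tcp-dest gt val 20' or 'l4-data 3 eq str "400"'."""
    tok = line.replace('"', "").split()
    field = tok[0]
    if field == "l4-data":
        offset, op, kind, value = int(tok[1]), tok[2], tok[3], tok[4]
    else:
        offset, (op, kind, value) = None, tok[1:4]
    if kind == "ip":
        value = int(ipaddress.IPv4Address(value))   # compare addresses numerically
    elif kind == "val":
        value = int(value)
    elif kind == "str":
        value = value.encode()
    else:
        raise ValueError(f"unknown value kind {kind!r}")
    if field == "l4-data" and kind != "str":
        raise ValueError("this example only supports 'str' values for l4-data")
    return field, offset, OPS[op], value


def matches(rule, pkt: bytes) -> bool:
    """True if every condition of the rule holds for the packet (assumed AND semantics)."""
    fields = parse_ipv4_tcp(pkt)
    for field, offset, op, value in rule:
        actual = fields[field]
        if field == "l4-data":
            actual = actual[offset:offset + len(value)]
            if len(actual) < len(value):
                return False           # payload too short to hold the string at that offset
        if not op(actual, value):
            return False
    return True


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet for offline matching (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


# The gen1 rule from the guide, expressed as its three CLI condition lines.
GEN1 = [parse_condition(c) for c in (
    "ip-source gteq ip 10.10.1.101",
    "tcp-dest gt val 20",
    'l4-data 3 eq str "400"',
)]

if __name__ == "__main__":
    # Constructed sample packets (not captured traffic).
    samples = {
        "all three conditions hold": build_ipv4_tcp("10.10.1.101", "192.0.2.10", 40000, 80, b"ABC400xyz"),
        "source just below 10.10.1.101": build_ipv4_tcp("10.10.1.100", "192.0.2.10", 40000, 80, b"ABC400xyz"),
        "dest port 20 is not > 20": build_ipv4_tcp("10.10.1.200", "192.0.2.10", 40000, 20, b"ABC400xyz"),
        "'400' at offset 0, not 3": build_ipv4_tcp("10.10.1.200", "192.0.2.10", 40000, 80, b"400ABC"),
        "higher third octet still >= as an integer": build_ipv4_tcp("10.10.2.5", "192.0.2.10", 40000, 8080, b"xyz400"),
    }
    for label, pkt in samples.items():
        print(f"{label}: {matches(GEN1, pkt)}")
```

The last sample is worth noting: gteq compares the whole 32-bit address, so 10.10.2.5 satisfies "gteq ip 10.10.1.101" even though its last octet is smaller. Also remember that a generic rule only defines what to match; the action taken is still set by the rule command in the security filter the generic rule is bound to.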
