
E.09.xx software update for the ProCurve 5300 series switch products

Technical Training. E.09.xx software update for the ProCurve 5300 series switch products. Dec 2004. E.09.xx firmware update for the ProCurve 5300 series switch products. New Features Connection Rate Filtering (Virus Throttling).



Presentation Transcript


  1. Technical Training E.09.xx software update for the ProCurve 5300 series switch products Dec 2004

  2-6. E.09.xx firmware update for the ProCurve 5300 series switch products
  • New Features
    • Connection Rate Filtering (Virus Throttling)
    • Multiple 802.1X users per port
    • Concurrent 802.1X and MAC Auth or Web Auth
    • 802.1X Guest VLAN
    • RADIUS authentication for switch manager login
    • 802.1ab Link Layer Discovery Protocol (LLDP)
    • UDP directed broadcast forwarding
    • Multiple configuration files

  7-10. The Geek Translation
  Sushi: Cold Raw Dead Fish
  hp "Virus Throttling": Connection Rate Filtering

  11-13. Connection Rate Filtering
  • Most anti-virus software works by preventing infection
  • Works well but occasionally fails
  • When it fails, the virus can spread very rapidly and cause lots of damage
    • Many infected machines
    • Clogged networks
  • Example – SQLSlammer, MS-Blaster, SASSER
  (Infection maps on the slide: 05:29 Jan 25 '03 – 0 infected; 06:00 Jan 25 '03 – 74855 infected)

  14-20. Connection Rate Filtering
  • What does CRF do to reduce the threat?
    • Filter function based on connection rate only
    • Does not look inside packets for signatures
    • Functions only on routed traffic (NOT on switched traffic)
    • Many valid nodes will create false positives
    • Must be manually configured
    • Must configure Sensitivity and Response

  21-23. Connection Rate Filtering Sensitivity
  Example: At medium sensitivity, a host may trigger the filter by issuing 37 new outbound connections in a 36 second period if the gap between any two new connections does not exceed 1 second. When there is a gap that exceeds 1 second, the counter is reset.

  24-26. Connection Rate Filtering
  • Response
    • notify-only
      • Generates event log entry and trap event when sensitivity threshold exceeded
    • throttle
      • Generates event log and trap and then blocks routing of traffic from offending host for penalty period defined by sensitivity
      • After penalty period the function is reset and routing resumes
    • block
      • Generates event log and trap and then blocks routing of traffic from offending host until manually reset by administrator
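The trigger rule from slide 23 and the three responses from slides 24 to 26, modelled in Python as an added example (this is not ProCurve switch code). The medium-sensitivity numbers come from slide 23; the 60-second throttle penalty, the decision to drop the connection that trips the filter, and the two traffic traces are assumptions constructed for the example.

```python
"""CRF trigger and responses as slides 23 to 26 describe them. Added example, not ProCurve
code; medium-sensitivity constants are from slide 23, the 'throttle' penalty is ASSUMED."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_GAP = 1.0    # seconds; a larger gap between new connections resets the counter
THRESHOLD = 37   # new connections that trigger (37 with gaps <= 1 s fit the 36 s period)
PENALTY = 60.0   # seconds routing stays blocked under 'throttle'; ASSUMED, not in the deck

@dataclass
class HostState:
    count: int = 0                          # new connections since the last reset
    last_ts: float = 0.0                    # time of the previous new connection
    blocked_until: Optional[float] = None   # None = routing on, inf = until admin reset
    events: List[Tuple[float, str]] = field(default_factory=list)  # log/trap entries

def observe(state: HostState, ts: float, response: str) -> bool:
    """Account for one new outbound connection at time ts: True if routed, False if dropped."""
    if state.blocked_until is not None:
        if ts < state.blocked_until:
            return False                    # inside the penalty period or an admin block
        state.blocked_until, state.count = None, 0   # penalty over: function reset
    if state.count and ts - state.last_ts > MAX_GAP:
        state.count = 0                     # gap exceeded 1 s: counter reset
    state.count += 1
    state.last_ts = ts
    if state.count >= THRESHOLD:
        state.events.append((ts, response)) # event log entry and trap
        state.count = 0
        if response == "throttle":
            state.blocked_until = ts + PENALTY  # assumed: drop from this connection onward
            return False
        if response == "block":
            state.blocked_until = float("inf")  # stays until admin_reset()
            return False
    return True                             # notify-only never drops traffic

def admin_reset(state: HostState) -> None:
    """Manual unblock, the only way out of a 'block' response (slide 46)."""
    state.blocked_until, state.count = None, 0

def simulate(timestamps, response: str) -> dict:
    """Run one host's connection times through the filter and summarise the outcome."""
    st = HostState()
    routed = sum(observe(st, t, response) for t in timestamps)
    return {"routed": routed, "events": st.events, "state": st}

# Constructed traffic: a scanner connecting every 0.5 s; a legitimate host in 10-connection bursts ~5 s apart
SCAN = [i * 0.5 for i in range(40)]
LEGIT = [b * 7 + i * 0.2 for b in range(5) for i in range(10)]
```

Running `simulate(SCAN, "notify-only")` logs one event at 18.0 s but routes all 40 connections, `simulate(SCAN, "throttle")` routes 36 and then drops until the penalty expires, and the bursty LEGIT trace never reaches the threshold because each 5-second pause resets the counter.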

  27-34. Connection Rate Filtering
  • Typical deployment scenario (not set and forget)
    • Deploy in notify-only mode
    • Set sensitivity to low
    • Monitor the nodes that are triggering
    • Determine the characteristic of valid traffic from those nodes
    • Increase sensitivity, or create an exception ACL for nodes generating false positives
    • Activate throttling or blocking
    • Monitor and adjust

  35. Connection Rate Filtering
  • What to do with nodes generating legitimate traffic that triggers the CRF?
  • Use of connection-rate ACLs provides the option to apply exceptions to the configured connection-rate filtering policy:
    • A trusted server exhibiting a relatively high IP connection rate due to heavy demand
    • A trusted traffic source on the same port as other, untrusted traffic sources

  36-37. Connection Rate Filtering
  • Basic CLI commands
    • [no] connection-rate-filter sensitivity < low | medium | high | aggressive >
      • Global enable/disable and global sensitivity
      • Reboot the switch after running this command to enable/disable or change CRF sensitivity!

  38. Connection Rate Filtering
  • Basic CLI commands
    • [no] filter connection-rate [eth] port-list <notify-only | throttle | block>
      • Port based configuration of the response

  39-40. Connection Rate Filtering
  • Basic CLI commands
    • [no] ip access-list connection-rate-filter name-str
        < ignore | filter > ip < any | host src-ip-addr | src-ip-addr src-ip-mask | src-ip-addr/mask >
        < ignore | filter > < udp | tcp > < any | host src-ip-addr | src-ip-addr src-ip-mask | src-ip-addr/mask > < source-port | destination-port | all-ports >
      • ACLs are ONLY required as exceptions to the CRF policy

  41-42. Connection Rate Filtering
  • Config example
  • Config example – Connection Rate ACL

  43-48. Connection Rate Filtering - Summary
  • CRF is not set and forget
  • Operates ONLY on routed traffic
  • Requires a switch reboot after enabling, disabling or changing sensitivity of CRF
  • Once a host has been blocked, it remains in this state regardless of the port setting – must unblock explicitly
  • CRF is host based (host is blocked, not port)
  • Sensitivity is set globally, response is set per port, filtering is host based

  49-50. Connection Rate Filtering - Benefits
  • Behavior based
  • Handles unknown worms
