LinkProof User Guide
Software Version 5.22
Document ID: 8261
July, 2008

Important Notice

This guide is delivered subject to the following conditions and restrictions:

Copyright Radware Ltd. 2006 - 2007. All rights reserved.

The copyright and all other intellectual property rights and trade secrets included in this guide are owned by Radware Ltd. The user guide is provided to Radware customers for the sole purpose of obtaining information with respect to the installation, management and operation of the LinkProof product, and may not be used for any other purpose. The information contained in this guide is proprietary to Radware and must be kept in strict confidence. It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without the prior written consent of Radware.

Copyright Notices

This product contains code developed by the OpenSSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.

This product contains the Rijndael cipher
The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license:

@version 3.0 (December 2000)
Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
This code is hereby placed in the public domain.

THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product contains code developed by the OpenBSD Project
Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software developed by Markus Friedl
This product includes software developed by Theo de Raadt
This product includes software developed by Niels Provos
This product includes software developed by Dug Song
This product includes software developed by Aaron Campbell
This product includes software developed by Damien Miller
This product includes software developed by Kevin Steves
This product includes software developed by Daniel Kouril
This product includes software developed by Wesley Griffin
This product includes software developed by Per Allansson
This product includes software developed by Nils Nordman
This product includes software developed by Simon Wilkinson

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Safety Instructions

CAUTION
Due to the risks of electrical shock, and energy, mechanical, and fire hazards, any procedures that involve opening panels or changing components must be performed by qualified service personnel only. To reduce the risk of fire and electrical shock, disconnect the device from the power line before removing covers or panels.

SERVICING
Do not perform any servicing other than that contained in the operating instructions unless you are qualified to do so. There are no serviceable parts inside the unit.

HIGH VOLTAGE
Any adjustment, maintenance, and repair of the opened instrument under voltage should be avoided as much as possible and, when inevitable, should be carried out only by a skilled person who is aware of the hazard involved. Capacitors inside the instrument may still be charged even if the instrument has been disconnected from its source of supply.

GROUNDING
Before connecting this device to the power line, the protective earth terminals of this device must be connected to the protective conductor of the (mains) power cord. The mains plug shall only be inserted in a socket outlet provided with a protective earth contact. Do not use an extension cord (power cable) without a protective conductor (grounding).

LASER
This equipment is a Class 1 Laser Product in accordance with IEC60825 - 1: 1993 + A1:1997 + A2:2001 Standard.
FUSES
Make sure that only fuses with the required rated current and of the specified type are used for replacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided. Whenever it is likely that the protection offered by fuses has been impaired, the instrument must be made inoperative and be secured against any unintended operation.

LINE VOLTAGE
Before connecting this instrument to the power line, make sure the voltage of the power source matches the requirements of the instrument. Refer to the Specifications for information about the correct power rating for the device.

TRADEMARKS
LinkProof and APSolute Insite are trade names of Radware Ltd. This document contains trademarks registered by their respective companies.

SPECIFICATION CHANGES
Specifications are subject to change without notice.

Note: This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of the FCC Rules and EN55022 Class A, EN 50082-1 for CE MARK compliance. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense.

Special Notice for North American Users
For North American power connection, select a power supply cord that is UL Listed and CSA Certified, 3 - conductor, [18 AWG], terminated in a molded on plug cap rated 125 V, [5 A], with a minimum length of 1.5m [six feet] but no longer than 4.5m... For European connection, select a power supply cord that is internationally harmonized and marked "<HAR>", 3 - conductor, 0,75 mm2 minimum wire, rated 300 V, with a PVC insulated jacket. The cord must have a molded on plug cap rated 250 V, 3 A.

RESTRICT AREA ACCESS
The DC powered equipment should only be installed in a Restricted Access Area.

INSTALLATION CODES
This device must be installed according to country national electrical codes. For North America, equipment must be installed in accordance with the US National Electrical Code, Articles 110-16, 110-17, and 110-18 and the Canadian Electrical Code, Section 12.

INTERCONNECTION OF UNITS
Cables for connecting to the unit RS232 and Ethernet Interfaces must be UL certified type DP-1 or DP-2. (Note: when residing in a non-LPS circuit.)

OVERCURRENT PROTECTION
A readily accessible listed branch-circuit overcurrent protective device rated 15 A must be incorporated in the building wiring.

DC POWER CONNECTION
1. The equipment shall be connected directly to the DC Supply System earthing electric conductor.
2. All equipment in the immediate vicinity shall be earthed in the same way, and shall not be earthed elsewhere. The DC supply system is to be local, i.e. within the same premises as the equipment.
3. There shall be no disconnect device between the earthed circuit conductor of the DC source (return) and the point of connection of the earthing electrode conductor.

REPLACEABLE BATTERIES
If equipment is provided with a replaceable battery, and it is replaced by an incorrect battery type, then an explosion may occur. This is the case for some Lithium batteries and the following is applicable:
• If the battery is placed in an Operator Access Area, there is a marking close to the battery or a statement in both the operating and service instructions.
• If the battery is placed elsewhere in the equipment, there is a marking close to the battery or a statement in the service instructions.
This marking or statement includes the following text warning:
CAUTION
RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.

Caution - To Reduce the Risk of Electrical Shock and Fire
1. This equipment is designed to permit connection between the earthed conductor of the DC supply circuit and the earthing conductor equipment. See Installation Instructions.
2. All servicing should be undertaken only by qualified service personnel. There are no user serviceable parts inside the unit.
3. DO NOT plug in, turn on or attempt to operate an obviously damaged unit.
4. Ensure that the chassis ventilation openings in the unit are NOT BLOCKED.
5. Replace a blown fuse ONLY with the same type and rating as is marked on the safety label adjacent to the power inlet, housing the fuse.
6. Do not operate the device in a location where the maximum ambient temperature exceeds 40° C / 104° F.
7. Be sure to unplug the power supply cord from the wall socket BEFORE attempting to remove and/or check the main power fuse.

Attention: To Reduce the Risks of Electrocution and Fire
1. All servicing operations shall be carried out ONLY by qualified service personnel. No component can be serviced or replaced by the user.
2. DO NOT connect, power on or attempt to use a unit that is obviously defective.
3. Make sure that the chassis ventilation openings are NOT OBSTRUCTED.
4. Replace a blown fuse ONLY with a fuse of the same type and rating, as indicated on the safety label next to the power inlet that houses the fuse.
5. DO NOT USE the equipment in premises where the maximum temperature exceeds 40°C.
6. Make sure the power cord has been disconnected BEFORE attempting to remove and/or check the main power fuse.

Measures for Protection against Electric Shock and Fire
1. All maintenance work should be carried out exclusively by trained service personnel. No parts inside the device may be serviced by the user.
2. Obviously defective or damaged devices must not be connected, switched on or put into operation.
3. Make sure that the ventilation slots on the device are not blocked.
4. Replace a defective fuse only with fuses as specified on the safety label.
5. Do not operate the device in rooms with temperatures above 40°C.
6. Disconnect the power cable from the socket before you check or replace the main fuse.

About This Guide

The LinkProof User Guide is intended for system administrators and network installers who are responsible for maintaining and configuring the network. This user guide is designed to provide you with an in-depth knowledge of SecureFlow that will enable you to incorporate and configure LinkProof into your network. Each chapter provides feature overviews and step by step configuration instructions, as well as configuration examples where appropriate.

— Chapter 1 - Introduction and Overview: This chapter explains how LinkProof is used to improve the quality of service and to optimize utilization of the existing resources, and provides an explanation of LinkProof's capabilities and a brief description of its main characteristics.
— Chapter 2 - Device Management: This chapter provides information about the LinkProof management and maintenance processes. It describes the management interfaces and the methods by which LinkProof devices are accessed, configured and operated.
— Chapter 3 - Routing: This chapter provides theoretical explanations about switching and routing in general, describes how LinkProof participates in the processes of switching and routing, and presents several aspects of the practical implementation of LinkProof.
— Chapter 4 - Basic Application Switching: This chapter introduces the farm management concept and guides you through the farm related features. It also provides examples of common configurations of the application switching and load balancing schemes.
— Chapter 5 - Advanced Features: This chapter presents LinkProof advanced capabilities and provides common configuration examples of the described features.
— Chapter 6 - Redundancy: This chapter introduces the redundancy concept and provides examples of common LinkProof redundancy configurations.
— Chapter 7 - Security: This chapter provides a general overview of the SynApps Security modules and the sub-modules within, as well as an explanation of the signatures database and the Radware Security Update Service (SUS). Also provided in this chapter is an explanation of the tuning process.
— Chapter 8 - Bandwidth Management: This chapter presents the capabilities of the Bandwidth Management module, including BWM classes and BWM policies, and provides some example configurations.
— Chapter 9 - Health Monitoring: This chapter describes the LinkProof Health Monitoring module included in the Radware SynApps architecture.
— Chapter 10 - Application Switching Platforms: This chapter provides an explanation of Radware's Application Switching Platforms and of Device Management, together with a list of specifications, the Serial Cable Pin Assignment and a troubleshooting section.
— Appendix A - Glossary: The glossary provides explanations of terms and concepts used in network configurations.
— Appendix B - Loopback Interfaces: This appendix defines how different operating systems differ when performing loopback aliases.
— Appendix C - Regular Expressions: This appendix provides an overview of the basic syntax of regular expressions used in LinkProof modules.
— Index

Document Conventions

This guide uses the following documentation conventions:
• Command paths in the GUI are presented as: File > Save As.
• Windows systems use a two-button mouse. To drag and drop an object, click and hold the left mouse button on the object, drag the object to the target location, then release the button.
• Screen displays can differ slightly from those included in this guide, depending on the system you use. For example, Microsoft Windows screens are different from X-Windows screens.

Various icons are used throughout the document to indicate the following:
Note: Important information that requires additional attention.
Tip: A recommendation, or an optimum way to perform an action.
Configuration Guidelines: General description of the configuration process.
To Statement: Detailed operating instructions that explain the step by step configuration process.
Example: An example configuration of an actual scenario.

Table of Contents

Important Notice ..... 3
Copyright Notices ..... 3
Safety Instructions ..... 5
About This Guide ..... 7
Document Conventions ..... 8

Chapter 1 - Introduction ..... 19
  Introducing LinkProof ..... 19
    LinkProof Overview ..... 19
    LinkProof Main Concepts ..... 20
    The Role of LinkProof in the Network ..... 22
    LinkProof Products ..... 22
  LinkProof Modules Overview ..... 22
    LinkProof Modules ..... 22
    Management Tools ..... 24

Chapter 2 - Device Management ..... 25
  Configuring Device IP Host Parameters ..... 25
    Device IP Host Parameters Introduction ..... 25
    Erasing the Configuration file ..... 28
  Device Configuration Options ..... 28
    Management Interfaces ..... 29
    Configuring SNMP ..... 29
    Telnet and SSH ..... 41
    Ping Physical Port Permissions ..... 43
    APSolute Insite ..... 43
    Command Line Interface ..... 43
    Web Based Management ..... 45
  Device Security ..... 45
    Bandwidth Management Access ..... 46
    Users Table ..... 46
    RADIUS Authentication ..... 47
  Version Management and Device Upgrading ..... 48
    Introducing Upgrades ..... 49
    Software Version Update ..... 49
    Saving and Restoring Configuration Files ..... 52
    Upgrading Licenses ..... 53
    Upgrading Boot Versions ..... 55
    Resetting Devices ..... 56
  Device Tuning ..... 56
    Tuning Tables Introduction ..... 56
    Tuning Memory Check ..... 65
  Device Notifications ..... 65
    Notifications - General ..... 65
    E-mail Notification ..... 66
  Utilities ..... 66
    DNS Client ..... 67

Chapter 3 - Basic Switching & Routing ..... 69
  Port Settings ..... 69
    Port Mirroring ..... 69
    Port Trunking ..... 70
    Port Rules ..... 72
    Port Load Balancing Status ..... 72
  Virtual LAN ..... 72
    What is a Virtual LAN? ..... 72
    LinkProof VLAN Types ..... 72
    Bridging ..... 73
    VLAN Configuration ..... 74
    Redundancy ..... 76
  VLAN Tagging ..... 76
    VLAN Tagging Support ..... 76
    Using VLAN Tagging ..... 76
    VLAN Tagging Enhancements ..... 78
  IP Addressing & Routing ..... 78
    IP Addressing ..... 79
    Routing ..... 79
    Routing Information Protocol ..... 80
    Open Shortest Path First ..... 82

Chapter 4 - Basic Application Switching ..... 83
  LinkProof Multihoming Overview ..... 83
  Cluster Support ..... 86
  Farm Management ..... 88
    Farm Concept ..... 88
    Farm Load Balancing ..... 89
    Router Farm Load Balancing ..... 94
    Firewall Farm Load Balancing ..... 95
    Default Farm ..... 99
    Farm Connectivity Checks ..... 99
  Server Management ..... 100
    Servers Overview ..... 100
    Farm Servers ..... 101
    Server Parameters ..... 101
    Physical Servers ..... 103
  Network Address Translation ..... 105
    Network Address Translation (SmartNAT) - Introduction ..... 106
    Dynamic NAT ..... 107
    Static NAT ..... 108
    No NAT ..... 109
    Basic NAT ..... 110
    One IP Support ..... 111
    Static Port Address Translation ..... 112
  Proximity ..... 115
    Proximity Introduction ..... 116
    Proximity Configuration ..... 116
  DNS ..... 118
    DNS Introduction ..... 118
    Mapping URLs to local IP Addresses ..... 119
    DNS Response Parameters ..... 120
    DNS for Local Users ..... 120
    DNS Redundancy ..... 122
    DNS Client ..... 122
  Basic Load Balancing ..... 123
    Simple Router Load Balancing Configuration ..... 123
    Simple Router Load Balancing Configuration with VLAN ..... 127
    One-leg (lollipop) Configuration ..... 131
    Sandwich Configuration ..... 136
    Single Device Installation ..... 143
  Flow Management ..... 146
    Flow Concept ..... 146
    Flow Policies ..... 147
    Typical Flow Configurations ..... 148
  VPN Load Balancing ..... 154
    Multicast Dispatch ..... 156
    Clear Client Table ..... 157
    Client Table Overwrite ..... 158
  Client Table ..... 159
    Client Table Management ..... 159
    Client Table Global Parameters ..... 163
    Client Table Views ..... 166

Chapter 5 - Advanced Features ..... 169
  Content Load Balancing ..... 169
    Content Load Balancing Overview ..... 169
    Content Load Balancing Configuration ..... 171
    Content Rule Configuration Example ..... 174
  Virtual Tunneling ..... 179
    Virtual Tunneling Introduction ..... 179
    Virtual Tunneling Terms ..... 181
    Virtual Tunneling Configuration ..... 181
  Integrated VPN Gateway ..... 188
    Integrated VPN Gateway Introduction ..... 189
    IPSec ..... 189
    Configuring VPN Gateways ..... 191
  Cost Based Load Balancing ..... 194
  Data Compression ..... 196
    Data Compression Overview ..... 196

Chapter 6 - Redundancy ..... 203
  LinkProof Redundancy ..... 203
    Introducing LinkProof Redundancy ..... 203
    Active / Backup Setup ..... 204
    Interface Grouping ..... 205
    Mirroring ..... 206
  Proprietary ARP Redundancy ..... 207
    Proprietary ARP ..... 207
    Backup Fake ARP ..... 208
    Advanced Forwarding ..... 213
  VRRP Redundancy ..... 213
    Introducing VRRP ..... 213
    VRRP Redundancy Notes ..... 215
    VRRP nxn Redundancy ..... 219
    Direct Server Connection with VRRP ..... 219

Chapter 7 - Security ..... 231
  Security Overview ..... 231
    Security Introduction ..... 231
    Security Modules ..... 232
    Configuring Security Modules ..... 234
    Configuring Security Policies ..... 235
    Enabling Protection and Setting up General Security Parameters ..... 235
    Defining Connectivity ..... 239
  Intrusions ..... 241
    Introduction to Intrusions ..... 241
    Intrusion Prevention Profiles ..... 246
    How to use the Intrusion Prevention Module ..... 246
    Creating a New User Defined Intrusion Prevention Profile ..... 255
  DoS/DDoS ..... 258
    Introduction to DoS/DDoS ..... 258
    DoS Shield Profiles ..... 259
    Application Security Profiles ..... 270
  SYN Flood Protection ..... 275
    Introduction to SYN Flood Protection ..... 275
    Before Setting Up SYN Flood Protection ..... 277
    SYN Flood Protection General Settings ..... 278
    Creating Custom SYN Attacks ..... 280
    SYN Flood Reporting ..... 283
  Protocol Anomalies ..... 283
    Introduction to Protocol Anomalies ..... 284
    How to Use the Anomalies Module ..... 284
    Stateful Inspection ..... 290
  Anti-Scanning ..... 293
    Introduction to Anti-Scanning ..... 293
    How to Use the Anti-Scanning Module ..... 293
  Managing Signatures Database ..... 299
    Application Security Signature File Update ..... 299
    Manual Update ..... 299
    Downloading and Updating ..... 301
    Scheduled Downloading and Updating ..... 301
  Security Tuning ..... 305
    Tuning Introduction ..... 305
    Security Tuning ..... 306
    Session Table Tuning ..... 308
    SYN Table Tuning ..... 309
  Security Events ..... 310
    Events and Event Reporting ..... 311
    Reporting Channels ..... 311
  Security Reports ..... 314
    Security Reports Overview ..... 314
    Security Reports Main Window ..... 316
    Generating Attack Reports ..... 320
    Attack Logs ..... 325
    Executive Reports ..... 330
    Dashboard ..... 331

Chapter 8 - Bandwidth Management ..... 335
  Bandwidth Management Overview ..... 335
  Bandwidth Management Policies ..... 336
    What is Bandwidth Management Policy? ..... 337
    Bandwidth Management Classification Criteria ..... 337
    Bandwidth Management Rules ..... 338
  BWM Classes .....
340 Services ..................................................................................... 341 Networks ................................................................................... 343 Doc. No.: 8261 15 LinkProof User Guide Port Groups ............................................................................... 344 VLAN Tag Groups ..................................................................... 344 BWM Example Configuration ................................................ 344 Protocol Discovery ................................................................. 348 What is Protocol Discovery? ..................................................... 348 Protocol Discovery Policies ....................................................... 349 Interface Classification .......................................................... 349 Port Bandwidth .......................................................................... 350 Interface Classification .............................................................. 350 Chapter 9 - Health Monitoring ....................................... 353 Health Monitoring - Introduction ............................................ 353 Module ...................................................................................... Checked Element ...................................................................... Health Check ............................................................................. Method ...................................................................................... Binding and Groups .................................................................. 353 354 354 354 354 Health Check Configuration ................................................... 355 Global Configuration ................................................................. Global Parameters Setup .......................................................... 
Health Checks Database .......................................................... Bindings and Groups ................................................................. Regular Health Check ............................................................... Group Health Check .................................................................. Farm Health Check ................................................................... 355 355 356 359 360 362 363 Health Check Methods .......................................................... 364 Predefined Methods .................................................................. 364 User Defined Methods .............................................................. 372 Chapter 10 - Application Switching Platforms .............. 375 Introduction to Intelligent Application Switches ..................... 375 Application Switch 1 .................................................................. Application Switch 2 .................................................................. Application Switch 3 .................................................................. Application Switch 4 ................................................................. Compact Application Switch ...................................................... 375 376 376 377 377 Getting Started ...................................................................... 377 Application Switches Physical Description ................................ 378 Compact Application Switch ...................................................... 384 Device Installation ..................................................................... 385 Device Interfaces ................................................................... 387 Boot Level Commands .......................................................... 390 CLI Installation Wizard .......................................................... 392 16 Doc. 
No.: 8261 LinkProof User Guide Application Recovery Procedure ........................................... 396 Specifications ........................................................................ 397 Specification Table .................................................................... 398 Serial Cable Pin Assignment ..................................................... 400 Trouble Shooting for AS1 & AS2. .......................................... 400 Appendix A – Glossary.................................................... 403 Commonly Used Terms ......................................................... 403 List of Abbreviations .............................................................. 404 Appendix B – Loopback Interfaces ................................ 407 AIX ......................................................................................... 408 HP-UX ................................................................................... 408 Linux ...................................................................................... 409 Solaris .................................................................................... 410 Windows NT .......................................................................... 410 Appendix C – Regular Expressions ............................... 413 Appendix D – Index .......................................................... 415 Doc. No.: 8261 17 LinkProof User Guide 18 Doc. No.: 8261 LinkProof User Guide Chapter 1 - Introduction This chapter provides an introduction to LinkProof and explains how LinkProof is used to improve the quality of service and to optimize utilization of the existing resources as well as providing a explanation of LinkProofs capabilities and a brief description of its main characteristics. 
This chapter includes the following sections:
• Introducing LinkProof, page 19
• LinkProof Modules Overview, page 22

Introducing LinkProof

This section provides a general introduction to LinkProof and explains its main concepts and capabilities and its role in the network. This section includes the following topics:
• LinkProof Overview, page 19
• LinkProof Main Concepts, page 20
• The Role of LinkProof in the Network, page 22
• LinkProof Products, page 22

LinkProof Overview

LinkProof by Radware is an intelligent application switch that manages all links across multi-homed networks, enabling full link availability, highest link performance and complete link security for uninterrupted user access to web-enabled applications and cost-effective connectivity at main offices and data centers. LinkProof eliminates link bottlenecks and failures from enterprise multi-homed networks, providing fault-tolerant connectivity and continuous user access to IP applications, web-enabled databases, online services, corporate web sites and e-commerce. By intelligently routing traffic and moderating bandwidth levels across all enterprise links, LinkProof maximizes link utilization, driving application performance, economically scaling link capacities and controlling connectivity service costs. By securing all enterprise entry points and cleansing all link traffic, LinkProof delivers Denial of Service protection and Intrusion Prevention to protect distributed applications, resources and users.

Multi-homing Overview

The term "multi-homing" generally refers to a network that uses multiple connections to the Internet, usually through multiple ISPs. Multi-homed networks are increasing in popularity because they provide better reliability and performance. Better reliability comes from having more stable networks that are protected in case one of the Internet links or access routers fails.
The performance gain comes from the network's bandwidth to the Internet being the sum of the bandwidths available through each of the access links. Note that this better performance is only achieved if all the links are used collectively. However, a multi-homed network creates various design complexities involving addressing schemes, routing protocols and DNS. It also offers some benefits that are never fully realized, for example:

• Even with the most sophisticated routing protocols, true load balancing will never be achieved across the multiple links for outbound traffic. Any load balancing decisions that a routing protocol makes will be crude at best, and can be classified as "load sharing", but nothing more.
• Some Internet resources are more accessible through one ISP than through another. Routing protocols may know basic proximity information, but they generally have no knowledge of dynamic link conditions.
• For inbound traffic, for example Internet hosts trying to access a Web server on the multi-homed network, one ISP may provide a better path into the network than another. Again, there is no way to factor in dynamic link conditions when choosing the best path into the network at any given time.

LinkProof eliminates all the complexities of the multi-homing design, providing a single, easy to manage appliance that intelligently optimizes and utilizes all Internet links.

Multi-Homed Network

LinkProof provides the following advantages for a multi-homed network:
• LinkProof intelligently manages the IP address ranges assigned to the network by the various ISPs.
• LinkProof ensures that all ISP links are optimized by intelligently load balancing all outgoing traffic across the available links, while at the same time managing the address spaces used for the outgoing traffic.
• LinkProof uses Radware's patented proximity detection algorithms to choose the best ISP for outbound traffic.
• LinkProof ensures that all ISP links are used for all incoming traffic, and no address from a failed ISP link is ever advertised to the Internet.
• LinkProof's proximity detection can also be used to ensure that the optimal path is used for inbound traffic.

In essence, LinkProof becomes a single, easy to administer traffic manager for the multi-homed network, eliminating the complexities of routing protocols and uncertain traffic patterns. It also optimizes the multiple ISP connections of the multi-homed network to ensure that all links are used to the best of their potential, thereby making the entire network more efficient for both inbound and outbound traffic. In addition to multi-homing, LinkProof can also load balance firewalls and VPN gateways, thus providing not only continuous but also secure connectivity.

LinkProof Main Concepts

LinkProof load balances outgoing and incoming traffic through the access routers and via the firewall. During this process LinkProof is responsible for the following:
• Forwarding the traffic to a server (router or firewall) that can provide the required service.
• Selecting the most available server from the servers that provide each required service.
• Ensuring that all the packets of a single request for service are forwarded to the same server.

Farms

A farm is a group of servers that collectively provide the same service. Servers are grouped in farms according to the type of service that they provide. For each service you can define a farm on LinkProof. When a new request for service arrives, LinkProof identifies the required service and selects the most available server within the farm that provides this service. In this manner LinkProof optimizes the server operation and improves the level of service.

Servers

The purpose of LinkProof is to load balance the traffic that must pass via routers and firewalls in order to optimize their operation.
To achieve this purpose, LinkProof works with farms of servers. In this way, each service provided by a physical server is represented by a logical entity on LinkProof, and each logical entity participates in a farm.

Content Rules

A Content Rule is an entity that allows LinkProof to load balance between different farms of the same type, or between different servers within the same farm, based on HTTP content: MIME type, URLs, cookies, and so on.

NAT

To save public IP addresses, LinkProof uses Network Address Translation (NAT), which is the translation of an IP address used within one network to a different IP address known within another network. NAT is typically used to translate private IP addresses into public IP addresses. The purpose of NAT is to hide the source IP address. LinkProof incorporates the following NAT options:
• Static NAT is used to ensure delivery of specific traffic from the WAN to a particular server on the internal network, and to hide server IP addresses for outgoing traffic. This allows all ISP links to be used for all incoming traffic, and ensures that no address from a failed ISP link is ever advertised to the Internet.
• Dynamic NAT is used to hide the IP addresses of internal hosts for outbound traffic. LinkProof chooses an IP address that is associated with the router/ISP selected for the session. Because the translated source IP address is chosen according to the selected router, return traffic arrives over the same link and no return delivery issues are encountered.

Proximity

In order to optimize outbound and inbound traffic, LinkProof can also optionally perform proximity calculations. If an internal host wants to access a specific Web site, it is possible that the route through one ISP is more efficient than the route through the other ISP for that specific content. So, LinkProof performs proximity calculations through all available ISPs to the destination.
For future traffic to this destination, LinkProof chooses the best ISP connection according to the results of these proximity calculations. Similarly, if an Internet host needs to access an internal resource, it is likely that this Internet host can reach the multi-homed network more efficiently through one ISP than through the other. To accomplish this, LinkProof calculates proximity from its network to all networks with hosts trying to access internal resources.

DNS Load Balancing

To provide load balancing for inbound traffic, LinkProof can take control of particular URLs. To achieve this, LinkProof must become the authoritative name server for a particular URL through proper configuration in the organization's master DNS servers. This causes all DNS queries from the Internet for that URL to arrive at LinkProof. When LinkProof receives a DNS query asking it to resolve a particular URL to an IP address, it resolves the query to the static NAT address corresponding to the best link available for the user's request. This means that different responses may be provided to different clients requesting the same URL.

Redundancy

The LinkProof redundancy mechanism enables you to define a backup LinkProof in case of failure. Each pair of LinkProofs can function in an Active / Backup Setup. To achieve redundancy between LinkProof devices, the following methods can be used:
• Proprietary ARP
• VRRP

The Role of LinkProof in the Network

LinkProof is installed in the path from a user community to the Internet. LinkProof must be defined as the default gateway for both inbound and outbound traffic. LinkProof can be installed into a network as a bridge or as a router. When installed as a router, LinkProof supports the following protocols:
• RIP
• RIPII
• OSPF
• VRRP

LinkProof Products

The LinkProof family runs on all Application Switch platforms (1, 2 and 3), providing the same functionality with different performance.
For more details on the Application Switch platforms, refer to Application Switching Platforms, page 375. In addition, the LinkProof family includes the following models:
• LinkProof Entry Level Product: LinkProof Entry Level is a basic model of LinkProof running on the Application Switch I/8FE platform. It supports all functionalities of the LinkProof family and differs only with regard to its bandwidth limitations.
• LinkProof Branch Product: LinkProof Branch is a model of LinkProof built on the Compact Application Switch platform. It supports all functionalities of the LinkProof family and differs only with regard to its bandwidth limitations.

LinkProof Modules Overview

This section provides a general overview of LinkProof capabilities, including a general description of the modules that LinkProof comprises, as well as an explanation of the management tools that allow you to manage the LinkProof device. This section includes the following topics:
• LinkProof Modules, page 22
• Management Tools, page 24

LinkProof Modules

In order to provide high availability, optimal performance and maximum security levels, LinkProof offers a solution that combines powerful functional modules. LinkProof's advanced Health Monitoring guarantees availability of the entire transaction path. The Traffic Redirection module works closely with the Health Monitoring module and performs Layer 4-7 switching based on resource availability. Traffic Redirection optimizes the usage of the routers by applying intelligent dispatching algorithms. In case of failure of any of the network elements, Traffic Management allows the traffic to bypass the faulty elements. Thus, optimization and full utilization of the existing resources guarantee 24/7 application availability and security, provide high performance, and translate into a better return on investment. Further optimization of network resources is performed by means of Bandwidth Management.
This module allows you to translate your business strategy and priorities into Bandwidth Management policies. For example, you can assign high priority to mission-critical applications such as ERP and CRM, while limiting the bandwidth consumption of non-business applications like KAZAA and e-donkey.

The explosion in the number of application-level attacks that tunnel their way into organizations' networks through firewalls causes severe losses by compromising the availability and performance of mission-critical applications. The advanced Security modules constitute an integral part of the LinkProof intelligent application switching process, providing protection against various attacks, worms and viruses.

Health Monitoring

The Health Monitoring module constantly checks the health of the entire transaction path. This includes the availability of all the network elements required for successful transaction completion, such as routers, servers, applications, and so on. The Health Monitoring module gives you the flexibility to create any type of Layer 2 to Layer 7 health check on any network element. The wide variety of predefined health checks makes it easy to customize them to the requirements of your network.

Traffic Redirection

The Traffic Redirection module provides Layer 4 to Layer 7 switching capability. This module performs server selection in a local farm on the basis of availability, load and content considerations. To select a server within a local farm, LinkProof uses various dispatch algorithms based on the traffic load of the servers and the available server resources. When required, you can define server persistency; in that case all sessions with the same predefined characteristics are forwarded to the same server.
A variety of traffic settings available in the Traffic Redirection module allows you to optimize the process according to the conditions of your network environment and to maximize utilization of the existing resources. With Traffic Redirection, you can add network elements without any service interruption and in that manner achieve transparent scalability.

Bandwidth Management

The Bandwidth Management module gives administrators full control over their available bandwidth. Using the Bandwidth Management module, Radware devices can classify traffic that passes through them according to predefined criteria and enforce a set of actions on that traffic. Bandwidth Management enables you to differentiate or classify user traffic according to a wide array of criteria and then apply to each classified packet or session the user-defined action: either block the traffic or shape it. For example, bandwidth management allows you to give HTTP traffic a higher priority than SMTP traffic, which in turn may have a higher priority than FTP traffic. At the same time, the device can track the actual bandwidth used by each application and set limits on how much each classified traffic pattern can use; see Bandwidth Management, page 335.

Security

The Security modules detect, block and prevent application attacks, thereby protecting against viruses, worms, DoS and intrusions for immediate high-capacity application security. These modules provide secure Internet connectivity with high performance, while maintaining the legitimate traffic of end users and customers. Using the Security modules, LinkProof performs deep packet inspection at multi-Gigabit speed to provide security from the network layer up to the application layer; see Security, page 231. The multi-layer security approach combines a set of security services for attack detection with advanced mitigation tools, such as:
• Application Security
• DoS Shield
• SYN Flood Protection
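The mechanisms described under LinkProof Main Concepts (farms, dynamic and static NAT, proximity, DNS load balancing) and the persistence described under Traffic Redirection can be pictured in a small simulation. The following Python program is an added example written for this edition of the text; it is not Radware code, and the link names, the TEST-NET addresses, the proximity figures and the selection rules (lowest measured RTT, otherwise least relative load) are my assumptions:

```python
"""Toy model of the multi-homing behaviour described in LinkProof Main Concepts
and Traffic Redirection: pick an ISP link per new outbound session, NAT the
source address from that link's pool so replies return over the same link, keep
the session on that link (persistence), and answer DNS queries with the static
NAT address of the best healthy link only. Added example: link names, addresses
(TEST-NET ranges) and selection rules are assumptions, not Radware's code."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str                      # ISP / access router (constructed names)
    router: str                    # next-hop router address
    nat_pool: list[str]            # dynamic NAT addresses assigned by this ISP
    static_nat: str                # static NAT address for the internal web server
    capacity_kbps: int
    load_kbps: int = 0
    healthy: bool = True           # set by health monitoring
    proximity_ms: dict[str, float] = field(default_factory=dict)  # RTT per remote host


@dataclass
class Session:
    link: str
    nat_src: str


class MultihomingLB:
    def __init__(self, links: list[Link]) -> None:
        self.links = {l.name: l for l in links}
        self.sessions: dict[tuple[str, str, int], Session] = {}
        self._rr = 0               # round-robin index into a link's NAT pool

    def _healthy(self) -> list[Link]:
        return [l for l in self.links.values() if l.healthy]

    def select_link(self, remote: str) -> Link:
        """Proximity first (lowest measured RTT); otherwise the least loaded link."""
        cands = self._healthy()
        if not cands:
            raise RuntimeError("no healthy ISP link")
        measured = [l for l in cands if remote in l.proximity_ms]
        if measured:
            return min(measured, key=lambda l: l.proximity_ms[remote])
        return min(cands, key=lambda l: l.load_kbps / l.capacity_kbps)

    def outbound(self, src: str, dst: str, dport: int, kbps: int = 0) -> Session:
        key = (src, dst, dport)
        if key in self.sessions:   # persistence: every packet of the session, same link
            return self.sessions[key]
        link = self.select_link(dst)
        nat_src = link.nat_pool[self._rr % len(link.nat_pool)]  # dynamic NAT from that ISP
        self._rr += 1
        link.load_kbps += kbps
        self.sessions[key] = Session(link.name, nat_src)
        return self.sessions[key]

    def dns_answer(self, client: str) -> str | None:
        """Authoritative reply: static NAT address behind the best healthy link for
        this client; an address behind a failed link is never advertised."""
        cands = self._healthy()
        if not cands:
            return None
        best = min(cands, key=lambda l: (l.proximity_ms.get(client, float("inf")),
                                         l.load_kbps / l.capacity_kbps))
        return best.static_nat

    def link_failed(self, name: str) -> None:
        """Health monitoring marks the link down; its sessions are re-dispatched."""
        self.links[name].healthy = False
        self.sessions = {k: s for k, s in self.sessions.items() if s.link != name}


def demo() -> dict:
    """Constructed scenario with two ISP links and measured proximity figures."""
    lb = MultihomingLB([
        Link("isp-a", "203.0.113.1", ["203.0.113.10", "203.0.113.11"], "203.0.113.80",
             10_000, proximity_ms={"198.51.100.5": 12.0, "198.51.100.99": 40.0}),
        Link("isp-b", "192.0.2.1", ["192.0.2.10"], "192.0.2.80",
             10_000, proximity_ms={"198.51.100.5": 30.0, "198.51.100.99": 15.0}),
    ])
    s1 = lb.outbound("10.0.0.7", "198.51.100.5", 443, kbps=500)
    s1_again = lb.outbound("10.0.0.7", "198.51.100.5", 443)
    s2 = lb.outbound("10.0.0.8", "198.51.100.99", 80, kbps=500)
    dns_before = lb.dns_answer("198.51.100.99")
    lb.link_failed("isp-b")                 # health check declares ISP B down
    dns_after = lb.dns_answer("198.51.100.99")
    s2_after = lb.outbound("10.0.0.8", "198.51.100.99", 80)
    return {"s1": (s1.link, s1.nat_src), "persistent": s1 is s1_again,
            "s2": (s2.link, s2.nat_src), "dns_before": dns_before,
            "dns_after": dns_after, "s2_after": (s2_after.link, s2_after.nat_src)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the block shows the first session pinned to isp-a with a source address from isp-a's own pool, the second session pinned to isp-b, and, once isp-b is declared down, the DNS answer switching to the static NAT address behind isp-a while the re-dispatched session also moves to isp-a; nothing behind the failed link is returned to any client.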
Management Tools

All network elements can be managed and monitored by the network management system, APSolute Insite, which allows you to manage your network using a user-friendly GUI. APSolute Insite provides you with a comprehensive perspective for configuring the Intelligent Application Switching (IAS) environment by managing the site through a graphical representation. Once the site configuration appears in graphic form, configuration is significantly more intuitive and the relationships between IAS devices and related network elements can be understood with ease. Connecting elements through the site map relieves administrators from having to set the parameters of related network elements, for example firewalls and other security devices, more than once when a new device is connected to the same network elements.

In addition to APSolute Insite, which allows you to manage the entire network, you can control a single LinkProof device using:
• Web Based Management (WBM), using HTTP or HTTPS.
• Command Line Interface (CLI), using Telnet, SSH or console access.

Chapter 2 - Device Management

This chapter explains the LinkProof management and maintenance processes. It describes the management interfaces and methods by which LinkProof devices are accessed, configured and operated. The maintenance procedures presented here include information about upgrading and tuning LinkProof devices. Also provided in this chapter is an explanation of the system notifications regarding possible system failures.
This chapter includes the following sections:
• Configuring Device IP Host Parameters, page 25
• Device Configuration Options, page 28
• Device Security, page 45
• Version Management and Device Upgrading, page 48
• Device Tuning, page 56
• Device Notifications, page 65
• Utilities, page 66

Configuring Device IP Host Parameters

This section explains how to establish a connection with the device, as well as how to erase the configuration file. This section includes the following topics:
• Device IP Host Parameters Introduction, page 25
• Erasing the Configuration file, page 28

Device IP Host Parameters Introduction

The Device IP host parameters enable you to establish communication with the device via:
• Web Based Management
• SNMP (Simple Network Management Protocol)
• Network Management Station (NMS)
• Telnet
• SSH Client

To manually configure the device's IP host parameters for the first time on the Application Switch I and Application Switch II platforms:

1. Connect the serial console to the device. Open a terminal emulation program with the following parameters:
   Bits per second: 19200
   Data bits: 8
   Parity: None
   Stop bits: 1
   Flow Control: None
2. Ensure that the ASCII terminal is connected to the device.
3. Turn on the power to the device. After the boot process is complete, the startup menu appears. Select the @ symbol to access the Startup Configuration window, shown below in Table 1 on page 26.
Table 1: Startup Configuration

 #   Description                  Enable
 0   IP Address
 1   IP subnet mask
 2   Port number
 3   Default router IP address
 4   RIP version (0,1,2)          [0]
 5   Enable OSPF                  (y/n) [n]
 6   OSPF area ID
 7   User Name
 8   User Password
 9   Enable Web Access            (y/n) [n]
 10  Enable Secure Web Access     (y/n) [n]
 11  Enable Telnet Access         (y/n) [n]
 12  Enable SSH Access            (y/n) [n]
 13  SNMP Configuration

Table 2: SNMP Startup Configuration

 #   Description                  Enable
 0   Supported SNMP versions      [1 2 3]
 1   Community                    [Public]
 2   SNMP Root User
 3   Privacy Protocol             (NONE/DES) [NONE]
 4   Privacy Password
 5   Authentication Protocol      (NONE/SHA/MD5) [NONE]
 6   Authentication Password
 7   NMS IP Address
 8   Configuration File Name

4. Enter the number of the parameter for which you want to define a value.
5. Enter the parameter value and press Enter. The value of the parameter is displayed on the screen. If you do not need to access this command line, the Startup Configuration window is displayed automatically.

Startup Configuration Parameter List

The following list defines the parameters in the Startup Configuration window:
— IP Address: The IP address of the interface is the only mandatory parameter. This address is used to access the device.
— IP Subnet Mask: The IP subnet mask of the device. The default value of this parameter is the mask of the IP address class.
— Port Number: The device port on which the IP interface is defined. The default value is 1.
— Default Router IP Address: The IP address of the router through which the NMS can be reached. The default value for this parameter is 0.0.0.0, which means that no default router is configured.
— RIP Version: The RIP version used by the network router. The default value for this parameter is: disabled.
— OSPF Enable: This parameter enables or disables the OSPF protocol. The default value is: disabled.
— OSPF Area ID: When the OSPF protocol is enabled, you can enter an area ID other than the default value.
Enter an ID in the form of an IP address. The default value is 0.0.0.0.
— User Name: A user name that is added to the Users Table. The default user name is ‘radware’.
— User Password: The password used to access the device remotely using WBM, Telnet or SSH. The default password is ‘radware’.
— Web Access: Indicates whether Web access to the device is enabled. The default is No.
— Secure Web Access: Indicates whether Secure Web access to the device is enabled. The default is No.
— Telnet Access: Indicates whether Telnet access to the device is enabled. The default is No.
— SSH Access: Indicates whether SSH access to the device is enabled. The default is No.
— SNMP Configuration: Enters the SNMP Configuration sub-menu.

SNMP Startup Configuration Parameter List

The following list defines the SNMP Startup Configuration parameters:
• Supported SNMP Versions: Indicates which versions of the SNMP protocol are supported by the device. The default value is 1&2&3. Possible values: 1, 2, 3, 1,2, 1,3 or 2,3.
• Community Name: The device community name. Enter the selected community name. The default community name is public.
• SNMP Root User: Defines the user for SNMPv3. The default value is "radware".
• Privacy Protocol: Indicates whether privacy is enabled or disabled. Possible values: NONE or DES. The default value is "NONE".
• Privacy Password: Defines the privacy password for the SNMPv3 user. Default: no password.
• Authentication Protocol: Defines whether to use authentication, and the authentication protocol. Must be used in conjunction with privacy. Default value: "NONE". Possible values: "NONE", "SHA" or "MD5".
• Authentication Password: Defines the password for SNMPv3 authentication. Default: no password.
• NMS IP address: The required NMS IP address. Enter a value if you need to limit the device to a single specified NMS. The default value is 0.0.0.0 (any NMS).
• Configuration File Name: The name of the file, in the format required by the server, which contains the configuration. Select this parameter when you want to download a configuration file from the NMS. The file must be located on the NMS, and the NMS must be located on a TFTP server. When you exit the Startup Configuration window, the device loads the configuration file from the NMS, resets and starts operating with the new configuration. The default value is: no name.

Notes:
i  The device enters a default value for the incomplete parameters, with the exception of the IP Address, which is mandatory. A validity check of all the parameters is then performed.
ii An initial default configuration is provided. When a device boots up for the first time, if the Startup Configuration is not used for 30 seconds, and a bootup server is not found within another 30 seconds, default settings are assigned to the device. The initial default configuration consists of a private IP address (192.168.1.1), a subnet mask (255.255.255.0) on port 1, an NMS IP address of 0.0.0.0 (allowing any station to manage the device using SNMP), a community string of public, and Telnet, SSH, SSL and WBM enabled with a default user of radware and password radware.

Erasing the Configuration File

You may need to erase the configuration in order to restore the factory defaults.

To erase the configuration file:

1. Reboot the device and press any key to stop the auto-boot process.

   CPU: RadWare BOOMER - MPC740/750
   DRAM size: 128M
   Flash size: 16M
   BSP version: 5.33
   Creation date: Jan 30 2005, 12:49:26
   Press any key to stop auto-boot...

2. To erase the configuration file, enter "q0" and press Enter, and then enter "q1".
3. Press "@" to reboot the device.

Device Configuration Options

This section describes the management interfaces and methods for LinkProof device configuration and permissions. This section includes the following topics:

• Management Interfaces, page 29
• Configuring SNMP, page 29
• Telnet and SSH, page 41
• Ping Physical Port Permissions, page 43
• APSolute Insite, page 43
• Command Line Interface, page 43
• Web Based Management, page 45

Management Interfaces

APSolute Insite is the main management interface for all Radware products. Additional management interfaces that allow you to configure and operate Radware devices include:

• Web Based Management (WBM)
• Command Line Interface (CLI)

You can connect a LinkProof device to the management interfaces through a physical network interface or through the serial port. LinkProof supports the following port types:

• Network connection: SNMP, HTTP, HTTPS, Telnet, SSH.
• Serial port connection: RS-232 up to 115 Kbps (default is 19.2 Kbps).

The following table lists the LinkProof physical interfaces and the management interfaces each one supports:

 Port          APSolute Insite   Web Based Management   Command Line Interface
 SNMP V1, V3   +
 HTTP                            +
 Secure Web                      +
 Telnet                                                 +
 SSH                                                    +
 RS-232                                                 +

Configuring SNMP

The Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the exchange of management information between network devices. SNMP is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. Radware devices work with SNMPv1, SNMPv2 and SNMPv3.

Network management systems contain two primary elements: managers and agents. The manager is the console through which the network administrator performs network management functions. Agents are the entities that interface to the actual device being managed, allowing objects in the device to be changed or retrieved. These objects are arranged in what is referred to as a management information base (MIB). SNMP is the protocol that allows managers and agents to communicate for the purpose of accessing these objects.

This section explains how to configure SNMP on LinkProof. Configuration examples for SNMP versions 1, 2 and 3 are included.
SNMPv3 is composed of two layers of communication between the manager and the agent:

• User Security Model (USM), which provides secure communication, including message integrity and privacy.
• View-Based Access Control Model (VACM), which provides granular access permissions. For example, a user can have write access to limited portions of the MIB, and read access to wider portions.

Note: By default, APSolute Insite connects to the LinkProof device using SNMPv1.

To connect to the device using SNMPv3:

1. From the main toolbar, click + and select LinkProof. The LinkProof icon appears on the map.
2. Double-click the LinkProof icon. The Connect LP to Device window appears.
3. In the Connect LP to Device window, type the Device IP Address and select the SNMPv3 check box. The SNMPv3 pane opens.
4. Set the Authentication and Privacy parameters as defined in the Users Table, see Defining SNMP Users, page 30.
5. Click Ok. The LinkProof device is connected using SNMPv3.

To view the SNMP parameters:

1. From the main window, select General > Device Permissions. The Device Permissions window appears.
2. From the Device Permissions window, click the SNMP tab. The SNMP pane appears, displaying the current permissions.

Defining SNMP Users

With SNMPv3 user-based management, each user can have different permissions based on the user name and connection method. You can create a new user by cloning the definitions of one of the existing users. In the User Based Security Model window, you can define the users who can connect to the device and store the access parameters for each SNMP user.

To define a new SNMP user:

1. From the main window, select Device > Device Permissions. The Device Permissions window appears.
2. In the Device Permissions window, click the SNMP tab. The SNMP pane appears, displaying the current permissions.
3. From the SNMP pane, click Users. The User Based Security Model window appears.
4. From the User Based Security Model window, click Add, and set the following parameters according to the explanations provided:

   Clone From User: Select the existing user from which you want to clone the definitions.
   User Name: Type the name of the new user, up to 18 characters.
   Authentication Protocol: Type the protocol to be used during the authentication process. Default: None, meaning that clear text is used during the session. Possible values are MD5 and SHA.
   Authentication Password: Type the password to be used during the authentication process.
   User Privacy Protocol: Type the algorithm to be used for encryption. Default: None, which means that the data is not encrypted. Possible value is DES.
   Privacy Password: Type the password required to use privacy.

   Notes:
   i  Privacy is only supported in conjunction with authentication.
   ii The User Name parameter is also called Security Name.

5. Click Ok to apply the Setup and exit the window. A new user is defined for access to SNMP.

Note: The configuration file of a device that contains SNMPv3 users with authentication can only be used by the specific device on which the users were configured. When exporting the configuration file to another device, the passwords need to be re-entered, since passwords of SNMPv3 users cannot be exported from one device to another. Therefore there must be at least one user in the device's user table (to be able to change the passwords) in case the configuration file is uploaded to another device. Note that this is according to the SNMPv3 RFC.

SNMP - VACM Edit Security to Group

SNMPv3 permissions are defined for groups of users. When the same user needs different permissions depending on the connection method, the same user can be associated with more than one group.
For example, if user A connects to a Radware device using SNMPv3 with authentication and privacy, the user gets Read-Write permissions, while if the same user A connects to a Radware device with authentication and without privacy (data is not encrypted), then this user gets Read-Only permissions.

You can associate users with groups listed in the VACM Edit Security to Group window. Access rights are defined for groups of users.

To configure VACM Edit Security to Group:

1. From the main window, select Device > Device Permissions. The Device Permissions window appears.
2. In the Device Permissions window, select the SNMP tab. The SNMP pane appears.
3. In the SNMP pane, click Add. The VACM Edit Security Name to Group window appears.
4. In the VACM Edit Security Name to Group window, set the following parameters according to the explanations provided:

   Table 3: VACM Edit Security Name to Group parameters

   Security Model: Select the SNMP version to be associated with this group. Possible values: SNMPv1, SNMPv2 or User Based (SNMPv3).
   Security Name: Select a relevant security name, that is, the name as defined in the Users Table.
   Group Name: Select a name from the list of all the available group names.

5. Click Ok to save the Setup and to exit the window.

VACM - MIB View

The View Table defines subtrees of the MIB tree. These views are used to allow Read-Write access based on the MIB tree. The same Family View Name can be used for multiple entries to allow maximum flexibility; each entry can include or exclude parts of the entire MIB tree. For example, you can grant Read access to all MIBs starting with 1.3.6.1 but not to MIBs that start with 1.3.6.1.2, and yet give access to MIBs that start with 1.3.6.1.2.1 and 1.3.6.1.5.

To set the parameters of the VACM MIB Tree:

1. From the main window, select Device > Device Permissions. The Device Permissions window appears.
2. In the Device Permissions window, select the SNMP tab. The SNMP pane appears.
3. In the SNMP pane, click Access. The VACM Group Access window appears.
4. In the VACM Group Access window, click View. The VACM MIB View window appears.
5. In the VACM MIB View window, set the following parameters according to the explanations provided:

   Family View Name: Type the name of this entry as explained above.
   Family Subtree: Type the object ID of the MIB subtree.
   Type: Define whether the object of this entry is included in or excluded from the MIB view.

6. Click Update to apply the Setup and click Ok to exit the window.

SNMP - Access

The Access Table binds the groups, views and security models. This is the table that grants permissions to the groups, based on the SNMP version. You can define the access rights for each group and Security Model in the VACM Group Access window. The range of objects which can be accessed for a read, write or notify action is specified through the Read View Name, Write View Name and Notify View Name parameters and depends on the defined Security Model. The Read, Write and Notify permissions are configured for Family View names, which are defined in the VACM - MIB View window, see VACM - MIB View, page 32.

To set the parameters of the SNMP Access Table:

1. From the main window, select Device > Device Permissions. The Device Permissions window appears.
2. From the Device Permissions window, select the SNMP tab. The SNMP pane appears.
3. In the SNMP pane, click Access. The VACM Group Access window appears.
4. In the VACM Group Access window, click Add. The VACM Edit Group Access window appears.
5. In the VACM Edit Group Access window, set the following parameters according to the explanations provided:

   Group Name: Type the name of your group.
   Security Model: Select the SNMP version that represents the required Security Model. The security models are predefined sets of permissions that can be used by the groups. These sets are defined according to the SNMP versions. By selecting the SNMP version for this parameter, you determine the permission set to be used. Possible values: SNMPv1, SNMPv2 or User Based (SNMPv3).
   Security Level: Select the security level:
   • No Authentication: No authentication or privacy is required.
   • Auth Not Private: Authentication is required, but privacy is not required.
   • Auth Private: Both authentication and privacy are required.
   Default: No Authentication.
   Read View Name: Select an item from the list of all the available views configured in the VACM - MIB View window, to provide Read access to the Object IDs specified in the selected view.
   Write View Name: Select an item from the list of all the available views configured in the VACM - MIB View window, to provide Write access to the Object IDs specified in the selected view.
   Notify View Name: Select an item from the list of all the available views configured in the VACM - MIB View window, to provide Notify access to the Object IDs specified in the selected view.

6. Click Ok to save the Setup and exit the window.

SNMP - Target Address

In SNMPv3, this table contains the transport addresses to be used in the generation of traps. If the tag list of an entry contains a tag from the SNMP Notify Table, this target is selected for reception of notifications. For SNMP versions 1 and 2, this table is used to restrict the range of addresses from which SNMP requests are accepted. If the Transport Tag of an entry in the Community Table is not empty, it must be included in one or more entries in the Target Address Table.

To add a new SNMP Target Address:

1. From the main window, select Device > Device Permissions. The Device Permissions window appears.
2. In the Device Permissions window, select SNMP. The SNMP pane appears.
3. In the SNMP pane, click Targets. The Target Address window appears.
4. In the Target Address window, click Add. The Edit Target Address window appears.
5. In the Edit Target Address window, set the following parameters according to the explanations provided:

   Name: Type the name of this entry.
   Target Address: Type the IP address of the management station that is used:
   • To provide access to the specified IP address only
   • To send SNMP traps to that IP address.
   Target Port: Type the number of the Target Port. The TCP port to be used: 161 for SNMP Access and 162 for SNMP Traps. Default: 162.
   Tag List: A list of tags separated by spaces. This tag must be the same tag as the Community Transport Tag in the Community Table. Default: v3Traps.
   Parameters: The name of the entry in the Parameters Table to be used when sending SNMP Traps.

6. Click Ok to save the Setup and to exit the window.

Tip: The SNMP Target Address window also allows you to access the SNMP Target Parameters window, see SNMP - Target Parameters, page 34.

SNMP - Target Parameters

The Target Parameters table contains the parameters to be used in generating a message. Entries in this table are referenced in the Target Address table.

To set the Target Parameters:

1. From the main window, select Device > Device Permissions. The Device Permissions window appears.
2. In the Device Permissions window, click SNMP. The SNMP pane appears.
3. From the SNMP pane, click Targets. The Target Address window appears.
4. In the Target Address window, click Parameters. The Target Parameters window appears.
5. In the Target Parameters window, click Add. The Edit Target Parameters window appears.
6. In the Edit Target Parameters window, set the following parameters according to the explanations provided:

   Name: Name of the new parameter entry for the Target Address.
   Message Processing Model: Select the model from: SNMP Ver 1; SNMP Ver 2c; SNMP Ver 3.
   Security Model: Select the security model as explained under Security Model, page 33. Possible values: SNMP Ver 1; SNMP Ver 2c; User Based.
   Security Name: Type the security name of the user.
   Security Level: Select the security level:
   • No Authentication: No authentication or privacy is required.
   • Auth Not Private: Authentication is required, but privacy is not required.
   • Auth Private: Both authentication and privacy are required.
   Default: No Authentication.

7. Click Ok to save the Setup and click Ok to exit the Target Parameters and Target Address windows.

SNMP - Community Table

The purpose of the Community Table is to allow backwards compatibility with SNMPv1 and SNMPv2. The Community Table maps community strings to users. Once a user is connected to a Radware device with SNMPv1 or SNMPv2, the device checks the Community String sent in the SNMP packet. Based on the Community String, the device maps the Community String to a pre-defined user, which belongs to a group with certain access rights. Therefore, when working with SNMPv1 or SNMPv2, users, groups and access must be defined as well.

Note: The SNMP Community Table is used only for SNMPv1 and SNMPv2.

To configure the SNMP Community Table:

1. From the main window, select Device > Device Permissions. The Device Permissions window appears.
2. In the Device Permissions window, select SNMP. The SNMP pane appears.
3. In the SNMP pane, click Community. The Community window appears.
4. In the Community window, click Add and set the following parameters according to the explanations provided:

   Index: Type a descriptive name for this entry.
   Community Name: Type the community string.
   Security Name: Type the user name associated with the community string.
   Community Transport Tag: This string specifies a set of target addresses from which the SNMP agent accepts SNMP requests and to which traps may be sent. The target addresses identified by this tag are defined in the Target Address Table, see SNMP - Target Address, page 33. If this string is empty, addresses are not checked when an SNMP request is received or when a trap is sent.
   If this string is not empty, the transport tag must be contained in the value of the Tag List parameter of at least one entry in the Target Address Table.

5. Click Ok to save the Setup and to exit the window.

SNMP - Notify Table

Using the SNMP Notify Table, you can select the management targets that receive notifications, including the type of notification to be sent to each selected management target. The Tag parameter contains a string that is used to select entries in the Target Address table, see SNMP - Target Address, page 33. An entry in the Target Address table whose tag list contains the tag of one or more entries of the Notify Table is selected for reception of notifications.

To set the notifications for the Target Address:

1. From the main window, select Device > Device Permissions and, from the Device Permissions window, click SNMP. The SNMP pane appears.
2. In the SNMP pane, click Targets. The Target Address window appears.
3. In the Target Address window, click Notify. The Notify Table window appears.
4. In the Notify Table window, click Add. The Edit Notify Table window appears.
5. In the Edit Notify Table window, set the following parameters according to the explanations provided:

   Name: Type the name of the entry.
   Tag: This string selects one or more entries in the Target Address table. All entries in that table whose tag list contains this tag are selected for reception of notifications.
   Type: Select the type of notification, for example trap.

6. Click Ok to apply the Setup and click Ok twice more to exit the Notify Table window and the Target Address window.

Example: SNMPv3 Access to the Device with Authentication and Privacy

The following example shows how to configure a Radware device to allow access using only SNMPv3, with MD5 as the authentication protocol and DES as the privacy protocol. Since a user with limited access privileges cannot create a user with unlimited access, the first user must be created via the CLI or WBM.
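To make the relationships between the tables described above concrete (Security to Group, Group Access, MIB View, Community and Target Address), the following Python model shows the lookup an agent performs for one request. It is an added example written for this guide, not Radware code: it implements the most-specific-subtree rule for views and the minimum-security-level match for Access entries as RFC 3415 defines them, with exact security-model matching only. The table contents are constructed to mirror the "admin" and "admins" groups of the examples that follow in this section and the include/exclude view described under VACM - MIB View; the management-station address 192.0.2.10 and the transport tag "nms" are constructed values.

```python
"""Model of the SNMP VACM/Community lookup described in this section.
Added example (not Radware code); table contents are constructed to mirror
the worked examples later in this section."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Guide names: No Authentication / Auth Not Private / Auth Private.
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


@dataclass
class ViewEntry:
    subtree: str        # Family Subtree, e.g. "1.3.6.1.2"
    included: bool      # Type: include (True) or exclude (False)


@dataclass
class AccessEntry:
    group: str
    model: str          # "SNMPv1", "SNMPv2c" or "USM"
    level: str          # minimum security level the session must present
    read_view: Optional[str]
    write_view: Optional[str]
    notify_view: Optional[str]


@dataclass
class Community:
    security_name: str
    transport_tag: str = ""     # empty: source address is not checked


@dataclass
class Target:
    address: str
    tags: FrozenSet[str]        # Tag List of the Target Address entry


@dataclass
class Tables:
    views: Dict[str, List[ViewEntry]]               # Family View Name -> entries
    security_to_group: Dict[Tuple[str, str], str]   # (model, security name) -> group
    access: List[AccessEntry]
    communities: Dict[str, Community]               # community string -> entry
    targets: List[Target]


def oid_in_view(views, view_name, oid):
    """An OID is visible if the most specific matching subtree is included."""
    if view_name is None:
        return False
    best = None
    for e in views.get(view_name, []):
        if oid == e.subtree or oid.startswith(e.subtree + "."):
            if best is None or e.subtree.count(".") > best.subtree.count("."):
                best = e
    return best is not None and best.included


def group_access(tables, group, model, level):
    """Access entry for the group/model whose minimum level the session meets;
    if several qualify, the one with the highest minimum level wins."""
    best = None
    for e in tables.access:
        if e.group == group and e.model == model and LEVELS[e.level] <= LEVELS[level]:
            if best is None or LEVELS[e.level] > LEVELS[best.level]:
                best = e
    return best


def source_allowed(tables, community, source_ip):
    """Community Transport Tag check for SNMPv1/v2c requests."""
    if not community.transport_tag:
        return True
    return any(t.address == source_ip and community.transport_tag in t.tags
               for t in tables.targets)


def decide(tables, model, oid, op, community=None, source_ip=None,
           security_name=None, level="noAuthNoPriv"):
    """True if a read/write/notify of `oid` is permitted for this session."""
    if model in ("SNMPv1", "SNMPv2c"):
        c = tables.communities.get(community)
        if c is None or not source_allowed(tables, c, source_ip):
            return False
        security_name, level = c.security_name, "noAuthNoPriv"
    group = tables.security_to_group.get((model, security_name))
    if group is None:
        return False
    acc = group_access(tables, group, model, level)
    if acc is None:
        return False
    view = {"read": acc.read_view, "write": acc.write_view,
            "notify": acc.notify_view}[op]
    return oid_in_view(tables.views, view, oid)


def example_tables():
    """Constructed tables: the 'admin'/'admins' groups from the examples in this
    section, plus the include/exclude view from the VACM - MIB View section."""
    return Tables(
        views={"iso": [ViewEntry("1", True)],
               "limited": [ViewEntry("1.3.6.1", True), ViewEntry("1.3.6.1.2", False),
                           ViewEntry("1.3.6.1.2.1", True), ViewEntry("1.3.6.1.5", True)]},
        security_to_group={("USM", "administrator"): "admin",
                           ("SNMPv1", "administrator"): "admins"},
        access=[AccessEntry("admin", "USM", "authPriv", "iso", "iso", "iso"),
                AccessEntry("admins", "SNMPv1", "noAuthNoPriv", "iso", None, "iso")],
        communities={"password": Community("administrator", "nms")},
        targets=[Target("192.0.2.10", frozenset({"nms"}))],  # constructed NMS address
    )
```

With these tables, an SNMPv3 session for administrator at Auth Private can write anywhere under iso, the same user at Auth Not Private is refused entirely (no Access entry with a low enough minimum level), and an SNMPv1 request with community "password" is accepted only from 192.0.2.10 and only for reads, because the admins group has no Write View. The "limited" view shows the subtree rule from the VACM - MIB View text: 1.3.6.1.2.5 is hidden by the 1.3.6.1.2 exclusion, while 1.3.6.1.2.1 and 1.3.6.1.5 remain visible.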
Configuration:

1. From Web Based Management, select Security > SNMP > User Table and create a new entry by configuring the following parameters according to the explanations provided:

   User Name: administrator
   Authentication Protocol: MD5
   Authentication Password: password
   Privacy Protocol: DES
   Privacy Password: password

2. Open APSolute Insite.
3. From the LinkProof main toolbar, click Add and select LinkProof. The LinkProof icon appears on the map.
4. Double-click the LinkProof icon. The Connect LP to Device window appears.
5. In the Connect LP to Device window, type the Device IP Address and select the SNMPv3 check box. The SNMPv3 pane opens.
6. The pre-configured User Name for SNMPv3 is "radware". When connecting using this User Name, neither Authentication nor Privacy is required.
7. Click Ok. The device is connected using SNMPv3.
8. From the main menu, select Device > Device Permissions. The Device Permissions window appears.
9. In the Device Permissions window, click SNMP. The SNMP pane appears, containing the following configuration options: Targets, Views, Users, Community, Access.
10. In the SNMP pane, click Access. The VACM Group Access window appears.
11. In the VACM Group Access window, click Add, and set the following parameters according to the explanations provided:

   Group Name: admin
   Security Model: USM
   Security Level: AuthPrivate
   Read View Name: iso
   Write View Name: iso
   Notify View Name: iso

12. Click Ok and Ok again.
13. To associate the user administrator with the admin group, from the SNMP pane, click Add. The VACM - Edit Security Name To Group window appears.
14. In the VACM - Edit Security Name to Group window, set the following parameters according to the explanations provided:

   Security Model: USM
   Security Name: administrator
   Group Name: admin

15. Click Ok and Ok again to close all the windows.
16. Reconnect to the device using SNMPv3, User Name "admin" and Password "password" for both the Authentication and Privacy protocols.

— To create additional users with the same access rights, open the Users window and add a new user. The new user can be cloned from the existing logged-in user or from a different user, see Defining SNMP Users, page 30.
— To associate a new user with a group, from the SNMP window, click Add and associate the new user with its group.
— To restrict SNMPv1 and SNMPv2 access to the device, remove the "public" community entry from the Community window, see SNMP - Community Table, page 35.

Example: Configuring Read-Only Permissions for SNMPv1 and Full Access for SNMPv3

This example shows how to allow SNMPv1 access to the device by adding an entry in the Community Table, building on the configuration of the example SNMPv3 Access to the Device with Authentication and Privacy, page 36.

Configuration:

1. From the LinkProof main toolbar, click + and select LinkProof. The LinkProof icon appears on the map.
2. Double-click the LinkProof icon. The Connect LP to Device window appears.
3. In the Connect LP to Device window, type the Device IP Address and select the SNMPv3 check box. The SNMPv3 pane opens.
4. Define the SNMPv3 parameters as explained in the previous example, see SNMPv3 Access to the Device with Authentication and Privacy, page 36.
5. Click Ok. The device is connected using SNMPv3.
6. From the main menu, select Device > Device Permissions. The Device Permissions window appears.
7. In the Device Permissions window, click SNMP. The SNMP pane appears, containing the following configuration options: Targets, Views, Users, Community, Access. These options are explained throughout this configuration example.
8. In the SNMP pane, click Community. The Community window appears.
9. In the Community window, click Add, and set the following parameters according to the explanations provided:

   Index: SNMPv1 Access
   Community Name: password
   Security Name: administrator

10. Click Ok and Ok again to close the Community window.
11. In the SNMP window, click Access. The VACM Group Access window appears.
12. In the VACM Group Access window, click Add, and set the following parameters according to the explanations provided:

   Group Name: admins
   Security Model: SNMPv1
   Security Level: No Authentication
   Read View Name: iso
   Write View Name: None
   Notify View Name: iso

13. Click Ok and Ok again to return to the SNMP window.
14. To create a VACM entry for the user administrator and the Security Model SNMPv1, from the SNMP window, click Add. The VACM Edit Security To Group dialog box appears.

When an SNMPv1 session is initiated to the device with the community name "password", the device associates the user name "administrator" with the group "admins" based on the information from the VACM Edit Security To Group window. According to the settings of the VACM Group Access window, only Read permissions are set for the user administrator in SNMPv1.

Note: APSolute Insite supports only SNMPv3 and SNMPv1.

Example: Changing the Default Community Name When Using SNMPv1 and SNMPv2

According to the default configuration of the device, the default Community Name is "public". This example shows how to change the default Community Name from "public" to any other name.

Configuration:

1. From the main toolbar, click + and select LinkProof. The LinkProof icon appears on the map.
2. Double-click the LinkProof icon. The Connect LP to Device window appears.
3. In the Connect LP to Device window, type the Device IP Address, use the default Device Community Name and click Ok. The device is connected using SNMPv1.
4. From the main menu, select Device > Device Permissions. The Device Permissions window appears.
5. In the Device Permissions window, select SNMP. The SNMP pane appears.
6. In the SNMP pane, click Community. The Community window appears.
7. To add a new entry to the Community Table, from the Community window, click Add. The Edit Community window appears.
8. In the Edit Community window, set the following parameters for the new entry according to the explanations provided:

   Index: a descriptive text
   Community Name: new_community
   Security Name: public

9. Click Ok and return to the main map.
10. Right-click the device icon and click Connect. The Connect LP to Device window appears.
11. In the Connect LP to Device window, type the new Community Name and click Ok.
12. Repeat steps 4-8, and this time delete the old public entry from the Community Table.

Example: Allowing SNMPv1 and SNMPv2 Access to Predefined Management Stations

This example shows how to restrict management access to a Radware device for SNMPv1 and SNMPv2, allowing only the predefined Network Management Stations to access the device.

Configuration:

1. From the main toolbar, click + and select LinkProof. The LinkProof icon appears on the map.
2. Double-click the LinkProof icon. The Connect LP to Device window appears.
3. In the Connect LP to Device window, type the Device IP Address, use the default Device Community Name and click Ok. The device is connected using SNMPv1.
4. From the main menu, select Device > Device Permissions. The Device Permissions window appears.
5. In the Device Permissions window, click the SNMP tab. The SNMP pane appears.
6. In the SNMP pane, click Community. The Community window appears.
7. In the Community window, select the required entry and click Edit. The Edit Community window appears.
8. In the Edit Community window, in the Community Transport Tag text box, type "nms", then click Ok and Ok again to return to the SNMP window.
9. In the SNMP window, click Targets. The Target Address window appears.
10. In the Target Address window, click Notify. The Notify window appears.
11. From the Notify window, click Add. The Edit Notify Table window appears.
12. In the Edit Notify Table window, set the following parameters according to the explanations provided:

   Name: Type a descriptive name.
   Tag: nms
   Note: The value must be the same as the Community Transport Tag in the Community Table.

13. Click Ok and return to the Target window.
14. In the Target window, click Add to add a new entry to the table by setting the following parameters according to the explanations provided:

   Name: Type a descriptive name.
   Target Address: Type the IP address of the NMS.
   Target Port: 161
   Tag List: nms
   Parameters: public-v1

15. Click Ok to close the Target window.

Example: Sending Secured SNMP Traps to Specific Users

The following example shows how to configure a Radware device to send SNMP traps over a secure channel using SNMPv3. This example is based on the example SNMPv3 Access to the Device with Authentication and Privacy, page 36.

Configuration:

1. From the main toolbar, click + and select LinkProof. The LinkProof icon appears on the map.
2. Double-click the LinkProof icon. The Connect LP to Device window appears.
3. In the Connect LP to Device window, type the Device IP Address and select the SNMPv3 check box. The SNMPv3 pane opens.
4. In the User Name text box, type: administrator.
5. Click Ok. The device is connected using SNMPv3.
6. From the main menu, select Device > Device Permissions. The Device Permissions window appears.
7. In the Device Permissions window, select SNMP. The SNMP pane appears, containing the following configuration options: Targets, Views, Users, Community, Access.
8. In the SNMP pane, click Targets. The Target Address window appears.
9. In the Target Address window, click Parameters. The Target Parameters window appears.
10. In the Target Parameters window, click Add. The Edit Target Parameters window appears.
11. In the Edit Target Parameters window, set the following parameters according to the explanations provided:

   Name: Secure Traps
   Message Processing Model: SNMP Ver 3
   Security Model: User Based
   Security Name: Administrator
   Security Level: Auth Private

12. Click Ok twice, and return to the Target Address window.
13. In the Target Address window, click Add and set the following parameters according to the explanations provided:

   Name: Admins_NMS
   Target Address: 10.204.100.18
   Target Port: 162
   Tag List: V3Traps
   Parameters: Secure Traps

14. Click Ok to apply the Setup and Ok again to close all windows.
15. From the main menu, click Options > Events & Traps. The Traps and Events window appears.
16. Using an interface other than APSolute Insite (CLI or WBM), connect to the device. The Traps and Events window displays the SNMP traps that the device sends using SNMPv3 with Authentication and Privacy.

Telnet and SSH

Radware products support both Telnet and SSH management access.

Telnet is enabled from Device > Management Application > Telnet.
SSH is enabled from Device > Management Application > SSH.

You can specify the TCP port for Telnet and SSH management.

Note: LinkProof supports up to two simultaneous Telnet or SSH sessions.

Time-outs apply when logging into the CLI through Telnet and SSH. After establishing a CLI session with the device, the user name and password must be entered within 30 seconds. If 3 incorrect logins are entered, the terminal is locked for 10 minutes and no further logins are accepted from that IP address. Once a login is successful and fully completed, the CLI session closes after 5 minutes of idle time.
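The session rules just described (a 30-second window to enter credentials, lock-out of an IP address for 10 minutes after 3 incorrect logins, a 5-minute idle time-out and at most two simultaneous sessions) can be written down as a small state machine. The following Python sketch is an added example for this guide, not Radware code; timestamps are passed in by the caller so the rules can be exercised without waiting, and counting failed attempts per IP address across connections is an assumption, since the guide does not say how the counter is kept.

```python
"""Telnet/SSH login policy from this section, as a small state machine.
Added example (not Radware code). Timestamps are seconds and are supplied by
the caller so the rules can be exercised deterministically."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_SESSIONS = 2           # two simultaneous Telnet or SSH sessions
LOGIN_WINDOW = 30          # seconds to enter user name and password
MAX_FAILURES = 3           # incorrect logins before the lock-out
LOCKOUT_SECONDS = 10 * 60  # no further logins from that IP address
IDLE_TIMEOUT = 5 * 60      # idle time after which the CLI session closes


@dataclass
class Session:
    ip: str
    opened_at: float
    last_activity: float
    authenticated: bool = False


class LoginGuard:
    def __init__(self):
        self.failures: Dict[str, int] = {}        # assumption: counted per IP
        self.locked_until: Dict[str, float] = {}  # IP -> end of lock-out
        self.sessions: List[Session] = []

    def open(self, ip: str, now: float) -> Optional[Session]:
        """Accept a new connection unless the IP is locked or no slot is free."""
        self.expire(now)
        if self.locked_until.get(ip, 0.0) > now or len(self.sessions) >= MAX_SESSIONS:
            return None
        s = Session(ip, now, now)
        self.sessions.append(s)
        return s

    def login(self, s: Session, now: float, credentials_ok: bool) -> str:
        """Outcome of a login attempt: 'ok', 'denied', 'locked' or 'timeout'."""
        if now - s.opened_at > LOGIN_WINDOW:
            self.close(s)
            return "timeout"
        if credentials_ok:
            self.failures.pop(s.ip, None)
            s.authenticated, s.last_activity = True, now
            return "ok"
        count = self.failures.get(s.ip, 0) + 1
        if count >= MAX_FAILURES:
            self.failures.pop(s.ip, None)
            self.locked_until[s.ip] = now + LOCKOUT_SECONDS
            self.close(s)
            return "locked"
        self.failures[s.ip] = count
        return "denied"

    def activity(self, s: Session, now: float) -> None:
        """Record traffic on an established session (resets the idle timer)."""
        s.last_activity = now

    def expire(self, now: float) -> None:
        """Drop sessions past the login window or the idle time-out."""
        for s in list(self.sessions):
            limit = IDLE_TIMEOUT if s.authenticated else LOGIN_WINDOW
            if now - s.last_activity > limit:
                self.close(s)

    def close(self, s: Session) -> None:
        if s in self.sessions:
            self.sessions.remove(s)
```

The lock-out is keyed on the source address rather than the session, which is what makes the third failure matter even if the client reconnects; a monitoring system watching the device would expect the same address to go quiet for ten minutes after that point.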
Enabling Management Applications on Specific Physical Ports

The Enabling Telnet and Web Based Management on Specific Ports feature makes it possible to launch configuration tools such as SNMP-based applications, Telnet and Web Based Management only through those physical ports which are defined by the user. In the same manner, it is also possible to disable launching Telnet or WBM through specific ports.

To enable web-managed ports:

1. From the main window, select Device > Device Permissions > Management Settings. The Management Settings tab appears, showing the current device in the Device drop-down list.
2. From the Device drop-down list, select the device.
3. From the Management Ports drop-down list, select the required management application. Management applications are: SNMP; Telnet; SSH; Web; SSL. Default: SNMP; Enable All.
4. To select the specific physical ports for the application, check the ports you wish to enable or disable, or check Enable All or Disable All.
5. Click Apply to save the Setup. The window remains open.
6. To configure ports for another web management application, from the Management Ports parameter select the application and the active ports, as in steps 2 and 3.
7. Click Apply to save the Setup and Ok to exit the window.

Enabling Management Applications on Non-Standard TCP/UDP Ports

Management applications can be configured to use non-standard ports, for example port 8081, which is not the standard HTTP port.

Ping Physical Port Permissions

LinkProof allows you to define which physical interfaces can be pinged. When a ping is sent to an interface for which ping is not allowed, the packet is discarded. By default, all interfaces of the device allow ping.

To define the ports that can be pinged:

1. From the main toolbar, click the Panel View icon. The Front Panel view appears.
2. Right-click the port you wish to ping and, from the drop-down menu that appears, check the Ping Port State option.

APSolute Insite

APSolute Insite is the main management interface for all Radware devices. This application allows the system administrator to configure, modify and manage all types of Radware devices in an enterprise network. Rather than focusing on a single device, APSolute Insite presents the entire network configuration in a graphical format, with settings and configuration options organized in a logically related manner.

Notes:
i  For further information regarding APSolute Insite, refer to the APSolute Insite User Guide.
ii For an explanation of how to access statistics about device performance, and how to work with statistical graphs, refer to the APSolute Insite User Guide.

Command Line Interface

Access to the Command Line Interface (CLI) requires a serial cable and a terminal emulation application. Although each product has a slightly different list of commands, the majority of the available options are the same:

 bwm               Policy management and classification
 classes           Configures traffic attributes used for classification
 device            Device settings
 healthmonitoring  Advanced Health Monitoring
 help              Displays help for the specified command
 login             Login into the device
 logout            Logout of the device
 LinkProof         LinkProof parameters
 manage            Device management configuration
 net               Network configuration
 ping              Sends echo requests
 reboot            Reboot the device
 redundancy        Redundancy settings
 security          Security settings
 services          General networking services
 statistics        Device statistics configuration
 system            System parameters

CLI Supported Capabilities

Radware's Command Line Interface can be used through console access, Telnet or SSH. The CLI provides the following capabilities:

• Consistent, logically structured and intuitive command syntax.
• A system config command to view the current configuration of the device, formatted as CLI command lines.
• Pasting the output of system config, or part of it, to the CLI of another device, using the system config set command. This option can be used for easy configuration replication. Help and command completion keys. Command line editing keys. Command history. Configurable prompt. Configurable banner for Telnet and SSH. Ping: Ping other hosts on the network to test availability of the other hosts. Traceroute: Use the command trace-route <destination IP addr>. Output format: • • • • • • • DP#trace-route www.radware.com trace-route to host 209.218.228.203: 1: 50ms 50ms 50ms 212.150.43.130 2: 50ms 50ms 50ms 80.74.101.129 3: 50ms 50ms 50ms 192.116.214.2 4: * 5: 50ms * 50ms * 50ms 80.74.96.40 • Telnet client: to initiate a telnet session to remote hosts. Use the CLI command telnet <IP address>. • SSH client: to initiate a telnet session to remote hosts. Use the CLI command ssh <IP address>. • DNS Client: uses configured DNS servers to query IP addresses of a hostname. Use the command services dns nslookup <hostname>. Make sure to enable DNS and set DNS servers appropriately, using the services dns client commands. The DNS client also enables using host names rather than IP addresses in commands such as trace-route, ping, telnet, and so on. The DNS client is configurable also from APSolute Insite. Notes: i 44 For description of the DNS Client, refer to DNS Client, page 67. Doc. No.: 8261 LinkProof User Guide ii For more information concerning CLI commands, refer to the Radware CLI Reference Manual. Web Based Management Each Radware device can be managed using a web-based interface enabled from the Access pane of the Setup window. Web access can also be confined to SSL; administrator can specify the TCP port for the Web Based Management and the secure Web Based Management (WBM). Web Based Management graphical user interface (GUI) does not require any installation on a client, and is designed for easy and fast single device management. 
When using Web Based Management, on-line help is also available from the Radware corporate Web site. However, you can specify a custom location for the help files.

Web Based Management is supported using the following Internet browsers:
• Internet Explorer version 6 (when using Windows operating systems)
• Mozilla (when using Linux operating systems)

Note: In WBM, Online Help is available by clicking the ? Help icon that appears in every screen.

Web Based Management Features
• HTTP Summary Page: Using the Device Monitoring summary page, you can get a quick view of the farm and server health. The summary page also provides a launching point from which to 'drill down' to more specific health and configuration information. You can configure the interval at which the page is refreshed (any number of seconds between 10 and 3600). The Device Monitoring window is accessible from the WBM Device menu.
• HTTP Button to Switch Between Active and Backup Device: Using the Web-based interface, you can switch between the active device and the associated backup device. This functionality is also accessed from the Device Monitoring window.
• Secure Web Based Management: An HTTPS session. By default, the device has self-signed Radware SSL certificates. However, you can specify your own self-signed SSL certificate.

To create a new SSL certificate:
1. From the Services menu, select SSL > Certificates.
2. Click Create. The Create Self Signed Certificate window appears.
3. Fill in the relevant parameters and then click Ok.

Note: SSL keys and certificates are not exported as part of the configuration.

Device Security

This section describes the interfaces and methods related to device security.

All Radware devices are equipped with a variety of security features and settings that help prevent unauthorized access and tampering with units.
In addition to the predefined security, you can use the BWM and Intrusion license to upgrade the security level for your network.

This section includes the following topics:
• Bandwidth Management Access, page 46
• Users Table, page 46
• RADIUS Authentication, page 47

Bandwidth Management Access

Radware devices also provide a packet-filtering database, which can be configured to control access to the unit and through the unit, based on a variety of factors, such as protocol, port, and source or destination addresses.

To access Bandwidth Management Configuration: From the main window, select APSolute OS > BWManagement.

Management Ports

Access to any of the devices can be limited to specified physical interfaces. Interfaces connected to insecure segments of a network can be configured to discard some or all kinds of management traffic directed at the device itself. Administrators may wish to allow certain types of management traffic to a Radware device, such as SSH, while denying others (such as SNMP or Telnet). If an intruder attempts to access the device through a disabled port, the Radware unit does not allow access and generates syslog and CLI traps as notification.

To access Port Management Configuration: From the main menu, select Device > Device Permissions > Management Settings.

Users Table

You can create a list of personnel authorized to access the device. Entries in this table allow access to the Radware device through any enabled access method (Web, Telnet, SSH, SWBM). When Trace Status is enabled, users can receive e-mail notifications of changes made to the device.

To set the Users Table:
1. From the main window, select Device > Device Permissions. The Device Permissions window appears.
2. In the Device Permissions window, click Users Table > Add. The Edit Device Users window appears.
3. In the Edit Device Users window, set the following parameters according to the explanations provided:

    Device Name: Select the device name.
    User Name: Type the name of the user.
    Password: Type the password for the user.
    E-mail: Type the e-mail address of the user.
    Notification: Define the minimum severity level of traps that are sent to this user. Values: None (the user receives no traps); Info; Warning; Error; Fatal (the user receives traps with severity Info or higher). Default: None.
    Trace Status: Enable this option to notify users of configuration changes made in the device. For more information, see Configuration Trace, page 66.
    Values: Administrator; Operator. Default: Operator.

4. Click Ok to apply the Setup and exit the window. The new device permission is listed in the Users Table.

Note: User and Password can be up to 19 characters.

RADIUS Authentication

With RADIUS Authentication, you can use RADIUS servers to determine whether a certain user may or may not gain access to DP management, using CLI, Telnet, SSH or Web Based Management. You can also select whether to use the User Table when RADIUS servers are not available.

Radware devices provide additional security by authenticating the users who access the device for management purposes. Before a management session starts, the Radware device can authenticate the user with a RADIUS server.

To set the RADIUS Authentication:
1. From the main window, select Device > Device Permissions. The Device Permissions window appears.
2. In the Management Permissions window, click RADIUS. The RADIUS pane appears.
3. In the RADIUS pane, set the following parameters according to the explanations provided:

    Authentication Method: Define the Authentication method. Values: Local Users Table; RADIUS; RADIUS & Local Users Table. Note: The last option means that RADIUS servers are used but, when they are unavailable, the Local Users Table is used.
    Main RADIUS IP Address: Define the IP address of the primary server.
    Main RADIUS Port: The access port number of the primary RADIUS server. Values: 1645; 1812.
    Default: 1645.
    Main RADIUS Secret: Type the authentication password for the primary RADIUS server.
    Backup RADIUS IP Address: Define the IP address of the backup RADIUS server.
    Backup RADIUS Port: Define the access port number of the backup RADIUS server. Values: 1645; 1812. Default: 1645.
    Backup RADIUS Secret: Type the authentication password for the backup RADIUS server.
    RADIUS Timeout: Define the length of time the device waits for a reply from the RADIUS server before a retry, or (if the RADIUS Retries value is exceeded) before the device acknowledges that the server is offline. Default: 5.
    RADIUS Retries: Define the number of connection retries to the RADIUS server when the RADIUS server does not respond to the first connection attempt. Default: 3. Note: Once the RADIUS Retries value to the main RADIUS server is exceeded, and all connection attempts have failed (RADIUS Timeout), the backup RADIUS server is used.

4. Click Apply and Ok to apply the Setup and exit the window.

Notes:
i The RADIUS Authentication feature is available for CLI, Telnet, SSH, Web Based Management and Secure Web, but not for APSolute Insite.
ii Radware devices must have access to the RADIUS server, and the RADIUS server must allow access from the Radware device.

Version Management and Device Upgrading

This section describes the interfaces and methods for LP device upgrading and includes the following topics:
• Introducing Upgrades, page 49
• Software Version Update, page 49
• Saving and Restoring Configuration Files, page 52
• Upgrading Licenses, page 53
• Upgrading Boot Versions, page 55
• Resetting Devices, page 56

Introducing Upgrades

You can upgrade all Radware devices to newer versions with a straightforward FLASH process. Depending on the maintenance contract, you may be eligible for new versions with new features or only for the maintenance versions.

Performing the LP device upgrade involves two steps:
• Save the current device configuration.
• Upgrade the device software.

Radware releases updated versions of LP software that can be uploaded to your device. You can upgrade a device using one of these methods:
• APSolute Insite
• Web Based Management

A Device Upgrade enables the new features and functions on the device without altering the existing configuration. In exceptional circumstances, new firmware versions are incompatible with legacy configuration files from earlier firmware versions. This most often occurs when users attempt to upgrade from very old firmware to the most recently available version.

New firmware versions require a password. This password can be obtained from the Radware corporate Web site. You must obtain this password before you load the upgrade file onto the Radware device. If you do not supply the correct password during the upgrade process, you cannot proceed. In the case of a maintenance-only upgrade, the password is not required. The password is based on the firmware version file and on the Base MAC Address of the LP unit.

Notes:
i Before upgrading to a newer software version, it is recommended to save the existing configuration file.
ii Before performing the upgrade process, refer to the "Upgrading Notes" in the MRN and RN.

Software Version Update

For product versions prior to the ones listed in Table 4 on page 49, a single software version was loaded on Application Switch I, Application Switch 2 or Compact Application Switch. The software was burnt in duplicate on the internal flash.

Table 4: Product Version

    Product     Version
    DP          2.10
    CSD         4.10
    FP          3.21
    LinkProof   4.21
    WSD         8.10

From these versions forward, and for all Application Switch III product versions, the way in which flash memory space is managed was changed to a File System mechanism. This allows for the following:
• Use of compact flash in Application Switch 2 and Application Switch 3.
• More flexible memory management.
• Prevention of boot version changes caused by different memory allocation requirements (the main reason for boot version changes).
• Security upgrades.
• Two different software versions in the memory (only one may be active), with the possibility to change the active version by toggling between the two.

To display the list of software versions loaded on the device:
— From the Command Line Interface, use the command system file-system software.
— From Web-based management, click File menu > Software List option.
— From APSolute Insite, in the device Setup (double-click the device icon), click Device Updates > Downloads table.

To change the active software version:
— From the command line interface, use the command system file-system config act-appl set X, where X is the application index as displayed previously.
— From Web-based management, click the File menu and choose the Software List option. Select the inactive version (Active field has the value False), change the Active parameter to True and click Set to record your preferences. You will be prompted to reboot the device.

Note: Each software version has its own configuration file.

Flash Memory Management

Table 5 on page 50 shows the Flash Memory for the Application Switches.

Table 5: Flash Memory Management

    Switch   Internal Flash                    Compact Flash
    AS1      2 Application Software versions   Not available
    AS2      Backup Application version        2 Application Software versions
    AS3      Backup Application version        2 Application Software versions
    CAS      2 Application Software versions   Not available

On AS2 and AS3 a copy of an application software version is loaded in the internal flash for backup purposes. On the internal flash only IP host parameters are saved, to allow communication with the device in case of compact flash problems.

Note: Do not power up or reboot Application Switch 2 or Application Switch 3 when the compact flash card is not inserted.
Software Version Update

You can download a new software version using either WBM or APSolute Insite. For versions using the File System mechanism, the firmware file is in TAR format, while for previous versions it appears in binary (BIN) format.

Note: Before initiating a software version update on Application Switch 3 or Application Switch II running a file system version, ensure that a back-up application is installed in the internal flash; see Backup Version Update, page 52.

To upgrade the software version via Web Based Management:
1. From the File menu, select Software Upgrade. The Update Device Software window appears.
2. In the Update Device Software window, set the following parameters according to the explanations provided:

    Password: Enter the case-sensitive password you have obtained from the Radware corporate Web site for this upgrade: http://www.radware.com/content/support/pwordgen/default.asp
    Software Version: Specify the actual version to be loaded, using the X.XX.XX format.
    File: Select the appropriate firmware file.
    Enable New Version: Select the Enable New Version check box to apply the recent upgrade. Note: The device operates according to the new version after the software download process is complete; otherwise the device operates according to the previous version.

3. To accept your preferences, click Set. You will be prompted to reset the device.

Note: When upgrading from a minor version or bug fix version AB.CD.EF to version AB.CX.XX, a password is not required. For example, when upgrading from 8.21.05 to 8.23.12 a password is not required.

To update the software version via APSolute Insite:
1. From the main window, double-click the device icon. The Device Setup window appears.
2. In the Setup pane, click Device Upgrades. The Device Upgrades dialog box appears.
3. From the Device Upgrades dialog box, in the File Name text box, type the name of the file, OR click Browse to find the desired file.
4.
In the Password text box, type the password received with the new software version. Note: The password is case sensitive.
5. In the New Version text box, type the software version number as specified in the new software documentation. Note: If the Enable New Version check box is selected (default), the device operates according to the new version after the software download process is complete; otherwise the device operates according to the previous version.
6. Click Set. The status of the upload is displayed in the Progress Status bar. You are prompted to restart the device.

Backup Version Update

On Application Switch 2, the backup application version (internal flash) is updated automatically when a new application version that includes a new boot version is downloaded to the device. On Application Switch 3 it is not necessary to update the backup application version when there is a new boot version, because the compact flash and the internal flash have separate boot memories. If, however, you wish to manually update or install the backup application version, this is possible via the CLI command system file-system files copy-to-flash x, where x is the index of the new application you want to use (existing applications and their indexes are displayed by the system file-system config act-appl command).

Saving and Restoring Configuration Files

It is recommended to save the existing configuration on each Radware device. If a change to the configuration results in problems, administrators can restore a previous configuration to the unit. Files are stored locally, in a binary format, on the desktop or laptop running APSolute Insite. You can also perform this procedure from WBM.

Notes:
i When downloading a configuration file using WBM, the configuration cannot be downloaded to a device that was configured to use only SNMPv3.
ii When downloading a configuration file using CWI and SNMPv3, the configuration cannot be downloaded to a device that supports only SNMPv1.
iii The configuration file of a device that contains SNMPv3 users with authentication can only be used by the specific device on which those users were configured. When exporting the configuration file to another device, the passwords need to be re-entered, since passwords (of SNMPv3 users) cannot be exported from one device to another. Therefore there must be at least one user in the user table (to be able to change the password) in case the configuration file is uploaded to another device. Note that this is relevant for SNMPv3 RFC.

To save an existing configuration:
1. From the main window, select Device > Configuration File > Download.
2. Click the Browse button and navigate to the file you wish to save.
3. Select the required configuration file and click Ok. The current configuration is saved.

To restore an existing configuration file:
1. From the main window, select Device > Configuration File > Upload.
2. Click the Browse button and navigate to the file to restore.
3. Select the required configuration file and click Ok. The selected configuration is restored.
4. After the restored configuration has been applied to the Radware device, reboot the unit.

The downloaded configuration file appears in BER format. If you wish to view the BER format file, you must convert it to ASCII format. However, the configuration file that is uploaded to the device must be in BER format.

To convert a BER file to ASCII format:
1. From the main window, select Device > Configuration File > Edit. The Edit window opens.
2. From the Edit window, select Convert from BER to ASCII.
3. Click the Browse button and navigate to the BER file you wish to convert to ASCII.
4. Select the required configuration file and click Ok. The file format is converted to ASCII.

Upgrading Licenses

You can upgrade the software capabilities of LinkProof by means of the licensing mechanism; for example, to add BWM and IPS support.
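The configuration file saved under Saving and Restoring Configuration Files above is downloaded in BER (ASN.1 Basic Encoding Rules) format. The following is an added example, written for this page and not Radware's BER-to-ASCII converter or any LinkProof code: a generic BER tag-length-value walker in Python. It assumes standard X.690 BER and knows nothing about the LinkProof configuration schema, so it can name only universal types and prints other tags by class and number; the sample bytes in it are constructed for the example.

```python
"""Generic ASN.1 BER walker, added here as an example for inspecting a BER file.

Not Radware's converter and not LinkProof code: it assumes standard X.690 BER
and names only universal types; SAMPLE is constructed for this example.
"""
from typing import List, Optional, Tuple

UNIVERSAL = {1: "BOOLEAN", 2: "INTEGER", 4: "OCTET STRING", 5: "NULL",
             6: "OBJECT IDENTIFIER", 16: "SEQUENCE", 17: "SET"}
CLASSES = ("UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE")


def read_tag(data: bytes, pos: int) -> Tuple[int, int, bool, int]:
    """Return (class, tag number, constructed?, next position)."""
    first = data[pos]
    cls, constructed, number = first >> 6, bool(first & 0x20), first & 0x1F
    pos += 1
    if number == 0x1F:                       # high-tag-number form, base 128
        number = 0
        while True:
            number = (number << 7) | (data[pos] & 0x7F)
            pos += 1
            if not data[pos - 1] & 0x80:
                break
    return cls, number, constructed, pos


def read_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, next position); -1 means indefinite length."""
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos                    # short form
    count = first & 0x7F
    if count == 0:
        return -1, pos                       # indefinite form, ends with 00 00
    if count > 4:
        raise ValueError("unreasonable length field at offset %d" % (pos - 1))
    return int.from_bytes(data[pos:pos + count], "big"), pos + count


def render(cls: int, number: int, value: bytes) -> str:
    """Human-readable form of a primitive value."""
    if cls == 0 and number == 2:             # INTEGER: two's complement, big-endian
        return str(int.from_bytes(value, "big", signed=True))
    if cls == 0 and number == 1:
        return "TRUE" if value != b"\x00" else "FALSE"
    if cls == 0 and number == 6 and value:   # OID: first octet packs two arcs
        arcs, acc = [value[0] // 40, value[0] % 40], 0
        for b in value[1:]:
            acc = (acc << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(acc)
                acc = 0
        return ".".join(str(a) for a in arcs)
    if cls == 0 and all(0x20 <= b < 0x7F for b in value):
        return value.decode("ascii")
    return value.hex()                       # anything else shown as hex


def decode(data: bytes, pos: int = 0, end: Optional[int] = None,
           depth: int = 0, indefinite: bool = False) -> Tuple[List[str], int]:
    """Walk the TLVs in data[pos:end]; return (text lines, position reached)."""
    lines: List[str] = []
    end = len(data) if end is None else end
    while pos < end:
        if indefinite and data[pos:pos + 2] == b"\x00\x00":
            break                            # end-of-contents of the parent
        cls, number, constructed, pos = read_tag(data, pos)
        length, pos = read_length(data, pos)
        name = UNIVERSAL.get(number, "[%d]" % number) if cls == 0 else "[%s %d]" % (CLASSES[cls], number)
        indent = "  " * depth
        if length != -1 and pos + length > end:
            raise ValueError("length runs past the enclosing element")
        if not constructed:
            if length == -1:
                raise ValueError("primitive element with indefinite length")
            lines.append("%s%s: %s" % (indent, name, render(cls, number, data[pos:pos + length])))
            pos += length
            continue
        lines.append(indent + name + " {")
        if length == -1:                     # members run until 00 00
            inner, pos = decode(data, pos, end, depth + 1, True)
            if data[pos:pos + 2] != b"\x00\x00":
                raise ValueError("missing end-of-contents octets")
            pos += 2
        else:
            inner, _ = decode(data, pos, pos + length, depth + 1)
            pos += length
        lines.extend(inner)
        lines.append(indent + "}")
    return lines, pos


def ber_to_text(data: bytes) -> str:
    return "\n".join(decode(data)[0])


# Constructed sample, not a real LinkProof configuration file.
SAMPLE = bytes.fromhex(
    "301c"                      # SEQUENCE, 28 content octets
    "020105"                    # INTEGER 5
    "04096c702d636f6e666967"    # OCTET STRING "lp-config"
    "06032b0601"                # OBJECT IDENTIFIER 1.3.6.1
    "0101ff"                    # BOOLEAN TRUE
    "a0040202012c"              # [CONTEXT 0] { INTEGER 300 }
)
```

The walker rejects a length that runs past its enclosing element and a constructed element whose indefinite length is not closed by end-of-contents octets, which is where a truncated or hand-edited file usually shows up. It is for inspection only: as the guide states, the file uploaded to the device must be BER, so an ASCII rendering cannot be edited and uploaded in its place.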
Note: For more information regarding obtaining licenses, please contact Radware Technical Support.

The Licensing Mechanism

In order to change the license, you need to insert a new license code. The license provided to you is a one-time license, meaning that once this license is changed, the old license code cannot be re-used. For example, if a license that includes the BWM and IPS activation key was given to you on a trial basis and not purchased, and Radware then provides you with another license without the BWM and IPS activation key, the old license cannot be reused.

Each license is based on the MAC address of the device and on a license ID that is changed every time a new license is inserted. To obtain a license upgrade, you need to send the MAC address and the current license ID of the device. To perform a license downgrade, you also have to send the MAC address and the current license ID of the device. Once you receive and insert the new license, a screen capture of the License Upgrade window or the output of the system license get CLI command must be sent to Radware to prove that you are using the new license. After that, Radware ensures that the old license cannot be reused.

To upgrade a software license:
1. From the main window, double-click the device icon. The LinkProof Setup window appears.
2. In the Setup pane, click Device Upgrades. The Device Upgrades window appears.
3. In the Device Upgrades window, click Licence Upgrade. The Licence Upgrade pane appears, displaying the current license in the New Licence Code text box.
4. In the New Licence Code text box, type your new license code. Note: The license code is case sensitive.
5. Click Ok. An Information box prompts you to reset the device in order to validate the license.
6. Click Ok to perform the reset. The reset may take a few minutes. A success message is displayed on completion.
Upgrading Hardware Licenses

Note: For Application Switch 3, you can add support for a 10 Gigabit Ethernet Port by means of the hardware licensing mechanism. This feature is only available for Application Switch 3.

To upgrade a hardware license:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
2. In the Setup pane, click Device Upgrades. The Device Upgrades window appears.
3. In the Device Upgrades window, select Hardware Licence. The Licence Upgrade pane appears, displaying the current license in the New Licence Code text box.
4. In the New Licence Code text box, type your new license code. Note: The license code is case sensitive.
5. Click Ok. The Information box prompts you to reset the device in order to validate the license.
6. Click Ok to perform the reset. The reset may take a few minutes. A success message is displayed on completion.

Upgrading Licenses Using CLI

The following procedure enables you to upgrade your software and hardware licenses using the command line interface.

To upgrade a software license using CLI:
1. In the command line interface, type system license get.
2. Press Enter. The current license code is displayed.
3. Type system license set <new license code>.
4. Press Enter. The license updated message is displayed in the command line.
Note: To implement the upgrade, the device must be reset.
5. Type reboot in order to reset the device, then type yes to confirm the reset.

To upgrade a hardware license using CLI:
1. In the command line interface, type system hardware license.
2. Press Enter. The current license code is displayed.
3. Type system hardware license set <new license code>.
4. Press Enter. A license updated message is displayed in the command line.
Note: To implement the upgrade, the device must be reset.
5. Type reboot in order to reset the device, then type yes to confirm the reset.
Upgrading Licenses Using WBM

You can perform license upgrades using Web Based Management.

To upgrade a license using WBM:
1. From the Device menu, select License Upgrade. The License Upgrade window appears.
2. From the License Upgrade window, in the Insert your License Code text box, type the code of the new license and click Set.

Upgrading Boot Versions

To support new firmware, you may need to upgrade a device's Boot Code. For information regarding upgrading boot versions, refer to Boot Version Update, page 389.

Resetting Devices

You can reset the device at any time.

To reset the device:
1. From the main window, click Device.
2. From the Device drop-down menu, select Reboot.
3. Select the device you wish to reboot, then click Ok.

Device Tuning

This section describes the interfaces and methods for LP device tuning, and includes the following topics:
• Tuning Tables Introduction, page 56
• Tuning Memory Check, page 65

Tuning Tables Introduction

The Tuning Tables store information about sessions passing through the device; their sizes are correlated to the actual number of sessions. Some of the tables store information for every source-destination address pair of traffic going through the device (Layer-3 information); these pairs require an entry for each combination. Some of the tables need to keep information about Layer-4 sessions, which means that every combination of source address, source port, destination address and destination port requires its own entry in the table.

Note: Layer-4 tables are usually larger than Layer-3 tables. For example, a typical TCP client, using HTTP, opens several TCP sessions to the same destination address.
Each tuning table has its own Free-Up mechanism, which is responsible for clearing the tables of old entries that are no longer required, and for ensuring that all detected attacks are reported properly so that the attack can be logged. The Free-Up Frequency for each table determines how often the device clears unnecessary entries from the table and stores information about newly detected security events in a dedicated internal alerts buffer. The alerts are then distributed to the log file, SNMP management station, and syslog server, as required by the configuration. The alerts buffer ensures that the device is not overloaded with alerts distribution.

For LinkProof you can determine the maximum number of entries allowed in the following Device Tuning tables:
• Advanced Settings, page 57
• Virtual Tunneling Settings, page 62
• SYN Flood Protection Settings, page 63
• Session Table Settings, page 64

You can also define the security parameters for your previously defined security policy. The values in the fields are synchronized, and any changes are implemented after the device reset.

To view the Device Tuning Tables from APSolute Insite:
1. Double-click the LinkProof icon. The Setup window appears.
2. In the Setup window, select Global. The Global pane opens. Check the services group which you want to tune on the device and click Edit Settings. The device tuning settings table for the selected category opens.

Note: It is strongly advised that Device Tuning only be carried out after consulting with Radware Technical Support.

Tuning Tables On-Line

You may view a list of values for LinkProof Tuning tables by logging on to the Radware Website > Support > Documentation > Product (LinkProof) > Document Type (Tuning Table).

Advanced Settings

You can tune the Advanced Settings tables according to your needs. Table 6 on page 57 provides descriptions of the Advanced Settings tables and their tuning parameters.
Table 6: Advanced Tuning Parameters

Bridge Forwarding Table
  The maximum amount of entries in the Bridge Forwarding Table. The Bridge Forwarding Table contains the bridging ports per destination MAC address.
    Platform   Default   Max
    AS1        1,024     32,767
    AS2        1,024     32,767
    AS3        1,024     32,767
    CAS        256       32,767

IP Forwarding Table
  The maximum amount of entries in the IP Forwarding Table. The IP Forwarding Table contains the destination MAC address and port per destination IP address.
    Platform   Default   Max
    AS1        4,096     256,000
    AS2        8,192     512,000
    AS3        8,192     512,000
    CAS        2,048     256,000

ARP Forwarding Table
  The maximum amount of entries in the ARP Forwarding Table. The ARP Forwarding Table contains the destination MAC address per destination IP.
    Platform   Default   Max
    AS1        1,024     32,767
    AS2        1,024     32,767
    AS3        1,024     32,767
    CAS        1,024     32,767

Client Table Extension
  The maximum amount of entries in the Client Table Extensions. Client Extension Table size = (max number of farms in a flow, as configured on the device) * Client Table size.
    Platform   Default   Max
    AS1        8,192     NA
    AS2        16,384    NA
    AS3        16,384    NA
    CAS        8,192     NA

Client Table
  The maximum amount of entries in the Client Table. When setting the Client Table size you must also configure the Client Extension Table size. The relationship between the two table sizes is as follows: Client Extension Table size = (max number of farms in a flow, as configured on the device) * Client Table size. For example, in case SecureFlow load balances routers only, the Client Table Extension size should be the same as the Client Table size.
    Platform   Default   Max
    AS1        8,192     NA
    AS2        16,384    NA
    AS3        16,384    NA
    CAS        8,192     NA

Routing Table
  The maximum amount of entries in the Routing Table. The Routing Table stores information about the destinations and how they can be reached. By default, all networks directly attached to AppDirector are registered in this table. Other entries to the table can either be statically configured or dynamically created through the routing protocol.
    Platform   Default   Max
    AS1        512       32,767
    AS2        512       32,767
    AS3        512       32,767
    CAS        32        32,767

Static NAT
  The maximum number of Static NAT addresses that can be configured on the device. Static NAT is used to ensure delivery of specific traffic to a particular server on the internal network.
    Platform   Default   Max
    AS1        512       8,192
    AS2        512       8,192
    AS3        512       8,192
    CAS        128       8,192

No NAT
  The maximum number of No NAT addresses that can be configured on the device. No NAT enables a simple configuration where internal hosts have IP addresses that belong to a range of one of the farm servers. Traffic from these hosts should not be translated if the traffic is forwarded to this farm server.
    Platform   Default   Max
    AS1        512       20,000
    AS2        512       20,000
    AS3        512       20,000
    CAS        64        20,000

Basic NAT
  The maximum number of Basic NAT addresses that can be configured on the device. Basic NAT enables a one-to-one NAT mapping for occasional users, based on local IP ranges and destination applications.
    Platform   Default   Max
    AS1        NA        NA
    AS2        NA        NA
    AS3        NA        NA
    CAS        NA        NA

Fragmentation Table
  The maximum amount of entries in the Fragmentation table.
    Platform   Default   Max
    AS1        1,024     1,000,000
    AS2        1,024     1,000,000
    AS3        1,024     1,000,000
    CAS        64        512

Flow Policies
  The maximum number of entries in the Flow Policies table. A flow policy defines the criteria used to select a specific flow for a specific type of traffic. When a new session arrives at the SecureFlow, the device scans through the flow policies list looking for a match. Once a match is found, the packet is redirected according to the flow attached to this policy.
    Platform   Default   Max
    AS1        16        5,000
    AS2        16        5,000
    AS3        16        5,000
    CAS        16        5,000

FW Tracking Table
  The number of current entries in the Firewall Tracking Table. This table ensures that for inbound traffic received via a certain Firewall, the related outbound traffic is sent via the same Firewall.
    Platform   Default   Max
    AS1        128       4,096
    AS2        128       4,096
    AS3        128       4,096
    CAS        128       4,096

Farm Persistency Table
  The maximum number of entries in the Farm Persistency Table. SecureFlow allows you to determine when a new server will be selected for each farm, by allowing persistency mode configuration per farm. The default persistency mode is Layer 3. Persistency per farm can be kept according to any session identification parameter, or combination of them, that is less than the Client Table mode (for example source IP or destination IP if the Client Table mode is Layer 3), or according to the Client Table mode.
    Platform   Default   Max
    AS1        8,192     50,000
    AS2        8,192     140,000
    AS3        16,384    320,000
    CAS        16,384    170,000

SYN Protection Triggers Table
  The maximum number of entries in the SYN Protection Triggers Table. SYN Protection Triggers counts incomplete TCP sessions for detecting SYN Floods from the Session Table.
    Platform   Default   Max
    AS1        NA        NA
    AS2        NA        NA
    AS3        NA        NA
    CAS        NA        NA

Delayed Bind Table
  The maximum number of entries in the Delayed Bind table. Delayed Binding is a process in which the device alters fields such as the sequence number of the TCP stream from the client to the destination server. The subsequent session fetches the information that was requested in the original session, and only when that information is gathered is it returned to the client via the original session.
    Platform   Default   Max
    AS1        64        13,658
    AS2        64        32,768
    AS3        64        32,768
    CAS        64        32,768

To set the LinkProof Advanced Tuning Parameters:
1. Double-click the LinkProof icon. The Setup window appears.
2. In the Setup window, select Global. The Global pane appears.
3. From the Global pane, select Advanced Settings and then click Edit Settings. The LinkProof Advanced Settings window appears.
4. From the LinkProof Advanced Settings window, set the parameters as described in Table 6 on page 57.
Note: It is strongly advised that device tuning only be carried out after consulting with the Radware Technical Support.

Virtual Tunneling Settings

Virtual Tunneling tables are used to define Virtual Tunneling. The Virtual Tunneling tuning parameters are presented in Table 7 on page 62.

Table 7: Virtual Tunneling Settings
(For each table: description, then Default / Max per platform.)

Local Service Table
The maximum entries in the Local Service Table.
AS1 4 / 8; AS2 4 / 8; AS3 4 / 8; CAS 4 / 8

Remote Service Table
The maximum entries in the Remote Service Table.
AS1 12 / 32; AS2 12 / 32; AS3 12 / 32; CAS 12 / 32

Tunnels per Remote Service
The maximum entries in the Tunnels per Remote Service Table.
AS1 12 / 100; AS2 12 / 100; AS3 12 / 100; CAS 12 / 100

Local Station Table
The maximum entries in the Local Station Table.
AS1 24 / 32; AS2 24 / 32; AS3 24 / 32; CAS 24 / 32

Remote Station Table
The maximum entries in the Remote Station Table.
AS1 250 / 1,024; AS2 250 / 1,024; AS3 250 / 1,024; CAS 250 / 1,024

Note: In order to view the LinkProof Virtual Tunneling tuning parameters you must first enable the Virtual Tunneling Admin Status.

To enable Virtual Tunneling Admin Status:
1. From the main window, select APSolute OS > Traffic Redirection > Virtual Tunneling. The Virtual Tunneling pane appears.
2. In the Virtual Tunneling pane, enable Virtual Tunneling Admin Status.

Note: It is strongly advised that device tuning only be carried out after consulting with the Radware Technical Support.

To set the Virtual Tunneling Tuning Parameters:
1. Double click on the LinkProof icon. The Setup window appears.
2. In the Setup window, select Global. The Global pane appears.
3. In the Global pane, select Virtual Tunneling Settings and then click Edit Settings. The Virtual Tunneling Settings window appears.
4. From the Virtual Tunneling Settings window, set the parameters as described in Table 7 on page 62.

SYN Flood Protection Settings

SYN tables are used to define the SYN Flood protection.
SYN Flood protection tuning parameters are presented in Table 8 on page 63.

Table 8: SYN Flood Tuning Parameters

SYN Protection Table
The current number of entries in the SYN Protection Table, which stores data regarding the delayed binding process. An entry in the table exists from the time the client completes the handshake until the handshake with the server is complete.

SYN Protection Requests Table
The current number of entries in the SYN Protection Requests Table, which stores the ACK or data packet that the client sends, until the handshake with the server is complete and the packet is sent to the server.

Note: The Requests table and the SYN Protection table must be about the same size. The Triggers table should be much smaller.

SYN Protection Triggers Table
The current number of entries in the SYN Protection Triggers Table, which stores the active triggers - the destination IPs/ports on which the device identifies an ongoing attack.

SYN Protection Policies Table
The current number of entries in the SYN Protection Policies Table, which stores the policies that control the SYN Protection behavior for different types of traffic. For each traffic type the user can configure whether to:
• Always apply SYN protection.
• Apply SYN protection only when an attack is detected.
• Never apply SYN protection.

Session Table L3 SYN Flood Reports
Currently the parameter is not used.

Session Table SYN Triggers Creation
The current number of entries in the Session Table SYN Triggers Creation table, which counts incomplete TCP sessions for detecting SYN Floods from the Session Table.

To set the LinkProof SYN Flood parameters:
1. Double click on the LinkProof icon. The Setup window appears.
2. In the Setup window, select Global. The Global pane appears.
3. In the Global pane, select SYN Flood Settings and then click Edit Settings. The SYN Flood Protection Settings window appears.
4. In the SYN Flood Protection Settings window, set the parameters as described in Table 8 on page 63.

Note: It is strongly advised that device tuning only be carried out after consulting with the Radware Technical Support.

Session Table Settings

The Session Table tuning parameters are presented in Table 9, "Session Table Tuning Parameters," on page 64.

Table 9: Session Table Tuning Parameters

Session Table
The maximum amount of entries in the Session Table. The Session Table keeps track of sessions that were not recorded in the Client Table.

Session Passive Protocol
The maximum amount of entries in the Session Passive Protocol table. Records passive protocol port commands, so that all related sessions.

To set the Session Table Tuning parameters:
1. Double click on the LinkProof icon. The Setup window appears.
2. In the Setup window, select Global. The Global pane appears.
3. In the Global pane, select Session Table Settings and then click Edit Settings. The Session Table Settings window appears.
4. In the Session Table Settings window, set the parameters as described in Table 9 on page 64.

Note: It is strongly advised that device tuning only be carried out after consulting with the Radware Technical Support.

Tuning Memory Check

The Device Tuning Table enables you to pre-check whether the configured values will cause memory allocation problems. For every value you update in a LinkProof table, the device can check whether sufficient memory is available. This is done automatically when you update tuning values in APSolute Insite. However, following the tuning changes, you can perform a manual check using Web Based Management or the CLI.
In Web Based Management, select: Services > Tuning > Memory Check.
In the CLI, use the command: system tune test-after-reset-values

Device Notifications

This section describes the LinkProof Notifications feature, which distributes warning messages about failures and problems in network elements.
Notification distribution methods and configuration are described. This section includes the following topics:
• Notifications - General, page 65
• E-mail Notification, page 66

Notifications - General

Most administrators prefer to receive a warning message about a network or server outage. To help minimize the impact of failure in devices such as firewalls, routers or application servers, all Radware devices provide a choice of notification methods: CLI Traps, Syslog and E-mail.
To send traps by CLI, Telnet and SSH, the command is:
manage terminal traps-outputs set-on
For console only:
manage terminal traps-outputs set normal

CLI Traps

When connected to any Radware product through a serial cable, the device generates traps when events occur. For example, if a Next Hop Router fails, LinkProof generates the following error:
10-01-2003 08:35:42 WARNING NextHopRouter 10.10.10.10 Is Not Responding to Ping.

Send Traps To All CLI Users
This option enables you to configure whether traps are sent only to the serial terminal or also to SSH and Telnet clients.

Syslog

Event traps can also be mirrored to a syslog server. On LinkProof, as on all Radware products, you can configure the appropriate information using the Options > Preferences > Traps and SMTP option. Any traps generated by the Radware device are mirrored to the specified syslog server.
The current Radware syslog mechanism enables you to define the status and the event log server address. You can also define additional notification criteria such as Facility and Severity, which are expressed by numerical values. Facility indicates the type of device of the sender, while Severity indicates the importance or impact of the reported event. The user-defined Facility value is used when the device sends Syslog messages. The default value is 21, meaning "Local Use 6", which is the value used by previous LinkProof versions. The Severity value is determined dynamically by the device for each message that is sent.

E-mail Notification

You can configure the device to send e-mail messages to users listed in the device's User Table. For each user, you can set the level of SNMP Traps notification the user receives. This is done in the Users table; each user is assigned a level of severity and receives traps according to that severity or higher. The severity levels are Info, Warning, Error and Fatal; see Users Table, page 46. When assigned the severity level of Error, the user receives e-mail traps of events with severity levels of Error and Fatal. This configuration applies both to SNMP traps and to SMTP e-mail notifications. SMTP notifications are enabled globally for the device.
In addition to the SNMP traps, another method of notification has been added to the device. Using the Send E-mail on Errors option, you can configure traps to be sent by e-mail to predefined users with different levels of severity.

To configure E-mail Notifications:
From the main window, select Options > Preferences > Traps and SMTP.

Configuration Trace

LinkProof is able to monitor any configuration changes on the device and report those changes by sending out e-mail notifications. Every time the value of a configuration variable changes, information about all the variables in the same MIB entry is reported to users. Configuration reports are enabled for each user in the Users table; see Table, "Users Table," on page 46.

Note: LinkProof optimizes the mailing process by gathering reports and sending them in a single notification message once the buffer is full or once a timeout of 60 seconds expires.

The notification message contains the following details:
• Name of the MIB variable that was changed
• New value of the variable
• Time of configuration change
• Configuration tool that was used (APSolute Insite, Telnet, SSH, WBM)
• User name, when applicable
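The trap routing described above (a user assigned Error receives Error and Fatal events, and mirrored syslog messages carry the configured Facility together with a per-message Severity), as an added example that is not part of the guide or of the LinkProof software. The trap line format is the one quoted under CLI Traps; the other sample traps, the user table and the device-severity-to-syslog-severity mapping are assumptions.

```python
import re

# Severity levels as the guide lists them, lowest to highest.
LEVELS = ("INFO", "WARNING", "ERROR", "FATAL")

# Syslog facility the guide gives as the device default ("Local Use 6").
DEFAULT_FACILITY = 21

# Assumed mapping from device severity to RFC 5424 syslog severity codes.
# The guide only says the device sets Severity dynamically per message, so
# these four values are illustrative, not the device's actual choice.
SYSLOG_SEVERITY = {"INFO": 6, "WARNING": 4, "ERROR": 3, "FATAL": 2}

# Shape of the CLI trap quoted in the guide:
# "10-01-2003 08:35:42 WARNING NextHopRouter 10.10.10.10 Is Not Responding to Ping."
TRAP_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>INFO|WARNING|ERROR|FATAL) (?P<msg>.+)$"
)


def parse_trap(line):
    """Split a CLI trap line into (timestamp string, level, message).

    Returns None for lines that do not follow the trap format, so a caller
    can count or log them instead of silently dropping them.
    """
    m = TRAP_RE.match(line.strip())
    if not m:
        return None
    return f"{m['date']} {m['time']}", m["level"], m["msg"]


def recipients(level, users):
    """Users whose configured threshold is at or below the event level.

    users maps user name -> threshold level; a user set to ERROR receives
    ERROR and FATAL traps, as the guide describes.
    """
    rank = LEVELS.index(level)
    return sorted(name for name, threshold in users.items()
                  if LEVELS.index(threshold) <= rank)


def syslog_pri(level, facility=DEFAULT_FACILITY):
    """PRI value (the <N> prefix) of the mirrored syslog message."""
    return facility * 8 + SYSLOG_SEVERITY[level]


def route_traps(lines, users, facility=DEFAULT_FACILITY):
    """Decide, per trap, the syslog PRI and the e-mail recipients.

    Returns the routed events plus the lines that were skipped because
    they did not parse.
    """
    events, skipped = [], []
    for line in lines:
        parsed = parse_trap(line)
        if parsed is None:
            skipped.append(line)
            continue
        when, level, msg = parsed
        events.append({
            "time": when,
            "level": level,
            "message": msg,
            "pri": syslog_pri(level, facility),
            "email_to": recipients(level, users),
        })
    return {"events": events, "skipped": skipped}


# Constructed sample input: the trap quoted in the guide plus invented lines.
SAMPLE_TRAPS = [
    "10-01-2003 08:35:42 WARNING NextHopRouter 10.10.10.10 Is Not Responding to Ping.",
    "10-01-2003 08:36:10 ERROR Firewall 10.10.10.20 Is Not Responding to Ping.",
    "10-01-2003 08:36:11 FATAL Power supply failure detected.",
    "this line is not a trap",
]

# Constructed Users table: name -> lowest severity the user wants by e-mail.
SAMPLE_USERS = {"noc": "INFO", "admin": "ERROR", "oncall": "FATAL"}

if __name__ == "__main__":
    for event in route_traps(SAMPLE_TRAPS, SAMPLE_USERS)["events"]:
        print(f"<{event['pri']}> {event['level']:<7} -> {event['email_to']}")
```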
Utilities

This section describes additional device-related LinkProof utilities. This section includes the following topics:
• DNS Client, page 67

DNS Client

You can configure LinkProof to operate as a DNS client. When the DNS client is disabled, IP addresses cannot be resolved. When the DNS client is enabled, IP addresses can be resolved in the following ways:
• Using the configured DNS servers, to which the DNS client sends queries about the IP addresses of a hostname.
• Using the pre-defined static table that includes hostnames and IP addresses.

To display the DNS table:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, select DNS. The DNS pane appears.
3. To enable the DNS client, select the Client DNS checkbox.
4. In the DNS Primary Address text box, type the address of the primary DNS server that is used to query IP addresses of hostnames.
5. In the DNS Alternate Address text box, type the address of the backup DNS server that is used to query IP addresses of hostnames in case the primary server is not in service.
6. To display the dynamic DNS table in the CLI, type the following command:
services dns nslookup <hostname>
The DNS table is displayed.

To define the static DNS table:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, select DNS. The DNS pane appears.
3. To enable the DNS client, select the Client DNS checkbox.
4. From the DNS pane, select the Static DNS option. The Static DNS Table window appears.
5. In the Static DNS Table window, set the following parameters according to the explanations provided:
Host Name: The URL name for which you want to set the IP address.
IP Address: The IP address of the URL.
6. Click Add to apply. The new entry is listed in the Static DNS Table.
7. Click Ok to apply the Setup and exit.
Chapter 3 - Basic Switching & Routing

This chapter explains switching and routing in general, describes how LinkProof participates in these processes, and presents several aspects of the practical implementation of LinkProof. This chapter includes the following sections:
• Port Settings, page 69
• Virtual LAN, page 72
• VLAN Tagging, page 76
• IP Addressing & Routing, page 78

Port Settings

This section provides information about LinkProof features which assist with traffic and port management. This section includes the following topics:
• Port Mirroring, page 69
• Port Trunking, page 70
• Port Rules, page 72
• Port Load Balancing Status, page 72

Port Mirroring

Port Mirroring enables the LinkProof device to duplicate traffic from one physical port on the device to another physical port on the same device. This is useful, for example, when an Intrusion Detection System (IDS) device is connected to one of the ports on the LinkProof device. You can configure port mirroring for received traffic only, for transmitted traffic only, or for both. You can also decide whether to duplicate the received broadcast packets.

To configure Port Mirroring:
1. From the main window, double-click on the LinkProof device icon. The Setup window appears.
2. In the Setup window, select Networking > Port Mirroring. The Port Mirroring Table window appears, listing the current Input and Output Ports. You can set up the mirroring options for each port.
3. In the Port Mirroring Table window, select the port to configure and click Edit. The Edit Port Mirroring window appears.
4. In the Edit Port Mirroring window, choose the Receive/Transmit mode for the port you selected: Receive only, Transmit only or Both.
5. To receive a broadcast packet, select Receive Broadcast.
6. Click Add to apply the Setup and click Ok to exit the window.

Notes: The following notes regarding Port Mirroring apply to all Application Switching Platforms:
i. It is possible to copy traffic from one Input Port to multiple Output Ports, or from many Input Ports to one Output Port.
ii. The Input Port, from which traffic is mirrored, must be an interface with a configured IP address, or an interface which is part of a VLAN (Regular or Switched) with a configured IP address.
iii. The Output Port, to which the traffic is mirrored, cannot have an IP address, or be part of a VLAN (Regular or Switched) with a configured IP address.
iv. When mirroring traffic from a port which is part of a Switched VLAN, traffic between hosts on this VLAN is switched by the ASICs of the device. This type of traffic is not mirrored.
v. When mirrored traffic is received on a port which is part of a Switched VLAN, and the mirrored port is configured to mirror Received Broadcast packets, these packets are mirrored from all ports on the Switched VLAN.
vi. Traffic generated by the device itself, such as Connectivity checks or management traffic, is not mirrored.
vii. Regular VLAN traffic with a destination multicast MAC is not always mirrored.

Port Trunking

Port Trunking (also known as Link Aggregation) is a method of increasing bandwidth by combining physical network links into a single logical link. Link aggregation increases the capacity and availability of the communications channel between devices - both switches and end stations - by using Fast Ethernet and Gigabit Ethernet technology. Multiple parallel physical links between two devices can be grouped together to form a single logical link. Link aggregation also provides load balancing, where processing and communications activities are distributed across several links in a trunk, to prevent single link overloading.
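How a trunk keeps every frame of one conversation on the same physical link, as an added illustration (not Radware's implementation). The per-layer choices (Ignore, Source Address, Destination Address, Both Addresses) are the ones offered in the Link Aggregation window described in this section; the hash used to pick a link, the Frame fields and the sample traffic are assumptions.

```python
import hashlib
from dataclasses import dataclass

# Selection choices offered per layer in the Link Aggregation window.
CHOICES = ("Ignore", "Source Address", "Destination Address", "Both Addresses")

# Which frame fields each layer's choice looks at (hypothetical field names).
LAYER_FIELDS = {
    2: ("src_mac", "dst_mac"),
    3: ("src_ip", "dst_ip"),
    4: ("src_port", "dst_port"),
}


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def conversation_key(frame, algorithm):
    """Build the conversation identifier from the per-layer choices.

    algorithm maps layer (2, 3, 4) -> one of CHOICES; a missing layer means
    "Ignore". Frames with the same key belong to the same conversation.
    """
    parts = []
    for layer in (2, 3, 4):
        choice = algorithm.get(layer, "Ignore")
        if choice not in CHOICES:
            raise ValueError(f"unknown choice {choice!r} for layer {layer}")
        src_field, dst_field = LAYER_FIELDS[layer]
        if choice in ("Source Address", "Both Addresses"):
            parts.append(f"L{layer}src={getattr(frame, src_field)}")
        if choice in ("Destination Address", "Both Addresses"):
            parts.append(f"L{layer}dst={getattr(frame, dst_field)}")
    return "|".join(parts)


def select_link(frame, algorithm, active_links):
    """Pick the physical link for a frame: a hash of the conversation key
    modulo the number of links currently up (assumed scheme). The same key
    always lands on the same link while the set of active links is unchanged,
    so a single failed link only remaps conversations to the survivors."""
    if not active_links:
        raise RuntimeError("trunk has no active links")
    links = sorted(active_links)
    digest = hashlib.sha256(conversation_key(frame, algorithm).encode()).digest()
    return links[int.from_bytes(digest[:4], "big") % len(links)]


def distribute(frames, algorithm, active_links):
    """Map each link to the frames it carries, in arrival order."""
    placement = {link: [] for link in sorted(active_links)}
    for frame in frames:
        placement[select_link(frame, algorithm, active_links)].append(frame)
    return placement


def in_order_per_conversation(frames, algorithm, active_links):
    """True when every conversation is confined to a single link, which is
    what guarantees frame ordering at the receiving-end station."""
    seen = {}
    for frame in frames:
        key = conversation_key(frame, algorithm)
        link = select_link(frame, algorithm, active_links)
        if seen.setdefault(key, link) != link:
            return False
    return True


# Constructed sample traffic: two client-to-server conversations plus the
# reverse direction of the first one.
A_TO_B = Frame("00:11:22:33:44:01", "00:11:22:33:44:02", "10.1.1.5", "10.1.1.1", 40000, 80)
B_TO_A = Frame("00:11:22:33:44:02", "00:11:22:33:44:01", "10.1.1.1", "10.1.1.5", 80, 40000)
C_TO_B = Frame("00:11:22:33:44:03", "00:11:22:33:44:02", "10.1.1.6", "10.1.1.1", 40001, 80)
SAMPLE_FRAMES = [A_TO_B, A_TO_B, C_TO_B, B_TO_A, A_TO_B, C_TO_B]

# Layer 3 set to "Both Addresses", other layers ignored, on a four-link trunk.
L3_BOTH = {3: "Both Addresses"}
TRUNK_LINKS = [1, 2, 3, 4]

if __name__ == "__main__":
    for link, carried in distribute(SAMPLE_FRAMES, L3_BOTH, TRUNK_LINKS).items():
        print(link, [conversation_key(f, L3_BOTH) for f in carried])
```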
Treating multiple LAN connections as one aggregated link ensures the following advantages:
• Higher link availability
• Increased link capacity
• Improvements in existing hardware: upgrading to higher-capacity link technology is not necessary.

Radware devices support port trunking according to the IEEE 802.3ad standard for link aggregation. Link Aggregation is supported on the following:
• Links using the IEEE 802.3 MAC
• Point-to-point links
• Links operating in full duplex mode

Aggregation is permitted only among links with the same speed and direction. On Radware devices, bandwidth increments are provided in units of 100Mbps and 1Gbps respectively.
MAC Client traffic can be distributed across multiple links. To guarantee the correct ordering of frames at the receiving-end station, all frames belonging to one conversation must be transmitted through the same physical link. The algorithm for assigning frames to a conversation depends on the application environment. Radware devices can define conversations upon Layer 2, 3 or 4 information, or on combined layers. The failure or replacement of a single link within a Link Aggregation Group does not cause failure from the perspective of a MAC client.
The Radware port trunking function allows you to define up to eight trunks. Up to eight physical links can be aggregated into one trunk. All trunk configuration is static.

Notes: Trunks cannot be a part of a switch VLAN for AS4.

Port Trunking Limitations:
i. A port belonging to a trunk may not be copied to another port (copy port).
ii. A trunk cannot be mirrored.
iii. Ports that are part of a trunk cannot be used in port rules; the entire trunk, however, can be used in port rules.

To configure Link Aggregation:
1. In the main window, right-click the device icon and select SetUp. The SetUp window appears.
2. In the SetUp window, click Networking > Link Aggregation. The Link Aggregation window appears.
3. In the Link Aggregation window, define the trunk's algorithm for Layer 2, Layer 3 and Layer 4 according to the explanations provided:
Ignore: Ignore the headers of that layer.
Source Address: Consider the packet's source only.
Destination Address: Consider the packet's destination only.
Both Addresses: Consider the packet's source and destination.
Note: The same algorithm must be applied on the other switch participating in the trunk.
4. To associate ports with trunks, select a trunk from the list of trunks and click Edit. The Edit Link Aggregation window appears.
5. In the Edit Link Aggregation window, select the ports that you want to associate with the trunk and click OK.
6. To apply a new trunk definition to your device, add a new interface using the new trunk. In the SetUp window, click Add. The Interface window appears. Set the parameters according to the explanations provided:
If Num: Select a trunk from the dropdown list, for example, T-1.
IP Address: The trunk's IP address.
Network Mask: The trunk's network mask.
Broadcast Type: The broadcast address can be:
• ONEFILL: full of ones.
• ZEROFILL: full of zeros.
7. Click Ok. A new trunk appears in the Interface table.

Port Rules

Port Rules enable the LinkProof device to ensure that traffic received from a specific physical port on the device exits only via another specific physical port on the same device, and vice versa. This is useful for a simplified configuration process, without flow definitions, when LinkProof needs to load balance both router and firewall servers.

To configure Port Rules:
For security reasons, the Port Rules feature is configured via CLI only, using the command:
lp port-rules set <inport> <outport>

Port Load Balancing Status

You can configure for each physical port on the device whether the traffic incoming through this port should be load balanced or not.
When the load balancing status is enabled, the traffic coming through this port is load balanced or routed according to flow policies and destination address. When the load balancing status is disabled, the traffic coming through this port is always routed.
Port Load Balancing Status may be configured via WBM or CLI:
• Via Web Based Management: From the LinkProof menu, select LinkProof > Global Configuration > Port LB Status.
• Via CLI: the lp global port-lb-status command.

Virtual LAN

This section explains the concept of Virtual LANs, their functionality, and how to configure them in conjunction with LinkProof. This section includes the following topics:
• What is a Virtual LAN?, page 72
• LinkProof VLAN Types, page 72
• VLAN Configuration, page 74
• Redundancy, page 76

What is a Virtual LAN?

A Virtual LAN (VLAN) is a group of devices that share the same broadcast domain within a switched network. Broadcast domains describe the extent to which a network propagates a broadcast frame generated by a device. Some switches may be configured to support single or multiple VLANs. When a switch supports multiple VLANs, the broadcast domains are not shared between the VLANs.
• The device learns the Layer 2 addresses on every VLAN port.
• Known unicast frames are forwarded to the relevant port.
• Unknown unicast frames and broadcast frames are forwarded to all ports.

LinkProof VLAN Types

LinkProof VLAN provides bridging functionality among ports assigned to the same VLAN. LinkProof supports the following types of VLAN: Regular VLAN and Switched VLAN.

Regular VLAN

A Regular type VLAN can be described as an IP Bridge (a software bridge) between multiple ports that incorporates all the traffic redirection of the passing traffic at all layers (Layer 2 to Layer 7). Two protocols can be used with Regular VLANs:
IP Protocol: The VLAN must be assigned an IP address. All of the traffic between the ports is intercepted transparently by the LinkProof application. Packets that need intelligent intervention are checked and modified by LinkProof and then forwarded to the relevant port. Other packets are simply switched by LinkProof as if they were on the same wire.
Other Protocol: A VLAN with the protocol "Other" cannot be assigned an IP address. This type of VLAN is used to bridge non-IP traffic through LinkProof. Note that this option can also be defined with the Switched type VLAN (Switched VLAN protocol) for wire-speed performance.

Switched VLAN

Switched VLAN provides wire-speed VLAN capabilities implemented through the hardware switch fabric of the LinkProof device. Depending on the Protocol defined for the Switched VLAN, frames are treated accordingly:
Switched VLAN Protocol: Frames arriving at a VLAN port are switched according to Layer 2 information. The LinkProof application does not intercept any traffic.
IP Protocol: Frames arriving at a VLAN port are switched according to Layer 2 information, except for frames whose Layer 2 address is the same as the LinkProof port Layer 2 address. Frames with a LinkProof Layer 2 destination are processed by the LinkProof application and then forwarded accordingly.

Bridging

Once a VLAN is defined, LinkProof performs bridging among interfaces assigned to the same VLAN. Bridging within a VLAN means that LinkProof learns the MAC addresses of frames arriving from each physical interface, and maintains a list of MAC addresses per interface. When a frame arrives from one interface, LinkProof looks for the frame's destination address within its address list according to the following conditions:
• If the destination address is listed in the same interface as the source address, LinkProof discards the frame.
• If the destination address is listed in another interface, LinkProof forwards the frame to the relevant interface.
• If the address is not listed in any interface, LinkProof broadcasts the frame to all interfaces participating in the VLAN.

Note: LinkProof enables users to modify the address lists by registering additional MAC addresses per interface. This is done from the Bridge Setup menu.

To add a MAC address to a port:
1. Double-click the LinkProof device icon. The Setup window appears.
2. In the Setup window, click Networking > VLAN. The Virtual LAN window appears.
3. From the Virtual LAN window, select Bridge Setup, select the port to which you wish to add a MAC address and click Add. The Edit Global Forwarding Table appears.
4. In the Edit Global Forwarding Table, type the relevant MAC address and click Ok.

VLAN Configuration

In the Transparent LinkProof Configuration using VLAN example (Figure 1), LinkProof is configured with two VLANs: a Network side VLAN (with address 100003) and a User side VLAN (address 100005). Both VLANs are defined as Switched type, to gain wire-speed throughput. To enable LinkProof to perform Traffic Redirection policies on traffic destined to the Internet, the VLAN protocol is set to IP. This requires clients to configure LinkProof as their default router.

Figure 1 - Transparent LinkProof Configuration using VLAN (Internet users reach the Router 10.1.1.20 on Port 1, the network side; the LinkProof IP VLAN interface is 10.1.1.10 with Virtual Address 10.1.1.100; Servers 10.1.1.1 and 10.1.1.2 are on Port 2, the server side)

Table 10: VLAN Definitions in LinkProof
Interface Number   Protocol   VLAN Type
100003             IP         Switched
100005             IP         Switched

To create a VLAN:
1. From the Setup window, select Networking > VLAN. The Virtual LAN window appears.
2. In the Virtual LAN window, select Setup and connect a physical port on the device to the VLAN you are creating: in the Assign Port to VLAN pane, select the checkboxes of the ports you want to assign to the VLAN.
3. Set the remaining parameters according to the explanations provided:
Interface Number: Type the interface number of the VLAN, to be automatically assigned by the management station.
Type: Select the required VLAN type:
• Regular: The device acts as a bridge.
• Switched VLAN: The Switched type is a Layer 2 VLAN. A Switched VLAN can be stand-alone or part of a Regular VLAN.
Protocol: Select the required VLAN protocol.
Note: You can choose IP or swVLAN only when the VLAN type is Switched. Otherwise, the protocol is IP or Other.
4. Click Add. The new VLAN appears in the VLAN Table.

To configure VLAN parameters:
1. From the Setup window, select Networking > VLAN. The Virtual LAN window appears.
2. In the Virtual LAN window, click Parameters. Set the following parameters according to the explanations provided:
802.1q Environment (check box): Enables or disables VLAN tagging.
VLAN Tag Handling: The handling method of VLAN Tagging (enabled only if the 802.1q Environment checkbox is selected). The possibilities are:
• Overwrite: The device performs VLAN Tagging of outgoing traffic in accordance with the IP Interface configuration. The device sets tags for packets according to the following parameters: the destination IP of the packet if it is on the same local subnet as the device, OR the MAC address of the firewall that is configured on the device and through which the packet is sent.
• Retain: The device preserves existing VLAN Tags on the incoming traffic that passes through the device. Traffic generated by the device is tagged according to the IP Interface configuration.
Auto Config Aging Time: Define the ports refresh time when using VLAN Auto configuration.
Ethernet Type (for user defined VLANs): Define the Ethernet type for user-defined VLANs. With this parameter, you can configure the VLAN to forward other types of protocols.
Ethernet Type Mask (for user defined VLANs): Define the mask on the Ethernet type for user-defined VLANs.
Bridge Address: Type the MAC Address used by the device.
Bridge Type: Define the types of bridging the device can perform.
Bridge Forwarding Table Aging Time: Indicate how long unused entries are to remain in the Forwarding Table (in seconds). The counter is reset each time the entry is used. When the Aging Time period expires, the entries are deleted from the table. Minimum value: 10 seconds.
3. Click Apply to save the configuration and click Ok to close the window.

Tip: From the Bridge Setup tab, you can monitor, add to and edit the bridge forwarding nodes. See "IP Addressing & Routing" on page 78.

Redundancy

When working with VLANs, two LinkProofs can be configured in an Active / Backup redundancy Setup. For more information about LinkProof Redundancy settings, see Redundancy, page 203.

VLAN Tagging

This section explains VLAN Tagging support, how VLAN tags are used in configurations with LinkProof, and VLAN Tagging enhancements. This section includes the following topics:
• VLAN Tagging Support, page 76
• Using VLAN Tagging, page 76
• VLAN Tagging Enhancements, page 78

VLAN Tagging Support

VLAN Tagging is an IEEE standard (802.1q) for supporting multiple VLANs associated with the same switch port. Each VLAN is tagged with a unique identifier to allow the identification of different VLANs' traffic on the same physical port. VLAN Tagging provides an indication in the Layer 2 header by which a switch decides through which port to connect to the VLAN on another switch. When two VLANs are configured across two different switches, usually there is a connection between each of the VLANs on one switch to the corresponding VLAN on a second switch. This is done by a single cable connecting the two switches. The ports that inter-connect the switches, for example port 10 on each, belong to all of the VLANs on that switch.
In this case, the switch needs to know to which VLAN to send traffic coming from port 10, as this port belongs to all the VLANs. Using VLAN Tagging VLAN Tagging (802.1q) support can be used with LinkProof, where LinkProof is connected to multiple VLANs on the same switch, and different servers are assigned to different VLANs. 76 Doc. No.: 8261 LinkProof User Guide The VLAN tagging support is based on the local subnet to which the traffic is sent, or on the destination MAC of the packet. Therefore, LinkProof cannot tag packets by the destination subnet if it is not local to the LinkProof. The switch connected to the LinkProof must be configured consistently with the LinkProof tagging configuration. Each IP interface can have a VLAN tag associated with it. LinkProof recognizes an IP interface as a physical port/IP address combination. Note: LinkProof determines the tag that is used according to the destination IP of the packet after LinkProof has made all the required modifications to the packet. For example, when using Local Triangulation, LinkProof forwards packets to servers with destination IP of the farm, hence these packets are tagged according to the tag in the configuration of the IP interface associated with the farm IP. Using LinkProof with VLAN tagging, all packets that are sent to a destination MAC address of a Next Hop Router (whose IP address is on a local subnet that is associated with a tagconfigured IP interface), carry the VLAN tag, regardless of the destination IP address of the packet. In addition, all packets sent to any destination host on a tag-configured IP interface carry the VLAN tag. This includes: • All Health Check packets from the LinkProof to the Next Hop Routers, including Full Path Health Monitoring. • ARP requests and responses from the LinkProof to the Next Hop Routers. • Unicast ARPs between redundant LinkProofs. • Gratuitous ARPs, as part of the redundancy mechanism. 
If an IP interface does not have a VLAN tag configured, the packets are sent without a tag (standard Layer 2 MAC header).
Configurable VLAN ID values range from 1 to 4063. LinkProof automatically sets the 802.1p portion of the tag (the first 3 bits) to 000.
In Figure 2 - VLAN Tagging Configuration, page 78, Tag 101 is associated with IP interface 10.1.1.10 and Tag 102 is associated with IP interface 20.1.1.10.
Figure 2 - VLAN Tagging Configuration (LinkProof interface P1: 10.1.1.10, Tag 101, to servers 10.1.1.x; interface P1: 20.1.1.10, Tag 102, to servers 20.1.1.x)
All traffic to 10.1.1.x servers is tagged with VLAN tag 101, while all traffic to 20.1.1.x servers is tagged with VLAN tag 102.
Note: VLAN tagging is supported for AS1 and AS2 platforms.
To set a VLAN tag for an IP Interface:
1. Double-click the LinkProof device icon. The Setup window appears.
2. In the Setup window, select an existing interface and click Edit, or click Add. The Interface window appears, see Setting Up Interface IP Addresses, page 79.
3. In the Interface window, set the VLAN Tag parameter as required. A value of 0 indicates that no tag is used.
4. Click Ok to apply the changes and to exit all windows.

VLAN Tagging Enhancements
In addition to configuring which VLAN tag is set according to the destination local subnet or according to the Next Hop Router (NHR), you may also retain the existing VLAN tags on incoming traffic that passes through the device. In APSolute Insite, this feature is configured in the VLAN Parameters window. In Web Based Management, it is configured in the VLAN Tagging window from the Device menu. It can also be configured using the CLI command: net vlan-tag-handling
1. Set 802.1q Environment to Enable.
2. Set VLAN Tag Handling to Retain (the default value is Overwrite).
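The tag selection rules above (tag chosen from the destination's local subnet after any packet rewrite, NHR subnet deciding for routed traffic, no tag for non-local destinations, Overwrite versus Retain handling) and the 802.1Q tag layout with the 802.1p bits forced to 000 can be checked against a small model. The following is an added example written for this page, not LinkProof code: the interfaces are constructed from Figure 2, the helper names (IpInterface, tag_for_destination, egress_tag, build_8021q_tag) are this example's own, and the 4063 upper limit is taken from the guide rather than from the 802.1Q standard (which allows 4094).

```python
import ipaddress
import struct

# Product limit stated in this guide (1..4063); 802.1Q itself allows VIDs up to 4094.
MAX_VLAN_ID = 4063
TPID_8021Q = 0x8100


class IpInterface:
    """A LinkProof IP interface: a physical port/IP address combination with an optional
    VLAN tag. A tag of 0 means the interface sends untagged (plain Layer 2) frames."""

    def __init__(self, port, address, prefixlen, vlan_tag=0):
        if not 0 <= vlan_tag <= MAX_VLAN_ID:
            raise ValueError(f"VLAN tag {vlan_tag} outside 0..{MAX_VLAN_ID}")
        self.port = port
        self.network = ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)
        self.vlan_tag = vlan_tag

    def is_local(self, ip):
        return ipaddress.ip_address(ip) in self.network


# Interfaces constructed from Figure 2 (both sit on port P1, one tag each).
FIGURE2_INTERFACES = [
    IpInterface("P1", "10.1.1.10", 24, vlan_tag=101),
    IpInterface("P1", "20.1.1.10", 24, vlan_tag=102),
]


def tag_for_destination(interfaces, dst_ip, next_hop_ip=None):
    """Tag applied to an outgoing packet, evaluated on the destination IP *after* any NAT or
    triangulation rewrite. Packets handed to a Next Hop Router take the tag of the NHR's local
    subnet regardless of the final destination. Returns 0 for an untagged interface and None
    when the destination is not local (LinkProof cannot tag by a non-local subnet)."""
    lookup_ip = next_hop_ip if next_hop_ip is not None else dst_ip
    for iface in interfaces:
        if iface.is_local(lookup_ip):
            return iface.vlan_tag
    return None


def egress_tag(interfaces, dst_ip, incoming_tag=None, handling="overwrite", next_hop_ip=None):
    """Apply the VLAN Tag Handling setting. 'overwrite' (the default) always uses the configured
    tag; 'retain' keeps the tag the packet arrived with and falls back to the configured tag
    for packets that arrived untagged (incoming_tag None or 0)."""
    if handling not in ("overwrite", "retain"):
        raise ValueError("handling must be 'overwrite' or 'retain'")
    if handling == "retain" and incoming_tag:
        return incoming_tag
    return tag_for_destination(interfaces, dst_ip, next_hop_ip)


def build_8021q_tag(vlan_id, pcp=0):
    """Encode the 4-byte 802.1Q tag: TPID 0x8100 followed by the TCI, which packs the 3-bit
    802.1p priority (PCP), the 1-bit DEI and the 12-bit VLAN ID. LinkProof sets PCP to 000."""
    if not 1 <= vlan_id <= MAX_VLAN_ID:
        raise ValueError(f"VLAN ID {vlan_id} outside 1..{MAX_VLAN_ID}")
    tci = (pcp << 13) | vlan_id
    return struct.pack("!HH", TPID_8021Q, tci)


def parse_8021q_tag(raw):
    """Decode the tag found right after the two MAC addresses of a tagged frame."""
    tpid, tci = struct.unpack("!HH", raw[:4])
    if tpid != TPID_8021Q:
        raise ValueError("not an 802.1Q tag")
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


if __name__ == "__main__":
    for dst in ("10.1.1.55", "20.1.1.7", "8.8.8.8"):
        print(dst, "->", tag_for_destination(FIGURE2_INTERFACES, dst))
    print("8.8.8.8 via NHR 20.1.1.1 ->", tag_for_destination(FIGURE2_INTERFACES, "8.8.8.8", "20.1.1.1"))
    print("tag 101 on the wire:", build_8021q_tag(101).hex())
```

When verifying a deployment, compare the tag the model predicts for a flow with what a capture on the switch trunk actually shows; a mismatch between the LinkProof interface tag and the switch port's allowed VLANs is the usual cause of "health checks pass but traffic is black-holed".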
Note: If a packet arrives without a VLAN tag, LinkProof sets a tag according to the destination local subnet.
Additional features:
• You may configure the same VLAN tag on multiple interfaces.
• You may configure a VLAN tag on a VLAN interface.

IP Addressing & Routing
This section explains the configuration of IP addressing and routing, and includes the following topics:
• IP Addressing, page 79
• Routing, page 79
• Routing Information Protocol, page 80
• Open Shortest Path First, page 82

IP Addressing
IP addresses are 32-bit binary numbers (for example, 11000000101010000000000100010100, which is 192.168.1.20 in dotted-decimal notation). Each 32-bit IP address consists of two sub-addresses, one identifying the network and the other identifying the host on that network, with an imaginary boundary separating the two. The location of the boundary between the network and host portions of an IP address is determined by the subnet mask. A subnet mask is another 32-bit binary number that acts like a filter when it is applied to the 32-bit IP address. By comparing a subnet mask with an IP address, systems determine which portion of the IP address relates to the network and which portion relates to the host. Wherever the subnet mask has a bit set to "1", the underlying bit in the IP address is part of the network address. Wherever the subnet mask is set to "0", the related bit in the IP address is part of the host address.

Setting Up Interface IP Addresses
LinkProof performs routing between all the defined IP interfaces. Using the main Setup window, you can define the IP addresses for the LinkProof interfaces, assigning an IP address and IP network mask to each defined interface.

Routing
Routing is LinkProof's ability to forward IP packets to their destination using an IP routing table. The IP Routing Table stores information about the destinations and how they can be reached.
By default, all networks directly attached to LinkProof are registered in the IP Routing Table. Other entries can either be statically configured or dynamically created through a routing protocol.
• When LinkProof forwards an IP packet, the IP Routing Table is used to determine the next-hop IP address and the next-hop interface.
• For a direct delivery (the destination is a neighboring node), the next-hop MAC address is the destination MAC address of the IP packet.
• For an indirect delivery (the destination is not a neighboring node), the next-hop MAC address is the address of an IP router selected according to the IP Routing Table.
• The destination IP address does not change on the path from source to destination; only the destination MAC (Layer 2 information) is rewritten to move a packet across networks.
• The MAC of the destination host is applied once the packet arrives on the destination network.

Setting up the Routing Table
LinkProof supports IP routing compliant with the RFC 1812 router requirements. Dynamic addition and deletion of IP interfaces is supported, which ensures that extremely low latency is maintained. The IP router supports the RIP I, RIP II and OSPF routing protocols. OSPF is an intra-domain IP routing protocol intended to replace RIP in bigger or more complex networks. OSPF and its MIB are supported as specified in RFC 1583 and RFC 1850, with some limitations.
The LinkProof Routing Table allows you to configure routing and to define the default gateway.
To configure routing:
1. Double-click the LinkProof device icon. The Setup window appears.
2. In the Setup window, click Networking > Routing Table. The Routing Table window appears.
3. In the Routing Table window, click Add. The Edit Physical Route window appears.
4. In the Edit Physical Route window, set the following parameters according to the explanations provided:
Destination IP Address: Type the destination network to which the route is defined.
Network Mask: Type the network mask of the destination subnet.
Next Hop: Type the IP address of the next hop towards that destination subnet. The next hop must reside on a subnet that is local to the device.
If Num: Type the interface index number of the local interface or VLAN through which the next hop of this route is reached.
Metric: Define the number of hops to the destination network.
Type: Define the type of route:
• Remote (forwards packets)
• Reject (discards packets)
• Local (read-only)
5. Click Ok to apply the setup and to exit the window.
To configure a default gateway:
1. Follow steps 1-3 of To configure routing, page 79.
2. In the Edit Physical Route window (see step 3 above), type the relevant values for the Next Hop and If Num parameters. For the Destination IP Address and Network Mask parameters, use the default values (0.0.0.0).
3. Click Ok to apply the setup and to exit all windows.
Note: You can set a backup default gateway for LinkProof.

Routing Information Protocol
Routing Information Protocol (RIP) is a commonly used protocol for managing router information within a self-contained network such as a corporate local area network or an interconnected group of such LANs. RIP is classified by the Internet Engineering Task Force (IETF) as an Interior Gateway Protocol. RIP is intended for small homogeneous networks. Using RIP, a gateway host (with a router) sends its entire routing table, which lists all the other hosts it recognizes, to its closest neighbor host every 30 seconds. The neighbor host then passes the information on to its next available neighbor, and so on, until all hosts within the network have the same knowledge of routing paths; this is known as network convergence. RIP uses a hop count as its measure of network distance. Other protocols use more sophisticated metrics, including timing.
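The subnet-mask split from IP Addressing and the routing-table behaviour from Routing (directly attached networks registered as Local routes, a Remote route's next hop required to be on a local subnet, Reject routes that discard, the default gateway expressed as destination 0.0.0.0 mask 0.0.0.0, a backup default gateway, and direct versus indirect delivery with the destination IP left unchanged) are modelled together in the following added example. It is written for this page and is not LinkProof code; the interface and route addresses are constructed from the multihoming figures later in this chapter, and the tie-break rule (longest prefix, then lowest metric) is this example's assumption, which is how the backup default gateway is ranked below the primary.

```python
import ipaddress


def split_address(ip, mask):
    """Apply a subnet mask: bits under a '1' in the mask form the network part, bits under
    a '0' form the host part. Returns (network_part, host_part) in dotted notation."""
    ip_int = int(ipaddress.ip_address(ip))
    mask_int = int(ipaddress.ip_address(mask))
    network = ipaddress.ip_address(ip_int & mask_int)
    host = ipaddress.ip_address(ip_int & (~mask_int & 0xFFFFFFFF))
    return str(network), str(host)


class Route:
    """One Edit Physical Route entry: destination/mask, next hop, interface index, metric, type."""

    TYPES = ("Remote", "Reject", "Local")

    def __init__(self, dest, mask, next_hop, if_num, metric, rtype):
        if rtype not in self.TYPES:
            raise ValueError(f"unknown route type {rtype}")
        self.network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        self.next_hop = next_hop
        self.if_num = if_num
        self.metric = metric
        self.rtype = rtype


class RoutingTable:
    def __init__(self, interfaces):
        """interfaces: {if_num: (address, mask)}. Each directly attached network is registered
        automatically as a read-only Local route."""
        self.interfaces = {n: ipaddress.ip_interface(f"{a}/{m}") for n, (a, m) in interfaces.items()}
        self.routes = []
        for n, iface in self.interfaces.items():
            net = iface.network
            self.routes.append(Route(str(net.network_address), str(net.netmask), str(iface.ip), n, 0, "Local"))

    def add(self, dest, mask, next_hop, if_num, metric=1, rtype="Remote"):
        """Static route. A Remote route's next hop must sit on the subnet of the interface it uses."""
        if if_num not in self.interfaces:
            raise ValueError(f"unknown interface index {if_num}")
        if rtype == "Remote" and ipaddress.ip_address(next_hop) not in self.interfaces[if_num].network:
            raise ValueError(f"next hop {next_hop} is not on the local subnet of interface {if_num}")
        self.routes.append(Route(dest, mask, next_hop, if_num, metric, rtype))

    def add_default_gateway(self, next_hop, if_num, metric=1):
        """Default gateway: destination 0.0.0.0, mask 0.0.0.0. A second entry with a higher
        metric acts as the backup default gateway (ranking by metric is this example's rule)."""
        self.add("0.0.0.0", "0.0.0.0", next_hop, if_num, metric, "Remote")

    def lookup(self, dst_ip):
        """Longest-prefix match, lowest metric on ties; returns the forwarding decision."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for r in self.routes:
            if dst not in r.network:
                continue
            if best is None or (r.network.prefixlen, -r.metric) > (best.network.prefixlen, -best.metric):
                best = r
        if best is None:
            return {"action": "no-route"}
        if best.rtype == "Reject":
            return {"action": "discard", "route": str(best.network)}
        if best.rtype == "Local":
            # Direct delivery: the destination is a neighbour, so the frame carries the destination's own MAC.
            return {"action": "direct", "next_hop": str(dst), "if_num": best.if_num}
        # Indirect delivery: the IP header is untouched; only the frame is addressed to the router.
        return {"action": "indirect", "next_hop": best.next_hop, "if_num": best.if_num, "metric": best.metric}


def build_example_table():
    """Constructed from the multihoming figures: local LAN 10.1.1.x behind LinkProof, two ISP links."""
    rt = RoutingTable({1: ("10.1.1.1", "255.255.255.0"),
                       2: ("100.1.1.1", "255.255.255.0"),
                       3: ("200.1.1.1", "255.255.255.0")})
    rt.add_default_gateway("100.1.1.20", 2, metric=1)            # primary default gateway via NHR 1
    rt.add_default_gateway("200.1.1.20", 3, metric=2)            # backup default gateway via NHR 2
    rt.add("10.2.0.0", "255.255.0.0", "10.1.1.254", 1)           # branch network behind an internal router
    rt.add("192.168.0.0", "255.255.0.0", "0.0.0.0", 1, rtype="Reject")  # never forward these
    return rt


if __name__ == "__main__":
    print(split_address("192.168.1.20", "255.255.255.0"))
    table = build_example_table()
    for dst in ("10.1.1.80", "8.8.8.8", "10.2.3.4", "192.168.5.5"):
        print(dst, table.lookup(dst))
```

The Reject route is worth keeping in mind when reviewing a LinkProof configuration: it is the only table entry type that drops traffic, so a stray Reject covering a customer prefix looks like a link outage until someone reads the routing table rather than the link health checks.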
Each host with a router in the network uses the routing table information to determine the next host to which to route a packet for a specified destination. LinkProof supports RIP version 1 and RIP version 2.
The RIP protocol is configured from the LinkProof RIP Parameters window.
To view the LinkProof RIP Parameters window:
1. From the Setup window, select Networking > RIP. The RIP Parameters window appears, which contains the following protocol options:
Leak OSPF Routes (checkbox): Controls redistribution of routes from OSPF to RIP. When this parameter is enabled, all routes learned through OSPF are advertised into RIP.
Leak Static Routes (checkbox): Controls redistribution of static routes to RIP. When this parameter is enabled, the static routes defined in the Routing Table are advertised into RIP.
2. Select the RIP parameter and click Edit. The RIP Parameters window appears.
3. From the RIP Parameters window, set the following parameters according to the explanations provided:
IP Address: Type the IP address of the current interface.
Outgoing RIP: Define the type of RIP updates to be sent:
• RIP version 1: Sending RIP updates compliant with RFC 1058.
• RIP version 2: Multicasting RIP-2 updates.
• Do Not Send: No RIP updates are sent.
Incoming RIP: Define the type of RIP updates to be received:
• RIP 1: Accepting RIP 1.
• RIP 2: Accepting RIP 2.
• Do Not Receive: No RIP updates are accepted.
Default Metric: Metric for the default route entry in RIP updates originated on this interface. 0 (zero) indicates that no default route is originated; in this case, a default route through another router may be propagated.
Virtual Distance: Define the virtual number of hops assigned to the interface. This enables fine-tuning of the RIP routing algorithm.
Status: Define the status of RIP in the router.
Auto Send: Enable this option to minimize network traffic when LinkProof is the only router on the network.
Note: When Auto Send is enabled, the device advertises RIP messages with the default metric only. This allows stations to learn the default router address. If the device detects another RIP message, Auto Send is disabled.
4. Click Ok to apply the configuration and to exit all windows.

Open Shortest Path First
Open Shortest Path First (OSPF) is an interior gateway routing protocol developed for IP networks and based on the shortest path first, or link-state, algorithm. Routers use link-state algorithms to send routing information to all nodes in a network, each node calculating the shortest path to every other node from the network topology it has constructed. After sending the routing information, each router sends the portion of the routing table that describes the state of its own links (keeping track of routes to particular network destinations), as well as the complete routing structure (topology). Shortest path first algorithms allow more frequent updates.
Note: Shortest path first algorithms require a lot of CPU power and memory.
With OSPF, you can build a more stable network, since fast convergence prevents problems such as routing loops and Count-to-Infinity (when routers continuously increment the hop count to a particular network).
The OSPF protocol is configured from the LinkProof OSPF window.
To view the OSPF window:
1. Double-click the LinkProof device icon. The Setup window appears.
2. In the Setup window, click Networking > OSPF. The OSPF window appears.

Chapter 4 - Basic Application Switching
This chapter introduces farm management and guides you through farm-related features. It also provides examples of common configurations of application switching and load balancing schemes.
This chapter includes the following sections:
• LinkProof Multihoming Overview, page 83
• Cluster Support, page 86
• Farm Management, page 88
• Server Management, page 100
• Network Address Translation, page 105
• Proximity, page 115
• DNS, page 118
• Basic Load Balancing, page 123
• Flow Management, page 146
• VPN Load Balancing, page 154
• Client Table, page 159

LinkProof Multihoming Overview
This section explains how LinkProof manages all links across multihomed networks. LinkProof is an intelligent application switch that manages all links across multi-homed networks, providing full link availability, highest link performance and complete link security for uninterrupted user access to web-enabled applications, and cost-effective connectivity at main offices and data centers.
Load balancing of outbound and inbound traffic must be addressed separately, as each type poses a different set of difficulties; LinkProof therefore uses a different implementation for each type of traffic.

Outbound Traffic
Outbound traffic is traffic initiated from the local network to a remote destination over the WAN. LinkProof load balances outbound traffic based on the availability and performance of the available links, while managing the IP address ranges assigned to the network by the various ISPs.
Figure 3 - Multihoming Outbound Traffic (local network 10.1.1.x; LinkProof interfaces 100.1.1.1 and 200.1.1.1; NHR 1 at 100.1.1.20 with NAT via NHR1; NHR 2 at 200.1.1.20 with NAT via NHR2)
Figure 3 - Multihoming Outbound Traffic, page 84 displays a scenario where a user on the local network (IP 10.1.1.80, for example) sends an outbound HTTP request to the Internet. The traffic is processed as follows:
1. The new user session reaches LinkProof and activates the load balancing mechanism.
2. LinkProof classifies the traffic according to the configured routing policies (flow policies) to select the group of WAN links (Router farm) to be used for this traffic.
3. LinkProof selects an outbound link for this traffic from the Router farm chosen in step 2, based on:
— link availability, measured according to user-defined criteria (health checks)
— link metrics, measured according to user-defined criteria (traffic amount, proximity, cost)
4. Once the load balancing decision is reached, it is recorded in the LinkProof tables (Client Table) for use on the rest of the session traffic.
5. Before forwarding the traffic to the selected link, the source IP address and TCP/UDP port are replaced by a NAT address allocated by the selected ISP and a new TCP/UDP port (for example, src=10.1.1.80 is replaced by src=200.1.1.21).
6. The reply from the Internet Web server arrives via the same link, because it is addressed to the NAT IP (dst=200.1.1.21).
7. LinkProof translates the destination IP from the NAT IP (200.1.1.21) back to the user IP (10.1.1.80) and forwards the reply to the user.
8. LinkProof ensures that subsequent packets from the user belonging to the same session use the same WAN link, as recorded in the Client Table, to ensure persistency.

Inbound Traffic
Inbound traffic is traffic initiated by an external user to a service provided by the local network, such as a Web server. LinkProof load balances inbound traffic based on the availability and performance of the available links and gives the external user access via the best performing link. This is implemented by configuring LinkProof as an authoritative name server. When the external client makes a DNS request, LinkProof responds with the IP address allocated to the internal service via the best available WAN link (ISP).
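The outbound sequence above (link selection by health check and metric, Dynamic NAT of source address and port, the Client Table entry that pins the rest of the session to the same link, and the reverse translation of the reply) and the inbound mechanism just described (authoritative DNS answer naming the Static NAT address of the best available link, then destination rewrite to the internal server) are simulated in the following added example. It is written for this page and is not LinkProof code: link names, the Multihomer class, the sequential NAT port allocation and the "lowest cost, then least traffic" metric are this example's assumptions, and the Static NAT addresses for 10.1.1.50 are shifted to .22 so they do not collide with the Dynamic NAT addresses the guide uses in the outbound example.

```python
import itertools


class WanLink:
    """One logical router server in the Router farm: the ISP's NHR, the Dynamic NAT address
    that ISP assigned to us, and the link's health and metric state."""

    def __init__(self, name, nhr_ip, nat_ip, healthy=True, cost=1):
        self.name = name
        self.nhr_ip = nhr_ip
        self.nat_ip = nat_ip
        self.healthy = healthy        # outcome of the link health check
        self.cost = cost              # user-defined metric (cost, proximity, ...)
        self.bytes_forwarded = 0      # traffic-amount metric


class Multihomer:
    def __init__(self, links, static_nat):
        self.links = links                  # the Router farm
        self.static_nat = static_nat        # Static NAT: {internal_ip: {link_name: public_ip}}
        self.client_table = {}              # (src_ip, src_port, dst_ip, dst_port) -> (link, nat_port)
        self.reverse_nat = {}               # (nat_ip, nat_port) -> (src_ip, src_port, link)
        self._nat_ports = itertools.count(10000)   # assumption: NAT ports handed out sequentially

    def select_link(self):
        """Availability first (health check), then the metric: lowest cost, then least traffic."""
        available = [link for link in self.links if link.healthy]
        if not available:
            raise RuntimeError("no WAN link passed its health check")
        return min(available, key=lambda link: (link.cost, link.bytes_forwarded))

    def outbound(self, src_ip, src_port, dst_ip, dst_port, size=0):
        """Steps 2-5 and 8: a new session picks a link and a NAT address/port; later packets
        of the same session reuse the Client Table entry, which keeps them on that link."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.client_table:
            link = self.select_link()
            nat_port = next(self._nat_ports)
            self.client_table[key] = (link, nat_port)
            self.reverse_nat[(link.nat_ip, nat_port)] = (src_ip, src_port, link)
        link, nat_port = self.client_table[key]
        link.bytes_forwarded += size
        return {"via": link.name, "src": (link.nat_ip, nat_port), "dst": (dst_ip, dst_port)}

    def outbound_reply(self, remote_ip, remote_port, nat_ip, nat_port):
        """Steps 6-7: the reply arrives on the NAT IP; translate it back to the user.
        Unknown NAT tuples are dropped rather than guessed, so stray packets cannot reach a LAN host."""
        entry = self.reverse_nat.get((nat_ip, nat_port))
        if entry is None:
            return None
        src_ip, src_port, link = entry
        return {"via": link.name, "src": (remote_ip, remote_port), "dst": (src_ip, src_port)}

    def dns_answer(self, internal_ip):
        """Inbound, as authoritative name server: answer with the public IP of the best available link."""
        link = self.select_link()
        return self.static_nat[internal_ip][link.name]

    def inbound(self, public_ip):
        """Inbound request to a Static NAT address: rewrite to the internal server and note the link,
        because the reply must leave through the same link with the public IP as source."""
        for internal_ip, per_link in self.static_nat.items():
            for link_name, pub in per_link.items():
                if pub == public_ip:
                    return {"via": link_name, "dst": internal_ip, "reply_src": public_ip}
        return None


def build_figure_setup():
    """Constructed from Figures 3 and 4: two ISPs, local user 10.1.1.80, web server 10.1.1.50."""
    isp1 = WanLink("ISP1", nhr_ip="100.1.1.20", nat_ip="100.1.1.21")
    isp2 = WanLink("ISP2", nhr_ip="200.1.1.20", nat_ip="200.1.1.21")
    static_nat = {"10.1.1.50": {"ISP1": "100.1.1.22", "ISP2": "200.1.1.22"}}
    return Multihomer([isp1, isp2], static_nat)


if __name__ == "__main__":
    lp = build_figure_setup()
    print(lp.outbound("10.1.1.80", 40000, "1.2.3.4", 80, size=500))
    print(lp.outbound_reply("1.2.3.4", 80, "100.1.1.21", 10000))
    print(lp.dns_answer("10.1.1.50"), lp.inbound("200.1.1.22"))
```

Two properties are worth checking on a real device the same way the test does here: a session must stay on its first link even after the metric would now prefer the other one, and a reply to a NAT tuple with no Client Table entry must not be forwarded anywhere.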
Figure 4 - Multihoming Inbound Traffic (www.radware.com hosted on internal server 10.1.1.50; LinkProof interfaces 100.1.1.10 and 200.1.1.10; NHR 1 at 100.1.1.20 and NHR 2 at 200.1.1.20, each with a NAT address for 10.1.1.50)
Figure 4 - Multihoming Inbound Traffic, page 85 shows a scenario where an external user sends a request to www.radware.com, which is hosted by internal server 10.1.1.50 and represented externally by 100.1.1.21 via ISP1 and by 200.1.1.21 via ISP2. The traffic is processed as follows:
1. The external user sends a DNS query, which is forwarded by DNS servers to LinkProof.
2. If this is a domain name for which LinkProof is the authoritative server, LinkProof classifies the traffic according to the configured routing policies (flow policies) to select the group of WAN links (Router farm) to be used for this traffic.
3. LinkProof selects an inbound link for this traffic from the Router farm chosen in step 2, based on:
— link availability, measured according to user-defined criteria (health checks)
— link metrics, measured according to user-defined criteria (traffic amount, proximity, cost)
4. Once the load balancing decision is reached, it is recorded in the LinkProof tables (Client Table) for use on the rest of the session traffic.
5. A DNS response is sent back to the external user with the IP that represents the internal server via the selected link (ISP), for example 100.1.1.21.
6. The external user sends an HTTP request to 100.1.1.21. LinkProof replaces the destination IP address with the internal server address (10.1.1.50 in our case).
7. The reply from the internal server is forwarded via the same link on which the request arrived, to ensure persistency, after the source IP (10.1.1.50) is replaced by the NAT IP (100.1.1.21).

Multihoming Configuration Summary
The following configuration guidelines detail the steps required to configure a basic multihoming solution in LinkProof.
To configure multihoming:
1. Configure the networking definitions (IP interfaces, VLANs, routing).
2. Configure WAN link load balancing:
— Add a Router Farm, see To configure farms, page 89.
— Add Logical Router Servers, see To configure farm servers, page 102.
— Define health checks, see Health Check, page 6.
— Define flows and flow policies, if routing policies are required, see To configure a Flow Policy, page 148.
3. Configure outbound NAT (called Dynamic NAT in LinkProof) to define, for each Router (WAN link), the NAT addresses to be used when forwarding, see Dynamic NAT, page 107.
4. Configure inbound traffic load balancing (if required):
a. Configure Static NAT to define, for each internal server that must be accessible from the external network, the IP address that represents it via each Router (WAN link), see Static NAT, page 108.
b. Map the URLs for which LinkProof is the authoritative server to the internal server IP addresses, see Mapping URLs to local IP Addresses, page 119.

Cluster Support
In some configurations, the routers or firewalls that are load balanced by LinkProof are actually a cluster of servers. Examples of such configurations are:
• VRRP or HSRP router or firewall clusters
• Private firewall clusters
• WOC devices between LinkProof and the NHR (this is not a cluster, but the behavior of the MAC addresses is the same)
Note: This feature is currently only supported in WBM and CLI.
Potential issues when not using Cluster Support
In these configurations, outside traffic going to a LinkProof server that is connected to a cluster is correctly forwarded to the MAC address received in response to an ARP for that server's IP address. Traffic coming from the cluster, however, usually carries as its source MAC the address of the physical server in the cluster that forwarded the traffic, not the cluster server's address, so the traffic may be incorrectly redirected. This problem is illustrated in the following figure:
In this example, two NHRs are defined on the LinkProof device: NHRA, which is a cluster, and NHRB. LinkProof recognizes MAC A as the MAC address of NHRA (it was discovered via ARP messages to IP A), but when traffic comes from NHRA, its source MAC is MAC 11, MAC 22 or MAC 33, depending on which physical router processed the traffic.
Resolution of cluster traffic issues with Cluster Support
The Cluster Support feature enables you to configure how traffic going through clusters is handled. This is done by associating additional addresses with an NHR cluster server, so that traffic from a physical server within the cluster is recognized as coming from that NHR. You create an entry in the Cluster Servers Table that includes the NHR cluster IP address and either an additional IP address or a MAC address associated with the cluster server. In the example in the figure above, using the Cluster Support feature you can configure MAC 11, MAC 22 and MAC 33 to be associated with server NHRA, enabling the device to recognize traffic with these source MAC addresses as traffic from server NHRA.
When LinkProof forwards traffic to the cluster server, it uses the destination MAC address that was discovered via an ARP to the logical server IP address (MAC A in the example). Traffic coming from the cluster, however, is attributed to the cluster server if its source MAC address, or the IP address that resolves to that MAC, is statically configured as belonging to this server.
To add a new Cluster Servers Table entry using WBM:
1. From the LinkProof menu, select LinkProof > Servers > Cluster Servers Table. The Cluster Servers Table window appears.
2. Click Create. The Cluster Servers Table Create window appears.
3. For each NHR cluster server address, set either an additional IP address or a MAC address, but not both.
4. Click Set.
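The attribution rule just described (forward to the MAC learned by ARP for the logical server IP; attribute return traffic by the source MAC, either configured statically or learned by ARP for an additional IP; one of IP or MAC per entry, never both) is shown in the following added example, which is written for this page and is not LinkProof code. The class name, the normalised-MAC convention and the sample MAC and IP values are constructed; the "unset" sentinels 0.0.0.0 and 000000000000 are the ones the CLI procedure below uses.

```python
class ClusterServersTable:
    """Cluster Servers Table: the NHR cluster's IP plus either an additional IP or a MAC,
    never both. Unset fields are expressed as 0.0.0.0 and 000000000000, as on the CLI."""

    NO_IP = "0.0.0.0"
    NO_MAC = "000000000000"

    def __init__(self):
        self.entries = []   # (cluster_ip, extra_ip, mac)

    @staticmethod
    def norm_mac(mac):
        """Compare MACs in one canonical form regardless of how they were typed."""
        return mac.replace(":", "").replace("-", "").lower()

    def add(self, cluster_ip, extra_ip=NO_IP, mac=NO_MAC):
        mac = self.norm_mac(mac)
        has_ip = extra_ip != self.NO_IP
        has_mac = mac != self.NO_MAC
        if has_ip == has_mac:
            raise ValueError("set either an additional IP or a MAC address, not both")
        if has_mac and (len(mac) != 12 or any(c not in "0123456789abcdef" for c in mac)):
            raise ValueError(f"malformed MAC {mac}")
        self.entries.append((cluster_ip, extra_ip, mac))

    def classify_source(self, src_mac, server_macs, arp_cache):
        """Which logical NHR did a frame with this source MAC come from?
        server_macs: {nhr_ip: MAC learned by ARP to the logical server IP} (MAC A in the figure).
        arp_cache:   {ip: MAC} learned by ARP for the additional IPs configured in this table,
                     which is how HSRP members are matched without hard-coding their MACs."""
        src_mac = self.norm_mac(src_mac)
        # Non-cluster servers, and clusters whose virtual MAC answers: the learned MAC matches directly.
        for nhr_ip, mac in server_macs.items():
            if self.norm_mac(mac) == src_mac:
                return nhr_ip
        # Cluster members: static MAC (VRRP member, WOC) or MAC resolved from a configured IP (HSRP member).
        for cluster_ip, extra_ip, mac in self.entries:
            if mac != self.NO_MAC and mac == src_mac:
                return cluster_ip
            if extra_ip != self.NO_IP and self.norm_mac(arp_cache.get(extra_ip, "")) == src_mac:
                return cluster_ip
        return None   # unknown source: without Cluster Support this is the misattributed case


if __name__ == "__main__":
    table = ClusterServersTable()
    table.add("100.1.1.20", extra_ip="100.1.1.21")        # HSRP member, MAC learned via ARP
    table.add("100.1.1.20", mac="00:33:33:33:33:33")       # member with a statically configured MAC
    learned = {"100.1.1.20": "00:aa:aa:aa:aa:aa", "200.1.1.20": "00:bb:bb:bb:bb:bb"}
    arp = {"100.1.1.21": "00:11:11:11:11:11"}
    for mac in ("00:11:11:11:11:11", "00:33:33:33:33:33", "00:bb:bb:bb:bb:bb", "00:ee:ee:ee:ee:ee"):
        print(mac, "->", table.classify_source(mac, learned, arp))
```

The empty-table case in the test is the failure mode the section opens with: a frame from a physical cluster member is not recognised as NHRA's at all, which is what leads to it being redirected incorrectly.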
To add a new Cluster Servers Table entry using CLI:
From the CLI window, type the following command: lp servers cluster-servers
To configure a cluster server using an IP address, the MAC address must be set to 000000000000. To configure a cluster server using a MAC address, the IP address must be set to 0.0.0.0.
Notes:
i. In many cases you may not need to load balance traffic to the cluster, but rather to perform NAT on the traffic to and from the cluster. In this case the cluster needs to be configured as a LinkProof server (NHR or firewall).
ii. The LinkProof server IP should be the Virtual IP of the cluster or, in the case of WOC devices, the IP of the router beyond the WOC device.
iii. For HSRP clusters, where the Virtual IP cannot be the IP of any of the cluster servers, you can configure the IPs of the cluster servers so that their MAC addresses are discovered via ARP. This allows you to replace a server in a cluster without changing the LinkProof configuration (if the new server has the same IP as the old one).
iv. For VRRP clusters, where the Virtual IP is usually the IP of one of the cluster servers, you can statically configure the MAC addresses of the cluster servers.
v. For WOC devices, you need to statically configure the MAC address of the WOC device.

Farm Management
This section explains how LinkProof incorporates Farm Management into the network configuration. This section includes the following topics:
• Farm Concept, page 88
• Farm Load Balancing, page 89
• Router Farm Load Balancing, page 94
• Firewall Farm Load Balancing, page 95
• Default Farm, page 99
• Farm Connectivity Checks, page 99

Farm Concept
LinkProof works with server farms rather than with individual servers. Utilizing multiple servers organized in a farm eliminates downtime, accelerates the service response time and improves the overall performance. A LinkProof farm is a group of network servers that provide the same service.
Servers contained in a server farm can belong to different vendors or have different capacities. The differences between the servers within a farm are transparent to the users. Provided all the servers within a group provide the same service managed by the LinkProof device, the group can be defined as a LinkProof server farm. When a new packet arrives that must be redirected to a certain farm, LinkProof selects the best server (according to user-defined criteria) from the servers available. In this manner LinkProof optimizes server operation and improves the overall quality of service.
LinkProof supports the following types of farms (services):
• Routers (access routers to the WAN)
• Firewalls / VPN gateways
A farm definition includes traffic redirection functions such as the load balancing scheme, client-server persistency, connectivity check methods and more.
To configure farms:
1. From the main window, double-click the LinkProof device icon. The Connect LP to Device window appears.
2. In the Connect LP to Device window, type the device's IP address and click Ok.
3. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
4. In the Traffic Redirection window, click the Farms tab. The Farms pane appears.
5. From the Farms pane, click Add. The Edit LinkProof Farms window appears, where you can set the parameters of the farm.

Farm Load Balancing
Load balancing between the servers of a farm is determined by a number of parameters. The most important are the Dispatch Method, which defines how to select a server from the farm, and Persistency, which defines when to select a new server. These parameters, together with the Client Aging Time, are required for all the types of farms supported by LinkProof.
Additional parameters are relevant to each specific type of farm and are explained within the relevant sections.
To configure farm load balancing:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, click Farms. The Farms pane appears.
3. From the Farms pane, select an existing farm or click Add to create a new farm. The Edit LinkProof Farms window appears.
4. From the Edit LinkProof Farms window, select Traffic Settings. Configure the load balancing parameters according to your requirements.

Dispatch Methods
LinkProof receives requests for service from clients and decides to which server to direct each request. During this process, LinkProof finds the best server to provide the requested service. The Dispatch Method defines the criteria by which LinkProof selects the best server in the farm. Dispatch Methods apply only to new sessions; existing sessions are handled by the Client Table. You define the Dispatch Method during LinkProof farm configuration, according to the farm characteristics and the users' needs. The criteria may vary for different applications. For example, the number of users is a significant factor for a Web farm, while the amount of traffic can be more important for an FTP farm.
The following Dispatch Methods are available on LinkProof:
• Cyclic, page 90
• Fewest Number of Users, page 90
• Fewest Number of Local Users, page 90
• Least Amount of Traffic, page 90
• Least Amount of Local Traffic, page 90
• Least Number of Bytes, page 90
• Least Number of Local Bytes, page 91
• Response Time, page 91
• Hashing, page 91
• NT-1 and NT-2, page 91
• Private-1 and Private-2, page 92
• Customized Hash, page 93

Cyclic
With the Cyclic Dispatch Method, LinkProof forwards the traffic to each server in turn, in a round-robin fashion.
Fewest Number of Users
With the Fewest Number of Users Dispatch Method, LinkProof directs new requests for service to the server with the fewest sessions at that given time.

Fewest Number of Local Users
The Fewest Number of Local Users Dispatch Method can be used when the same servers participate in multiple farms. When this method is selected, LinkProof looks for the server with the fewest users only within the farm that is currently addressed by the client. Traffic of other farms is not considered. For example, Server 1 and Server 2 can provide service A and service B. These servers are used as part of Farm A to provide service A and as part of Farm B to provide service B. When the client's request for service A is sent to Farm A, which uses this Dispatch Method, LinkProof looks for the server with the fewest requests for service A. The requests for service B that exist on the same servers are not considered.
Note: The number of sessions is defined by the active Client Table entries for this server.

Least Amount of Traffic
With the Least Amount of Traffic Dispatch Method, LinkProof directs new requests for service to the server with the least amount of traffic at that given time. The amount of traffic is defined as packets per second (pps) from LinkProof to the server and from the server to LinkProof, as recorded in LinkProof's Client Table for all traffic forwarded to that server.

Least Amount of Local Traffic
The Least Amount of Local Traffic Dispatch Method can be used when the same servers participate in multiple farms. When this method is selected, LinkProof looks for the server with the least amount of traffic only within the farm that is currently addressed by the client. Traffic of other farms is not considered. For example, Server 1 and Server 2 provide service A and service B, and are used as part of Farm A to provide service A and as part of Farm B to provide service B. When the client's request for service A is sent to Farm A, which uses this Dispatch Method, LinkProof considers only the traffic related to service A; the traffic related to service B on the same servers is not considered. LinkProof looks for the server with the least amount of traffic related to service A and forwards the client's request to that server.

Least Number of Bytes
With the Least Number of Bytes Dispatch Method, LinkProof directs new requests for service to the server with the least amount of traffic in bytes at that given time. The amount of traffic is defined as bytes from LinkProof to the server and from the server to LinkProof, as recorded in LinkProof's Client Table for all traffic forwarded to that server.

Least Number of Local Bytes
The Least Number of Local Bytes Dispatch Method can be used when the same servers participate in multiple farms. When this method is selected, LinkProof looks for the server with the least amount of traffic only within the farm that is currently addressed by the client. Traffic of other farms is not considered. For example, Server 1 and Server 2 provide service A and service B, and are used as part of Farm A to provide service A and as part of Farm B to provide service B. When the client's request for service A is sent to Farm A, which uses this Dispatch Method, LinkProof considers only the traffic related to service A; the traffic related to service B on the same servers is not considered. LinkProof looks for the server with the least amount of traffic related to service A and forwards the client's request to that server.

Response Time
The Response Time Dispatch Method allows LinkProof to select the fastest server in the farm. When this method is used, the load balancing process chooses the least loaded server as calculated from the Response Level measured by the Health Monitoring module.
The Health Monitoring module enables users to track the round trip time of health checks. The device keeps a Response Level indicator for each check. The Response Level is the average ratio between the actual response time and the configured Time-out. This average is calculated over a number of samples as defined by the Response Level Samples parameter. A value of 0 in the Response Level Samples parameter disables the parameter; any other value between 1 and 9 defines the number of samples. The Response Level Samples parameter can be used in health checks in which the Measure Response Time parameter is enabled.
Response Time Dispatch Method configuration guidelines:
1. Set health checks for the servers in the farm. In the health check settings, enable the Measure Response Time parameter for each health check.
2. Enable the Health Monitoring module for this farm, see Health Monitoring, page 353.
3. Set the Dispatch Method in the farm to Response Time.
4. Set the Response Level Samples parameter.

Hashing
When the Hashing Dispatch Method is applied, LinkProof selects a server for a session using a hash function. This is a static method, where the server is chosen purely from the session information. The input to the hash function is the source and destination IP addresses. The source and destination ports can also be taken into consideration if the Port Hashing parameter is enabled and the Client Table mode is Full Layer 4, see Port Hashing, page 165. This method is symmetric, meaning that it produces the same output when the source and destination addresses are swapped; for example, a packet from A to B results in the same hash output (i.e., server) as the reply packet from B to A.

NT-1 and NT-2
When the NT-1 or NT-2 Dispatch Method is selected, LinkProof queries the farm servers for Windows NT SNMP statistics. LinkProof forwards the farm's clients to the least busy server according to the servers' reported statistics.
You can select from a list of statistics. The parameters are considered according to the weights that you define in the first Windows NT weights scheme for NT-1, and in the second Windows NT weights scheme for NT-2.

To configure NT-1 and NT-2 Dispatch Methods:

1. From the Farm Traffic Settings tab (Farm Load Balancing, page 89), set the Dispatch Method of the farm to NT-1 or NT-2.
   a. Click Load Balancing. The LinkProof Load Balancing Algorithms window appears.
   b. In the LinkProof Load Balancing Algorithms window, select Windows NT. The Windows NT pane appears.
   c. In the Windows NT pane, set the following parameters according to the explanations provided:
      Scheme: The scheme to be used, either NT-1 or NT-2.
      Check Period: The time interval between queries for the frequently updated parameters (number of open sessions, amount of traffic).
      Open Sessions Weight: The relational weight for considering the number of active sessions on the server.
      Incoming Traffic Weight: The relational weight for considering the amount of traffic coming to the server.
      Outgoing Traffic Weight: The relational weight for considering the amount of traffic going out of the server.
      Regular Check Period: The time interval between queries for the other, less dynamic parameters (average response time, limits on users and TCP connections).
      Response Weight: The relational weight for considering the average response time of the server.
      User Limit Weight: The relational weight for considering the limit on the number of logged-in users on the server.
      TCP Limit Weight: The relational weight for considering the limit on TCP connections to the server.
      Retries: Defines how many unanswered requests for a variable cause this variable to be ignored in the load balancing decision.
      NT Community: The community name to use when addressing the server.
   d. Click Ok to apply the configuration.
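The weighted "least busy" decision of the NT-1/NT-2 scheme, as an added example (not LinkProof code). The statistic names, the relational weights and the Retries rule are the ones in the parameter table above; the scoring rule (each statistic normalised against the busiest server, then weighted and summed), the direction table (which statistics mean "busier" when higher), the treatment of an ignored variable as dropped for the whole farm, and the poll values are assumptions made for this illustration.

```python
"""Least-busy selection in the style of the NT-1/NT-2 weights scheme.

Added example, not LinkProof code: statistic names, weights and the Retries
rule come from the parameter table; the scoring rule and direction table are
assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# True: a higher value means a busier server. False: a higher value means more
# capacity (the user / TCP limits). Assumed for the example, not stated in the guide.
BUSIER_WHEN_HIGHER = {
    "open_sessions": True, "incoming_traffic": True, "outgoing_traffic": True,
    "response_time": True, "user_limit": False, "tcp_limit": False,
}


@dataclass
class NtScheme:
    weights: Dict[str, float]   # relational weight per statistic (0 = not considered)
    retries: int = 3            # unanswered polls after which a variable is ignored


@dataclass
class NtServer:
    name: str
    last_value: Dict[str, float] = field(default_factory=dict)
    unanswered: Dict[str, int] = field(default_factory=dict)

    def record_poll(self, var: str, value: Optional[float]) -> None:
        """Store one SNMP poll result; None means the request went unanswered."""
        if value is None:
            self.unanswered[var] = self.unanswered.get(var, 0) + 1
        else:
            self.unanswered[var] = 0
            self.last_value[var] = value


def decision_vars(servers: List[NtServer], scheme: NtScheme) -> List[str]:
    """Variables that take part in the decision: weighted, answered by every
    server, and not unanswered `retries` times or more on any server (the
    Retries parameter; treated here as dropping the variable for the whole farm)."""
    usable = []
    for var, weight in scheme.weights.items():
        if weight <= 0:
            continue
        if all(var in s.last_value and s.unanswered.get(var, 0) < scheme.retries
               for s in servers):
            usable.append(var)
    return usable


def load_scores(servers: List[NtServer], scheme: NtScheme) -> Dict[str, float]:
    """Weighted load per server; a lower score means a less busy server."""
    scores = {s.name: 0.0 for s in servers}
    for var in decision_vars(servers, scheme):
        peak = max(s.last_value[var] for s in servers)
        if peak <= 0:
            continue                      # all servers report zero: nothing to compare
        for s in servers:
            share = s.last_value[var] / peak
            load = share if BUSIER_WHEN_HIGHER.get(var, True) else 1.0 - share
            scores[s.name] += scheme.weights[var] * load
    return scores


def least_busy(servers: List[NtServer], scheme: NtScheme) -> str:
    """Name of the server that receives the next client (ties broken by name)."""
    scores = load_scores(servers, scheme)
    return min(scores, key=lambda name: (scores[name], name))


def demo() -> str:
    """Constructed poll data for two farm servers (not real measurements)."""
    scheme = NtScheme(weights={"open_sessions": 2, "incoming_traffic": 1,
                               "outgoing_traffic": 1, "response_time": 1,
                               "user_limit": 0, "tcp_limit": 0}, retries=3)
    srv1, srv2 = NtServer("srv1"), NtServer("srv2")
    for var, v1, v2 in [("open_sessions", 80, 40), ("incoming_traffic", 500, 800),
                        ("outgoing_traffic", 300, 100), ("response_time", 20, 10)]:
        srv1.record_poll(var, v1)
        srv2.record_poll(var, v2)
    return least_busy([srv1, srv2], scheme)


if __name__ == "__main__":
    print(demo())
```

Dropping a variable for the whole farm, rather than only for the server that stopped answering, keeps the comparison fair: a server whose SNMP agent stops responding would otherwise look idle on that statistic and attract more clients.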
Private-1 and Private-2

When the Private-1 or the Private-2 Dispatch Method is selected, LinkProof queries the farm's servers for private SNMP parameters according to a predefined private weights scheme. The ratio of sessions on the servers is balanced according to the statistics. You need to define which MIB variables are queried and to set the private weights scheme. The parameters are considered according to the weights that you define in the first private weights scheme for Private-1 and in the second private weights scheme for Private-2.

To configure Private-1 and Private-2 Dispatch Methods:

1. From the Farm Traffic Settings pane, set the Dispatch Method of the farm to Private-1 or Private-2.
2. In the Traffic Settings pane, click Load Balancing. The Load Balancing Algorithms window appears.
3. In the LinkProof Load Balancing Algorithms dialog box, click the Private Parameters tab. The Private Parameters pane appears.
4. In the Private Parameters pane, set the following parameters according to the explanations provided:
   Scheme: The scheme to be used: Private1 or Private2.
   Special Check Period: The time interval between queries for the requested parameters.
   Retries: Defines how many unanswered requests for a variable cause this variable to be ignored in the load balancing decision.
   Community: The community name for addressing the server.
   Var1 Object ID: The SNMP ID of the first private variable to check.
   Var1 Mode: Whether to measure the percentage available or the percentage utilized of the first parameter:
   • Ascending: The value of the variable specified in Var1 Object ID represents the percentage still available.
   • Descending: The value of the variable specified in Var1 Object ID represents the percentage currently utilized.
   Weight (for Var1 Mode): The relational weight for considering the value of the first parameter.
   Var2 Object ID: The SNMP ID of the second private variable to check.
   Var2 Mode: Whether to measure the percentage available or the percentage utilized of the second parameter:
   • Ascending: The value of the variable specified in Var2 Object ID represents the percentage still available.
   • Descending: The value of the variable specified in Var2 Object ID represents the percentage currently utilized.
   Weight (for Var2 Mode): The relational weight for considering the value of the second parameter.
5. Click Ok. Your preferences are recorded.

Customized Hash

This is another variant of the Hashing Dispatch Method that offers a different server distribution. This method allows you to define the bits of the source and destination IP addresses that are used as input for the hash function. The mask used for this method can be configured using WBM (LinkProof > Global Configuration > Tweaks) or the CLI as follows:

lp global customized-hash-mask

The mask default is 0.0.0.255.

Persistency

Session persistency means making sure that all traffic related to a single application session arrives at the same server. LinkProof allows you to determine when a new server is selected for each farm, by allowing persistency mode configuration per farm. The default persistency mode is Layer 3. Persistency per farm can be kept according to any session identification parameter, or combination of them, that is lower than the Client Table mode (for example source IP or destination IP if the Client Table mode is Layer 3), or according to the Client Table mode.

Note: The Client Table mode cannot be changed if Persistency for any of the device farms is on a higher level than the new Client Table mode. For example, if the Client Table mode is set to Full Layer 4 and Persistency for any of the farms is set to Half Layer 4, the Client Table mode cannot be changed to Layer 3.

Client Aging Time

The Client Table tracks the sessions load balanced by the device to efficiently handle the flow of traffic between the clients and the servers, see Client Table Global Parameters, page 163.
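The Hashing and Customized Hash Dispatch Methods described above, as one added example (not LinkProof code): a symmetric hash over the masked source and destination addresses, with ports included only when Port Hashing is on. The symmetry property and the default mask 0.0.0.255 are taken from the text; the concrete hash function (SHA-256 truncated to 32 bits and reduced modulo the farm size), the way the two endpoints are sorted to obtain symmetry, and the sample addresses are assumptions of this example.

```python
"""Symmetric hash dispatch with a Customized Hash mask.

Added example, not LinkProof code. The inputs, the symmetry property and the
default mask 0.0.0.255 are from the guide; the hash function itself is an
assumption.
"""
import hashlib
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Optional, Sequence, Tuple

DEFAULT_MASK = "0.0.0.255"   # customized-hash-mask default from the guide


def _masked(ip: str, mask: str) -> int:
    """Keep only the address bits selected by the mask."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


def hash_key(src_ip: str, dst_ip: str, mask: str = DEFAULT_MASK,
             src_port: Optional[int] = None, dst_port: Optional[int] = None,
             port_hashing: bool = False) -> bytes:
    """Session key fed to the hash. The two endpoints are sorted, so A->B and
    B->A produce the same key (the symmetry the guide describes)."""
    ends = [(_masked(src_ip, mask), src_port or 0), (_masked(dst_ip, mask), dst_port or 0)]
    if not port_hashing:
        ends = [(ip, 0) for ip, _ in ends]     # ports ignored unless Port Hashing is enabled
    ends.sort()
    return b"".join(ip.to_bytes(4, "big") + port.to_bytes(2, "big") for ip, port in ends)


def hash_dispatch(servers: Sequence[str], src_ip: str, dst_ip: str, mask: str = DEFAULT_MASK,
                  src_port: Optional[int] = None, dst_port: Optional[int] = None,
                  port_hashing: bool = False) -> str:
    """Pick a server for the session purely from the session identifiers (static method)."""
    key = hash_key(src_ip, dst_ip, mask, src_port, dst_port, port_hashing)
    digest = hashlib.sha256(key).digest()      # hash function choice is an assumption
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


def distribution(servers: Sequence[str], flows: Iterable[Tuple[str, str]],
                 mask: str = DEFAULT_MASK) -> Dict[str, int]:
    """How many of the given (src, dst) flows land on each server."""
    return dict(Counter(hash_dispatch(servers, s, d, mask) for s, d in flows))


if __name__ == "__main__":
    farm = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    # Constructed flows: 254 clients in one /24 talking to a single destination.
    flows = [(f"192.0.2.{h}", "198.51.100.7") for h in range(1, 255)]
    print(distribution(farm, flows))                          # default mask 0.0.0.255
    print(distribution(farm, flows, mask="255.255.255.255"))  # all address bits
```

With the default mask only the low octet of each address reaches the hash, so every pair of hosts that share low octets (10.0.0.5 talking to 1.1.1.9 and 172.16.3.5 talking to 8.8.8.9) is placed on the same server; widening the mask changes which sessions share a server, which is the "different server distribution" the Customized Hash section refers to.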
The Client Aging Time parameter indicates the interval of time (in seconds) between the moment a Client Table entry becomes inactive and the moment this entry is removed from the Client Table. An entry is active as long as there is continuous traffic between the client and the server. For example: when the Aging Time value is 100 seconds, if no traffic is identified by an entry for 100 seconds, then the entry is removed from the Client Table. Every time an incoming or outgoing packet is identified by a Client Table entry, the Client Aging Time for this entry is reset. The default value for the Client Aging Time is 60 seconds.

Maximum Client Table Aging Time

The maximum Client Table Aging Time is the maximum value to which the aging time can be set. This is the time from when the last packet of an entry was identified by the LinkProof device to the time when the entry is removed from the Client Table.

Router Farm Load Balancing

The following router load balancing specific parameters are available in the router farm Traffic Settings:
• Packet Translation
• Basic NAT Fallback

Packet Translation

This parameter defines whether LinkProof must perform any address translation on packets that are forwarded to the farm, or received from the farm (on their way back to the source). The options are:
• None: No address translation required.
• NAT: Network address translation is required on packets going to the router farm and received from the farm. This option is the most common for router farms.
• Transform HTTP Requests - SSL: Enabling the SSL tag allows LinkProof to identify the origin of the traffic, whether HTTP or HTTPS.
• NAT & Virtual Tunneling: Regular or Virtual Tunneling network address translation is required on packets going to the router farm and received from the farm.
• VPN: Traffic to/from this farm must be encrypted/decrypted according to the configured VPN rules. If traffic forwarded to this farm does not match any VPN Rule, then the traffic is forwarded to the selected farm without any packet translation.

Note: This option is available only on LinkProof Branch devices with a VPN license.

Basic NAT Fallback

If LinkProof is configured to perform Network Address Translation for this farm using Basic NAT, it can occur that all NAT IP addresses available for Basic NAT have been allocated for the moment. You have the option to define what action LinkProof should take in such a case; the options are to use a Dynamic NAT IP, to use the local IP, or to discard the packets.

Router Tracking Table

The Router Tracking Table is used by the device to make sure that traffic destined to the device is always returned via the same router through which it arrived. For every session that arrives from one of the routers with the destination IP of the device, an entry is added to the Router Tracking Table with the identification of the session (source IP and source port), indicating the router the session arrived through. When the device sends a reply packet, the Router Tracking Table is used to find the router through which the reply packet should be sent.

Other than traffic with the destination IP of the device, there are other types of traffic for which entries are kept in the Router Tracking Table. This is required for traffic with a TTL lower than or equal to 1, for which the device should generate an ICMP error. No entries are added to the Router Tracking Table for traffic with a source IP that belongs to a router; the device immediately knows to which router such traffic is to be sent.

Router Tracking Table Aging

You can set how long an entry should remain in the Router Tracking Table when no traffic is matched to it.

To configure router tracking tables:

1.
From the main window, double-click the LinkProof device icon. The Setup window appears.
2. In the Setup window, select Global > Advanced Settings > Edit Settings. The Advanced Settings window appears.
3. In the Advanced Settings window, change the Router Tracking Table Aging Time and Router Tracking Table Size (in the Tuning area of the window) if required.
4. Click Ok to save the settings.

Firewall Farm Load Balancing

A firewall is basically a filtering application capable of stopping unwanted traffic to and from your network. The firewall's goal is to inspect and control all the traffic between the local network and the Internet. The traffic must be handled in such a way that all potentially "dangerous" traffic is detected, dropped and, if necessary, logged. What traffic is "dangerous" for the local network is determined by the security policy adopted for the site.

A single firewall is a single point of failure and can become a capacity bottleneck, causing an interruption in service when the firewall is busy or down. Organizations encounter numerous problems when installing multiple firewalls. First, different client groups must be configured, which is a time-consuming procedure. Furthermore, multiple points of failure are created with the addition of each firewall. Since the traffic load is not dynamically shared between units, the firewalls are not used optimally. Finally, to achieve fault tolerance and redundancy between firewalls, hot standby or idle units must be deployed on the network.

Since the firewall's task is to separate networks, firewall servers have at least two legs: one connected to the internal network and one connected to the external network (Internet). To provide scalability and reliability, the trick is to load balance the traffic on the inbound and outbound paths through these firewalls.
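The Router Tracking Table described under Router Farm Load Balancing above, as an added example (not LinkProof code). The entry key (source IP and source port), the rule that router-sourced traffic gets no entry, the TTL case and time-based aging are from the text; the explicit clock argument, the Table Size handling (a full table simply refuses new entries) and the sample addresses are constructed for this illustration.

```python
"""Router Tracking Table: replies to traffic addressed to the device go back
through the router the request arrived from, with entry aging.

Added example, not LinkProof code; clock, size handling and addresses are
constructed for illustration.
"""
from typing import Dict, Optional, Set, Tuple


class RouterTrackingTable:
    def __init__(self, router_ips: Set[str], device_ip: str,
                 aging_time: int = 60, size: int = 1000):
        self.router_ips = router_ips        # source IPs that belong to the routers themselves
        self.device_ip = device_ip
        self.aging_time = aging_time        # seconds an idle entry survives (Aging Time)
        self.size = size                    # Router Tracking Table Size
        # (source IP, source port) -> (router the session arrived through, last seen)
        self.entries: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def expire(self, now: int) -> int:
        """Drop entries idle for the aging time or longer; returns how many were dropped."""
        stale = [k for k, (_, seen) in self.entries.items() if now - seen >= self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def on_arrival(self, src: str, sport: int, dst: str, ttl: int,
                   via_router: str, now: int) -> bool:
        """Record the router a packet arrived through when the device itself will
        answer it (traffic addressed to the device, or TTL <= 1 which needs an ICMP
        error). Returns True when an entry was written or refreshed."""
        self.expire(now)
        if src in self.router_ips:
            return False                    # router-sourced: the return router is already known
        if dst != self.device_ip and ttl > 1:
            return False                    # forwarded traffic is tracked by the Client Table instead
        key = (src, sport)
        if key not in self.entries and len(self.entries) >= self.size:
            return False                    # table full: no new entry can be added
        self.entries[key] = (via_router, now)
        return True

    def reply_router(self, dst: str, dport: int, now: int) -> Optional[str]:
        """Router through which a reply to (dst, dport) must be sent, or None if unknown."""
        self.expire(now)
        if dst in self.router_ips:
            return dst                      # a reply to a router goes straight to that router
        entry = self.entries.get((dst, dport))
        return entry[0] if entry else None


if __name__ == "__main__":
    # Constructed topology: two router farm servers, one device management address.
    table = RouterTrackingTable({"10.0.0.1", "10.0.0.2"}, device_ip="10.0.0.100", aging_time=60)
    table.on_arrival("192.0.2.5", 40000, "10.0.0.100", ttl=64, via_router="10.0.0.1", now=0)
    print(table.reply_router("192.0.2.5", 40000, now=10))   # the reply leaves via 10.0.0.1
```

The point of the table is path symmetry: a reply that left through the other router would carry a source address the upstream stateful devices on that link never saw, so a forgotten or prematurely aged entry shows up as dropped management sessions rather than as an obvious error.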
Note: Firewall farms can be used to load balance firewall devices and any other devices that separate trusted and untrusted networks and have at least two separate physical interfaces (one for each subnet), such as VPN gateways.

The following firewall load balancing specific parameters are available from the Firewall Farm Traffic Settings:
• Packet Translation, page 96
• Basic NAT Fallback, page 96

Packet Translation

This parameter defines whether any address translation must be performed by LinkProof on packets that are forwarded to the farm, or received from the farm (on their way back to the source). The options include:
• None: No address translation required.
• NAT: Network address translation on packets is required when the firewalls do not perform NAT by themselves.
• VIP: Translation to a Virtual Address is required when working with proxy firewalls, or to provide access to internal servers via firewalls that perform NAT.

Basic NAT Fallback

If LinkProof is configured to perform Network Address Translation for this farm using Basic NAT, it may occur that all NAT IP addresses available for Basic NAT have been allocated for the moment. You have the option to define what action LinkProof should take in such a case; the options are to use a Dynamic NAT IP, to use the local IP, or to discard the packets.

Load Balancing for Firewalls

LinkProof can load balance all types of firewalls, including:
• Proxy Firewalls, page 96
• Transparent NAT Firewalls, page 97

Proxy Firewalls

To load balance proxy firewalls, LinkProof must provide a single IP address that represents the firewall farm to the clients. This IP address is called the Virtual IP (VIP), and this is the address that is configured as the proxy address in the client workstations. Clients send traffic to the VIP and LinkProof, once it has selected a firewall, replaces the packet's destination IP with the firewall's IP.
On the traffic returning from the proxy firewall to the client, LinkProof replaces the packet's source IP address (that is, the firewall server address) with the VIP address, see Proxy Firewall Configuration, page 97.

[Figure 5 - Proxy Firewall Configuration: the client (Client IP, CIP) sends CIP->VIP to LinkProof (Virtual IP, VIP), which forwards it as CIP->SIP1 to Server 1 IP; the reply CIP<-SIP1 from the server is returned to the client as CIP<-VIP. Server 2 IP is the second firewall in the farm.]

To configure proxy firewall farms:

1. From the Farm Traffic Settings pane, set the Packet Translation parameter to VIP.
2. Click Ok to return to the Traffic Redirection window.
3. In the Traffic Redirection window, select VIP. The VIP pane appears.
4. In the VIP pane, click Add. The Edit Virtual IP Address window appears.
5. In the Edit Virtual IP Address window, enter a Virtual IP address.
6. Click Add to define the firewall server IPs that are mapped to this VIP. The Edit Mapped IP window appears.
7. From the Edit Mapped IP window, select one of the firewall servers in this farm from the Server Address drop-down list. When the VIP is used to represent a proxy farm, the same server IP address must be entered in the NAT Address field as well.
8. Click Ok to apply your preferences and return to the Edit Virtual IP Address window.
9. Repeat this procedure (steps 6 through 8) for all firewall servers in the farm.

Transparent NAT Firewalls

In many cases the firewalls perform NAT for the internal clients. In such cases, if it is required to load balance outbound traffic only, there is no need for LinkProof to perform any translation on the packets. However, if inbound load balancing to internal servers is required, the internal servers need to be represented via a single public IP. To implement such configurations, the VIP mechanism is required on the farm defined for inbound traffic load balancing (the external leg of the firewall servers). The VIP represents the public IP of the internal server.
The destination IP address of incoming traffic to the internal server (the VIP address) is replaced with the Static NAT address provided by the firewall server selected for this internal server. The source IP address of reply traffic from the internal server is changed by the firewall server to the NAT address, and by LinkProof to the VIP address, see Inbound LB Firewall Farm Configuration, page 98.

[Figure 6 - Inbound LB Firewall Farm Configuration: the client (Client IP, CIP) sends CIP->VIP to LinkProof (Virtual IP, VIP), which forwards it as CIP->NIP1 to Server 1 IP, whose NAT IP for the internal server is NIP1; the firewall forwards CIP->LIP to the internal server. The reply CIP<-LIP is translated by the firewall to CIP<-NIP1 and by LinkProof to CIP<-VIP. Server 2 IP provides NIP2 for the same internal server.]

To configure inbound LB with transparent firewall farms:

1. From the Farm Traffic Settings pane, set the Packet Translation parameter to VIP.
2. Click Ok to return to the LinkProof Traffic Redirection window.
3. In the Traffic Redirection window, select the VIP tab. The VIP pane appears.
4. In the VIP pane, click Add. The Edit Virtual IP Address window appears.
5. In the Edit Virtual IP Address window, enter a Virtual IP address. The Virtual IP Address must be a public address supplied by the ISP.
6. Click Add to define the firewall server IPs that are mapped to this VIP. The Edit Mapped IP window appears.
7. From the Edit Mapped IP window, select one of the firewall servers of this farm from the Server Address drop-down menu. In the NAT Address field, enter the Static NAT IP provided for the internal server by this firewall server.
8. Click Ok to apply the parameters and return to the Edit Virtual IP Address window.
9. Repeat this procedure (steps 4 through 8) for all internal servers.

Translating Outbound Traffic to Virtual Addresses

If the internal servers can also initiate outbound sessions, source address translation to the VIP can be performed on these sessions if the Translate Outbound Traffic to Virtual Address parameter is enabled.
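The three VIP translations described above (proxy firewall farm, inbound load balancing through transparent NAT firewalls, and Translate Outbound Traffic to Virtual Address), as one added example that is not LinkProof code. The VIP -> (Server Address, NAT Address) mapping mirrors the Edit Mapped IP window: for a proxy farm the NAT Address equals the Server Address, for a transparent NAT farm it is the Static NAT IP the firewall provides for the internal server. The cyclic choice of firewall, the session table keyed on the remote host's address and port, and the addresses used are assumptions of this example.

```python
"""Packet Translation = VIP on a firewall farm.

Added example, not LinkProof code. Firewall choice, session-table layout and
addresses are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


FlowKey = Tuple[str, int, str, int]   # (remote IP, remote port, VIP, VIP-side port)


class VipTranslator:
    def __init__(self, mapping: Dict[str, Dict[str, str]], translate_outbound: bool = False):
        # mapping: VIP -> {firewall Server Address: NAT Address}
        self.mapping = mapping
        self.translate_outbound = translate_outbound
        self.sessions: Dict[FlowKey, str] = {}      # flow -> NAT Address bound to it
        self._next = {vip: 0 for vip in mapping}

    def _select(self, vip: str) -> str:
        """Cyclic choice of a mapped firewall (stands in for the farm's Dispatch Method)."""
        nat_addrs = [nat for _, nat in sorted(self.mapping[vip].items())]
        nat = nat_addrs[self._next[vip] % len(nat_addrs)]
        self._next[vip] += 1
        return nat

    def to_farm(self, pkt: Packet) -> Packet:
        """Remote host -> VIP. A new flow is bound to one firewall's NAT Address;
        an existing flow keeps its firewall (session persistency)."""
        if pkt.dst not in self.mapping:
            return pkt                              # not a VIP: no translation
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.sessions:
            self.sessions[key] = self._select(pkt.dst)
        return Packet(pkt.src, self.sessions[key], pkt.sport, pkt.dport)

    def from_farm(self, pkt: Packet) -> Packet:
        """Firewall (NAT Address) -> remote host: put the VIP back as the source,
        so the remote host only ever sees the single virtual address."""
        for (rip, rport, vip, vport), nat in self.sessions.items():
            if (rip, rport, vport) == (pkt.dst, pkt.dport, pkt.sport) and nat == pkt.src:
                return Packet(vip, pkt.dst, pkt.sport, pkt.dport)
        return pkt

    def outbound(self, pkt: Packet) -> Packet:
        """Internal server -> Internet, reaching LinkProof with the firewall's NAT
        Address as source. With Translate Outbound Traffic to Virtual Address enabled,
        the source becomes the VIP and the flow is recorded so that the reply is sent
        back to the same NAT Address, and therefore the same firewall."""
        if not self.translate_outbound:
            return pkt
        for vip, servers in self.mapping.items():
            if pkt.src in servers.values():
                self.sessions[(pkt.dst, pkt.dport, vip, pkt.sport)] = pkt.src
                return Packet(vip, pkt.dst, pkt.sport, pkt.dport)
        return pkt


if __name__ == "__main__":
    # Constructed proxy farm: two proxy firewalls behind one VIP (NAT Address = Server Address).
    proxy = VipTranslator({"203.0.113.10": {"10.0.0.1": "10.0.0.1", "10.0.0.2": "10.0.0.2"}})
    fwd = proxy.to_farm(Packet("192.0.2.5", "203.0.113.10", 40000, 8080))
    print(fwd, proxy.from_farm(Packet(fwd.dst, "192.0.2.5", 8080, 40000)))
```

Binding the reply path to the session entry is what keeps the exchange on one firewall: with stateful firewalls, a reply that reached a different unit than the request would be dropped as an unknown connection.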
To configure translating outbound traffic to a virtual address:

1. From the main window, double-click the LinkProof device icon. The Setup window appears.
2. In the Setup window, select Global. The Global pane appears.
3. From the Global pane, select the Advanced Settings option and click Edit Settings. The Advanced Settings window appears.
4. In the LinkProof Advanced Settings window, check the Translate Outbound Traffic to Virtual Address box to enable the feature.
5. Click Ok. Your preferences are recorded.

Default Farm

A default farm is automatically created for each server IP address configured on LinkProof. The default farm has the following purposes:
• To allow the device to select an edge (end of flow) farm according to the routing table. When the traffic does not match any configured flow, the device searches the routing table for the default gateway. If the default gateway is a server configured on the device, LinkProof forwards the traffic to the default farm that was configured for this server; otherwise the traffic is forwarded to the default gateway without any farm being selected.
• To handle traffic that arrives from a logical server that belongs to a farm that is not configured in any flow.

The first time an IP is configured as belonging to a farm, the device automatically configures this farm as the default farm for the server IP. The farm that is automatically configured as the default farm for a server IP can be changed.

Farm Connectivity Checks

In order to load balance traffic that arrives at a LinkProof farm, the state of the servers in this farm must be checked. LinkProof periodically checks the health of the servers. A successful check indicates that the service is available on this server. Failure to establish a successful connection means that LinkProof considers the server unavailable for this service or farm.
When a failure occurs, LinkProof continues to check for the server's availability and generates a syslog/e-mail/SNMP/CLI trap that the server is "Not In Service." LinkProof can be configured to monitor the status of servers in its farms to ensure they are available and can handle the requests. During the farm connectivity checks, the farm is considered as one entity and therefore each server within the farm is checked in the same way.

You can perform a health check of the servers using one of these methods:
• Basic - Ping
• Advanced - Health Monitoring Module, refer to Chapter 10.

LinkProof performs pinging by sending an ICMP echo request to the server. If a server is available, this server sends an ICMP echo reply. If a Ping operation fails, this means that the server is down.

Notes:
i. When the basic Farm Connectivity Checks (ping) are used, the status of servers in the farm is affected by these checks only.
ii. Using the basic Farm Connectivity Checks (ping), LinkProof does not resume checks on farms where the subnet of the farm IP does not correspond to any of the configured LinkProof IP interfaces. This applies, for example, after Interface Grouping was triggered and released.

Table 11 on page 100 describes the Connectivity Checks configuration parameters.

Table 11: Connectivity Methods
Connectivity Interval: How often LinkProof polls the servers (in seconds). Default value: 10.
Connectivity Retries: The number of polling attempts that are made before a server is considered inactive. Default value: 5.

Identify Server By Name

This parameter allows you to determine the logical server health status according to the status of all the physical server interfaces. For example: when one side of a firewall is not in service, LinkProof considers all other farm servers with the same name to be out of service as well. This flag can be used either when using LinkProof connectivity checks, or when using the Health Monitoring module.
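The basic (ping) Farm Connectivity Checks with the Connectivity Interval, Connectivity Retries and Identify Server By Name parameters described above, as an added example that is not LinkProof code. The rules (a server is inactive after `retries` consecutive failed polls, polled every `interval` seconds; with Identify Server By Name every farm server sharing a Server Name goes out of service when one leg fails) come from the text; the poll results are fed in as a dictionary instead of real ICMP, and the trap message strings are constructed for this illustration.

```python
"""Basic (ping) Farm Connectivity Checks with Interval, Retries and the
Identify Server By Name flag.

Added example, not LinkProof code; poll results and trap strings are
constructed for illustration.
"""
from typing import Dict, List


class ConnectivityMonitor:
    def __init__(self, interval: int = 10, retries: int = 5, identify_by_name: bool = False):
        self.interval = interval                   # Connectivity Interval, seconds between polls
        self.retries = retries                     # Connectivity Retries before "inactive"
        self.identify_by_name = identify_by_name   # Identify Server By Name flag
        self.server_name: Dict[str, str] = {}      # farm server -> physical Server Name
        self.failures: Dict[str, int] = {}         # consecutive failed polls
        self.in_service: Dict[str, bool] = {}
        self.events: List[str] = []                # syslog-style trap messages

    def add_server(self, farm_server: str, server_name: str) -> None:
        self.server_name[farm_server] = server_name
        self.failures[farm_server] = 0
        self.in_service[farm_server] = True

    def worst_case_detection_seconds(self) -> int:
        """Longest time a dead server keeps receiving new clients: interval * retries."""
        return self.interval * self.retries

    def poll(self, replies: Dict[str, bool]) -> List[str]:
        """One polling round: replies maps farm server -> ICMP echo reply seen.
        Returns the trap messages raised by this round."""
        for srv, ok in replies.items():
            self.failures[srv] = 0 if ok else self.failures[srv] + 1
        # Per-leg health: a leg is down once it has failed `retries` polls in a row.
        leg_ok = {srv: self.failures[srv] < self.retries for srv in self.failures}
        new_status = {}
        for srv, name in self.server_name.items():
            if self.identify_by_name:
                # Every farm server (e.g. both firewall legs) with this name must answer.
                group = [s for s, n in self.server_name.items() if n == name]
                new_status[srv] = all(leg_ok[s] for s in group)
            else:
                new_status[srv] = leg_ok[srv]
        raised = []
        for srv, up in new_status.items():
            if up != self.in_service[srv]:
                self.in_service[srv] = up
                raised.append(f"{srv}: {'In Service' if up else 'Not In Service'}")
        self.events.extend(raised)
        return raised


if __name__ == "__main__":
    # Constructed farm: one firewall with an internal and an external leg.
    mon = ConnectivityMonitor(interval=10, retries=5, identify_by_name=True)
    mon.add_server("fw1-int", "fw1")
    mon.add_server("fw1-ext", "fw1")
    for _ in range(5):
        traps = mon.poll({"fw1-int": True, "fw1-ext": False})
    print(traps, mon.worst_case_detection_seconds())
```

With the defaults (interval 10, retries 5) a failed server can keep receiving new sessions for up to 50 seconds before it is declared Not In Service; lowering either value shortens that window at the cost of more probe traffic and a higher chance of false failures on a briefly congested link.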
Server Management

This section explains Server Management and includes the following topics:
• Servers Overview, page 100
• Farm Servers, page 101
• Server Parameters, page 101
• Physical Servers, page 103

Servers Overview

Farm servers are logical entities that are associated with the application services provided by the physical servers that run these applications. The process of adding and configuring servers in a LinkProof farm consists of two main stages:
• Adding physical servers
• Setting up farm servers

Adding physical servers means adding the hardware elements to the network and defining them as servers. This is done using APSolute Insite after the actual installation of the physical server is performed. For each service provided by a physical server, you can define a farm server and attach it to the farm that provides this service.

Configuring farm servers means organizing the servers the way you use their services. A physical server that provides multiple services may participate in multiple farms. In each farm this physical server is represented by a unique farm server that provides one specific service. Each service is associated with a farm, and you can define its own load balancing scheme and customized health checks. In this way, if one of the services provided by a physical server is not available, the other services can still be used.

To enable tracking of all the farm servers associated with a specific physical server, farm servers are organized in groups identified by the server name. All farm servers with the same server name are considered by LinkProof to be running on the same physical server. Farm server parameters are configured per farm and per server and control the process of providing a particular service. Physical server configuration is performed for each Server Name, and applies to all farm servers on the same LinkProof with the same name, implying they all run on the same machine.
Farm Servers

Farm (logical) servers represent applications residing on the physical server. Each application provides a particular service. LinkProof supports different farm server types, according to the farm types: routers and firewalls.

The name of the farm server identifies the actual physical server that provides the service. The Server Name parameter is configured when the physical server is added to the APSolute Insite map. The IP address of the farm server must also be defined. A physical server can have several IP addresses, so different farm servers that are operating on the same physical server can have different IP addresses. The same Server Name and Server Address can be used in different farms (but only in farms of the same type).

LinkProof periodically sends ARP requests to all Logical Servers that have an IP address. The user can disable this mechanism using the ARP to Logical Servers parameter, and set the interval between ARPs (in seconds) using the Time between ARPs parameter.

To configure ARP parameters:

1. From the main window, double-click the LinkProof device icon. The Setup window appears.
2. In the Setup window, click Networking > ARP Table. The ARP Table window appears.
3. In the ARP Table window, change the ARP parameters as desired.
4. Click Ok. Your preferences are recorded.

Farm server configuration sets the parameters that define the server's behavior within a specified farm.

Server Parameters

Server Weight

The weight of a server in a farm is the server's priority and importance. You can define a particular server in a farm to have more weight than the other servers. This means that more traffic is forwarded to this server than to the other servers. Server weights operate as ratios. For example, when the Dispatch Method is set to Least Number of Users, the weights determine the ratio of the number of users between the servers. If the Least Amount of Traffic method is used, the weights determine the ratio of the amount of traffic between the servers.
The weight ranges from 1 to 100. A server with weight 2 receives twice the amount of traffic as a server with weight 1. The default weight is 1. Doc. No.: 8261 101 LinkProof User Guide Note: Server Weight is not supported when the Cyclic Dispatch Method is selected in the farm Connection Limit Connection Limit is the maximum number of users that can be directed to a server for a service provided by the farm. The number of users depends on the Sessions Mode, because it is determined by the number of active entries in the Client Table for sessions destined to the specific server. Default value: 0, which means that the mechanism for the selected server is disabled. Note: There is no user number limit for the Connection Limit parameter. Bandwidth Limit Bandwidth Limit is the maximum amount of bandwidth in Kbps allowed for this application server. If traffic through that server exceeds the configured limit for any given second, LinkProof drops excess packets. Default value: No Limit. The limit is measured in Kbps, so 1Mbps is represented with a bandwidth limit of 1000. A value of 0 means that there is no bandwidth limit. Admin Status Admin Status is the user defined management status of the server that you can change at any stage of server's configuration or operation. The following options are available: • • Enabled: The server is active and ready to reply new requests for service. Disabled: The server is not active. When setting the Admin Status to Disabled, LinkProof removes all the entries relevant to this server from the Client Table, stops sending new requests for service to this server and disconnects all the connected clients. Operation Mode A farm server can be configured to have one of the following operational modes: • • Regular: The server's health is checked, as long as it is available the server is eligible for receiving client requests. This is the default operation mode. 
• Backup: The server's health is checked, but the server does not receive any client requests. The server becomes eligible for client requests when all the servers in Regular mode have failed.

To configure farm servers:

1. From the main window, select a LinkProof device and click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click Farms. The Farms pane appears.
3. From the Farms pane, click Add/Edit. The Edit LinkProof Farm window appears.
4. From the Edit LinkProof Farm window, click Add. The LinkProof Farm Server window appears.
5. From the LinkProof Farm Server window, set the parameters of the server according to your requirements.
6. Click Ok. Your preferences are recorded.

ARP to Logical Server

LinkProof periodically sends ARP requests to all Logical Servers that have an IP address. You can disable this mechanism using the ARP to Logical Servers parameter, and set the interval between ARPs (in seconds) using the Time between ARPs parameter.

To configure ARP parameters:

1. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
2. From the LinkProof Setup window, click Networking > ARP Table. The ARP Table window appears.
3. From the ARP Table window, change the ARP parameters according to your requirements.
4. Click Ok. Your preferences are recorded.

Identifying NHR (Router) by Port

In certain cases both firewall legs, although connected to separate physical ports, have the same MAC address. For LinkProof to correctly identify the logical firewall server in such cases, this parameter should be enabled.

To enable Identifying by Port:

1. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
2. In the LinkProof Setup window, select the Global tab. The Global pane appears.
3. In the Global pane, select Advanced Settings > Edit Settings. The LinkProof Advanced Settings window appears.
4.
In the LinkProof Advanced Settings window, enable the Identifying NHR by Port parameter.
5. Click Ok. Your preferences are recorded.

Physical Servers

Physical servers are hardware units configured to operate as an integral part of the network. Before setting up a physical server, you must connect the server to the LinkProof device at the hardware level. Once the hardware connections are completed, you can start adding physical servers to the APSolute Insite map. The parameters of the physical server are defined globally and are applied to all the farm servers that use the physical server.

Table 12 on page 104 describes the physical servers' Setup parameters.

Table 12: Physical Server Parameters
Server Name: The physical server name. The Server Name defines the name of the group of farm servers that are associated with this physical server. Adding a new server to a farm using a Server Name that was already defined in another farm implies that it is the same physical server.
Recovery Time: The period of time, in seconds, during which no data is sent to the physical server after the server recovers from a failure. When a server's operational status is changed from inactive to active (dynamically or administratively), the server is not eligible to receive clients for this period of time. Recovery Time applies to all servers in all farms that share the same Server Name. Once this time is reached, the server becomes eligible for receiving client requests. Default is 0. When this value is set, the server is eligible immediately after changing operational status from inactive to active.
Connection Limit: The maximum number of Client Table entries that can run simultaneously on the physical server. This depends on the farm's Sessions Mode. When the limit is reached, new requests for service are no longer directed to this server. All open sessions are continued.
Connection Limit (continued): When the Connection Limit parameter is configured to 0 (default), this mechanism is disabled for this physical server and there is no user number limit. When configuring the Connection Limit for the physical server, ensure that the Connection Limit in the farm servers with the same Server Name is lower than or equal to the Connection Limit in the physical server. The total number of active sessions that run simultaneously on the farm servers must not be higher than the Connection Limit value defined on the physical server.
In Kbps Limit: The maximum traffic (in Kbps) that can be received from the router. When the limit is reached, new requests for service are no longer directed to this router. All open sessions are continued.
Out Kbps Limit: The maximum traffic (in Kbps) that can be sent to the router. When the limit is reached, new requests for service are no longer directed to this router. All open sessions are continued, unless the Discard Flag is enabled.
Kbps Limit: The maximum traffic (in Kbps) that can be sent to and received from the router. When the limit is reached, new requests for service are no longer directed to this router. All open sessions are continued, unless the Discard Flag is enabled.
Discard Flag: This flag defines the device behavior when the outbound or total bandwidth limits are reached for routers. If the flag is Disabled, new sessions are not allocated to this server, but the traffic of existing sessions is not dropped. If the flag is Enabled, traffic is dropped when the bandwidth limit is exceeded.
Warm-up Time: The time, in seconds, after the server is up, during which clients are sent to this physical server at a slowly increasing rate, so that the server can reach its capacity gradually.
LinkProof internally raises the weight of the server for this period of time, at the end of which the server's weight is the pre-configured weight, see Server Weight, page 101. If the Warm-up Time parameter is set to 0 (default), the server performs activation at full weight upon a change in operational status from “inactive" to "active” and after waiting the Recovery Time. Note: This option is not applicable for the farm servers in which the load balancing decision is made using the Cyclic Dispatch Method. IP Address The IP addresses of the server. For each farm server associated with this physical server, you define an IP address. LinkProof supports multiple billing models for the Cost feature. For each Router user can defined the billing model used, the options being: Billing Mode Inbound bandwidth Outbound bandwidth Total bandwidth (Inbound+Outbound) Max (Inbound, Outbound) – maximum between Inbound and Outbound bandwidth. ToS This field contains the ToS value for this Router. Value ranges differ between the different ToS types: 0-15 for ToS Type, 0-7 for Precedence Type. A value of 255 may be given if no ToS is required for this Router. Network Address Translation This section explains NAT capabilities, which enables the source IP address to be hidden. NAT enables translation of an IP address used within one network to a different IP address known within another network. Doc. No.: 8261 105 LinkProof User Guide This section includes the following topics: • • • • • • • Network Address Translation (SmartNAT) - Introduction, page 106 Dynamic NAT, page 107 Static NAT, page 108 No NAT, page 109 Basic NAT, page 110 One IP Support, page 111 Static Port Address Translation, page 112 Network Address Translation (SmartNAT) - Introduction The main complication in a multi-homed network is managing the IP addressing scheme for the different providers. 
There are two common possibilities for the IP scheme that the internal network uses:

• A single IP network number is assigned to the internal network. This requires communication and cooperation between the two ISPs in order to advertise proper routes for this single IP network to the rest of the Internet. Care must also be taken to ensure that both links are used for incoming traffic: if only a single ISP delivers inbound traffic to the network, part of the motivation and benefit of multi-homing goes unrealized.

• Each ISP assigns the internal network a different IP address range, so two IP address ranges are active at the same time. This raises the question of which range to use for outbound traffic. If Range1 (assigned to the network by ISP1) is used and the link to ISP1 fails, there is no way for the response traffic to return to the network, since the rest of the Internet knows Range1 to be reachable only through ISP1. Furthermore, if only Range1 is used, the ISP2 link is never used for inbound traffic, for the same reason. There is also the question of which IP addresses to advertise for inbound traffic. For example, if the network has a Web server that must be reachable from the Internet, which range should it belong to? If it belongs to only one range, the Web server becomes unreachable when the ISP responsible for that range loses its link to the network. If addresses from both ranges are advertised, DNS failover and resiliency become additional factors that must be addressed.

For intelligent address management of traffic, LinkProof uses an algorithm called SmartNAT. To solve the outbound traffic problem, LinkProof performs "smart" dynamic NAT: it has addresses from both ISPs' address ranges available for translation.
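The SmartNAT rule sketched above (take the translated source address from the address range of the ISP whose router carries the session, so the reply returns over the same link) together with the Dynamic NAT entries described later in this section, as an added Python illustration; this is not LinkProof code. The router names, the two documentation-prefix ISP ranges, the local range, the NAT addresses and the port-allocation bound are assumptions made for the example.

```python
"""SmartNAT-style dynamic source NAT, as an added illustration (not LinkProof
code): the translated source address is taken from the address range of the
ISP whose router was chosen for the session, so the reply comes back over
the same link.  Router names, ranges and addresses are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class DynamicNatEntry:
    """One Dynamic NAT row: local range -> NAT IP used via a given farm server (router)."""
    local_net: str      # e.g. "10.1.0.0/16" (From/To Local Address as a prefix)
    router: str         # farm server (next-hop router) this NAT IP belongs with
    nat_ip: str         # an address from that router's ISP range

    def __post_init__(self):
        self.local_net = ipaddress.ip_network(self.local_net)


class SmartNat:
    # Assumed port range; the real upper bound is the tunable "PAT & DNAT
    # Port table" (default 60534) described later in this section.
    PORT_MIN, PORT_MAX = 1024, 60534

    def __init__(self, entries):
        self.entries = list(entries)
        self.sessions = {}      # (nat_ip, nat_port, proto) -> (Session, router)
        self.next_port = {}     # nat_ip -> next candidate port

    def _pick_nat_ip(self, src_ip, router):
        for e in self.entries:
            if e.router == router and ipaddress.ip_address(src_ip) in e.local_net:
                return e.nat_ip
        raise LookupError(f"no Dynamic NAT entry for {src_ip} via {router}")

    def _alloc_port(self, nat_ip, proto):
        span = self.PORT_MAX - self.PORT_MIN + 1
        start = self.next_port.get(nat_ip, self.PORT_MIN)
        for i in range(span):
            port = self.PORT_MIN + (start - self.PORT_MIN + i) % span
            if (nat_ip, port, proto) not in self.sessions:
                self.next_port[nat_ip] = port + 1
                return port
        raise RuntimeError("PAT & DNAT port table exhausted")

    def translate_outbound(self, s, router):
        """Return (nat_ip, nat_port) for a session dispatched to `router`."""
        nat_ip = self._pick_nat_ip(s.src_ip, router)
        nat_port = self._alloc_port(nat_ip, s.proto)
        self.sessions[(nat_ip, nat_port, s.proto)] = (s, router)
        return nat_ip, nat_port

    def translate_return(self, dst_ip, dst_port, proto):
        """Map a reply addressed to the NAT pair back to (client ip, port, router)."""
        hit = self.sessions.get((dst_ip, dst_port, proto))
        if hit is None:
            return None
        s, router = hit
        return s.src_ip, s.src_port, router


# Constructed example: two ISPs, one public range each (documentation prefixes).
ISP_RANGES = {"Router1": ipaddress.ip_network("198.51.100.0/24"),
              "Router2": ipaddress.ip_network("203.0.113.0/24")}


def reply_link(nat_ip):
    """Link the Internet uses to deliver a reply to nat_ip: each range is
    known to the world only through the ISP that assigned it."""
    for router, net in ISP_RANGES.items():
        if ipaddress.ip_address(nat_ip) in net:
            return router
    return None


def demo():
    nat = SmartNat([DynamicNatEntry("10.1.0.0/16", "Router1", "198.51.100.10"),
                    DynamicNatEntry("10.1.0.0/16", "Router2", "203.0.113.10")])
    s = Session("10.1.2.3", 40000, "192.0.2.50", 443, "tcp")
    # Dispatched to Router2: the source is translated to an ISP2 address, so
    # the reply arrives through Router2, the link that carried the request.
    nat_ip, nat_port = nat.translate_outbound(s, "Router2")
    smart_ok = reply_link(nat_ip) == "Router2"
    # A single fixed NAT address from Range1 pulls every reply through Router1
    # and strands the session while the Router1 link is down.
    fixed_ok = reply_link("198.51.100.10") == "Router2"
    back = nat.translate_return(nat_ip, nat_port, "tcp")
    return smart_ok, fixed_ok, back


if __name__ == "__main__":
    print(demo())
```

`reply_link` stands in for the Internet's routing view that each range is reachable only through the ISP that owns it. `demo()` shows the SmartNAT choice returning over the link that carried the request, whereas a single fixed NAT address would pull every reply through Router1 and leave the session stranded whenever that link is down; `translate_return` is the reverse lookup the device needs to deliver the reply to the original client.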
When a router is selected to carry an outbound session, LinkProof chooses a translated source IP address that is associated with that router/ISP. If LinkProof chooses Router1 to deliver a session to the Internet, it uses an address from ISP1's range as the translated source address; if it chooses Router2, it uses a source address from ISP2's range. Because the translated source address always matches the chosen router, the reply returns over the same link and no return delivery issues arise.

SmartNAT not only encompasses dynamic IP address allocation and translation; it also gives LinkProof the ability to statically map internal resources to external IP addresses. An individual internal resource, such as a server, is mapped to multiple outside IP addresses (one from each ISP). The statically mapped addresses are used for inbound traffic, via the most available ISP link. Static mapping also compensates transparently for ISP link failure: if an ISP link is down, only the addresses of the available links are used for inbound traffic. By making an inside resource reachable through all available ISPs, uptime is preserved for that resource, and access to it is always available through the most available ISP link.

Notes:
i. LinkProof performs NAT when forwarding to farms for which NAT has been enabled (security and firewall farms only). NAT is performed only for IP addresses that are found in the SmartNAT tables.
ii. LinkProof can perform a single Network Address Translation per session.

To configure NAT:
Configuring NAT involves the following stages:
1. Change the NAT Tuning parameters.
2. Configure the NAT addresses.

To change the NAT Tuning parameters:
1. From the main window, double-click the LinkProof icon. The Setup window appears.
2. In the Setup window, select Global. The Global pane appears.
3. In the Global pane, select Advanced Settings > Edit Settings. The Advanced Settings window appears.
4. In the Advanced Settings window, set the following parameters:
Static NAT: The number of IP addresses to be used by Static NAT. Range: >0 to 8,192. Default: 512.
Basic NAT: The number of IP addresses to be used by Basic NAT. Range: >0 to 128. Default: 512.
No NAT: The number of IP addresses to be used by No NAT. Range: >0 to 20,000. Default: 512.
5. Click Ok to exit all windows.
6. Restart the device to apply the tuning parameter changes.

Dynamic NAT
The Dynamic NAT feature enables LinkProof to hide network elements located behind it. Using this feature, LinkProof replaces the original source IP address and source port of a packet with the configured NAT IP address and a dynamically allocated port before forwarding the request to the farm. The network elements whose addresses are translated can be servers or other local hosts. You can set different NAT addresses for different ranges of intercepted addresses. For example, traffic from subnet A is translated using IP address 10.1.1.1 and traffic from subnet B is translated using IP address 10.1.1.3.

To configure Dynamic NAT:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, select the NAT tab. The NAT pane appears.
3. In the NAT pane, select Dynamic NAT from the drop-down list and set the following parameters:
From Local Address: The first address of the range of local (internal) IP addresses.
To Local Address: The last address of the range of local IP addresses.
Server Address: The IP address of the farm server. This NAT address is used when traffic from the local addresses is sent to this farm server.
Dynamic NAT IP: The NAT IP address to be used. Note: The IP address of the LinkProof interface can be used for NHRs on the same subnet; this mode cannot be used with a range of IP addresses for Dynamic NAT per NHR.
NAT Redundancy Mode: Whether the NAT address is regular (Active) or Backup. Active is for the active device and Backup for the backup device.
4. Click Add > Apply > Ok. Your preferences are recorded.

Static NAT
Static NAT is used to ensure delivery of specific traffic to a particular server on the internal network. LinkProof uses Static NAT, that is, predefined addresses mapped to a single internal host, to load balance inbound traffic to this host across multiple links while ensuring that the return traffic uses the same path. Multiple Static NAT addresses are assigned to the internal server, one for each farm server address range.
Note: Static NAT addresses cannot be part of the Dynamic NAT IP pool.

To configure Static NAT:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, select NAT. The NAT pane appears.
3. In the NAT pane, select Static NAT from the drop-down list. The Static NAT pane appears.
4. In the Static NAT pane, set the following parameters:
From Local Address: The first address of the range of local IP addresses.
To Local Address: The last address of the range of local IP addresses.
Server Address: The IP address of the farm server. These NAT addresses are used when traffic from the local addresses is sent to this farm server.
From Static NAT: The first address of the range of NAT addresses used when forwarding to the server address above.
To Static NAT: The last address of that range of NAT addresses.
Redundancy Mode: Either Backup or Active.
The Active mode is for the active device and the Backup mode is for the backup device.
5. Click Apply and Ok. Your preferences are recorded.

Exclude Static NAT for Local Network
Traffic from a local host for which Static NAT is configured is translated when it is forwarded to a farm for which NAT is enabled; traffic to the local network is not translated. In certain cases, mainly for security purposes, traffic from the local host to the local network must also be translated using Static NAT. To allow this, disable the Exclude Static NAT for Local Network flag (it is enabled by default).

Enable Ping to Multiple Static NATs
This flag enables or disables simultaneous ping functionality to multiple Static NAT addresses belonging to the same Internet host.

No NAT
No NAT enables a simple configuration in which internal hosts have IP addresses that belong to the range of one of the farm servers. Traffic to and from these hosts should not be translated when it is forwarded via that farm server. If you do not configure any NAT address for a host via a farm server, that farm server is not used for inbound traffic to the host when the host's IP address is resolved via DNS. To use a farm server for the host's traffic when NAT is not required, use the No NAT configuration.

To configure No NAT:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, select NAT. The NAT pane appears.
3. In the NAT pane, select No NAT from the drop-down list and set the following parameters:
From Local Address: The first address of the range of local IP addresses.
To Local Address: The last address of the range of local IP addresses.
Port Number: The destination port for which traffic is not translated. For example, with port 80, all traffic to destination port 80 is not translated. Destination port 0 refers to all ports.
Server Address: The IP address of the farm server. The No NAT entry applies when traffic from the local addresses is sent to this farm server.
4. Click Add > Apply > Ok. Your preferences are recorded.

Basic NAT
Basic NAT enables one-to-one NAT mapping for occasional users, based on local IP ranges and destination applications. A pool of NAT addresses for each farm server is configured per range of local IP addresses and destination port. Whenever a client with an IP address within the range initiates a session to any host on the relevant application port, a NAT address is allocated to this session and is used for all further sessions of that client with this application on this destination host. Basic NAT is useful for any application that requires that source ports not be translated, and therefore cannot be used when the client's IP address is translated using Dynamic NAT. Typically the configured local IP range contains more hosts than there are Basic NAT addresses allocated for it: traffic from any host in the local IP range is translated using one of the Basic NAT addresses configured for that range. This allows a pool of Static NAT addresses to serve a (larger) range of local IP addresses. The destination port can be configured as a specific application port or as "All ports". You can also configure how LinkProof should behave when all Basic NAT addresses for the specified IP range and application are occupied.

To configure Basic NAT:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, select the NAT tab. The NAT pane appears.
3. In the NAT pane, select Basic NAT from the NAT drop-down list. The Basic NAT pane appears.
4. In the Basic NAT pane, set the following parameters:
From Local Address: The first address of the range of local IP addresses.
To Local Address: The last address of the range of local IP addresses.
Port Number: The destination port for which traffic is translated. For example, enter 80 to translate all traffic to destination port 80. Destination port 0 refers to all ports.
Server Address: The IP address of the farm server. These NAT addresses are used when traffic from the local addresses is sent to this farm server.
From NAT Address: The first address of the range of NAT addresses.
To NAT Address: The last address of the range of NAT addresses.
Redundancy Mode: Either Backup or Regular (Active). Active is for the active device and Backup for the backup device.
5. Click Add > Ok. Your preferences are recorded.

One IP Support
This feature is designed to reduce the number of public IP addresses used in LinkProof configurations. When One IP is enabled, the user can define Dynamic SmartNAT addresses that are identical to the device's own interface addresses. LinkProof registers all incoming and outgoing traffic in order to distinguish management traffic, Health Monitoring and Proximity traffic from forwarded traffic. One IP can be enabled on some IP interfaces and disabled on others. When One IP is used, the LinkProof device uses its interface addresses to perform Dynamic SmartNAT and hide the LAN segment behind it.

Incoming Traffic for Public Services
Without One IP, Web services on internal servers are published using Static NAT. With One IP, Static Port Address Translation (SPAT) is used instead; it is described in the next section.

Smart NAT using One IP configuration
LinkProof uses a set of predefined IP addresses in order to maintain connectivity as well as functionality.
In a regular (non-VLAN Bridge) configuration, each router connected to LinkProof needs 2 IP addresses: one for the router's internal interface and one for the LinkProof interface facing it. For example, with 5 routers, 5 x 2 = 10 addresses are needed. In most LinkProof configurations these addresses are public IP addresses. When LinkProof is used with SmartNAT, the internal LAN segments behind the device are assigned private addresses (RFC 1918), and additional public IP addresses are required for the NAT pools; One IP lets the interface addresses double as NAT addresses.

To configure Smart NAT with One IP using WBM:
1. From the Router menu, select Router > IP Router > Interface Parameters. The IP Router Interface Parameters window appears.
2. Click Create. The Interface Parameters Create window appears.
3. In the One IP (Router Interface Only) field, select Enable or Disable.
4. Click Set.

To configure Smart NAT with One IP using CLI:
1. Enter net ip-interface set <IP Address> -oi <enable or disable>
2. Select Enable or Disable (by default the 1IP option is disabled).
You must also configure Dynamic NAT (DNAT) using the SmartNAT configuration. See Dynamic NAT for an explanation of how to configure DNAT.

Static Port Address Translation
Static Port Address Translation (Static PAT or SPAT) allows one-to-one mapping between local and global addresses. With Static PAT, multiple internal hosts can share a single IP address for communication, thus saving public IP addresses. Static PAT is actually a subset of NAT (RFC 2663) but is usually referred to as Static PAT when discussing port forwarding. Static PAT allows you to configure a static mapping of UDP or TCP ports of a LinkProof IP interface to the internal hosts' ports.
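One way to model the Static PAT table described above, as an added Python example and not LinkProof code: each entry maps <external IP, external port, protocol> on a LinkProof interface to an internal host and port, two internal hosts share one public address on different ports, and an entry is refused when its public port is already mapped or, on an interface with One IP enabled, collides with one of the device's management service ports (the conflict described under Management IP Considerations later in this section). All addresses and entry names are made up; the management ports are the defaults listed there.

```python
"""Static PAT (port forwarding) table, as an added illustration (not LinkProof
code): <external IP, external port, protocol> on a LinkProof interface maps
one-to-one to an internal host and port.  Addresses and names are made up;
the management ports are the defaults listed under Management IP
Considerations later in this section."""
from dataclasses import dataclass

# Default management services bound on the device's own IP address.
MANAGEMENT_PORTS = {
    ("tcp", 23): "TELNET", ("tcp", 22): "SSH", ("tcp", 80): "WEB",
    ("tcp", 443): "SSL", ("tcp", 21): "FTP", ("udp", 161): "SNMP",
}


@dataclass(frozen=True)
class StaticPat:
    internal_ip: str
    internal_port: int
    proto: str            # "tcp", "udp" or "icmp"
    router_ip: str        # next-hop router through which the public address is reached
    external_ip: str      # LinkProof interface address the device listens on
    external_port: int
    name: str = ""


class StaticPatTable:
    def __init__(self, one_ip_interfaces=()):
        # Interfaces with One IP enabled: the management address doubles as the
        # SPAT address, so a SPAT port may collide with a management service.
        self.one_ip = set(one_ip_interfaces)
        self.entries = {}   # (external_ip, external_port, proto) -> StaticPat

    def add(self, e):
        if e.external_ip in self.one_ip:
            if e.proto == "icmp":
                raise ValueError("SPAT with 1IP is supported on TCP and UDP only")
            svc = MANAGEMENT_PORTS.get((e.proto, e.external_port))
            if svc:
                raise ValueError(f"Can not bind port {e.external_port}: Port is bound to "
                                 f"device {svc} service ({e.proto.upper()}). "
                                 f"Change service port first")
        key = (e.external_ip, e.external_port, e.proto)
        if key in self.entries:
            # One public service per port per public IP: a second server on the
            # same port of the same address cannot be exposed.
            raise ValueError(f"{e.proto}/{e.external_port} on {e.external_ip} is already mapped")
        self.entries[key] = e
        return e

    def inbound(self, dst_ip, dst_port, proto):
        """Client -> server: rewrite the destination to the internal host/port."""
        e = self.entries.get((dst_ip, dst_port, proto))
        return (e.internal_ip, e.internal_port) if e else None

    def outbound(self, src_ip, src_port, proto):
        """Server -> client: rewrite the source back to the public address/port."""
        for e in self.entries.values():
            if (e.internal_ip, e.internal_port, e.proto) == (src_ip, src_port, proto):
                return e.external_ip, e.external_port
        return None


def demo():
    # 198.51.100.2 is a device interface with One IP enabled; 198.51.100.10 is
    # a plain external (IP B) address.  Both are constructed values.
    t = StaticPatTable(one_ip_interfaces={"198.51.100.2"})
    # Figure-style mapping: public IP B:80 -> internal web server :8080.
    t.add(StaticPat("10.204.1.1", 8080, "tcp", "198.51.100.1", "198.51.100.10", 80, "web"))
    # Same public address, another port -> a second internal host.
    t.add(StaticPat("10.204.1.2", 22, "tcp", "198.51.100.1", "198.51.100.10", 2222, "jump"))
    forward = t.inbound("198.51.100.10", 80, "tcp")      # ("10.204.1.1", 8080)
    reply = t.outbound("10.204.1.1", 8080, "tcp")        # ("198.51.100.10", 80)
    errors = []
    for bad in (  # port 80 on a One IP interface belongs to the WEB service;
                  # a second server on IP B port 80 would be a duplicate
            StaticPat("10.204.1.1", 8080, "tcp", "198.51.100.1", "198.51.100.2", 80),
            StaticPat("10.204.1.3", 80, "tcp", "198.51.100.1", "198.51.100.10", 80)):
        try:
            t.add(bad)
        except ValueError as err:
            errors.append(str(err))
    return forward, reply, errors


if __name__ == "__main__":
    print(demo())
```

The two refusals in `demo()` are the practical limits of SPAT on this kind of device: a One IP interface cannot forward a port that the management plane already listens on (change the management service port first, or do not expose that port), and a single public address can front only one server per port and protocol.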
Static PAT Example, page 112 shows an example of Static PAT, in which a client initiates a connection from the Internet towards the Web Server.

Figure 7 - Static PAT Example

The Static Port Address Translation proceeds as follows:

Client to Web Server:
  Packet arriving at LinkProof: Destination IP = IP B (Public), Destination Port = 80 (HTTP)
  Packet forwarded by LinkProof: Destination IP = Internal (Private) IP, Destination Port = 8080
  Action on Web Server: reply to Client IP

Web Server to Client:
  Packet arriving at LinkProof: Source IP = Internal (Private) IP, Source Port = 8080, Destination IP = Client IP (Public)
  Packet forwarded by LinkProof: Source IP = IP B (Public), Source Port = 80 (HTTP)
  Action: continue session

The LinkProof SPAT process translates the external IP address to the internal one and the external destination port to the internal destination port, and reverses the translation for the reply. Multiple internal hosts can be configured to share a single IP address on different ports.

Static PAT and DNAT Port Table
The limit on the highest possible port for SPAT (and DNAT) is called the PAT & DNAT Port table. The default is 60534. This limit affects both SPAT ports configured manually and ports allocated by Dynamic NAT.
Note: This is configured using device tuning in WBM.

To configure Static PAT using APSolute Insite:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, select the NAT tab. The NAT pane appears.
3. In the NAT pane, select Static NAT from the NAT drop-down list. The Static NAT pane appears.
4. In the Static NAT pane, set the following parameters:
Server IP or Physical Port: The server (router) address or physical port.
Local Address: The IP address of the internal server.
Local Port: The application port (TCP or UDP) to which the packet is sent on the Local IP address. Note: This parameter is not available if the ICMP or IPSec protocol is selected.
Protocol: TCP, UDP or ICMP. Note: If the selected router has One IP activated, ICMP is not available.
Entry Name (optional): The user-defined identifier of the Static PAT entry.
External Address: The external IP address.
External Port: The destination application port (TCP or UDP) of the received packet that is forwarded to the Local IP/Local Port. Note: This parameter is not available if the ICMP or IPSec protocol is selected.
Redundancy Mode: Either Backup or Regular. Regular (Active) is for the active device and Backup for the backup device.
5. Click Add > Ok.

To configure Static PAT using WBM:
1. From the LinkProof menu, select Smart NAT > Static PAT Table. The Static PAT Table window appears.
2. Click Create. The Static PAT Table Create window appears. Enter the following parameters and click Set.
Internal IP: The internal IP address of the server (Internal IP in Static PAT Example, page 112).
Internal Port: The internal port used by the server (8080 in Static PAT Example, page 112).
Protocol: The protocol type (TCP, UDP or ICMP).
Server IP: The IP address of the external router (IP A in Static PAT Example, page 112).
External IP: The IP address of the external LinkProof interface (IP B in Static PAT Example, page 112).
External Port: The external port that the LinkProof device listens on (80 in Static PAT Example, page 112).
Static PAT Mode: Backup or Main; used for mirroring purposes and defined in accordance with the Smart NAT redundancy settings.
Static PAT Name: Name used to identify the PAT rule.

To configure Static PAT using CLI:
Type the command:
lp smartnat static-pat add <Internal IP> <Internal Port> <Protocol Type> <Router IP> <External IP> <External Port>
Static PAT Example, page 112 shows an example in which the following CLI is used:
lp smartnat static-pat add 10.204.1.1 9090 tcp 10.204.1.1 192.168.1.1

Management IP Considerations
By default (if enabled), LinkProof allows management access to the device using the following protocols and ports:
• Telnet - TCP port 23
• SSH - TCP port 22
• Web - TCP port 80
• SSL - TCP port 443
• FTP - TCP port 21
• SNMP - UDP port 161

In 1IP configurations, the LinkProof management IP address (its own interface address) is also used for SPAT. This can create a conflict with the services above if the same ports are also published for internal servers. If you try to use a port that conflicts with one of these services, the following error message is generated (in WBM or CLI):
"Can not bind port 80: Port is bound to device WEB service (UDP or TCP). Change service port first"
Refer to Services, page 341 for information on how to change the port of the selected service.

• SPAT is supported with TCP, UDP and ICMP.
• SPAT with 1IP is supported on TCP and UDP only.
• By design, SPAT is limited to one server behind the SPAT device per port for a single service: only a single public service on a given port (for example, HTTP on port 80) can be exposed per public IP address. An organization using PAT and a single IP address therefore cannot run more than one of the same type of public service behind the PAT (for example, two public Web servers both using the default port 80).
• VPN (IPSec) pass-through with SPAT: To configure VPN pass-through together with SPAT, define a SPAT entry for UDP port 500 (IKE). The device then allows the AH and ESP protocols to undergo SPAT and pass through the device as well.

To resolve conflicting IP addresses, the SmartNAT methods are applied in the following order of priority:
1. No NAT
2. SNAT (Static NAT ranges)
3. SPAT
4. DNAT (Dynamic NAT)
For example, if an IP address is configured for use in 1IP and SPAT, and the same address also appears in a SNAT range, then for inbound traffic the SNAT range takes precedence over SPAT.
Outbound traffic for this session uses only SNAT.

Proximity
This section explains LinkProof's ability to detect network proximity and includes the following topics:
• Proximity Introduction, page 116
• Proximity Configuration, page 116

Proximity Introduction
In today's Internet environment, providing quality content is only part of the issue. Delivering content to clients as quickly as possible is a critical factor for successful e-commerce initiatives. Delivering content along the path with the least latency reduces download times; even a small increase in performance contributes to user satisfaction and can have a significant impact on user loyalty, enjoyment and commerce.

Radware offers both dynamic and static (administratively configured) proximity mechanisms to meet Internet and intranet needs. The dynamic proximity detection mechanism measures the network proximity (both latency and hop count) between the client's mouse click and the content located on the provider's Web servers. Only through such measurement can content providers be sure that their users receive the quality of service necessary to compete in the fast-paced Internet arena. In addition, by minimizing the hops and latency between end users and content, Radware's redirection mechanisms reduce traffic on the Internet backbones. Radware's Internet Traffic Management solutions deliver content to end users from the closest site or WAN link by using this proximity detection mechanism in either global or multi-homed Internet environments.

To obtain accurate network proximity results, LinkProof uses several different proximity check methods capable of passing through any router and firewall. When an internal client attempts to reach a server on the Internet, it first reaches LinkProof, and a proximity check is performed through each of the routers. The results determine which router provides the best path to the server. When another client from the same network approaches the same server later, the best link is already known and the client is immediately forwarded via that router. Conversely, when an outside client wishes to contact an internal server, LinkProof checks the proximity through each of the links and responds to the client with the NAT IP address of the router best suited to handle the traffic.

The proximity probes are a combination of IP, TCP and application-layer probes (such as TCP ACKs and ICMP Echo requests) to ensure accurate measurements. The types of checks used for proximity are configurable, to give users more control of the device and maximum performance from the links.

Notes:
i. LinkProof can perform proximity checks via up to 10 routers.
ii. In the dynamic proximity table, only the best 3 routers are recorded for each checked subnet.

Proximity Configuration

Proximity Mode
You can determine whether to use proximity data and when:
• No Proximity: Proximity data is ignored. The dynamic auto-learning mechanism is off.
• Static Proximity: LinkProof forwards traffic using the best router according to a static proximity table configured by the user. The dynamic auto-learning mechanism is off.
• Full Proximity Inbound: LinkProof forwards traffic using the best router according to the static proximity table, and uses dynamic auto-learning to choose the best router only for inbound traffic, for subnets that are not defined as static entries.
• Full Proximity Outbound: LinkProof forwards traffic using the best router according to the static proximity table, and uses dynamic auto-learning to choose the best router only for outbound traffic, for subnets that are not defined as static entries.
• Full Proximity Both: LinkProof forwards traffic using the best router according to the static proximity table, and uses dynamic auto-learning to choose the best router for all traffic, for subnets that are not defined as static entries.

Proximity Checks
LinkProof lets you select the checks used for inbound and outbound proximity calculations. The device uses proprietary proximity check schemes to find dynamically the best router for a destination subnet. In some cases, Intrusion Detection Systems (IDS) may consider the proximity check packets to be attacks on devices located behind the IDS. LinkProof lets you configure, for each proximity test, whether it is used for Inbound Proximity, Outbound Proximity, Both or None.
• Basic: A basic ping test, typically used to check inbound traffic.
• Advanced: Simulates standard applications (using UDP traffic) and is useful for both inbound and outbound proximity checks. However, IDS devices may on occasion consider such proximity check packets an attack.
• Server Side: Simulates a client of an application (sends TCP SYN packets) and is therefore outbound-traffic oriented.
• Client Side: Simulates the server side of an application (sends TCP ACK packets) and is therefore inbound-traffic oriented.

You can also define the following parameters for all proximity checks:
• Check Retries: The number of retries performed when the checked destination does not respond to the first attempt.
• Check Interval: The time interval, in seconds, between consecutive retries.

Proximity Aging Period
The Proximity Aging Period defines the time, in minutes, for which a dynamically auto-learned entry is kept in the database. When this time is about to expire, LinkProof may refresh the entry by re-executing the proximity checks.
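The dynamic proximity table described above, as an added Python illustration and not LinkProof's implementation: the results of one round of checks through each router are scored, only the best 3 routers are recorded per destination subnet (class C by default), a static entry takes precedence, a router whose link is down is skipped, and an entry older than the aging period is discarded so that the checks run again. The scoring formula (a weighted sum of hops, latency and router load, in the spirit of the Weights parameters described next), its normalisation constants, and all router names, subnets and measurements are assumptions made for the example.

```python
"""Dynamic proximity table, as an added illustration (not LinkProof's
implementation).  The scoring formula, normalisation constants, router
names, subnets and measurements are assumptions."""
import ipaddress
import time


class ProximityTable:
    KEEP_BEST = 3        # only the best 3 routers are recorded per subnet
    MAX_ROUTERS = 10     # proximity checks run via up to 10 routers

    def __init__(self, prefixlen=24, aging_minutes=60,
                 w_hops=1.0, w_latency=1.0, w_load=0.0):
        self.prefixlen = prefixlen              # Proximity Subnet Mask (class C default)
        self.aging = aging_minutes * 60         # Proximity Aging Period, in seconds
        self.weights = (w_hops, w_latency, w_load)
        self.static = {}     # IPv4Network -> router (static proximity entries)
        self.dynamic = {}    # subnet string -> (learned_at, [(score, router), ...])

    def subnet(self, ip):
        return str(ipaddress.ip_network(f"{ip}/{self.prefixlen}", strict=False))

    def set_static(self, net, router):
        self.static[ipaddress.ip_network(net)] = router

    def set_subnet_mask(self, prefixlen):
        # Changing the mask clears the learned database, as the guide states.
        self.prefixlen = prefixlen
        self.dynamic.clear()

    def score(self, hops, latency_ms, load):
        """Lower is better.  Assumed linear combination: hops normalised to a
        30-hop path, latency to one second, load already in 0..1."""
        w_hops, w_latency, w_load = self.weights
        return w_hops * hops / 30.0 + w_latency * latency_ms / 1000.0 + w_load * load

    def learn(self, dst_ip, results, now=None):
        """results: {router: (hops, latency_ms, load)} from one round of checks
        through every router; None for a router that never answered."""
        if len(results) > self.MAX_ROUTERS:
            raise ValueError("proximity checks are limited to 10 routers")
        ranked = sorted((self.score(*r), router) for router, r in results.items() if r)
        self.dynamic[self.subnet(dst_ip)] = (now or time.time(), ranked[:self.KEEP_BEST])

    def best_router(self, dst_ip, up_routers, now=None):
        """Static entry first; otherwise the best learned router whose link is up.
        None means nothing usable is known (or the entry aged out), so the caller
        falls back to the farm dispatch method and re-runs the checks."""
        addr = ipaddress.ip_address(dst_ip)
        for net, router in self.static.items():
            if addr in net and router in up_routers:
                return router
        key = self.subnet(dst_ip)
        entry = self.dynamic.get(key)
        if entry is None:
            return None
        learned_at, ranked = entry
        if (now or time.time()) - learned_at > self.aging:
            del self.dynamic[key]
            return None
        for _, router in ranked:
            if router in up_routers:
                return router
        return None


def demo():
    pt = ProximityTable(aging_minutes=30, w_hops=1.0, w_latency=1.0, w_load=0.25)
    pt.set_static("198.51.100.0/24", "Router1")          # administratively pinned
    # Constructed results of one check round for 192.0.2.77 (hops, ms, load).
    pt.learn("192.0.2.77", {
        "Router1": (12, 80.0, 0.2),      # score 0.53
        "Router2": (8, 45.0, 0.6),       # score 0.4617 -> best
        "Router3": (15, 300.0, 0.1),     # score 0.825
        "Router4": None,                 # no reply after the retries
        "Router5": (20, 500.0, 0.0),     # score 1.1667 -> not among the best 3
    }, now=1000.0)
    up = {"Router1", "Router2", "Router3", "Router5"}
    first = pt.best_router("192.0.2.77", up, now=1010.0)
    same_net = pt.best_router("192.0.2.200", up, now=1020.0)        # reuses the /24 entry
    failover = pt.best_router("192.0.2.77", {"Router3", "Router5"}, now=1030.0)
    pinned = pt.best_router("198.51.100.7", up, now=1040.0)
    aged = pt.best_router("192.0.2.77", up, now=1000.0 + 31 * 60)   # past the aging period
    return first, same_net, failover, pinned, aged


if __name__ == "__main__":
    print(demo())
```

`failover` shows why recording only the best 3 routers matters: with Router2 and Router1 down, the table still has Router3 to offer, but Router5 was never recorded and would only be used after a fresh round of checks. `aged` shows the entry being dropped once the aging period has passed, which is when the device would re-probe the subnet.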
Weights (Hops, Latency, Load) You can define the emphasis that the device should put on the hops parameter and on the latency parameter when making a load balancing decision. In addition you can define the weight the router load should take in the load balancing definition together with the proximity parameters. The router load is calculated according to the dispatch method used, for example, the number of clients when using the least amount of users. Note: The load weight is relevant only when the Farm Dispatch Method is set to Least Amount of Traffic, Least Number of Bytes or Least Number of Users. Main & Backup DNS Addresses To prevent the inefficient learning of requests that arrive from the local DNS server, LinkProof can be configured to ignore requests from specific addresses in the dynamic proximity mechanism. The addresses of the primary and backup local DNS servers can be configured. Note: Doc. No.: 8261 If the company's DNS server are placed at the Internet provider, the main and backup DNS server should belong to different ISPs. Only 2 such DNS servers (main and backup) can be configured. 117 LinkProof User Guide Proximity Subnet Mask By default LP performs proximity checks for each class C subnet. This can be changed using this parameter. When this parameter is changed the dynamic proximity database and statistics are cleared. Using Grouping Decisions inside Proximity If this parameter is set to Disabled (default is Enabled) it allows the load balancing mechanism to consider routers which were defined as backup to decide whether there is proximity data for a specific destination via this router. This functionality is required when some of your WAN links are restricted (for example domestic access only). To configure Proximity: 1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears. 2. In the Traffic Redirection window, click Proximity. The Proximity pane appears. 3. 
In the Proximity pane, set the parameters accordingly. DNS This section explains the concept of DNS space for URLs in multi-homed networks and how this is incorporated in your network in conjunction with LinkProof. This section includes the following topics: • • • • • • DNS Introduction, page 118 Mapping URLs to local IP Addresses, page 119 DNS Response Parameters, page 120 DNS for Local Users, page 120 DNS Redundancy, page 122 DNS Client, page 122 DNS Introduction One of the main complications of the multi-homed network is which IP address to use in the DNS space for a particular URL. To solve this problem and at the same time provide load balancing for inbound traffic, LinkProof can take control of particular URLs. To achieve this, LinkProof must become the authoritative name server for a particular URL through proper configuration in an organization's master DNS servers. This causes all DNS queries from the Internet for the particular URL to arrive at LinkProof. At the same time, multiple static NAT addresses are assigned to LinkProof, all mapped to the IP address of the server hosting the particular URL. Each static NAT address comes from one of the address ranges associated with each link. When LinkProof receives a DNS query asking it to resolve a particular URL to an IP address, it resolves the query to the static NAT address corresponding to the best link available for the user's request. This means different responses may be provided to different clients requesting the same URL. 118 Doc. No.: 8261 LinkProof User Guide Notes: i LinkProof operates as authoritative server for A records only. If Linkproof receives queries for other types of records the device will answer that the record type is not supported. The device will answer with Authoritative Answer 0, which specifies that the responding name server is not an authority for the domain name in question. Return code is set to 0 No error meaning that the request was completed successfully. 
ii. The device answers a DNS query only if the URL specified in the query is configured on the device. If the URL is not configured, the device does not answer.
iii. When answering a DNS query, the device selects only those links that have Static NAT or No NAT defined for the local IP mapped to the requested URL.

Mapping URLs to Local IP Addresses

To allow LinkProof to load balance inbound traffic to internal servers, you must configure the following:
• Host to Local IP Mapping: the URLs supported and the local IP addresses of the servers on which the URLs reside. LinkProof can map explicit host names to a local IP address (Host to Local IP) or dynamic host names, that is, wildcard URLs (Dynamic Host to Local IP). Dynamic host names let you set a single definition for many similar URLs that are hosted on the same server. To increase performance through a more efficient search, you can define whether LinkProof searches for a URL in only one of the mapping tables or in both, using the URL to IP Search Mode parameter.
• Static NAT or No NAT for the servers' local IP addresses via all available routers.

To configure Host to Local IP Mapping:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, click the DNS Settings tab. The DNS Settings pane appears.
3. In the DNS Settings pane, select Name to Local IP or Both in the URL to IP Search Mode parameter and click Name to Local IP. The Name to Local IP window appears.
4. In the Name to Local IP window, set the required parameters (Host URL and Local IP) and click Add. Repeat for all existing URLs.
5. Click Ok. Your preferences are recorded.

To configure Dynamic Host to Local IP mapping:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, click DNS Settings. The DNS Settings pane appears.
3. In the DNS Settings pane, select Dynamic Host Name to Local IP or Both in the URL to IP Search Mode parameter and click Dynamic Host Name to Local IP. The Dynamic Host Name to Local IP window appears.
4. In the Dynamic Host Name to Local IP window, set the required parameters (Variable Host Name and Local IP) and click Add. Repeat for all existing URLs.
5. Click Ok. Your preferences are recorded.

DNS Response Parameters

DNS Response parameters include the following:
• Response TTL: This parameter defines the "time to live" of the DNS responses that clients cache. A high value means less DNS traffic, but the router from whose range the response IP was selected might become unavailable during this period. A low value provides higher availability of the internal server. The default setting is 0, which means the response is not cached.
• Two Records in DNS Reply: When enabled, LinkProof answers with two A records (the static IPs of the internal server via the two best routers); when disabled, it answers with one A record.
• DNS Response Mode: This parameter lets you choose whether the device answers DNS queries according to the SmartNAT status. In configurations where NAT is performed by a device positioned in front of LinkProof (access routers or a firewall), SmartNAT is disabled, which means the device answers DNS queries with the internal server's local IP address. However, to perform inbound load balancing, LinkProof must be able to answer DNS queries with public IP addresses (static NAT). LinkProof can answer DNS queries according to the following criteria:
  — According to SmartNAT mode (static NAT address if SmartNAT is enabled, local IP address otherwise); this is the default
  — Always NAT IP address (static NAT address)
  — Always Local IP address

To configure DNS Response Parameters:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2.
In the Traffic Redirection window, click DNS Settings. The DNS Settings pane appears.
3. In the DNS Settings pane, set the parameters as desired.
4. Click Apply to save the settings.

DNS for Local Users

This feature provides DNS resolution for internal servers while using the same DNS server for both internal and external users. The problem with this configuration is that internal users need the host name resolved to the local IP address of the server, while external clients need the server's external IP, but the DNS server cannot distinguish between internal and external users. The solution implemented in LinkProof depends on whether the DNS server is located internally or externally.

External DNS server configuration

When the DNS server is located outside the company network, the DNS for Local Users functionality behaves as follows:
• LinkProof is the authoritative DNS for the internal servers and resolves the host name to the public IP address (static NAT).
• A user, whether external or internal, queries the DNS server for host name resolution.
• The DNS server requests address resolution from LinkProof, receives the public IP address and sends the response to the user.
• The response to an internal user passes via LinkProof. LinkProof intercepts the DNS response carrying the internal server resolution and replaces the public IP with the local IP address. Internal users can therefore communicate with internal servers directly, via the local network.
• External clients receive the public IP from the DNS server and can access the servers.

Internal DNS server configuration

When the DNS server is located inside the company network, the DNS for Local Users functionality behaves as follows:
• The DNS server is the authoritative DNS for the internal servers and resolves the host name to the local IP address. Alternatively, LinkProof can be the authoritative DNS; in this case DNS Response Mode should be set to Always Local IP address.
• A user, whether external or internal, queries the DNS server for host name resolution.
• The DNS server answers with the local IP address.
• The response to an external user passes via LinkProof. LinkProof intercepts the DNS response and replaces the local IP with a public IP address, so external users can communicate with the servers.
• Internal users receive the local IP from the DNS server and communicate with internal servers directly, via the local network.

LinkProof can provide DNS for "Local Users" functionality for the following types of DNS messages:
• A record reply
• MX record reply
• PTR query and reply
• A record inverse queries and replies

The DNS for "Local Users" functionality is activated via the DNS Server Location parameter. By default this parameter is set to Not Relevant, meaning that the feature is not enabled. To activate the feature, set this parameter to either Internal or External, depending on where your DNS server is located. For increased performance, it is recommended to configure the DNS servers for which this functionality is provided.

To configure DNS for Local Clients:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, click DNS Settings. The DNS Settings pane appears.
3. In the DNS Settings pane, set the DNS Server Location to the desired value.
4. Click Apply to save the settings.
5. Configure DNS Servers (optional):
6. Click DNS Server. The DNS Servers window appears.
7. In the DNS Servers window, enter the DNS Server IP address and click Add. Repeat for all your DNS servers.
8. Click Ok. Your preferences are recorded.

Configuration Notes:
The DNS for "Local Users" functionality is resource consuming, since the device has to scan all DNS responses. It should not be enabled if not required.
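As an added illustration of the behaviour described in the DNS Introduction notes, the DNS Response Parameters and the DNS for Local Users section above (example code written for this guide's topic, not Radware's implementation), the following Python block models the decisions in DNS wire format: answer an A query for a configured URL with the static NAT address of the best link (two links when Two Records in DNS Reply is enabled, the local IP when the response mode resolves to Always Local IP address), reply with AA=0 and RCODE=0 to other record types, send no answer for an unconfigured name, and rewrite the A records of a response that passes through the device for local users. The class and function names, the link names Router 1 and Router 2 and the mapping tables are assumptions; the host www.site.com and the addresses 10.1.1.30, 100.1.1.21 and 200.1.1.21 are the ones used in the configuration examples later in this chapter.

```python
import struct
import ipaddress

A_RECORD, CLASS_IN = 1, 1

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def build_query(qname, qtype, txid=0x1234):
    """Client query: RD set, one question, nothing else."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN))

def parse_message(msg):
    """Header flags, the single question and the answer records (A RDATA as text)."""
    txid, flags, _, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == A_RECORD and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(bytes(rdata)))
        answers.append((rtype, ttl, rdata))
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F,
            "qname": qname, "qtype": qtype, "answers": answers}

class LinkProofDns:
    # Assumed model of the authoritative A-record behaviour described in notes i-iii.
    def __init__(self, name_to_local, static_nat, response_ttl=0, two_records=False,
                 response_mode="smartnat", smartnat=True):
        self.name_to_local = name_to_local   # Host to Local IP mapping
        self.static_nat = static_nat         # {local ip: {link name: static NAT ip}}
        self.ttl = response_ttl              # 0 = clients do not cache the answer
        self.two_records = two_records       # Two Records in DNS Reply
        if response_mode == "smartnat":      # default: follow the SmartNAT status
            response_mode = "always_nat" if smartnat else "always_local"
        self.response_mode = response_mode

    def answer(self, query, links_best_first):
        q = parse_message(query)
        if q["qname"] not in self.name_to_local:
            return None                                   # note ii: URL not configured
        local = self.name_to_local[q["qname"]]
        if q["qtype"] != A_RECORD:
            return self._reply(query, aa=False, ips=[])   # note i: AA=0, RCODE=0, no records
        if self.response_mode == "always_local":
            ips = [local]
        else:
            nat = self.static_nat.get(local, {})
            usable = [link for link in links_best_first if link in nat]   # note iii
            ips = [nat[link] for link in usable[:2 if self.two_records else 1]]
        return self._reply(query, aa=True, ips=ips)

    def _reply(self, query, aa, ips):
        flags = 0x8100 | (0x0400 if aa else 0)            # QR=1, RD copied, RCODE=0
        txid = struct.unpack("!H", query[:2])[0]
        header = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0)
        rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", A_RECORD, CLASS_IN, self.ttl, 4)
                       + ipaddress.IPv4Address(ip).packed for ip in ips)
        return header + query[12:] + rrs                  # query[12:] is the question section

def rewrite_a_records(msg, mapping):
    """DNS for Local Users: rewrite A RDATA in a response passing through the device.
    External DNS server: mapping is public -> local; internal DNS server: local -> public."""
    out = bytearray(msg)
    an = struct.unpack("!H", msg[6:8])[0]
    _, off = decode_name(msg, 12)
    off += 4                                              # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            ip = str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            if ip in mapping:
                out[off:off + 4] = ipaddress.IPv4Address(mapping[ip]).packed
        off += rdlen
    return bytes(out)
```

The `_reply` method copies the question section from the query verbatim and assumes the query carries nothing after it (no EDNS additional record). `rewrite_a_records` keeps the message length unchanged, because IPv4 RDATA is always four bytes, so no compression pointers need adjusting; a response whose A records are absent or do not match the mapping passes through untouched.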
DNS for "Local Users" functionality is not required in the following cases:
• Different DNS servers provide host name resolution for internal and external users.
• Communication between internal users and internal servers always passes via LinkProof (in both directions).

DNS Redundancy

A virtual DNS IP address must be configured in a LinkProof redundant configuration to allow DNS requests to be handled smoothly and transparently by the redundant device when the main device is down. A virtual DNS address should be configured for each provider (router). The same address is configured on both devices.

To configure DNS Redundancy:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, click DNS Settings. The DNS Settings pane appears.
3. In the DNS Settings pane, set the following parameters according to the explanations provided:
   Parameter        Description
   DNS IP Address:  Virtual IP address
   DNS Mode:        Regular in the main device, Backup in the backup device
4. Click Add.
5. Repeat for each virtual IP.
6. Click Apply to save the settings.

DNS Client

In certain cases LinkProof must resolve external host names. For this purpose, DNS servers (main and backup) need to be configured. In addition, static DNS entries can be configured.

To configure the DNS Client:
1. In the main window, click Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, click the DNS Settings tab. The DNS Settings pane appears.
3. In the DNS Settings pane, select Clients DNS.
4. Configure the main and backup DNS servers.
5. Click Ok. Your preferences are recorded.

Basic Load Balancing

This section provides some basic load balancing configuration examples, which can be implemented without using Flow definitions. This section includes the following configurations:
• Simple Router Load Balancing Configuration, page 123
• Simple Router Load Balancing Configuration with VLAN, page 127
• One-leg (lollipop) Configuration, page 131
• Sandwich Configuration, page 136
• Single Device Installation, page 143

Simple Router Load Balancing Configuration

The example in Simple Router Load Balancing Configuration, page 123, illustrates the configuration of simple router load balancing.

[Figure 8 - Simple Router Load Balancing Configuration. Diagram labels: Router 1 (interface 100.1.1.1; NAT 100.1.1.2 for 10.1.1.30 via Router 1) and Router 2 (interface 200.1.1.1; NAT 200.1.1.2 for 10.1.1.30 via Router 2) above LinkProof; LinkProof interface 10.1.1.10 faces the internal local network 10.1.1.x with server 10.1.1.30.]

To configure simple Router Load Balancing:
1. During initial installation, configure the IP address for the device; for this example, 10.1.1.10 for interface 1.
2. Define additional interfaces:
   a. From the main window, double-click the LinkProof device icon. The Connect LP to Device window appears.
   b. In the Connect LP to Device window, type the device's IP address, 10.1.1.10, and click Ok.
   c. Double-click the LinkProof icon again. The Setup window appears.
   d. In the LinkProof Setup window, click Add. The Edit Interface window appears.
   e. In the Edit Interface window, set the following parameters according to the explanations provided:
      IF Num   IP Address    Network Mask
      F-2      100.1.1.10    255.255.255.0
      F-2      200.1.1.10    255.255.255.0
   f. Click Ok. The LinkProof Setup window remains open.
3. Define at least one of the routers as a default gateway to the Internet (it is recommended to define all the routers in the Routing Table):
   a. In the Setup window, select Networking > Routing Table. The Routing Table window appears.
   b. In the Routing Table window, click Add. The Edit Route window appears.
   c. In the Edit Route window, set the following parameters according to the explanations provided:
      Parameter                Description
      Destination IP Address:  0.0.0.0
      Network Mask:            0.0.0.0
      Next Hop:                100.1.1.20
      IF Number:               F-2

      Destination IP Address:  0.0.0.0
      Network Mask:            0.0.0.0
      Next Hop:                200.1.1.20
      IF Number:               F-2
   d. Click Ok. Your preferences are recorded.
4. Add two Routers:
   a. From the main toolbar, click Add, then from the drop-down menu select Router.
   b. Double-click the Router icon that appears on the map. The Router window appears.
   c. In the Router window, set the following parameters according to the explanations provided:
      Parameter     Description
      Router Name:  Router 1
      IP Address:   100.1.1.20
   d. Add another router. Set the following parameters according to the explanations provided:
      Parameter     Description
      Router Name:  Router 2
      IP Address:   200.1.1.20
   e. Click Ok. Your preferences are recorded.
5. Add a farm to the LinkProof:
   a. From the main window, click Traffic Redirection. The Traffic Redirection window appears.
   b. In the Traffic Redirection window, click the Farms tab. The Farms pane appears.
   c. In the Farms pane, click Add. The Edit LinkProof Farms window appears.
   d. In the Edit LinkProof Farms window, select Farm Type Router and define the farm name, for example: Routers_Farm.
   e. In the Edit LinkProof Farms window, click Traffic Settings and set the following parameters according to the explanations provided:
      Parameter            Description
      Dispatch Method:     As required
      Persistency Mode:    As required
      Packet Translation:  NAT
6. Add two farm servers:
   a. In the Farm Servers pane, click Add. The LinkProof Farm Router Server window appears.
   b. In the LinkProof Farm Router Server window, click Traffic Settings and set the following parameters according to the explanations provided:
      Parameter        Description
      Server Name:     Router 1
      Server Address:  100.1.1.20
   c. Repeat this procedure for the second farm server.
Set the following parameters according to the explanations provided:
      Parameter        Description
      Server Name:     Router 2
      Server Address:  200.1.1.20
   d. Click Ok. Your preferences are recorded.
7. Set Connectivity Checks:
   a. In the Setup window, click Global > Connectivity Settings > Edit Settings. The Connectivity Settings window appears.
   b. In the Connectivity Settings window, enable the Connectivity Check status. It is recommended to use the Health Monitoring option. If Health Monitoring Connectivity Checks was selected for the farms, configure health checks for the farm servers; see Health Monitoring, page 353.
8. It is recommended to ensure that the remote side of the router is operational. If Ping Connectivity Check was selected, use Full Path Health Monitoring to configure checks for the other side of the routers, as follows:
   a. From the main window, double-click the Firewall 1 icon. The Router window appears.
   b. In the Router window, click Advanced Settings. The Advanced Settings pane appears.
   c. In the Advanced Settings pane, set the following parameters according to the explanations provided:
      Parameter     Description
      Device Name:  Select LinkProof 1
      IP Address:   Select the internal interface of the router, 100.1.1.20
   d. Click Full Path Health Monitor. The Full Path Health Monitor window appears.
   e. In the Full Path Health Monitor window, set the following parameter according to the explanation provided:
      Parameter       Description
      Check Address:  Add the router IP (100.1.1.20)
   f. Repeat the above procedure for Router 2.
9. Configure NAT (Dynamic & Static) for the two routers:
   a. From the LinkProof Traffic Redirection window, click the NAT tab. The NAT pane appears.
   b. In the NAT field, select Dynamic NAT to add NAT addresses for outbound traffic by adding the following NAT entries:
      From Local Address  To Local Address  Router IP    Dynamic NAT IP
      10.1.1.0            10.1.1.255        100.1.1.20   100.1.1.22
      10.1.1.0            10.1.1.255        200.1.1.20   200.1.1.22
   c. After each entry, click Add to save your settings.
   d. From the NAT field, select Static NAT to add NAT addresses for inbound traffic by adding the following NAT entries:
      From Local Address  To Local Address  Router IP    From Static NAT  To Static NAT
      10.1.1.30           10.1.1.30         100.1.1.20   100.1.1.21       100.1.1.21
      10.1.1.30           10.1.1.30         200.1.1.20   200.1.1.21       200.1.1.21
   e. After each entry, click Add to save your settings.
10. Map the URL of the internal server to the server's local IP:
   a. In the Traffic Redirection window, click the DNS tab. The DNS pane appears.
   b. In the DNS pane, click Name to Local IP. The Name to Local IP window appears.
   c. In the Name to Local IP window, enter www.site.com as the Host URL parameter and 10.1.1.30 as the Local IP parameter.
   d. Click Add to save the entry. Click Ok. Your preferences are recorded.

Simple Router Load Balancing Configuration with VLAN

The example shown in Simple Router Configuration with VLAN, page 127, illustrates a configuration similar to the previous one, but in a VLAN environment.

[Figure 9 - Simple Router Configuration with VLAN. Diagram labels: Router 1 (NAT 100.1.1.2 for 10.1.1.30 via Router 1) and Router 2 (NAT 200.1.1.2 for 10.1.1.30 via Router 2); interfaces 100.1.1.1 and 200.1.1.1; LinkProof Interface 3; internal local network 10.1.1.x with server 10.1.1.30.]

To configure Router Load Balancing with VLAN:
1. During initial installation, configure the IP address for the device; for this example, 10.1.1.10 for interface 1.
2. Define the VLAN. To operate the load balancing in a VLAN network topology you must use a "Regular" VLAN type. A regular IP VLAN (100001) is automatically defined on the LinkProof; you need only assign the relevant ports to it.
   a. From the main window, double-click the LinkProof device icon.
The Connect LP to Device window appears.
   b. In the Connect LP to Device window, type the device's IP address, 10.1.1.10, and click Ok.
   c. Double-click the LinkProof device icon again. The Setup window appears.
   d. In the LinkProof Setup window, select Networking > VLAN. The Virtual LAN window appears.
   e. In the Virtual LAN window, select VLAN number 100001 (Regular IP) and, in the Assign port to VLAN area, select F-1.
   f. Click Update to apply the changes and then click Ok to return to the LinkProof Setup window.
3. Assign an IP Interface to the VLAN:
   a. In the Setup window, select IP address 10.1.1.10 for F-1 and click Edit. The Edit Interface window appears.
   b. In the Edit Interface window, set the following parameter according to the explanation provided:
      Parameter   Description
      IF Number:  Select the value 100001
   c. Click Ok to return to the LinkProof Setup window.
4. Define an additional interface:
   a. In the Setup window, click Add. The Edit Interface window appears.
   b. In the Edit Interface window, set the following parameters according to the explanations provided:
      Parameter      Description
      IF Number:     F-3
      IP Address:    200.1.1.10
      Network Mask:  255.255.255.0
   c. Click Ok. The Setup window remains open.
5. Define at least one of the routers as the default gateway to the Internet. It is recommended to define all the routers in the Routing Table:
   a. In the Setup window, select Networking > Routing Table. The Routing Table window appears.
   b. In the Routing Table window, click Add. The Edit Route window appears.
   c. In the Edit Route window, set the following parameters according to the explanations provided:
      Parameter                Description
      Destination IP Address:  0.0.0.0
      Network Mask:            0.0.0.0
      Next Hop:                100.1.1.20
      IF Number:               100001

      Destination IP Address:  0.0.0.0
      Network Mask:            0.0.0.0
      Next Hop:                20.1.1.20
      IF Number:               F-3
   d. Click Ok. Your preferences are recorded.
6. Add two Routers:
   a. From the main toolbar, click Add and from the drop-down menu, select Router.
   b. Double-click the Router icon that appears on the map. The Router window appears. In the Router window, set the following parameters according to the explanations provided:
      Parameter    Description
      FW Name:     Router 1
      IP Address:  100.1.1.20
   c. For the second Router, set the following parameters according to the explanations provided:
      Parameter    Description
      FW Name:     Router 2 (for example)
      IP Address:  200.1.1.20
   d. Click Ok. Your preferences are recorded.
7. Add a farm to LinkProof:
   a. From the main window, click Traffic Redirection. The Traffic Redirection window appears.
   b. In the Traffic Redirection window, click Farms. The Farms pane appears.
   c. In the Farms pane, click Add. The Edit LinkProof Farms window appears.
   d. In the Edit LinkProof Farms window, for Farm Type select Firewall and define the farm name, for example: Router Farm.
   e. In the Edit LinkProof Farms window, click Traffic Settings and set the following parameters according to the explanations provided:
      Parameter            Description
      Dispatch Method:     As required
      Persistency Mode:    As required
      Packet Translation:  NAT
8. Add two Farm Servers:
   a. From the Farm Servers pane, click Add. The LinkProof Farm Router Server window appears.
   b. In the LinkProof Farm Router Server window, set the following parameters according to the explanations provided:
      Parameter        Description
      Server Name:     Router 1
      Server Address:  100.1.1.20
   c. Repeat the procedure for the second farm server by setting the following parameters according to the explanations provided:
      Parameter        Description
      Server Name:     Router 2
      Server Address:  200.1.1.20
   d. Click Ok. Your preferences are recorded.
9. Configure Connectivity Checks:
   a. From the Setup window, select Global > Connectivity Settings > Edit Settings. The Connectivity Settings window appears.
   b. In the Connectivity Settings window, enable the Connectivity Check status. It is recommended to use the Health Monitoring option. If Health Monitoring Connectivity Checks was selected for the farms, configure health checks for the farm servers; see Health Monitoring, page 353.
10. It is recommended to ensure that the remote side of the router is operational. If Ping Only Connectivity Check was selected, use Full Path Health Monitoring to configure checks for the other side of the routers, as follows:
   a. From the main window, double-click the Firewall 1 icon. The Router window appears.
   b. In the Router window, click Advanced Settings. The Advanced Settings pane appears.
   c. In the Advanced Settings pane, set the following parameters according to the explanations provided:
      Parameter     Description
      Device Name:  Select LinkProof 1
      IP Address:   Select the internal interface of the router, 100.1.1.20
   d. Click Full Path Health Monitor. The Full Path Health Monitor window appears.
   e. In the Full Path Health Monitor window, set the following parameter according to the explanation provided:
      Parameter       Description
      Check Address:  Add the router IP (100.1.1.20)
   f. Repeat the above procedure for Router 2.
11. Configure NAT:
   a. From the Traffic Redirection window, click NAT. The NAT pane appears.
   b. In the NAT pane, check the SmartNAT checkbox to enable NAT functionality.
   c. In the NAT field, select Dynamic NAT to add NAT addresses for outbound traffic by adding the following NAT entries for Router 2 (traffic sent via Router 1 does not require NAT):
      Parameter            Description
      From Local Address:  10.1.1.0
      To Local Address:    10.1.1.255
      Router IP:           100.1.1.20
      Dynamic NAT IP:      100.1.1.22
   d. After each entry, click Add to save your settings.
   e. From the NAT field, select Static NAT to add NAT addresses for inbound traffic by adding the following NAT entry for Router 2:
      Parameter            Description
      From Local Address:  100.1.1.30
      To Local Address:    100.1.1.30
      Router IP:           200.1.1.20
      From Static NAT:     200.1.1.21
      To Static NAT:       200.1.1.21
   f. After each entry, click Add to save your settings.
   g. From the NAT field, select No NAT to define a No NAT entry for inbound traffic via Router 1 by adding the following entry:
      Parameter            Description
      From Local Address:  100.1.1.30
      To Local Address:    100.1.1.30
      Router IP:           200.1.1.20
12. Map the URL of the internal server to the server's local IP:
   a. In the Traffic Redirection window, click DNS. The DNS pane appears.
   b. In the DNS pane, click Name to Local IP. The Name to Local IP window appears.
   c. In the Name to Local IP window, enter www.site.com as the Host URL parameter and 10.1.1.30 as the Local IP parameter.
13. Click Add to save the entry. Click Ok. Your preferences are recorded.

One-leg (lollipop) Configuration

The example shown in Simple One-leg (lollipop) Firewall Configuration, page 132, illustrates a simple configuration that does not require changing the network configuration.

[Figure 10 - Simple One-leg (lollipop) Firewall Configuration. Diagram labels: Router 1 (100.1.1.20) and Router 2 (200.1.1.2; NAT 200.1.1.21 for 100.1.1.30 via Router 2); LinkProof Interface 1 100.1.1.10 and Interface 2 200.1.1.10; internal local network 100.1.1.x with server 100.1.1.3.]

To configure a One-leg Configuration:
1. During initial installation, configure the IP address for the device via the Command Line Interface; for this example, 100.1.1.10 for interface 1.
2. Define additional interfaces:
   a. From the main window, double-click the LinkProof icon. The Connect LP to Device window appears.
   b. In the Connect LP to Device window, type the device's IP address, 100.1.1.10, and click Ok.
   c. Double-click the LinkProof device icon again. The Setup window appears.
   d. In the Setup window, click Add.
The Edit Interface window appears.
   e. In the Edit Interface window, set the following parameters according to the explanations provided:
      IF Num   IP Address    Network Mask
      F-2      200.1.1.10    255.255.255.0
   f. Click Ok. The LinkProof Setup window remains open.
3. Define at least one of the routers as a default gateway to the Internet (it is recommended to define all the routers in the Routing Table):
   a. From the Setup window, select Networking > Routing Table. The Routing Table window appears.
   b. In the Routing Table window, click Add. The Edit Route window appears.
   c. In the Edit Route window, set the following parameters according to the explanations provided:
      Parameter                Description
      Destination IP Address:  0.0.0.0
      Network Mask:            0.0.0.0
      Next Hop:                100.1.1.20
      IF Number:               F-2

      Destination IP Address:  0.0.0.0
      Network Mask:            0.0.0.0
      Next Hop:                200.1.1.20
      IF Number:               F-2
   d. Click Ok. Your preferences are recorded.
4. Add two Routers:
   a. From the LinkProof toolbar, click Add and from the drop-down menu, select Router.
   b. Double-click the Router icon that appears on the map. The Router window appears.
   c. In the Router window, set the following parameters according to the explanations provided:
      Parameter     Description
      Router Name:  Router 1
      IP Address:   100.1.1.20
   d. Add another router. Set the following parameters according to the explanations provided:
      Parameter     Description
      Router Name:  Router 2
      IP Address:   200.1.1.20
   e. Click Ok. Your preferences are recorded.
5. Add a farm to the LinkProof:
   a. From the main window, select APSolute OS > Traffic Redirection. The LinkProof Traffic Redirection window appears.
   b. From the LinkProof Traffic Redirection window, click Farms. The Farms pane appears.
   c. In the Farms pane, click Add. The Edit LinkProof Farms window appears.
   d. In the Edit LinkProof Farms window, select Farm Type Router and define the farm name, for example: Routers_Farm.
   e. In the Edit LinkProof Farms window, click Traffic Settings and set the following parameters according to the explanations provided:
      Parameter            Description
      Dispatch Method:     As required
      Persistency Mode:    As required
      Packet Translation:  NAT
6. Add two farm servers:
   a. From the Farm Servers pane, click Add. The LinkProof Farm Router Server window appears.
   b. In the LinkProof Farm Router Server window, click Traffic Settings and set the following parameters according to the explanations provided:
      Parameter        Description
      Server Name:     Router 1
      Server Address:  100.1.1.20
   c. Repeat this procedure for the second farm server. Set the following parameters according to the explanations provided:
      Parameter        Description
      Server Name:     Router 2
      Server Address:  200.1.1.20
   d. Click Ok. Your preferences are recorded.
7. Set Connectivity Checks:
   a. From the LinkProof Traffic Redirection window, click Connectivity Checks. The Connectivity Checks pane appears.
   b. In the Connectivity Checks pane, enable the Connectivity Check status. It is recommended to use the Health Monitoring option. If Health Monitoring Connectivity Checks was selected for the farms, configure health checks for the farm servers; see Health Monitoring, page 353.
8. It is recommended to ensure that the remote side of the router is operational. If Ping Only Connectivity Check was selected, use Full Path Health Monitoring to configure checks for the other side of the routers, as follows:
   a. From the main window, double-click the Firewall 1 icon. The Router window appears.
   b. In the Router window, click Advanced Settings. The Advanced Settings pane appears.
   c. In the Advanced Settings pane, set the following parameters according to the explanations provided:
      Parameter     Description
      Device Name:  Select LinkProof 1
      IP Address:   Select the internal interface of the router, 100.1.1.20
   d. Click Full Path Health Monitor. The Full Path Health Monitor window appears.
   e. In the Full Path Health Monitor window, set the following parameter according to the explanation provided:
      Parameter       Description
      Check Address:  Add the router IP (100.1.1.20)
   f. Repeat the above procedure for Router 2.
9. Configure NAT:
   a. From the LinkProof Traffic Redirection window, click NAT. The NAT pane appears.
   b. In the NAT pane, check the SmartNAT checkbox to enable NAT functionality.
   c. In the NAT field, select Dynamic NAT to add NAT addresses for outbound traffic by adding the following NAT entries for Router 2 (traffic sent via Router 1 does not require NAT):
      Parameter            Description
      From Local Address:  10.1.1.0
      To Local Address:    10.1.1.255
      Router IP:           100.1.1.20
      Dynamic NAT IP:      100.1.1.22
   d. After each entry, click Add to save your settings.
   e. From the NAT field, select Static NAT to add NAT addresses for inbound traffic by adding the following NAT entry for Router 2:
      Parameter            Description
      From Local Address:  100.1.1.30
      To Local Address:    100.1.1.30
      Router IP:           200.1.1.20
      From Static NAT:     200.1.1.21
      To Static NAT:       200.1.1.21
   f. After each entry, click Add to save your settings.
   g. From the NAT field, select No NAT to define a No NAT entry for inbound traffic via Router 1 by adding the following entry:
      Parameter            Description
      From Local Address:  100.1.1.30
      To Local Address:    100.1.1.30
      Router IP:           200.1.1.20
10. Map the URL of the internal server to the server's local IP:
   a. From the LinkProof Traffic Redirection window, click DNS. The DNS pane appears.
   b. In the DNS pane, click Name to Local IP. The Name to Local IP window appears.
   c. In the Name to Local IP window, enter www.site.com as the Host URL parameter and 10.1.1.30 as the Local IP parameter.
11. Click Add to save the entry. Click Ok. Your preferences are recorded.
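The NAT and URL mapping steps of the three configurations above share one model: outbound traffic leaves with the dynamic NAT address configured for the chosen router, inbound traffic to a static NAT address is translated to the server's local IP, and DNS answers can only use links that have a Static NAT or No NAT entry for that local IP (note iii in DNS Introduction). The following Python block, added here as an illustration and not Radware code, models the NAT table and the Name to Local IP mapping of the Simple Router Load Balancing example (steps 9 and 10) and adds a configuration check that reports any mapped host no router can deliver inbound traffic to. The class and function names are assumptions, as is the precedence of No NAT over Static NAT over Dynamic NAT when several entries match the same local address and router.

```python
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address

def in_range(ip, lo, hi):
    return IPv4(lo) <= IPv4(ip) <= IPv4(hi)

@dataclass(frozen=True)
class DynamicNat:           # outbound: many local addresses share one NAT IP per router
    from_local: str
    to_local: str
    router_ip: str
    nat_ip: str

@dataclass(frozen=True)
class StaticNat:            # inbound and outbound: one-to-one range mapping per router
    from_local: str
    to_local: str
    router_ip: str
    from_static: str
    to_static: str

@dataclass(frozen=True)
class NoNat:                # local addresses are routable as they are via this router
    from_local: str
    to_local: str
    router_ip: str

PRIORITY = {NoNat: 0, StaticNat: 1, DynamicNat: 2}   # assumed precedence, lowest wins

class NatTable:
    def __init__(self, entries, name_to_local):
        self.entries = entries                # NAT entries as added in the NAT pane
        self.name_to_local = name_to_local    # Host to Local IP mapping

    @staticmethod
    def _public_for(entry, local_ip):
        """Public address local_ip gets under one matching entry."""
        if isinstance(entry, NoNat):
            return local_ip
        if isinstance(entry, StaticNat):
            offset = int(IPv4(local_ip)) - int(IPv4(entry.from_local))
            return str(IPv4(entry.from_static) + offset)
        return entry.nat_ip

    def outbound_source(self, local_ip, router_ip):
        """Source address of a packet from local_ip sent via router_ip; None if no entry."""
        matches = [e for e in self.entries
                   if e.router_ip == router_ip and in_range(local_ip, e.from_local, e.to_local)]
        if not matches:
            return None
        return self._public_for(min(matches, key=lambda e: PRIORITY[type(e)]), local_ip)

    def inbound_destination(self, public_ip, router_ip):
        """Local address for a packet arriving via router_ip for public_ip. Dynamic NAT
        addresses accept no unsolicited inbound traffic, so only static/No NAT entries match."""
        for e in self.entries:
            if e.router_ip != router_ip:
                continue
            if isinstance(e, StaticNat) and in_range(public_ip, e.from_static, e.to_static):
                return str(IPv4(e.from_local) + (int(IPv4(public_ip)) - int(IPv4(e.from_static))))
            if isinstance(e, NoNat) and in_range(public_ip, e.from_local, e.to_local):
                return public_ip
        return None

    def dns_candidates(self, host, routers_best_first):
        """Addresses a DNS answer for host may carry, one per link with a Static NAT or
        No NAT entry for the mapped local IP (note iii); links without one are skipped."""
        local = self.name_to_local.get(host)
        if local is None:
            return []
        out = []
        for router in routers_best_first:
            for e in self.entries:
                if (e.router_ip == router and not isinstance(e, DynamicNat)
                        and in_range(local, e.from_local, e.to_local)):
                    out.append(self._public_for(e, local))
                    break
        return out

    def audit(self):
        """Configuration check: every mapped host needs an inbound entry on some router."""
        routers = sorted({e.router_ip for e in self.entries})
        return [f"{host} -> {local}: no Static NAT or No NAT entry on any router"
                for host, local in self.name_to_local.items()
                if not self.dns_candidates(host, routers)]

# Constructed sample: the NAT entries of step 9 and the URL mapping of step 10 above.
SAMPLE = NatTable([
    DynamicNat("10.1.1.0", "10.1.1.255", "100.1.1.20", "100.1.1.22"),
    DynamicNat("10.1.1.0", "10.1.1.255", "200.1.1.20", "200.1.1.22"),
    StaticNat("10.1.1.30", "10.1.1.30", "100.1.1.20", "100.1.1.21", "100.1.1.21"),
    StaticNat("10.1.1.30", "10.1.1.30", "200.1.1.20", "200.1.1.21", "200.1.1.21"),
], {"www.site.com": "10.1.1.30"})
```

With `SAMPLE`, `outbound_source("10.1.1.50", "100.1.1.20")` yields the dynamic NAT address of Router 1 while `outbound_source("10.1.1.30", "200.1.1.20")` yields the server's static NAT address on Router 2, and `dns_candidates("www.site.com", [...])` returns the two static NAT addresses in the order the links were ranked. Removing both static entries makes `audit()` report the host, which is the condition under which LinkProof has no link to answer a query for it.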
Sandwich Configuration This configuration is typical when router load balancing as well as firewall load balancing (for both inbound and outbound traffic) is required. This configuration uses one LinkProof and one FireProof device to load balance inbound and outbound traffic. When static NAT is used on the firewalls, a virtual IP address is created on the external LinkProof to ensure that different NAT addresses, on different firewalls, for a single internal host, are seen as a single public address. This provides load balancing and high availability between the NAT addresses. NAT: For 30.1.1.11 VIP For Router 1 NAT: For 30.1.1.11 VIP For Router 2 100.1.1.2 Interface 2 200.1.1.2 100.1.1.1 200.1.1.1 LinkProof 30.1.1.10 NAT: for 30.1.1.1 30.1.1.2 NAT: For 10.1.1.30 Firewall 2 Firewall 1 20.1.1.2 20.1.1.1 20.1.1.1 FireProof 10.1.1.1 10.1.1.30 136 Local Network 10.1.1.x Doc. No.: 8261 LinkProof User Guide Figure 11 - LinkProof Sandwich Configuration To Configure FireProof: 1. During initial installation, configure the IP address for the device, for this example 10.1.1.10 for interface 1. 2. Define additional interfaces: a. b. From the main window, double-click the FireProof icon. The Connect FP to Device window appears. From the FireProof Connect to Device window, type the device‘s IP address: 10.1.1.10 and click Ok. c. Double-click the FireProof icon again. The FireProof Setup window appears. d. In the FireProof Setup window, click Add. The Edit Interface window appears. e. In the Edit Interface window, set the following parameters according to the explanations provided: Parameter Description IF Number: F-2 IP Address: 20.1.1.10 Network Mask: 255.255.255.0 f. 3. Click Ok. The FireProof Setup window remains open. Define at least one of the Firewalls as the default gateway to the Internet, it is recommended to define all firewalls in the routing table: a. b. c. From the FireProof Setup window, select Networking > Routing Table. The Routing Table window appears. 
   b. In the Routing Table window, click Add. The Edit Route window appears.
   c. In the Edit Route window, set the following parameters according to the explanations provided (one route per firewall):

      Parameter                 Description
      Destination IP Address:   0.0.0.0
      Network Mask:             0.0.0.0
      Next Hop:                 20.1.1.1
      IF Number:                F-2

      Destination IP Address:   0.0.0.0
      Network Mask:             0.0.0.0
      Next Hop:                 20.1.1.2
      IF Number:                F-2

   d. Click Ok. Your preferences are recorded.
4. Add two Firewalls:
   a. From the main toolbar, click Add and from the drop-down menu, select a Firewall.
   b. Double-click the Firewall icon that appears on the map. The Firewall window appears.
   c. In the Firewall window, set the following parameters according to the explanations provided:

      Parameter     Description
      FW Name:      Firewall 1
      IP Address:   20.1.1.1

   d. Add another firewall. Set the following parameters according to the explanations provided:

      Parameter     Description
      FW Name:      Firewall 2
      IP Address:   20.1.1.2

   e. Click Ok. Your preferences are recorded.
5. Add a Farm to FireProof:
   a. From the main window, select APSolute OS > Traffic Redirection. The FireProof Traffic Redirection window appears.
   b. In the FireProof Traffic Redirection window, click Farms. The Farms pane appears.
   c. In the Farms pane, click Add. The Edit FireProof Farms window appears.
   d. In the Edit FireProof Farms window, for Farm Type select Firewall and define the farm name, for example: Internal Firewall.
   e. In the Edit FireProof Farms window, click Traffic Settings and set the following parameters according to the explanations provided:

      Parameter             Description
      Dispatch Method:      as required
      Persistency Mode:     as required
      Packet Translation:   Disable

6. Add two farm servers:
   a. From the Farm Servers tab, click Add. The Farm Firewall Server window appears.
   b. In the Farm Firewall Server window, set the following parameters according to the explanations provided:

      Parameter         Description
      Server Name:      Firewall 1
      Server Address:   20.1.1.1

   c. Repeat the procedure for the second farm server by setting the following parameters according to the explanations provided:

      Parameter         Description
      Server Name:      Firewall 2
      Server Address:   20.1.1.2

   d. Click Ok. Your preferences are recorded.
7. Configure connectivity checks for the load balanced firewall servers as well as the remote side of the firewalls.

To configure LinkProof:
1. During initial installation, configure the IP address for the device, for this example 10.1.1.10 for interface 1.
2. Define additional interfaces:
   a. From the main window, double-click the LinkProof device icon. The Connect LP to Device window appears.
   b. In the Connect LP to Device window, type the device's IP address: 100.1.1.10 and click Ok.
   c. Double-click the LinkProof device icon again. The Setup window appears.
   d. In the Setup window, click Add. The Edit Interface window appears.
   e. In the Edit Interface window, set the following parameters according to the explanations provided (one entry per interface):

      Parameter       Description
      IF Number:      F-2
      IP Address:     100.1.1.10
      Network Mask:   255.255.255.0

      IF Number:      F-2
      IP Address:     200.1.1.10
      Network Mask:   255.255.255.0

   f. Click Ok. The LinkProof Setup window remains open.
3. Define the Router as the default gateway to the Internet. It is recommended to define all the routers in the Routing Table:
   a. From the LinkProof Setup window, select Networking > Routing Table. The Routing Table window appears.
   b. In the Routing Table window, click Add. The Edit Route window appears.
   c. In the Edit Route window, set the following parameters according to the explanations provided (one route per router):

      Parameter                 Description
      Destination IP Address:   0.0.0.0
      Network Mask:             0.0.0.0
      Next Hop:                 100.1.1.20
      IF Number:                F-2

      Destination IP Address:   0.0.0.0
      Network Mask:             0.0.0.0
      Next Hop:                 200.1.1.20
      IF Number:                F-2

   d. Click Ok.
      Your preferences are recorded.
4. Add two Routers:
   a. From the main toolbar, click Add and from the drop-down menu, select a router.
   b. Double-click the Router icon that appears on the map. The Router window appears.
   c. From the Router window, set the following parameters according to the explanations provided:

      Parameter     Description
      FW Name:      Router 1
      IP Address:   100.1.1.20

   d. Add another router. Set the following parameters according to the explanations provided:

      Parameter     Description
      FW Name:      Router 2
      IP Address:   200.1.1.20

   e. Click Ok. Your preferences are recorded.
5. Add 2 farms to LinkProof:
   FM1: External Firewall, to load balance inbound traffic via the firewalls.
   FM2: Router Farm, to load balance outbound and inbound traffic via the routers.
   a. From the main window, select APSolute OS > Traffic Redirection. The LinkProof Traffic Redirection window appears.
   b. In the LinkProof Traffic Redirection window, click Farms. The Farms pane appears.
   c. From the Farms pane, click Add. The Edit LinkProof Farms window appears.
   d. From the Edit LinkProof Farms window, for Farm Type select Firewall and define the farm name, for example: Internal Firewall.
   e. In the Edit LinkProof Farms window, click Traffic Settings and set the parameters as required.
   f. Add the farm servers. From the Farm Servers pane, click Add. The LinkProof Farm Firewall Server window appears.
   g. In the LinkProof Farm Firewall Server window, select servers as specified in step i below.
   h. In the LinkProof Farm Firewall Server window, click Traffic Settings and set the parameters as required.
   i. Repeat this procedure for all farms. For each farm define servers and load balancing parameters according to the explanations provided:

      Farm Name:            External Firewall   Router Farm
      Server Name:          Firewall 1          Router 1
      Server Address:       30.1.1.1            100.1.1.20
      Server Name:          Firewall 2          Router 2
      Server Address:       30.1.1.2            200.1.1.20
      Dispatch Method:      Any                 Any
      Persistency:          Any                 Any
      Packet Translation:   VIP                 NAT

   j. Click Ok. Your preferences are recorded.
6. Configure connectivity checks for the load balanced firewall servers as well as the remote side of the firewalls, see Simple Router Load Balancing Configuration with VLAN, page 127.
7. Define a Virtual IP Address to load balance inbound traffic to the internal server 10.1.1.30:
   a. From the LinkProof Traffic Redirection window, click the VIP tab. The VIP pane appears.
   b. For the VIP Address parameter, set a virtual IP address that will be the public address representing the internal server (10.1.1.30), for example 30.1.1.11.
   c. Click Add. The Edit Mapped IP window appears.
   d. From the Edit Mapped IP window, set the following parameters according to the explanations provided:

      Parameter      Description
      Firewall:      30.1.1.1
      NAT Address:   30.1.1.30

   e. Click Ok to return to the Edit Virtual IP Addresses window.
   f. Click Add again to define a Mapped IP for Firewall 2. Set the following parameters according to the explanations provided:

      Parameter      Description
      Firewall:      30.1.1.2
      NAT Address:   30.1.1.31

   g. Click Ok to return to the Edit Virtual IP Addresses window.
   h. Click OK. Your preferences are recorded.
8. Configure NAT:
   a. From the LinkProof Traffic Redirection window, click NAT. The NAT pane appears.
   b. In the NAT pane, check the SmartNAT checkbox to enable NAT functionality.
   c. In the NAT field, select Dynamic NAT to add NAT addresses for outbound traffic by adding the following NAT entries:

      Parameter             Entry 1      Entry 2
      From Local Address:   10.1.1.0     10.1.1.0
      To Local Address:     10.1.1.255   10.1.1.255
      Router IP:            100.1.1.20   200.1.1.22
      Dynamic NAT IP:       100.1.1.22   200.1.1.22

   d. After each entry, click Add to save your settings.
   e. From the NAT field, select Static NAT to add NAT addresses for inbound traffic by adding the following NAT entries:

      Parameter             Description
      From Local Address:   30.1.1.11
      To Local Address:     30.1.1.11
      Router IP:            100.1.1.20
      From Static NAT:      100.1.1.21 (first entry), 200.1.1.21 (second entry)
      To Static NAT:        100.1.1.21 (first entry), 200.1.1.21 (second entry)

   f. After each entry, click Add to save your settings.
   g. From the NAT field, select No NAT to define a No NAT entry for inbound traffic via Router 1 by adding the following entry:

      Parameter             Description
      From Local Address:   100.1.1.30
      To Local Address:     100.1.1.30
      Router IP:            200.1.1.20

   h. After each entry, click Add to save your settings.
9. Map the URL of the internal server to the server's local IP:
   a. From the LinkProof Traffic Redirection window, click DNS. The DNS pane appears.
   b. In the DNS pane, click Name to Local IP. The Name to Local IP window appears.
   c. From the Name to Local IP window, enter www.site.com as the Host URL parameter and 10.1.1.30 for the local IP parameter.
10. Click Add to save the entry. Click Ok. Your preferences are recorded.

Single Device Installation

The same functionality as in the previous example can be achieved with a single LinkProof device using the Port Rules functionality.

Figure 12 - Single Device Installation (diagram: Router 1, Router 2, LinkProof with internal and external interfaces, Firewall 1, Firewall 2, Local Network 10.1.1.x)

In this configuration two separate farms must be configured: one on the internal interfaces of the firewalls for outbound load balancing, and one on the external interfaces of the firewalls for inbound load balancing.

To configure LinkProof in a single device installation:
1. During initial installation, configure an IP address for the device, for this example 10.1.1.10 on interface 1.
2. Define the interfaces for ports 2, 3 and 4:
   a. From the main window, double-click the LinkProof icon. The LinkProof Connect to Device window appears.
   b. From the LinkProof Connect to Device window, type the device's IP address: 10.1.1.10 and click Ok.
   c. Double-click the LinkProof icon again. The LinkProof Setup window appears.
   d. From the LinkProof Setup window, click Add. The Edit Interface window appears.
   e. From the Edit Interface window, set the following parameters according to the explanations provided (one entry per interface):

      Parameter       Description
      IF Number:      F-2
      IP Address:     20.1.1.10
      Network Mask:   255.255.255.0

      IF Number:      F-3
      IP Address:     30.1.1.10
      Network Mask:   255.255.255.0

      IF Number:      F-4
      IP Address:     40.1.1.10
      Network Mask:   255.255.255.0

   f. Click Ok. The LinkProof Setup window remains open.
3. Using the Command Line Interface, configure Port Rules:

      LP port-rules set 1 2
      LP port-rules set 3 4

4. Add two Firewalls:
   a. From the LinkProof toolbar, click Add and from the drop-down menu, select a Firewall.
   b. Double-click the Firewall icon that appears on the map. The Firewall window appears.
   c. From the Firewall window, set the following parameters according to the explanations provided:

      Parameter     Description
      FW Name:      Firewall 1
      IP Address:   20.1.1.1
      IP Address:   30.1.1.1

   d. Add another firewall. Set the following parameters according to the explanations provided:

      Parameter     Description
      FW Name:      Firewall 2
      IP Address:   20.1.1.2
      IP Address:   30.1.1.2

   e. Click Ok. Your preferences are recorded.
5. Add two Routers:
   a. From the LinkProof toolbar, click Add and from the drop-down menu, select a Router.
   b. Double-click the Router icon that appears on the map. The Router window appears.
   c. From the Router window, set the following parameters according to the explanations provided:

      Parameter      Description
      Router Name:   Router 1
      IP Address:    100.1.1.20

   d. Add another router by setting the following parameters according to the explanations provided:

      Parameter      Description
      Router Name:   Router 2
      IP Address:    200.1.1.20

   e. Click Ok. Your preferences are recorded.
6. Add three farms to LinkProof:
   a. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
   b. From the LinkProof Traffic Redirection window, click the Farms tab. The Farms pane appears.
   c. From the Farms pane, click Add. The Edit LinkProof Farms window appears.
   d. From the Edit LinkProof Farms window, for Farm Type select Firewall and define the farm name, for example: Internal Firewall.
   e. Add the farm servers. From the Farm Servers pane, click Add. The LinkProof Farm Firewall Server window appears. Select servers as specified in step g.
   f. From the LinkProof Farm Firewall Server window, click the Traffic Settings tab and set parameters as required.
   g. Repeat this procedure for all farms. For each farm define servers and load balancing parameters as follows:

      Farm Name:            Internal Firewall   External Firewall   Routers
      Server Name:          Firewall1           Firewall1           Router1
      Server Address:       20.1.1.1            30.1.1.1
      Server Name:          Firewall2           Firewall2           Router2
      Server Address:       20.1.1.2            30.1.1.2            200.1.1.20
      Dispatch Method:      any                 any                 any
      Persistency:          any                 any                 any
      Packet Translation:   Disable             Disable             NAT

7. Configure Dynamic NAT for the two routers:
   a. From the LinkProof Traffic Redirection window, click NAT. The NAT pane appears.
   b. From the NAT pane, check the SmartNAT checkbox to enable NAT functionality.
   c. In the NAT field, select Dynamic NAT to add NAT addresses for outbound traffic by adding the following NAT entries (one per router):

      Parameter             Entry 1      Entry 2
      From Local Address:   30.1.1.0     30.1.1.0
      To Local Address:     30.1.1.255   30.1.1.255
      Router IP:            100.1.1.20   200.1.1.20
      Dynamic NAT IP:       100.1.1.22   200.1.1.22

   d. After each entry, click Add to save your settings.
Flow Management

This section describes the flow management process for LinkProof: the flow concept, flow policies and some LinkProof configuration examples. It includes the following topics:
• Flow Concept, page 146
• Flow Policies, page 147
• Typical Flow Configurations, page 148

Flow Concept

The Flow Management capability allows LinkProof to sequentially load balance several server farms, each providing a different service. Basic firewall load balancing (without differentiation between types of traffic) can be implemented without configuring Flows on the LinkProof, but any other configuration requires Flow Management.

The traffic flow designed for a packet involves the following process:
• A packet arrives from the client, is examined by LinkProof, load balanced within a farm, returned from the selected server to LinkProof, examined again and load balanced within a different farm, and so on.
• LinkProof distinguishes between clients and servers even when the servers are using spoofing, by looking at the source MAC address.

Multiple flows can be defined on a device, for different types of traffic. To identify the traffic for each flow, the Radware classification engine is used. Policies are defined to classify traffic and attach it to a specific flow. Any number of policies can be defined for each flow.

To configure Flow Management:
1. Configure all the farms necessary according to the type of service each has to provide.
2. From the LinkProof Traffic Redirection window, select the Flow tab. The Flow pane appears.
3. From the Flow pane, click Add Flow. The LinkProof Traffic Flow window appears.
4. From the LinkProof Traffic Flow window, configure Flow Policies as described in Flow Policies, page 147.

Default Flow

The LinkProof device automatically creates a default flow that is used for traffic that does not match any flow policy. The default flow does not include any farm.
When traffic that must be forwarded according to the default flow is detected, the device looks in the routing table for the default gateway. If the default gateway is a farm server, the default farm of this server is selected as the farm used by the default flow, and traffic is then forwarded to one of the servers in this farm according to the farm's load balancing settings. If the default gateway is not a farm server, traffic is simply forwarded to this default gateway, without any load balancing.

Flow Policies

A flow policy defines the criteria used to select a specific flow for a specific type of traffic. When a new session arrives at the LinkProof, the device scans through the flow policies list looking for a match. Once a match is found, the packet is redirected according to the flow attached to this policy. The device scans the policies according to their index, in ascending order, so it is important that policies that look for more specific traffic have a lower index (for example, a policy that looks for HTTP traffic from the local network must have a lower index than a policy that looks for any traffic from the local network).

The flow policies include the following elements: the traffic classification criteria and the selection of the farm for this type of traffic. The classification criteria available are:
• Source and/or Destination IP Addresses: an IP address or a Network class (IP subnets, IP ranges, or a list of discrete IPs can be defined as a Network class; see Bandwidth Management, page 335).
• Application: using the Service elements it is possible to define a required application according to application port and/or additional data (see the Bandwidth Management chapter).
  Note: Although the Service classes that can be configured on the device allow for the definition of Layer 7 criteria (for Bandwidth Management purposes), when they are used for traffic classification for flow management purposes, any criterion that is not found in the first packet of the session is ignored during the classification process.
• Traffic Direction: different flows can be applied to different traffic directions. The matched traffic depends not only on the value of the Traffic Direction parameter (One Way or Two Way), but also on whether the policy is searching for Layer 3 or Layer 4 sessions:
  Layer 3 Policy, One Way: requests from the policy source to the destination, and the related replies from the destination.
  Layer 3 Policy, Two Way: all traffic between the policy source and destination.
  Layer 4 Policy, One Way: requests only, from the policy source IP and port to the destination IP and port.
  Layer 4 Policy, Two Way: requests from the policy source IP and port to the destination IP and port, and the related replies from the destination.
  Notes:
  • For a Layer 3 policy, traffic from the policy source addresses passes the flow farms from left to right, while traffic from the policy destination address passes the flow from right to left. However, if the Layer 3 policy sets both source and destination addresses to "any", all request traffic passes the flow from left to right (reply traffic passes in the opposite direction).
  • For Layer 4 policies, request traffic passes the flow from left to right and reply traffic passes the flow from right to left.
• VLAN Tag: classifies traffic according to VLAN identifier tags.
• Inbound Physical Port: classifies only traffic received on certain interfaces of the device.

For more details on the classification criteria see Bandwidth Management Classification Criteria, page 337.

To configure a Flow Policy:
1. Via the Bandwidth Management module, define all the traffic classes you require for the policy: source and/or destination networks, inbound physical port group, VLAN Tag group and Services, see Bandwidth Management, page 335.
2. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
3. From the LinkProof Traffic Redirection window, click the Flows tab. The Flows pane appears.
4. From the Flows pane, click Flow Policies. The Edit Policy window appears.
5. From the Edit Policy window, set the classification criteria and select the flow to be used for the traffic that matches these criteria.
6. Click Ok to save the settings and return to the Flows pane.

Typical Flow Configurations

The following section provides configuration examples for typical LinkProof configurations using Flow Management:
• Flow LinkProof Example Configuration, page 148

Flow LinkProof Example Configuration

It is often required to use different WAN links for different applications and/or destinations. In the following example there are 2 routers. Router 1 is connected to a private network and can only connect to other corporate sites (Intranet). Router 2 is connected to the public network and can be used as a backup for the private link (with VPN) and also for access to the Internet. HTTP traffic on the Intranet must use the private link as long as it is available and only use the VPN link for backup. The other applications running on the Intranet can use both links (load balanced).

Figure 13 - Flow LinkProof Example Application (diagram: Router 1 with NAT for 10.1.1.30 via Router 1, Router 2 with NAT for 10.1.1.30 via Router 2, LinkProof interfaces 100.1.1.10 and 200.1.1.10, local network 10.1.1.x with internal server 10.1.1.30)

To configure Router Load Balancing per Application:
1. During initial installation, configure the IP address for the device, for example 10.1.1.10 on Interface 1.
2. Define additional IP interfaces:
   a. From the main window, double-click the LinkProof icon. The LinkProof Connect to Device window appears.
   b. From the LinkProof Connect to Device window, type the device's IP address: 10.1.1.10 and click Ok.
   c. Double-click the LinkProof icon again. The LinkProof Setup window appears.
   d. From the LinkProof Setup window, click Add. The Edit Interface window appears.
   e. From the Edit Interface window, set the following parameters according to the explanations provided (one entry per interface):

      Parameter       Description
      IF Num:         F-2
      IP Address:     100.1.1.10
      Network Mask:   255.255.255.0

      IF Num:         F-2
      IP Address:     200.1.1.10
      Network Mask:   255.255.255.0

   f. Click Ok. The LinkProof Setup window remains open.
3. Define at least one of the routers as the default gateway to the Internet; it is recommended to define all the routers in the Routing Table:
   a. From the LinkProof Setup window, select Networking > Routing Table. The Routing Table window appears.
   b. From the Routing Table, click Add. The Edit Route window appears.
   c. From the Edit Route window, set the following parameters according to the explanations provided (one route per router):

      Parameter                 Description
      Destination IP Address:   0.0.0.0
      Network Mask:             0.0.0.0
      Next Hop:                 100.1.1.20
      IF Number:                F-2

      Destination IP Address:   0.0.0.0
      Network Mask:             0.0.0.0
      Next Hop:                 200.1.1.20
      IF Number:                F-2

   d. Click Ok to apply the parameters.
4. Add two Routers:
   a. From the LinkProof toolbar, click Add and from the drop-down menu, click Router.
   b. Double-click the Router icon that appears on the map. The Router window appears.
   c. From the Router window, set the following parameters according to the explanations provided:

      Parameter     Description
      FW Name:      Router 1
      IP Address:   100.1.1.20

   d. Add another router by setting the following parameters according to the explanations provided:

      Parameter     Description
      FW Name:      Router 2
      IP Address:   200.1.1.20

   e. Click Ok. Your preferences are recorded.
5. Add 3 farms to LinkProof:
   FM1: Farm1, to load balance HTTP traffic to other corporate sites.
   FM2: Farm2, to load balance non-HTTP traffic to other corporate sites.
   FM3: Farm3, to load balance traffic to the Internet.
   a. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
   b. From the LinkProof Traffic Redirection window, click the Farms tab. The Farms pane appears.
   c. From the Farms pane, click Add. The Edit LinkProof Farms window appears.
   d. From the Edit LinkProof Farms window, select Farm Type Firewall and define the farm name.
   e. Add the farm servers. From the Farm Servers pane, click Add. The LinkProof Farm Firewall Server window appears. Select servers as specified in step g.
   f. From the LinkProof Farm Firewall Server window, click the Traffic Settings tab and set parameters as required.
   g. Repeat this procedure for all farms. For each farm define servers and load balancing parameters as follows:

      Farm Name:            Farm1        Farm2        Farm3
      Server Name:          Router1      Router1      Router1
      Server Address:       100.1.1.20   100.1.1.20   100.1.1.20
      Operation Mode:       Regular      Regular      Regular
      Server Name:          Router2      Router2
      Server Address:       200.1.1.20   200.1.1.20
      Operation Mode:       Backup       Regular
      Dispatch Method:      any          any          any
      Persistency:          any          any          any
      Packet Translation:   NAT          NAT          NAT

   h. Click Ok. Your preferences are recorded.
6. Configure connectivity checks for the load balanced routers.
7. Define the required flows:
   a. From the Traffic Redirection window, click Flows. The Flows pane appears.
   b. From the Flows pane, click Add. The LinkProof Traffic Flows window appears.
   c. From the LinkProof Traffic Flows window, add 3 flows as follows:

      Flow Name   1st Farm
      Intranet1   Farm1
      Intranet2   Farm2
      Intranet3   Farm3

   d. From the Flows pane, highlight the flow you created and click Policies. The Flow Policies window appears.
      Note: You may be prompted to enable BWM and to reboot the LinkProof; if so, click Ok and follow the on-screen instructions.
   e. From the Flow Policies window, click the Modify tab and click Add. The Edit Policy window appears.
   f. From the Edit Policy window, click New Network. The Edit Network Table dialog box appears.
   g. From the Edit Network Table dialog box, set the following parameters according to the explanations provided:

      Parameter       Description
      Network Name:   Local Network
      Network Mode:   IP Mask
      IP Address:     10.1.1.0
      IP Mask:        255.255.255.0

   h. Click Ok. Your preferences are recorded.
   i. From the Edit Network Table dialog box, click New Network again and set the following parameters according to the explanations provided:

      Parameter       Description
      Network Name:   Internal Server
      Network Mode:   IP Range
      From Address:   10.1.1.30
      To Address:     10.1.1.30

   j. Click Ok. Your preferences are recorded.
   k. Click New Network again and set the following parameters according to the explanations provided:

      Parameter       Description
      Network Name:   Corporate Network
      Network Mode:   IP Mask
      IP Address:     20.1.1.0
      IP Mask:        255.255.255.0

   l. Click Ok. Your preferences are recorded. Repeat by setting the following parameters according to the explanations provided:

      Parameter       Description
      Network Name:   Corporate Network
      Network Mode:   IP Mask
      IP Address:     30.1.1.10
      IP Mask:        255.255.255.0

      Network Name:   Corporate Network
      Network Mode:   IP Mask
      IP Address:     40.1.1.0
      IP Mask:        255.255.255.0

   m. From the Edit Policy window, set the following parameters for the policies required for the three flows:

      Policy Name:    HTTPOut             HTTPIn              all-Intranet    all-Internet
      Policy Index:   1                   2                   3               4
      Service Type:   Regular             Regular             None            None
      Service Name:   HTTP                HTTP                None            None
      Source:         Local Network       Corporate Network   Local Network   Local Network
      Destination:    Corporate Network   Internal Server     any             any
      Direction:      Two way             Two way             Two way         One way
      Flow:           Intranet1           Intranet1           Internet2       Internet

   n. Click Ok and then Update Active Policies. Your preferences are recorded.
8. Configure NAT (Dynamic & Static) for the two routers:
   a. From the LinkProof Traffic Redirection window, click NAT. The NAT pane appears.
   b. In the NAT field, select Dynamic NAT to add NAT addresses for outbound traffic by adding the following NAT entries (one per router):

      Parameter             Entry 1      Entry 2
      From Local Address:   10.1.1.0     10.1.1.0
      To Local Address:     10.1.1.255   10.1.1.255
      Router IP:            100.1.1.20   200.1.1.20
      Dynamic NAT IP:       100.1.1.22   200.1.1.22

   c. After each entry, click Add to save your settings.
   d. From the NAT field, select Static NAT to add NAT addresses for inbound traffic by adding the following NAT entries (one per router):

      Parameter             Entry 1      Entry 2
      From Local Address:   10.1.1.30    10.1.1.30
      To Local Address:     10.1.1.30    10.1.1.30
      Router IP:            100.1.1.20   200.1.1.20
      From Static NAT:      100.1.1.21   200.1.1.21
      To Static NAT:        100.1.1.21   200.1.1.21

   e. After each entry, click Add to save your settings.
9. Map the URL of the internal server to the server's local IP:
   a. From the LinkProof Traffic Redirection window, click DNS. The DNS pane appears.
   b. From the DNS pane, click Name to Local IP. The Name to Local IP window appears.
   c. From the Name to Local IP window, enter www.site.com as the Host URL parameter and 10.1.1.30 for the local IP parameter.
   d. Click Add to save the entry. Click Ok. Your preferences are recorded.

VPN Load Balancing

When supporting advanced LinkProof and Firewall configurations there are special considerations with regard to the way the traffic flows. VPN Load Balancing, page 155 illustrates a network topology called a Firewall "Sandwich". This topology reflects the inbound and outbound traffic flow as it is routed by the LinkProof devices through the Firewalls.

This section includes the following topics:
• Multicast Dispatch, page 156
• Clear Client Table, page 157
• Client Table Overwrite, page 158

Figure 14 - VPN Load Balancing

VPN Load Balancing, page 155 illustrates 2 possible VPN Load Balancing scenarios:

The network session starts from the H.Q to the branch.
• In this case traffic returning from the branch uses the same path. If a new traffic session originates from the branch to the H.Q, the same VPN server tunnel must be used as the one used previously by the traffic coming from the H.Q to the branch. The traffic flow is as follows:
  Router - LAN A -> 2nd LinkProof -> VPN Gateway 1 -> 1st LinkProof -> VPN Gateway 3 -> Branch LAN

The network session starts from the branch to the H.Q.
• In this case traffic returning from the H.Q uses the same path. If a new traffic session originates from the H.Q to the branch, it should use the same VPN server tunnel as the one used before by the traffic coming from the branch to the H.Q. The traffic flow is as follows:
  Branch LAN -> VPN Gateway 3 -> 1st LinkProof -> VPN Gateway 1 -> 2nd LinkProof -> Router - LAN A

VPN Alternative Traffic Paths, page 156 illustrates 2 alternative VPN traffic flow paths.

Figure 15 - VPN Alternative Traffic Paths

LinkProof is unable to determine which VPN Gateway the tunnel uses (the tunnel is maintained via one VPN Gateway only). Therefore, if traffic is routed back via the wrong path, the connection is dropped by the other VPN Gateway. To prevent this, a dispatch method called Multicast is available when configuring a Firewall Farm.

Multicast Dispatch

When the network session starts from the H.Q to the branch, as illustrated in VPN Alternative Traffic Paths, page 156, a VPN session is opened along the red path. When the Multicast Dispatch method is used, after the return packet reaches the lower LinkProof device, the return packet is multicast to both VPN Gateways. The gateway that responds first is the one with an already established VPN session (red path). LinkProof forwards the traffic to that VPN Gateway and the session is not interrupted.

To configure Multicast Dispatch using WBM
When creating a new Firewall Farm:
1. Select LinkProof > Farms > FW Farm Table > Create.
2. From the Dispatch Method drop-down list, select Multicast.
3. Click Set.

To configure Multicast Dispatch using CLI
1. Type the following command:
   lp farms firewall-farms add <farm name> -dm multicast
2. Press Enter.

Clear Client Table

Client entries are removed from a farm using the Clear Client Table feature when specific VPN Load Balancing configurations are problematic. Clear Client Table Scenarios, page 157 illustrates the 2 possible scenarios for which the Clear Client Table feature is used.

Figure 16 - Clear Client Table Scenarios

Scenario 1

In the event that switch No. 3 goes down, LinkProof No. 4 handles the session. If switch No. 3 comes up again, LinkProof No. 3 responds to the traffic again and sends the traffic to both VPN gateways (VPN No. 1 and VPN No. 2), as multicast mode has been set. LinkProof No. 3 no longer has a Client Table entry. LinkProof No. 1, however, still sends traffic to VPN No. 1, and this in turn creates a persistency issue because LinkProof No. 3 and LinkProof No. 1 have different entries in their client tables.

The Solution
To solve this scenario, a new flag is added to the farm that indicates that the client entries belonging to a farm need to be deleted when a server of that farm comes up again. This assures that persistency is maintained.

Scenario 2

Another problem arises when both backup and regular servers (Firewalls) are configured. If both servers are active, traffic goes through the regular server. If the regular server is not in service, all its associated Client Table entries are deleted and traffic is sent through the backup server. Once the regular server is up again, the old sessions that are already in the Client Table are still sent through the backup server even though the regular server is up. Only new sessions are sent through the regular server.
The Solution
To solve the second scenario, an additional value was added to the field, providing an option to delete the farm's client entries when the first regular server comes up. This ensures that no session goes through the backup server while a regular server is available.

Each farm contains a field called Client Table Clear Condition, which takes one of the values listed below.

To configure the Clear Client Table using WBM
1. Select LinkProof > Farms > FW Farms Table. The FW Farm Table window appears.
2. Click Create. The Farm Table Create window appears.
3. From the Clear Client Table Condition drop-down list, select one of the following values:
   None: The default value. Client entries are not cleared when a server comes up.
   Any Server Up: When any server of the farm comes up after having been down, all client entries belonging to that farm are deleted.
   1st Regular Server Up: When a regular server comes up and it is the first regular server of that farm to come up, all Client Table entries associated with the server selection of that farm are deleted.
4. Click Set.

To configure the Clear Client Table using CLI
1. Type the following command:
   lp farms firewall-farms set <Farm Name> -tc <none (default), Any Server Up or 1st Regular Server Up>
2. Press Enter.

Note: The above parameters can also be set while creating the Firewall Server Farm.

Client Table Overwrite

This feature assists in dealing with the problems associated with Scenario 1, page 157. To solve the problem, a flag was added to the farm to indicate that client entries belonging to the farm must be deleted when a server of that farm comes up again.

Notes: Since the two LinkProof devices are not synchronized and do not detect that a server is up or down at the same moment, the following persistency issues remain until the entries are overwritten:
i. Persistency issues remain until the Client Table entry is deleted. A server entry that receives a packet from a different server (Firewall) is not overwritten.
ii. If the new server belongs to a different farm than the farm of the original server, the server selection is not overridden.
iii. If IP translation (NAT) of any sort is involved in the session, the server selection is not overridden.

To configure the Client Table Overwrite using WBM
Once a new Firewall Farm has been created:
1. Select LinkProof > Global Configuration > Client Table > Server Selection Override.
2. From the Server Selection Override drop-down list, select either Disable (default) or Enable.
3. Click Set.

To configure the Client Table Overwrite using CLI
1. Type the following command:
   lp global client-table server-selection-override set <disable (default) or enable>
2. Press Enter.

Client Table

This section explains the concept of the Client Table, which stores the client session information needed to maintain session persistency. This section includes the following topics:
• Client Table Management, page 159
• Client Table Global Parameters, page 163
• Client Table Views, page 166

Client Table Management

In order to handle the flow of traffic between clients and servers efficiently, Radware devices employ the Client Table. The Client Table stores client session information, which is necessary to maintain session persistency. When a client first approaches the device, LinkProof checks whether an entry for this client already exists in the Client Table. If the appropriate entry is found, the client is directed to the farms and servers that appear in the Client Table; in that case, there is no need to make a load balancing decision.

If an entry does not exist, traffic is classified to identify the flow that matches this traffic.
An entry is made in the Client Table indicating the sequence of farms this traffic must pass through according to the selected flow. A server is selected for each farm in the flow as the traffic reaches it, according to the load balancing considerations defined by the Dispatch Method (see Dispatch Methods, page 89), and the selection is recorded in the Client Table.

Figure 17 - HTTP Outbound Session Example Configuration (Local Network 10.1.1.x, LinkProof 10.1.1.10, Firewall 1, Firewall 2, Router 1, Router 2)

The Client Table entry in Table 13 on page 160 is an example of an HTTP outbound session for the network shown in HTTP Outbound Session Example Configuration, page 160.

Table 13: Client Table

Session:
  Source Address: 10.1.1.2
  Destination Address: 202.2.2.2
  Source Port: 1062
  Destination Port: 80
  Flow: http flow

Farm Name      Server Name   Idx   Type      Action         Port #   Ext Idx
fw_int_farm    fw1           1     Regular   Send to Farm            16
fw_ext_farm    fw1           2     Regular   Send to Farm            17
router_farm    router2       3     N         Send to Farm            18

Each entry in the client table provides the following information:
• Session parameters (source address and port, destination address and port).
• Flow that matches this session.
• Information regarding each farm in the selected flow:
  — Server selected for each farm. If this field is empty, the session has not yet reached this farm and server selection has not yet occurred.
  — IDX - the index of the farm in the flow. If the session was only routed, the index value is 0.
  — Action taken for this farm, or Port Number for IDS and SSL farms. The values for the Action field are:
    Select Server: A server was not yet selected for this farm.
    Send to Farm: A server was selected for this farm.
    Skip Farm: This farm was bypassed.
    Discard: Packets are dropped when they reach this stage.
    Passive Farm: A server farm was selected only for NAT purposes; traffic is not forwarded to this server. This can occur when Static NAT is performed for local traffic.
    Passive Select: A passive server (see above) was not yet selected.
    Select Tunnel: A virtual tunnel was selected.
    Select Tunnel PBP: A virtual tunnel was selected while Virtual Tunneling is operating in packet-per-packet mode.
  — Type - the Client Entry type, one of the following values:
    Regular: No packet translation.
    V: Virtual IP translation.
    DN: Dynamic NAT.
    SN: Static NAT.
    VPN Rglr: Session is encrypted, Flow mode = Basic.
    VPN Prvt: Session is encrypted, Flow mode = Combined Private & VPN.
    VPNVT CT: Session is encrypted, Flow mode = VT.
    RSN: Virtual Tunneling NAT using Static NAT.
    RNN: Virtual Tunneling NAT using No NAT.
  — Ext Idx - extension index. When the type is other than Regular, this index points to additional information about the session, such as the address and port used in address translation.

Note: The farms of each Client Table entry are displayed in the order in which they were configured in the flow.
Removing an Entry from the Client Table

LinkProof removes the relevant entries from the Client Table in the following cases:
• When one of the servers within a farm becomes unavailable.
• When the Aging Time of an entry expires. The Client Aging Time parameter is set per farm, see Farm Load Balancing, page 89.
• When Remove On Session End is used and the session is closed.

To configure the Client Table
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
2. From the LinkProof Setup window, click the Global tab, select Client Table Settings and click Edit Settings. The Client Table Settings window appears.
3. From the Client Table Settings window, set the parameters as required.
4. Click Set. Your preferences are recorded.

Client Table Report Enhancements

The current Client Table entries can be viewed via CLI only, using the following commands:
• lp client table (to see client table information)
• lp client table-summary (to see summary information)

The following options are available with the lp client table CLI command to filter existing client entries and display only the relevant ones:
• -ip to print only entries with the given IP address
• -fl to print only entries with the given flow name
• -fn to print only entries with the given farm name
• -sn to print only entries with the given server name
• -vl to print only entries with forwarding type bridging
• -ap to print only entries with the given application port
• -db to print only entries with delayed binding information
• -ed to print only entries with edge farm information
• -mapped to print entries including mapped information
• -ptr to print only entries with the given packet translation type (VIP, Dynamic NAT, VPN, etc.)

Client Table Tuning Guidelines

When setting the Client Table size you must also configure the Client Extension Table size.
The relationship between the two table sizes is as follows:
  Client Extension Table size = (maximum number of farms in a flow, as configured on the device) * Client Table size
For example, if LinkProof load balances routers only, so that each flow contains a single farm, the Client Extension Table size should equal the Client Table size.

To configure Client Table tuning:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
2. From the LinkProof Setup window, click Global. The Global pane appears.
3. From the Global pane, select Client Table Settings and then click Edit Settings. The Client Table Settings window appears.
4. From the Client Table Settings window, edit the parameters according to your requirements.

Client Table Global Parameters

The Client Table Global Parameters apply to the whole LinkProof device: all the farms defined on the device are affected by the Global Parameter settings.

Client Table Mode

For flexibility, LinkProof allows the Client Table to work in various modes. The following Client Table modes are available:
• Layer 3
• Half Layer 4
• Full Layer 4

For maximum flexibility, LinkProof lets you configure a different persistency mode per farm. The persistency mode defines when a new server is selected for the specific farm, while the Client Table Mode defines when an entry is made in the Client Table.

Layer 3 Mode

Layer 3 is the default Client Table Mode, in which LinkProof maintains Layer 3 persistency. In this mode, each entry is identified by the following parameters:
• Source IP address
• Destination IP address
In Layer 3 mode, all sessions between the same source and destination addresses are represented by a single Client Table entry and are forwarded to the same farm servers.

Half Layer 4

In this mode, each entry is identified by the following parameters:
• Source IP address
• Destination IP address
• Destination port
In this mode, all the sessions destined to the same address and port are represented by a single entry in the Client Table, regardless of the source port(s). For example, in a simple web page retrieval, a client may open a few TCP sessions with the server, using each session to transfer a different part of the page, such as text, GIF files and so on. All of these sessions, identified by destination port 80 and different source ports, constitute a single entry in the Client Table.

This is the minimum mode required whenever sessions to different destination ports must be tracked separately, for example:
• When different flows are configured for different applications.
• When farms of proxy servers are defined on the device (the VIP mechanism is used, see Proxy Firewalls, page 96).

Full Layer 4

In this mode, each entry is identified by the following parameters:
• Source IP address
• Destination IP address
• Source port
• Destination port
In this mode, a new entry is added to the Client Table for every session opened between the client and the server. In the page retrieval example above, each of the sessions, identified by destination port 80 and a unique source port such as 1234, 1235, 1236 and so on, constitutes a new entry in the Client Table. This mode is required when:
• NAT is enabled in any of the farms.
• Content-based load balancing is configured on the device.
• The SYN Flood protection mechanism is enabled.
Since a new entry is made in the Client Table for every new session, the Client Table holds many entries. You can increase the Client Table size to accept more entries, subject to the amount of RAM available on the LinkProof unit.

Remove Entry on Session End

The Remove Entry on Session End mode allows LinkProof to remove entries from the Client Table before the Aging Time expires. This mode is used to clear entries representing TCP sessions that were closed before the end of the Aging Time period.
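The following Python model is an added example and not Radware code: it shows how the three Client Table modes key the page retrieval sessions discussed above, and how an entry's lifetime is derived from the farms in its flow, overridden by Aging by Application, and cut short by Remove Entry on Session End (the 5 second aging after a FIN or RST, and the port 0 convention for non TCP/UDP traffic, follow the descriptions in this chapter). The packets, farm names, aging values and the in-memory table are assumptions made for the example.

```python
"""Client Table keying and aging model.

Added example, not Radware code. It models how the Client Table identifies a
session under the Layer 3, Half Layer 4 and Full Layer 4 modes, how an entry's
aging time is chosen (longest Client Aging Time among the farms in its flow,
overridden by Aging by Application), and how Remove Entry on Session End
shortens a closed TCP session's lifetime to 5 seconds. Packets, farm names and
aging values are constructed for the example.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport proto flags")

# Session identification parameters per Client Table mode.
MODE_KEYS = {
    "layer3": lambda p: (p.src, p.dst),
    "half-layer4": lambda p: (p.src, p.dst, p.dport),
    "full-layer4": lambda p: (p.src, p.dst, p.sport, p.dport),
}

SESSION_END_AGING = 5  # seconds left once a FIN or RST has been seen


class ClientTable:
    def __init__(self, mode, farm_aging, app_aging=None, remove_on_end=False):
        if app_aging and mode == "layer3":
            raise ValueError("Aging by Application needs Half Layer 4 or Full Layer 4")
        self.key_of = MODE_KEYS[mode]
        self.farm_aging = farm_aging        # {farm name in the flow: Client Aging Time}
        self.app_aging = app_aging or {}    # {destination port: seconds}; port 0 = not TCP/UDP
        self.remove_on_end = remove_on_end
        self.entries = {}                   # session key -> seconds of lifetime left

    def aging_for(self, pkt):
        port = pkt.dport if pkt.proto in ("tcp", "udp") else 0
        if port in self.app_aging:
            return self.app_aging[port]
        return max(self.farm_aging.values())

    def process(self, pkt):
        """Record the packet's session; return True if a new entry was created."""
        key = self.key_of(pkt)
        created = key not in self.entries
        if created:
            self.entries[key] = self.aging_for(pkt)
        if self.remove_on_end and pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            self.entries[key] = SESSION_END_AGING
        return created

    def tick(self, seconds):
        """Advance the clock and drop the entries whose lifetime has expired."""
        self.entries = {k: t - seconds for k, t in self.entries.items() if t > seconds}


def entries_for_page_retrieval(mode):
    """Three HTTP connections plus one DNS lookup from the same client to the same server."""
    table = ClientTable(mode, {"fw_farm": 60, "router_farm": 120})
    for sport in (1234, 1235, 1236):
        table.process(Packet("10.1.1.2", "202.2.2.2", sport, 80, "tcp", frozenset()))
    table.process(Packet("10.1.1.2", "202.2.2.2", 1237, 53, "udp", frozenset()))
    return len(table.entries)


def lifetimes_with_application_aging():
    """Half Layer 4: FTP aged at 600 s, non TCP/UDP at 10 s, HTTP by the longest farm setting."""
    table = ClientTable("half-layer4", {"fw_farm": 60, "router_farm": 120},
                        app_aging={21: 600, 0: 10}, remove_on_end=True)
    http = Packet("10.1.1.2", "202.2.2.2", 1234, 80, "tcp", frozenset())
    ftp = Packet("10.1.1.2", "202.2.2.2", 1235, 21, "tcp", frozenset())
    icmp = Packet("10.1.1.2", "202.2.2.2", 0, 0, "icmp", frozenset())
    for pkt in (http, ftp, icmp):
        table.process(pkt)
    initial = tuple(table.entries[table.key_of(p)] for p in (http, ftp, icmp))
    table.process(http._replace(flags=frozenset({"FIN"})))   # client closes the HTTP session
    table.tick(SESSION_END_AGING)
    return initial, table.key_of(http) in table.entries, table.key_of(ftp) in table.entries


if __name__ == "__main__":
    for mode in MODE_KEYS:
        print(f"{mode:12s} entries for one page retrieval: {entries_for_page_retrieval(mode)}")
    print("lifetimes (http, ftp, icmp), http kept, ftp kept:", lifetimes_with_application_aging())
```

The page retrieval collapses to one entry in Layer 3 mode, two in Half Layer 4 mode (ports 80 and 53) and four in Full Layer 4 mode, which is why Full Layer 4 needs the larger table sizes discussed under Client Table Tuning Guidelines.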
Note: As the Client Aging Time is configured per farm, to determine the aging time of a Client Table entry LinkProof looks at the Aging Times of all the farms in the entry's flow and selects the longest period.

Tip: Removing entries from the Client Table as soon as the TCP session is closed frees memory for the active sessions and therefore improves memory utilization.

When Remove Entry on Session End is enabled, LinkProof behaves as follows:
• When LinkProof detects a RST or FIN packet between the source and the destination, it marks the entry for deletion from the Client Table, as the RST/FIN packets indicate that the session is closed.
• The entry is aged in 5 seconds and subsequently removed.

Aging by Application

You can assign different client lifetimes to different applications. Since applications are identified by the ports they use, you assign application aging times by configuring aging times for specific ports. For example, you can assign FTP a longer aging time and HTTP a shorter one. You can configure application aging times for applications over TCP and UDP. For traffic that is neither TCP nor UDP (for example ICMP), use port 0. Any application for which you do not assign an aging time ages according to the farm configuration.

Note: Aging by Application is available only if the Client Table mode is Half Layer 4 or Full Layer 4.

To configure Aging by Application:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
2. From the LinkProof Setup window, click the Global tab, select the Client Table Settings option and click Edit Settings. The Client Table Settings window appears.
3. From the Client Table Settings window, select Aging by Port. The Application Aging Table appears.
4.
From the Application Aging Table, set the following parameters:
   Application Port: From the drop-down menu, select the Application Port for which to set the application aging time.
   Aging Time: Set the application aging time. Default value: 60 seconds.
5. Click Add. Your preferences appear in the Application Aging Table.
6. Click Ok. Your preferences are recorded.

Session Limit per Hash Entry

For maximal performance, LinkProof uses a hash algorithm to search for a Client Table entry. The hash function is applied to the session identification parameters, as determined by the Client Table mode. Multiple Client Table entries can be associated with the same hash entry, especially in the Layer 4 modes. Since an unlimited number of sessions associated with the same hash entry degrades performance, this parameter lets you limit that number and maintain ideal performance. The default value of 0 indicates no limitation.

Port Hashing

The Port Hashing parameter, when enabled, determines whether the source and destination ports are also taken into consideration. When the Hashing dispatch method is applied, LinkProof selects a server for a session using a hash function. This is a static method, in which the NHR is chosen for a session purely from the session information. The input to the hash function is the source and destination IP addresses.

Note: This parameter can be enabled only when the Client Table mode is Full Layer 4.

Delayed Bind Time-out

Delayed Bind Time-out: The period of time (in seconds) that the device waits for completion of the TCP handshake.

Client Table Views

On all Radware devices, the Client Table maintains client-to-server persistency. The Client Table is accessible using CLI and Web Based Management.
The Client Table stores information about a client's source and destination IP addresses and ports, the selected server, the server port, NAT addresses and other product-specific information.

Note: With 64 MB DRAM, LinkProof supports up to 350,000 entries in the Client Table. With 128 MB DRAM, LinkProof supports up to 1,000,000 entries in the Client Table.

To access the Client Table using WBM:
• From the LinkProof menu, select Clients > Client Table. The Clients Table Views window appears, which contains the following read-only parameters:
  Source Address: The IP address of the source.
  Client Address: The IP address of the client.
  Destination Address: The IP address of the destination.
  Source Port: Displays the source port of the client.
  Destination Port: Displays the destination port of the client.

To view the Client Table using WBM:
1. From the LinkProof menu, select Clients > View Filters. The Clients Table window appears.
2. Click Create. The View Filters Create window appears, which contains the following parameters:
   Index: Shows the Filter Index number currently selected. Values 1 - 5.
   Source IP From: The range of the clients' addresses.
   Destination IP From: The range of the addresses of the servers that provide the requested service.
   Destination Port From: Destination port number for that protocol. For example, for HTTP, the protocol would be configured as TCP and the destination port as 80. The port configuration can also allow for a range of ports to be configured.
   Next Hop Router IP: The next hop router IP address.
   Client Types: The available client types are:
   • any - Any client type.
   • regular - Any client of the type Regular.
   • dynamicNat - Any client receiving a dynamic NAT address.
   • basicNat - Any client receiving a NAT address from Basic NAT.
   • virtualIP - Any client destined for a Virtual IP on the device.
   • staticNAT - Any client receiving a NAT address from Static NAT.
   • noNat - Any client matching the configured NoNAT addresses.
   • vpn - Any client matching a VPN policy.
   • remoteNatStaticNat - Any client matching a Virtual Tunneling policy with a static NAT address policy.
   • remoteNatNoNat - Any client matching a Virtual Tunneling policy with no NAT address policy.
   Note: Client types are unique to LinkProof. The CT (client type) flag is case-sensitive and must use the exact phrases as they appear in the list above.
3. Set the parameters according to the explanations provided.
4. Click Set. Your preferences are recorded.

Chapter 5 - Advanced Features

This chapter describes LinkProof's advanced capabilities and provides common configuration examples. It includes the following sections:
• Content Load Balancing, page 169
• Virtual Tunneling, page 179
• Integrated VPN Gateway, page 188
• Cost Based Load Balancing, page 194
• Data Compression, page 196

Content Load Balancing

This section explains what content load balancing is and describes the methods LinkProof uses for it. This section includes the following topics:
• Content Load Balancing Overview, page 169
• Content Load Balancing Configuration, page 171
• Content Rule Configuration Example, page 174

Content Load Balancing Overview

As a result of the reliance on networked and Web applications such as ERP, CRM and even Citrix applications, there is a need for application-aware multi-homing devices that can direct application traffic to the link best suited to its requirements (performance, security, availability). To differentiate Web-based applications, HTTP content-based decisions are required. LinkProof is application aware and, based on HTTP content, it can:
• load balance specific traffic to different routers or firewalls
• block traffic to specific URLs or traffic that includes specific content types.

To make a load balancing decision based on HTTP content (a layer 7 decision), LinkProof implements a mechanism referred to as Delayed Binding.
Delayed Binding

When Delayed Binding is used, LinkProof first completes a TCP handshake with the client in order to receive the HTTP request. LinkProof then parses the request data, usually the HTTP headers, and makes the load balancing decision according to the defined layer 7 policies. Only then does LinkProof initiate a TCP handshake with the destination and forward the traffic to the selected farm server.

LinkProof allows you to define the following parameters for HTTP request parsing:
• Search Depth in Bytes: How deep in the HTTP request or reply to search for the required criteria (this can require waiting for a number of packets). Default: 4096 bytes.
• Max Number of Request Fragments: The maximum number of request fragments that the device gathers while looking for the required criteria. Default: 10.
• Max Number of Reply Fragments: The maximum number of reply fragments that the device gathers while looking for the required criteria. Default: 10.
• SYN Protection Accumulate Request: Allows you to enable or disable this feature.

The Search Depth and fragment limits bound how much of a request LinkProof buffers before it decides, and the Delayed Bind Time-out (see Client Table Global Parameters) bounds how long it waits for the client's handshake to complete.

To change the Delayed Binding global settings:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
2. From the LinkProof Setup window, click the General tab. The General pane appears.
3. From the General pane, select the Advanced Settings option and click Edit Settings. The LinkProof Advanced Settings window appears.
4. From the LinkProof Advanced Settings window, set the parameters according to your requirements.
5. Click Ok. Your preferences are recorded.

Alias Ports

LinkProof devices are often installed on networks that contain proxies. The function of the proxy is to inspect the traffic before sending it out to the Internet. These proxies tend to use TCP ports that do not correspond to the well-known TCP ports usually used by a given protocol (for example, HTTP traffic may appear with port 8080 as the destination port).
LinkProof incorporates Alias Ports, which allow you to link any destination TCP port to one of these protocols.

To create a new Alias Port:
1. From the LinkProof main window, select Global > Advanced Settings. The LinkProof Advanced Settings window appears.
2. From the LinkProof Advanced Settings window, click Alias Ports. The Alias Ports window appears.
3. From the Alias Ports window, set the following parameters:
   Port Number: The value of the destination TCP port. Enter a value that corresponds to a specific protocol.
   Well Known Port Number: Select the relevant well-known port number. This field lists all the values for which special handling is provided, including:
   • HTTP - For Web traffic, usually found on port 80.
   • POP3 - For mail traffic, usually found on port 110.
   • TCP - Default.
4. Click Update. The new alias port entry appears in the Alias Ports list.

To update a previously created Alias Port:
1. From the LinkProof main window, select Global > Advanced Settings. The LinkProof Advanced Settings window appears.
2. From the LinkProof Advanced Settings window, click Alias Ports. The Alias Ports window appears.
3. From the Alias Ports window, double-click the relevant entry in the Ports list. The Update Alias Ports window appears.
4. From the Update Alias Ports window, edit the parameters according to the explanations provided in the previous procedure.
5. Click Ok. Your preferences are recorded.

Note: Traffic of any type other than HTTP and POP3 should not use aliases.

Content Load Balancing Configuration

Content load balancing is integrated into flows through an entity called a Content Rule. A Content Rule allows LinkProof to load balance between different farms of the same type, or between different servers in a farm, based on HTTP content. The Content Rule allows you to configure traffic load balancing using layer 7 policies.
When the first packet of a session matches a flow that contains a Content Rule, Delayed Binding is used. When LinkProof has received enough information from the HTTP header, a farm and then a server are selected according to the layer 7 policy attached to the Content Rule.

Configuring Content Load Balancing includes the following steps:
• Defining Layer 7 Policies, page 171
• Defining Content Rules, page 173
• Defining Flows with Content Rules, page 174

Note: Content Rules are activated only for HTTP traffic over the standard port 80.

Defining Layer 7 Policies

A single Layer 7 Policy can include several entries, all using the same HTTP criteria, such as URL, HTTP Header and so on. For example, a Layer 7 Policy can always send HTTP traffic for a certain URL via a specific router. To select a farm according to a Layer 7 Policy, LinkProof matches the request against the entries within the policy in the defined order and uses the first matching entry.

Note: The more specific entry must appear first; otherwise the less specific entry is always matched and used. For example, when a request for the URL www.a.com/a arrives at a LinkProof whose Layer 7 policy has the following entries:
• First entry with classification criteria www.a.com/ab
• Second entry with classification criteria www.a.com/a
the second entry is matched and used. Had the entries been in the opposite order, a request for www.a.com/ab would also have matched www.a.com/a first and never reached the more specific entry.

The criteria according to which LinkProof classifies traffic are called Methods. The following Method Types are available:
• URL: Looks for a specified hostname and/or path in the HTTP request.
• File Type: Looks for a specified file type in the HTTP request.
• Header Field: Looks for a specified header field in the HTTP request.
• Cookie: Looks for a specified cookie in the HTTP request.
• Regular Expression: Looks for a regular expression anywhere in the HTTP header of the request.
LinkProof supports POSIX 1003.2 regular expressions; the string can be up to 80 characters.

Note: All content settings of the Methods are case insensitive.

To define a new Layer 7 Policy:
1. From the main window, click Traffic Redirection. The Traffic Redirection window appears.
2. From the Traffic Redirection window, click the Content Rules tab. The Content Rules pane appears.
3. From the Content Rules pane, click L7 Policies. The Layer 7 Policies window appears.
4. From the Layer 7 Policies window, click Add Policy. The Policy pane appears on the right; set the following parameters:
   Policy Name: The name of the policy that you define.
   Policy Index: The order by which policy entries are matched. The index cannot be updated once defined. It may be convenient to use non-consecutive index values (for example, set the first entry with index 10 and the second with index 20) to ease future changes.
   Farm Type: The type of farms (Router or Firewall) to which this policy applies.
   Method: The method used for this policy.
   Method Arguments: The actual content that the request must match. Table 14 on page 173 describes the parameters of the available Method Types.
   Action: The action that LinkProof must take if the traffic matches this policy. The options are: select one of the farms configured on the device (of the type defined above), or discard the packet.
   Server: If the Action is to load balance the traffic to a farm, this parameter defines whether to always select a specific server in this farm, or to load balance between the servers in the farm according to the farm's Dispatch Method.
5. Click Ok. Your preferences are recorded.

Table 14: Layer 7 Method Types
(Method Type: Method Specific Parameter - Description. Example)
URL: Host Name (mandatory) - the host name part of the URL in the HTTP header. Example:
Host Name = www.a.com
URL: Path - the path part of the URI in the HTTP header. Example: Path = cgi-bin
File Type: File Type - the type of file in the URI. Example: Type = html
Header Field: Header Field (mandatory) - a specific header field in the HTTP request. Example: Header Field = Accept-Language
Header Field: Token - a value inside the specified header field. Example: Token = en-us
Cookie: Cookie Key (mandatory) - a specific cookie key in the HTTP request. Example: Cookie Key = server
Cookie: Cookie Value - the value of the cookie key. Example: Cookie Value = red
Regular Expression: Regular Expression - string pattern matching. Example: Regular Expression = .ABC

Defining Content Rules

Once Layer 7 policies have been defined, you can associate them with a Content Rule.

To set up a Content Rule:
1. From the main window, click Traffic Redirection. The Traffic Redirection window appears.
2. From the Traffic Redirection window, click the Content Rules tab. The Content Rules pane appears.
3. From the Content Rules pane, click Add. The Edit LinkProof Content Rule window appears.
4. From the Edit LinkProof Content Rule window, set the following parameters:
   SuperFarm Name: The name of the Content Rule that you define.
   Farm Type: The type of farms (Router or Firewall) that this Content Rule includes.
   L7 Rule: Select the Layer 7 policy that should be matched.
   Default Action: The action that LinkProof must take if the request does not match the policy. The options are:
   • Select one of the farms configured on the device (of the type defined above).
   • Discard the packet.
   • Bypass all farms of the type defined in this policy.
5. Click Ok. Your preferences are recorded.

Note: The Layer 7 policies selected in a Content Rule must be policies defined for the same type of farms as the Content Rule.

Defining Flows with Content Rules

Once Content Rules are defined, they can be used in the Flow configuration like any other farm, see Flow Concept, page 146.
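The following Python model is an added example and not Radware code; it ties together the Delayed Binding section and the Layer 7 policy and Content Rule definitions above. It buffers an HTTP request the way Delayed Binding does, bounded by the documented defaults for Search Depth (4096 bytes) and Max Number of Request Fragments (10), parses the header, evaluates a policy's entries in index order with the Method Types of Table 14 (all matching case insensitive, as the guide states), and falls back to the Content Rule's default action. The request fragments, policy entries, farm names and the internal representation of a policy entry are assumptions made for the example; the guide does not say what LinkProof does when the limits are exhausted before the header is complete, so that case is reported as "no decision" rather than mapped to a documented action.

```python
"""Delayed Binding and Layer 7 policy matching model.

Added example, not Radware code. It buffers the HTTP request the way Delayed
Binding does (bounded by Search Depth and Max Number of Request Fragments,
both set to their documented defaults), parses the header, and applies a
Layer 7 policy's entries in index order using the Method Types of Table 14,
falling back to the Content Rule's default action. The request fragments,
policy entries and farm names are constructed for the example.
"""
import re

SEARCH_DEPTH = 4096          # bytes of request searched for the criteria
MAX_REQUEST_FRAGMENTS = 10   # request fragments gathered before giving up


def accumulate_request(fragments, depth=SEARCH_DEPTH, max_fragments=MAX_REQUEST_FRAGMENTS):
    """Gather TCP segments until the HTTP header is complete; None if a limit is hit first."""
    buf = b""
    for count, fragment in enumerate(fragments, start=1):
        if count > max_fragments:
            return None
        buf += fragment
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return buf[: end + 4]
        if len(buf) >= depth:
            return None
    return None


def parse_request(header):
    """Request line, header fields and cookies; matching is case insensitive throughout."""
    lines = header.decode("latin-1").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    fields = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip().lower()] = value.strip()
    cookies = {}
    for part in fields.get("cookie", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            cookies[key.strip().lower()] = value.strip().lower()
    return {"host": fields.get("host", "").lower(), "path": target.split("?", 1)[0].lower(),
            "fields": fields, "cookies": cookies, "raw": header.decode("latin-1")}


def entry_matches(entry, req):
    """One policy entry (method + arguments) against a parsed request."""
    method, args = entry["method"], entry["args"]
    if method == "url":
        if req["host"] != args["host"].lower():
            return False
        return "path" not in args or req["path"].lstrip("/").startswith(args["path"].lower().lstrip("/"))
    if method == "file-type":
        name = req["path"].rsplit("/", 1)[-1]
        return "." in name and name.rsplit(".", 1)[-1] == args["type"].lower()
    if method == "header-field":
        value = req["fields"].get(args["field"].lower())
        return value is not None and ("token" not in args or args["token"].lower() in value.lower())
    if method == "cookie":
        value = req["cookies"].get(args["key"].lower())
        return value is not None and ("value" not in args or value == args["value"].lower())
    if method == "regex":
        return re.search(args["pattern"], req["raw"], re.IGNORECASE) is not None
    raise ValueError(f"unknown method {method}")


def select_farm(policy, default_action, fragments):
    """First matching entry in index order wins; the Content Rule default applies if none matches.
    Returns None when the header never completed within the limits (the guide does not say what
    LinkProof does in that case)."""
    header = accumulate_request(fragments)
    if header is None:
        return None
    req = parse_request(header)
    for entry in sorted(policy, key=lambda e: e["index"]):
        if entry_matches(entry, req):
            return entry["action"]
    return default_action


# Constructed request for www.a.com/ab, arriving in two TCP segments.
REQUEST = [b"GET /ab/index.html HTTP/1.1\r\nHost: www.a.com\r\n",
           b"Accept-Language: en-us\r\nCookie: server=red\r\n\r\n"]

# The same two URL entries, once with the more specific path first and once with it last.
SPECIFIC_FIRST = [
    {"index": 10, "method": "url", "args": {"host": "www.a.com", "path": "ab"}, "action": "router2_farm"},
    {"index": 20, "method": "url", "args": {"host": "www.a.com", "path": "a"}, "action": "router1_farm"},
]
GENERAL_FIRST = [dict(SPECIFIC_FIRST[1], index=10), dict(SPECIFIC_FIRST[0], index=20)]
HEADER_POLICY = [{"index": 1, "method": "header-field",
                  "args": {"field": "Accept-Language", "token": "en-us"}, "action": "lang_farm"}]
REGEX_POLICY = [{"index": 1, "method": "regex", "args": {"pattern": ".ABC"}, "action": "abc_farm"}]

if __name__ == "__main__":
    print("specific first:", select_farm(SPECIFIC_FIRST, "default_farm", REQUEST))
    print("general first: ", select_farm(GENERAL_FIRST, "default_farm", REQUEST))
    print("header token:  ", select_farm(HEADER_POLICY, "default_farm", REQUEST))
    print("regex no match:", select_farm(REGEX_POLICY, "default_farm", REQUEST))
    print("too fragmented:", select_farm(SPECIFIC_FIRST, "default_farm", [b"G"] * 11))
```

The two URL policies make the ordering note concrete: with the www.a.com/ab entry at index 10 the request reaches router2_farm, and with the entries reversed the broader www.a.com/a entry at index 10 captures it first. The last run shows why the fragment and depth limits matter: a client that trickles the request in single-byte segments never yields a header within the limits, so no Layer 7 decision can be made.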
Content Rule Configuration Example

It is often required to use different WAN links for different applications provided over HTTP.

In the example shown in Content Rule Configuration Example, page 175, there are two routers. Router 1 must always be used for the CRM application provided over HTTP and for access to the corporate intranet. For the rest of the traffic, Router 2 should be used, and Router 1 should only be used as backup in case Router 2 fails.

Figure 18 - Content Rule Configuration Example (Local Network 10.1.1.x on LinkProof Interface 1, 10.1.1.10; Router 1 via 100.1.1.10 and Router 2 via 200.1.1.10 on Interface 2)

To configure the Content Rule example:
1. During initial installation, configure an IP address for the device, for example 10.1.1.10 on Interface 1.
2. Define additional IP interfaces:
   a. From the main window, double-click the LinkProof icon. The LinkProof Connect to Device window appears.
   b. From the LinkProof Connect to Device window, type the device's IP address, 10.1.1.10, and click Ok.
   c. Double-click the LinkProof icon again. The LinkProof Setup window appears.
   d. From the LinkProof Setup window, click Add. The Edit Interface window appears.
   e. From the Edit Interface window, set the following parameters:
      IF Num: F-2
      IP Address: 100.1.1.10
      Network Mask: 255.255.255.0

      IF Num: F-2
      IP Address: 200.1.1.10
      Network Mask: 255.255.255.0
   f. Click Ok. The LinkProof Setup window remains open.
3. Define at least one of the routers as a default gateway to the Internet; it is recommended to define all the routers in the Routing Table.
   a. From the LinkProof Setup window, select Networking > Routing Table. The Routing Table window appears.
   b. From the Routing Table window, click Add. The Edit Route window appears.
   c.
From the Edit Route window, set the following parameters according to the explanations provided:
      Destination IP Address: 0.0.0.0
      Network Mask: 0.0.0.0
      Next Hop: 100.1.1.20
      IF Number: F-2

      Destination IP Address: 0.0.0.0
      Network Mask: 0.0.0.0
      Next Hop:
      IF Number: F-2
   d. Click Ok to apply the parameters.
4. Add two Routers:
   a. From the LinkProof toolbar, click Add and from the drop-down menu select a router.
   b. Double-click the Router icon that appears on the map. The Router window appears.
   c. From the Router window, set the following parameters according to the explanations provided:
      FW Name: Router1
      IP Address: 100.1.1.20
   d. Add another router. Set the following parameters according to the explanations provided:
      FW Name: Router2
      IP Address: 200.1.1.20
   e. Click Ok. Your preferences are recorded.
5. Add a farm to the LinkProof:
   a. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
   b. From the LinkProof Traffic Redirection window, click the Farms tab. The Farms pane appears.
   c. From the Farms pane, click Add. The Edit LinkProof Farms window appears.
   d. From the Edit LinkProof Farms window, select Farm Type Router and define the farm name, for example: Routers_Farm.
   e. From the Edit LinkProof Farms window, click Traffic Settings and set the following parameters according to the explanations provided:
      Dispatch Method: as required
      Persistency Mode: as required
      Packet Translation: as required
   f. Click Ok. Your preferences are recorded.
6. Add the two farm servers:
   a. From the Farm Servers pane, click Add. The LinkProof Farm Router Server window appears.
   b. From the LinkProof Farm Router Server window, set the following parameters according to the explanations provided:
      Server Name: Router 1
      Server Address: 100.1.1.20
      Operation Mode: Backup
   c.
Repeat this procedure for the second farm server. Set the following parameters according to the explanations provided:
      Server Name: Router 2
      Server Address: 200.1.1.20
      Operation Mode: Regular
   d. Click Ok. Your preferences are recorded.
7. Enable Connectivity Checks:
   a. From the Farms pane, click the Connectivity Checks tab. The Connectivity Checks pane appears.
   b. From the Connectivity Checks pane, select the Connectivity Check Status. It is recommended to use the Health Monitoring option.
   c. If Health Monitoring Connectivity Checks was selected for the farms, configure health checks for the farm servers, see Health Monitoring, page 353.
8. Configure Content Rules:
   a. From the Traffic Redirection window, click Content Rules. The Content Rules pane appears.
   b. From the Content Rules pane, click Layer 7 Policies and then click Add. The Edit L7 Policy window appears.
   c. From the Edit L7 Policy window, enter the following URL policies under the select_url policy name:
      Policy Name: select_url; Index: 1; Farm Type: Router; Methods: URL; Arguments: www.site.crm.com; Action: Router_farm; Server: Router1
      Policy Name: select_url; Index: 2; Farm Type: Router; Methods: URL; Arguments: www.site.intranet.com; Action: Router_farm; Server: Router1
   d. From the Content Rules pane, click Add. The LinkProof Content Rule window appears.
   e. From the LinkProof Content Rule window, set the following parameters according to the explanations provided:
      Content Rule Name: url_rule
      Farm Type: Router
      L7 Rule: select_url
      Default Action: router_farm
   f. Click Ok. Your preferences are recorded.
9. Define the flows:
   a. Click the Flows tab. The Flows pane appears.
   b. From the Flows pane, click Add. The LinkProof Traffic Flows window appears.
   c. From the LinkProof Traffic Flows window, add 2 flows as follows:
      Flow Name: general_flow
      1st farm: url_rule
   d. From the Flows pane, highlight the flow you just created and click Policies. The Farm Policies window appears.
   e.
You may be prompted to enable BWM and reboot LinkProof; if so, click Ok and follow the on-screen instructions.
   f. From the Flow Policies window, click the Modify tab and then click Add. The Edit Policy window appears.
   g. From the Edit Policy window, click New Network. The Edit Network Table dialog box appears.
   h. From the Edit Network Table dialog box, set the following parameters according to the explanations provided:
      Network Name: Local Network
      Network Mode: IP Mask
      IP Address: 10.1.1.0
      IP Mask: 255.255.255.0
   i. Click Ok. Your preferences are recorded.
   j. Set the following policies for existing flows:
      Policy Name: All_traffic
      Policy Index: 1
      Service Type: None
      Service Name: None
      Source: Local Network
      Destination: any
      Direction: One way
      Flow: General_flow
   k. Click Update Active Policies.
10. Configure Dynamic NAT for the 2 routers:
   a. From the LinkProof Traffic Redirection window, click NAT. The NAT pane appears.
   b. From the NAT pane, select Dynamic NAT from the NAT field to add NAT addresses for outbound traffic, and add the following entries:
      From Local Address: 10.1.1.0; To Local Address: 10.1.1.255; Router IP: 100.1.1.20; Dynamic NAT: 100.1.1.22
      From Local Address: 10.1.1.0; To Local Address: 10.1.1.255; Router IP: 200.1.1.20; Dynamic NAT: 200.1.1.22
   c. After each entry, click Add to save your settings.

Virtual Tunneling
This section explains Virtual Tunneling and how this feature functions in the network in conjunction with LinkProof. This section includes the following topics:
• Virtual Tunneling Introduction, page 179
• Virtual Tunneling Terms, page 181
• Virtual Tunneling Configuration, page 181

Virtual Tunneling Introduction
Providing high availability and load balancing over multiple WAN links for applications such as VPN (Virtual Private Networks) or VoIP can be very difficult, if not completely impossible, with current technology. It should also be noted that Internet load balancing and high availability for IP applications are difficult to NAT.
Applications such as VoIP signaling and VPN connectivity have difficulties in multi-homed environments that are not BGP-based, for reasons such as the following:
• The applications embed source address information in the packet payload in addition to the packet header.
• The destination addresses for the applications are static and not resolved via DNS.
LinkProof addresses this issue by providing Virtual Tunneling. The LinkProof Virtual Tunneling feature utilizes existing SmartNAT technology. LinkProof uses NAT to encapsulate packets between sites by translating both source and destination addresses. By using the Virtual Tunneling feature, LinkProof creates virtual tunnels between the two application servers located in different sites, allowing them to communicate via multiple and diverse WAN links.
The Virtual Tunneling functionality is operational only between pairs of LinkProof devices. No virtual tunnels can be provided to sites not equipped with LinkProof.
The following diagram, Virtual Tunneling Scenario, page 180, illustrates the encapsulation mechanism used by the Virtual Tunneling functionality.
Figure 19 - Virtual Tunneling Scenario (London, with WAN links A.0/24 and B.0/24 and VPN gateway L.100, is connected over the Internet to San Francisco, with WAN links C.0/24 and D.0/24 and VPN gateway S.100)
In the scenario shown above in Virtual Tunneling Scenario, page 180, LinkProof can provide the following:
• High availability for traffic between the two gateways.
• Load balancing to increase the bandwidth available to the VPN traffic.

High Availability
If a client in London wants to establish a VPN connection to San Francisco, the London firewall/VPN gateway (IP address L.100) initiates a connection to the internal IP address of the San Francisco firewall/VPN gateway (S.100). LinkProof on the London side receives the packets and selects a virtual tunnel.
Since both London and San Francisco have dual Internet connections, there are 4 virtual tunnels available for the London LinkProof to choose from (A-to-C, A-to-D, B-to-C, B-to-D). If tunnel A-D was chosen, LinkProof translates the source address to its external IP (static NAT) via router A and the destination address to its external IP via router D. If link D becomes unavailable, LinkProof London chooses a new virtual tunnel, for example A-to-C, and translates the source and destination addresses accordingly. LinkProof San Francisco translates the packets back to the original addresses (L.100 - S.100). This allows the connection between the two VPN gateways to be sustained, regardless of the path that the traffic takes.
In order to achieve this functionality, the LinkProof units must be aware of the Static NAT tables, WAN link health, response time, and load at the remote site. This is achieved by using the inter-LinkProof communication protocol, TRP (Tunneling Report Protocol), to populate and "teach" each participating LinkProof the aforementioned information.

Load Balancing
LinkProof provides an option to select a virtual tunnel per new Client Table entry or Packet by Packet. The Packet by Packet option allows a tunneled connection to be load balanced over multiple WAN links.
• Per Client Table Entry: Once connectivity is established between two VPN gateways, sessions between clients and servers behind the gateways are opened and closed, but the VPN connection stays open. Since LinkProof sees communication between the same two IP addresses, the VPN gateways (L.100 and S.100 in our example), and an entry in the Client Table already exists, all packets are forwarded to the same virtual tunnel, as long as the virtual tunnel is active.
• Packet by Packet: To load balance a VPN connection between all existing virtual tunnels, LinkProof provides the option of selecting a virtual tunnel per packet instead of per new Client Table entry. Each packet is encapsulated within the chosen virtual tunnel.
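The encapsulation, failover and distribution modes described in this section can be modelled in a few dozen lines. The Python below is an added example and is not part of this guide or of Radware's implementation: the Site and VirtualTunneling classes, the letter-style addresses (A.100, C.100 and so on) and the static NAT tables are constructed for the London/San Francisco scenario above. The remote side's NAT table, which a real deployment learns through TRP, is simply passed in. The model also applies the Regular/Backup precedence that the guide describes later under View Virtual Tunneling Status (only the best available VT mode class takes part in the decision; the "remote link mode-NHR bind mode" ordering of that label is an assumption).

```python
"""Constructed model of LinkProof Virtual Tunneling (added example, not Radware code).
A virtual tunnel is one (local link, remote link) pair.  The sender rewrites the
source to the local station's static-NAT address on the chosen local link and the
destination to the remote station's static-NAT address on the chosen remote link;
the receiver reverses both translations, so the VPN gateways always see L.100 <-> S.100."""
from itertools import product

# Precedence of VT modes, written as "<remote link mode>-<local NHR bind mode>".
VT_MODE_ORDER = ("Regular-Regular", "Regular-Backup", "Backup-Regular", "Backup-Backup")

class Site:
    """One LinkProof site: per-link mode and health, and each internal station's
    static-NAT address on every link (the remote side learns this table via TRP)."""
    def __init__(self, name, links, station_nat):
        self.name = name
        self.links = {n: {"mode": m, "up": True} for n, m in links.items()}
        self.station_nat = station_nat          # internal -> {link: external}

    def nat_of(self, internal, link):
        return self.station_nat[internal][link]

    def internal_of(self, external):
        for internal, per_link in self.station_nat.items():
            if external in per_link.values():
                return internal
        raise KeyError(external)

class VirtualTunneling:
    def __init__(self, local, remote, distribution_mode="Client Table"):
        self.local, self.remote = local, remote
        self.distribution_mode = distribution_mode
        self.client_table = {}                  # (src, dst) -> tunnel
        self._rr = 0                            # round-robin cursor for Packet by Packet

    def vt_mode(self, tunnel):
        l, r = tunnel
        return f"{self.remote.links[r]['mode']}-{self.local.links[l]['mode']}"

    def active_tunnels(self):
        """Tunnels whose both links are up, restricted to the best VT mode class present."""
        up = [(l, r) for l, r in product(sorted(self.local.links), sorted(self.remote.links))
              if self.local.links[l]["up"] and self.remote.links[r]["up"]]
        for mode in VT_MODE_ORDER:
            best = [t for t in up if self.vt_mode(t) == mode]
            if best:
                return best
        return []

    def select(self, src, dst):
        active = self.active_tunnels()
        if not active:
            raise RuntimeError("no virtual tunnel in service")
        if self.distribution_mode == "Client Table":
            tunnel = self.client_table.get((src, dst))
            if tunnel not in active:            # new entry, or its tunnel went out of service
                tunnel = active[0]
                self.client_table[(src, dst)] = tunnel
            return tunnel
        tunnel = active[self._rr % len(active)] # Packet by Packet: spread over all tunnels
        self._rr += 1
        return tunnel

    def encapsulate(self, src, dst):
        """Sender: returns (outer src, outer dst, tunnel) after static-NAT translation."""
        l, r = self.select(src, dst)
        return self.local.nat_of(src, l), self.remote.nat_of(dst, r), (l, r)

    def decapsulate(self, outer_src, outer_dst):
        """Receiver: map both static-NAT addresses back to the original pair."""
        return self.remote.internal_of(outer_src), self.local.internal_of(outer_dst)

def scenario():
    """The London / San Francisco scenario: persistence, reverse translation,
    failover on link loss, fallback to a Backup link, and Packet by Packet spreading."""
    london = Site("London", {"A": "Regular", "B": "Backup"}, {"L.100": {"A": "A.100", "B": "B.100"}})
    sf = Site("San Francisco", {"C": "Regular", "D": "Regular"}, {"S.100": {"C": "C.100", "D": "D.100"}})
    lp_london, lp_sf = VirtualTunneling(london, sf), VirtualTunneling(sf, london)
    out = {"first": lp_london.encapsulate("L.100", "S.100")}
    out["persistent"] = lp_london.encapsulate("L.100", "S.100")[2]     # same Client Table entry
    out["decap"] = lp_sf.decapsulate(out["first"][0], out["first"][1])
    sf.links["C"]["up"] = False                 # remote link C reported down (via TRP)
    out["after_failure"] = lp_london.encapsulate("L.100", "S.100")
    london.links["A"]["up"] = False             # only the local Backup link is left
    t = lp_london.select("L.100", "S.100")
    out["fallback"] = (t, lp_london.vt_mode(t))
    for site in (london, sf):
        for link in site.links.values():
            link["up"] = True
    ppp = VirtualTunneling(london, sf, "Packet by Packet")
    out["ppp"] = [ppp.select("L.100", "S.100") for _ in range(3)]
    return out

if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

Two points the model makes visible: the receiving side can only undo the translation because it already holds the sender's static NAT table (hence the TRP requirement stated above), and a Client Table entry is re-evaluated only when its tunnel leaves the active set, so a failed link moves the whole VPN connection to one new tunnel rather than redistributing it.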
Virtual Tunneling Terms
Virtual tunnels are created for every pair of local service and remote service. There is a tunnel for each combination of a local and a remote link. Tunnels are created automatically according to the changes in the local or remote links. A virtual tunnel is set between an IP address of the local LinkProof and an IP address of the remote LinkProof. During the load balancing decision, a virtual tunnel is selected according to its health and the additional parameters required by the configured dispatch method (response time, load).

TRP
TRP (Tunneling Report Protocol) is a proprietary inter-LinkProof communication protocol used to establish and maintain the virtual tunnels. The TRP protocol includes two types of messages:
• Regular - requests from remote LinkProofs the operational and load status of their WAN links.
• Extended - requests from remote LinkProofs their WAN link status and configuration changes.
The interval at which these messages are exchanged is configurable.

Virtual Tunneling Configuration
Before approaching Virtual Tunneling configuration, you should perform the following steps:
1. Configure each LinkProof for basic load balancing. For the router farm that will be used for Virtual Tunneling, set the following parameters:
   — Packet Translation: NAT & Virtual Tunneling.
   — Connectivity Check Status: Health Monitoring.
2. Configure Static NAT/No NAT for local stations participating in virtual tunneling.
3. Define static routes to local station subnets.
4. Define static routes to the external subnets of the remote LinkProof devices (a "destination=0.0.0.0" route covers all possible subnets).

Device-Based Virtual Tunneling Configuration:
For basic configuration of the Virtual Tunneling feature, the user is required to perform the following steps for each participating LinkProof.
To configure Device-Based Virtual Tunneling:
1.
From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click the Virtual Tunneling tab. The Virtual Tunneling pane appears.
3. From the Virtual Tunneling pane, check the Virtual Tunneling Admin Status checkbox to enable Virtual Tunneling, and click Ok.
4. You will be prompted to reboot the device. Click Ok.
5. Once the reboot process ends, repeat steps 1 and 2.
6. Enable TRP Synchronization and Virtual Tunneling HM Admin Status.
7. Click Add to configure a local service. The Edit Local Service window appears.
8. From the Edit Local Service window, set the following parameters according to the explanations provided:
   Local Service Name: Logical entity that represents the service (VPN, VoIP) for which the local LinkProof provides Virtual Tunneling functionality.
   Password: Password for TRP communication (mandatory).
   Host Name: Domain name for TRP DNS resolution. This parameter is not mandatory. If this parameter is not configured, step 12 must be performed.
   Note: If you do not wish to use this parameter, you are required to enter a blank.
   Distribution Mode: Define the persistence mode of this service. The values available are Client Table (provides only high availability for the tunneled traffic, not load balancing) and Packet by Packet.
9. Click Ok. Your preferences are recorded.
10. Add local stations (internal servers whose traffic will be tunneled by this service):
   a. From the Edit Local Service window, enter the Internal Station Address (the address of the server for which virtual tunneling is provided) and click Add. Your entry is added to the table.
   b. Repeat this procedure for all local stations attached to this service.
11. From the Edit Local Services window, click Remote Service. The Remote Service pane appears.
12.
From the Remote Service pane, set the following parameters according to the explanations provided:
   Remote Service Name: Logical entity that represents the remote service (VPN, VoIP) to which the local LinkProof provides Virtual Tunneling functionality for the local service. Any service defined as remote in a local LinkProof device must be defined as local in a remote LinkProof device.
   Password: Password for TRP communication (mandatory).
   Host Name: Domain name for TRP DNS resolution. This host name is used by LinkProof to find the interfaces of the remote LinkProof for TRP communication. This parameter is not mandatory. If this parameter is not configured, step 12 must be performed.
   Note: If you do not wish to use this parameter, you are required to enter a blank.
13. Click Add.
14. Repeat for all Remote Services. Click Ok to return to the Virtual Tunneling pane.
   If host names were defined for each local/remote service, DNS can be used to resolve remote site addresses for TRP communications. In this case the DNS Client must be configured:
   a. Click the DNS Client button. The DNS Client window appears.
   b. Configure the main and Backup DNS servers and click Ok. (Now go to step 13.)
   If host names were not defined for all local/remote services, one remote link (remote LinkProof IP interface) must be defined for each remote service. This allows the local LinkProof to initiate TRP communication with all participating remote LinkProof devices.
   a. Click Advanced. The Advanced Virtual Tunneling window appears.
   b. From the Advanced Virtual Tunneling window, in the Remote Links pane, click Add. The Edit Remote Links window appears.
   c. From the Edit Remote Links window, set the following parameters according to the explanations provided:
      Remote Service Name: Select the Remote Service (previously configured) to which this remote link belongs.
      Remote Link Address: IP address of the remote LinkProof tunneling this Remote Service.
The address can be the Virtual DNS or Remote VIP address (required if redundant LinkProof devices are installed at the remote site), or the physical IP address (interface to the routers) of the remote LinkProof tunneling this Remote Service.
      Remote Link Name: Link name for reference.
      Remote Link Mode: Whether the Remote Link functions in Regular mode or Backup mode for this Virtual Tunneling service.
15. To change basic parameters and the size of the Virtual Tunneling tables (not mandatory), click Virtual Tunneling Settings from the Virtual Tunneling pane. The Virtual Tunneling Settings window appears.
16. From the Virtual Tunneling Settings window, set the following parameters according to the explanations provided:
   TRP Port: The port used by TRP communication. Default is 2090. If there are LP devices on the same network, this port number must be changed. The same TRP port must be configured on all LinkProof devices participating in the Virtual Tunneling functionality.
   TRP Retries: The number of times this device tries to initiate TRP communication with remote LinkProof devices.
   TRP Regular Interval (sec): The time interval, in seconds, at which Regular TRP messages are initiated.
   TRP Extended Interval (min): The time interval, in minutes, at which Extended TRP messages are initiated.
   Tunnel Check Interval (sec): The time interval, in seconds, at which tunnel health is checked.
   Tunnel Check Retries: The number of times that tunnel health checks are attempted each time.
   Tunnel Check Time-out (sec): The period of time after which the operational status of a tunnel that does not respond to health checks is set to Not In Service.
   Tunnel Weight: The weight applied to tunnel latency values in the load balancing decision.
   Local Link Weight: The weight applied to the local link load value in the load balancing decision.
Advanced Configuration
Advanced configuration is required in the following cases:
• TRP communication is disabled. In this case the Remote Stations Table and Remote Link Table have to be filled in manually.
• TRP communication is enabled, but you want to change some of the parameters in the Remote Stations Table manually, including:
   — Remote Link Table
   — Service-NHR
   — Bind Table.
To configure Virtual Tunneling in advanced mode:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click the Virtual Tunneling tab. The Virtual Tunneling pane appears.
3. From the Virtual Tunneling pane, click Advanced. The Advanced Virtual Tunneling window appears.
4. From the Advanced Virtual Tunneling window, click Add. The Edit Remote Links window appears.
5. From this window you can configure the Remote Links (IP addresses of remote LinkProof devices) for Remote Services.
6. For the Remote Links:
   a. From the Advanced Virtual Tunneling window, click Remote Links. The Remote Links pane appears.
   b. From the Remote Links pane, set the following parameters according to the explanations provided:
      Remote Service Name: Select the Remote Service (previously configured) to which this remote link belongs.
      Remote Link Address: IP address of the remote LinkProof tunneling this Remote Service. The address can be the Virtual DNS or Remote VIP address (required if redundant LinkProof devices are installed at the remote site), or the physical IP address (interface to the routers) of the remote LinkProof tunneling this Remote Service.
      Remote Link Name: A link name for reference.
      Remote Link Mode: Whether the Remote Link functions in Regular mode or Backup mode for this Virtual Tunneling service.
   c. Click Ok. Your preferences are recorded.
   d. Repeat this procedure for all the links of all the remote services configured on this LinkProof.
7.
For the Remote Service Station:
   a. From the Advanced Virtual Tunneling window, click Remote Stations. The Edit Remote Stations window appears.
   b. From the Edit Remote Stations window, set the following parameters according to the explanations provided:
      Remote Service Name: Select the Remote Service (already configured) to which this remote link belongs.
      Remote Link Address: IP address of the remote LinkProof tunneling this Remote Service. The address can be the Virtual DNS or Remote VIP address (required if redundant LinkProof devices are installed at the remote site), or the physical IP address (interface to the routers) of the remote LinkProof tunneling this Remote Service.
      Remote Internal: Link name for reference.
      Remote Link Mode: Whether the Remote Link functions in Regular mode or Backup mode for this Virtual Tunneling service.
      Remote Internal Address: Internal IP of the station participating in this remote service. This is the IP configured as a Local Station on the remote LinkProof on which this remote service is local.
      Remote External Address (NAT): The static NAT address configured for the internal address above via this remote link.
   c. Click Ok. Your preferences are recorded.
   d. Repeat the procedure for all the remote stations via all the remote links of all the remote services configured on this LinkProof.
8. For the NHR Bind: This window allows you to view and change local routers' availability for virtual tunneling to each remote service.
   a. From the Advanced Virtual Tunneling window, click NHR Bind. The NHR Bind pane appears.
   b. From the NHR Bind pane, set the following parameters according to the explanations provided:
      NHR Bind Mode: Defines whether this Router (NHR) is functioning in Regular mode or Backup mode in relation to this Remote Service.
      NHR Bind Status: Defines whether this Router (NHR) is enabled for this Remote Service or not.
   c. Click Ok. Your preferences are recorded.
Multi-Device Configuration:
Easy configuration of multiple devices is provided via the Virtual Tunnel Clusters feature available on APSolute Insite. The Virtual Tunnel Cluster is an entity that exists only on APSolute Insite, and which defines a single Virtual Tunneling service for a group of devices.
Note: This functionality requires a Professional Insite license.
To configure multiple devices:
1. Perform preliminary configuration on all LinkProof devices.
2. From the General menu, select Virtual Tunnel Clusters. The Virtual Tunnel Clusters window appears.
3. If the Virtual Tunneling feature is not enabled for any of the LinkProof devices on the map, you are prompted to turn this functionality on and to reboot the devices. Once the functionality is enabled on all LinkProof devices, the Virtual Tunnel Clusters window appears.
4. From the Virtual Tunnel Clusters window, click Add to add a new virtual tunneling cluster. The Edit Virtual Tunnel Clusters window appears.
5. From the Edit Virtual Tunnel Clusters window, enable TRP Synchronization and Virtual Tunneling HM Admin Status. Set the following parameters according to the explanations provided:
   Cluster Name: The name of the cluster, for Insite purposes only.
   Type: The relationships between the devices in the cluster. The values available are:
   • Mesh - virtual tunnels are created between all the devices in the cluster.
   • Star - virtual tunnels are created between the headquarters site and all the other sites.
   Password: Password for TRP communication. The same password will be used for all the units.
6. Click Add. The Edit Device in Cluster window appears.
7. From the Edit Device in Cluster window, set the following parameters according to the explanations provided:
   Device IP: Select the LinkProof IP address from the drop-down list.
   Status: If the cluster type is Star, you can choose whether this device functions as HeadQuarters or Branch. If the cluster type is Mesh, the Status is always Peer.
   Host Name: Domain name for TRP DNS resolution. This parameter is not mandatory. If this parameter is not configured, configure the IP parameter.
   Note: If you do not wish to use this parameter, you are required to enter a blank.
   IP: IP of the local device. The address can be the Virtual DNS or Remote VIP address (required if redundant LinkProof devices are installed at this site), or the physical IP address (interface to the routers) of the LinkProof device. This parameter is required if Host Name was not configured. This parameter is not configured on the device; it is used by Insite to configure the Remote Links tables for this service on all the other devices in the cluster.
   Distribution Mode: Define the persistence mode of this service. The values available are Client Table (provides only high availability for the tunneled traffic, not load balancing) and Packet by Packet.
8. Add Local stations (internal servers whose traffic will be tunneled by this service):
   a. From the Edit Device in Cluster window, enter an Internal Station Address and click Add.
   b. Repeat for all local stations attached to this service.
   c. Click Ok. Repeat this procedure for all devices in the cluster.
9. From the Edit Virtual Tunnel Clusters window, click Ok. APSolute Insite records the relevant Remote Service and Remote Link Tables on all participating devices.

View Virtual Tunneling Status
To view the virtual tunnels created for this device and their status:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click the Virtual Tunneling tab. The Virtual Tunneling pane appears.
3. From the Virtual Tunneling pane, click Virt. Tunnels. The Virtual Tunnels window appears.
4.
The following parameters can be viewed for each virtual tunnel:
• Remote Service Name: The remote service name as it has been entered in the Remote Service Table.
• Remote Link Address: The IP address of the remote LinkProof that provides this Remote Service, as defined in the Remote Links Table.
• Local Server Address: The IP address of a local Router (NHR) available for virtual tunneling to this Remote Service.
• Operational Status: The operational status of this tunnel. Can be Active or Not In Service.
• VT Mode: The Virtual Tunnel mode depends on the Remote Link Mode and the local NHR Bind Mode, and can have the following values:
   — Regular-Regular
   — Regular-Backup
   — Backup-Regular
   — Backup-Backup
If there are Regular-Regular virtual tunnels available, then only they may participate in the load balancing decision. If no Regular-Regular tunnels are available, Regular-Backup tunnels are considered next, then Backup-Regular and finally Backup-Backup virtual tunnels.

Integrated VPN Gateway
This section explains how LinkProof integrates IPSec VPN gateway software to ensure secure communication over a public infrastructure. This section includes the following topics:
• Integrated VPN Gateway Introduction, page 189
• IPSec, page 189
• Configuring VPN Gateways, page 191

Integrated VPN Gateway Introduction
Enterprises need not only to ensure the availability and reliability of their links, but also secure Intranet connectivity from the headquarters location to branch offices, while maintaining low connectivity costs by leveraging the Internet for secure communications. A Virtual Private Network (VPN) is a cost-effective alternative to traditional dedicated networks such as Frame Relay and Leased Lines. A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together.
Instead of using a dedicated connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee. Encryption and other security mechanisms are used to ensure that only authorized users can access the network and that the data cannot be intercepted. IPSec technology is the de-facto standard for implementing VPNs.
Many of the same challenges associated with the connection between headquarters and branch locations also apply to the VPN. LinkProof Branch offers an integrated VPN gateway, thereby providing complete end-to-end secure connectivity between headquarters and branch locations. By implementing LinkProof Branch with integrated VPN, enterprises consolidate the number of devices installed at each branch site. The LinkProof Branch VPN solution will provide 100% availability (multi-homing) and maximum performance and QoS (proximity, load balancing and bandwidth management). Organizations can be assured of the security of the internal network (access control and intrusion prevention) as well as secure connectivity with the LinkProof Integrated VPN gateway.
Note: A special license is required to activate this feature.

IPSec
IPSec combines a number of security technologies into a complete system that provides confidentiality, integrity, and authenticity of IP datagrams. IPSec standards include:
• IP Security Protocol: Defines the type of security services provided for the data (confidentiality, integrity, and authenticity) and the information that is added to an IP packet to enable those services.
• Internet Key Exchange: IKE is a security exchange protocol that is used to negotiate security parameters between IPSec peers and establish authenticated keys in each peer, thereby establishing a Security Association. It is also possible to manually configure security associations, although this is a complex and work-intensive process.
IKE is best suited to most real-world applications, enabling large-scale secure communications.

IPSec Protocols
IPSec defines a new set of headers to be added to IP datagrams that provide information for securing the payload of the IP packet, as follows:
Authentication Header (AH): This header, when added to an IP datagram, ensures the integrity and authenticity of the data, but does not provide confidentiality protection.
Encapsulating Security Payload (ESP): This header, when added to an IP datagram, protects the confidentiality, integrity, and authenticity of the data.

Security Association
A Security Association (SA) is a relationship between two or more entities that describes how the entities use security services to communicate securely. SAs are used for more than just IPSec. For example, IKE SAs describe the security parameters between two IKE devices. Further references to security associations in this chapter specify whether they are IPSec or IKE SAs.
The security association is unidirectional, meaning that for each pair of communicating systems there are at least two security connections: one from A to B and one from B to A. The security association is uniquely identified by a randomly chosen unique number called the security parameter index (SPI) and the destination IP address. In summary, the security association is simply a statement of the negotiated security policy between two devices.

IKE
In symmetric cryptographic systems, both communicating parties use the same key for encryption and decryption. The material used to build these keys must be exchanged in a secure fashion. Information can be securely exchanged only if the key belongs exclusively to the communicating parties. The goal of the Internet Key Exchange (IKE) is for both sides to independently produce the same symmetrical key.
This key then encrypts and decrypts the regular IP packets used in the bulk transfer of data between VPN peers. IKE builds the VPN tunnel by authenticating both sides and reaching agreement on methods of encryption and integrity. The outcome of an IKE negotiation is a Security Association (SA).
This agreement upon keys and methods of encryption must also be performed securely. For this reason IKE is composed of two phases. The first phase lays the foundations for the second.
Diffie-Hellman is the part of the IKE protocol used for exchanging the material from which the symmetrical keys are built. The Diffie-Hellman algorithm builds an encryption key known as a "shared secret" from the private key of one party and the public key of the other. Since the IPSec symmetrical keys are derived from this DH key shared between the peers, at no point are symmetric keys actually exchanged via the Internet.

IKE Phase 1
During IKE Phase I the following occurs:
• The peers authenticate via a pre-shared secret.
• A Diffie-Hellman key is created. The nature of the Diffie-Hellman protocol means that both sides can independently create the shared secret, a key which is known only to the peers.
• Key material (random bits and other mathematical data) as well as agreement on methods for IKE phase II are exchanged between the peers.
The outcome of this phase is the IKE SA, an agreement on keys and methods for IKE phase II.
LP/VPN supports Main Mode for IKE phase I between Gateways. Main mode is partially encrypted, from the point at which the shared DH key is known to both peers, and is less susceptible to Denial of Service (DoS) attacks. In main mode, the DH computation is performed after authentication.

IKE Phase II (Quick mode)
IKE phase II is encrypted according to the keys and methods defined in IKE phase I. The key material exchanged during IKE phase II is used for building the IPSec keys. The result of phase II is the IPSec Security Association.
The IPSec SA is an agreement on keys and methods for IPSec; thus IPSec takes place according to the keys and methods agreed upon in IKE phase II. Once the IPSec keys are created, bulk data transfer takes place.

Configuring VPN Gateways

LP/VPN provides site-to-site VPN connectivity using IPSec tunnel mode. In tunnel mode, the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. The major advantage of tunnel mode is that the end systems do not need to be modified to enjoy the benefits of IP Security. Tunnel mode also protects against traffic analysis. With tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.

To prepare your system for VPN Gateway:
1. Configure the LinkProof device for multi-homing.
2. Configure a special farm that includes the routers that will be used for VPN traffic.
3. Set the Packet Translation parameter to VPN.
4. Configure a flow that includes the farm and set the VPN rules for VPN traffic.
5. Configure Virtual Tunneling functionality if required.

To configure the VPN Gateway:
1. Configure Keys.
2. Configure VPN Rules.

Configuring Keys

The LinkProof VPN gateway supports either key exchange via the IKE mechanism or manual keys. If the key is to be set via IKE, all parameters for both phases of IKE must be set.

For IKE phase 1 (the authentication phase), configure the following parameters according to the explanations provided:

• Encryption Algorithm: Symmetric encryption algorithm for encrypting the data transferred during IKE phase II. Currently only the 3DES algorithm is supported.
• Hash Algorithm: Provides packet authentication and ensures data integrity during IKE phase II. The MD5 and SHA1 algorithms are supported.
• Diffie-Hellman Group: Diffie-Hellman key exchange for deriving key material between peers on a public network.
The Diffie-Hellman key computation (also known as exponential key agreement) is based on the Diffie-Hellman (DH) mathematical groups. The DH groups (DH key lengths) supported during the two phases of IKE are group 1 and group 2 (default).
• Pre-Shared Key: The password used for peer authentication during the first phase of the IKE protocol.
• IKE Lifetime: The IKE SA is only valid for a certain period, after which the IKE SA must be renegotiated. The IPSec SA is valid for an even shorter period (IKE phase II is less processor intensive than phase I). The period between each renegotiation is known as the lifetime. Generally, the shorter the lifetime, the more secure the IPSec tunnel (at the cost of more processor-intensive IKE negotiations). With longer lifetimes, future VPN connections can be set up more quickly.

Note: These parameters must be identical on both sides, otherwise phase I negotiation will fail.

Phase 2 Parameters:

• Protocol: Whether to use the AH or ESP IPSec protocol for the data transfer.
• Encryption Algorithm: Symmetric encryption algorithm for encrypting the data. Currently only the 3DES algorithm is supported.
• Hash Algorithm: Provides packet authentication and ensures data integrity. The MD5 and SHA1 algorithms are supported.
• SA Lifetime: The IPSec SA lifetime (see IKE Lifetime).
• Perfect Forward Secrecy: The keys created by peers during IKE phase II and used for IPSec are based on a sequence of random binary digits exchanged between peers, and on the DH key computed during IKE phase I. For this reason, the use of a single DH key may weaken the strength of subsequent keys: if one key is compromised, subsequent keys can be compromised with less effort. In cryptography, Perfect Forward Secrecy (PFS) refers to the condition in which the compromise of a current session key or long-term private key does not cause the compromise of earlier or subsequent keys.
The DH group used during PFS mode is configurable between groups 1 and 2, with group 2 (1024 bits) being the default.

To add a Key:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click the VPN tab. The VPN pane appears.
3. From the VPN pane, select the Key Management option button. The Key Management table appears.
4. From the Key Management table, click Add. The Key Configuration window appears.
5. From the Key Configuration window, set the parameters according to the explanations above.
6. Click Ok. Your preferences are recorded.

Manual Key

If a manual key is used, only the protocol, encryption and hash algorithm for the IPSec data need to be configured, plus the manual key parameters:

• Encryption Key: The key to be used with the encryption algorithm.
• Authentication Key: The key for peer authentication.
• Inbound SPI: Security Parameter Index for the inbound security association.
• Outbound SPI: Security Parameter Index for the outbound security association.

To add a manual Key:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click the VPN tab. The VPN pane appears.
3. From the VPN pane, check the Key Management option button. The Key Management table appears.
4. From the Key Management table, click Add. The Key Configuration window appears.
5. From the Key Configuration window, select Manual from the Key Mode drop-down menu.
6. Set the parameters according to the explanations provided above.
7. Click Ok. Your preferences are recorded.

Configuring VPN Rules

The VPN Rules define the IPSec policies to be implemented between the local gateway and remote gateways. A separate rule must be defined for each combination of a local subnet and a remote subnet that must communicate using IPSec.
For each rule, set the parameters according to the explanations provided:

• Local Subnet: Configure the local subnet protected by this rule.
• Remote Subnet: Configure the remote subnet protected by this rule.
• Key Name: Select one of the keys defined in the previous step.
• Flow Mode: Defines the way traffic from/to the protected network is treated by LinkProof. The options are:
  — Basic VPN: All the traffic from the local subnet is encrypted and sent via the secure tunnel configured for this rule, or via a backup secure tunnel if the DPD protocol is defined.
  — VPN with Virtual Tunneling: All the traffic from the local subnet is encrypted (a single VPN secure tunnel is created) and then load balanced between all the available local NHRs. This mode uses the Virtual Tunneling functionality to load balance the VPN tunnel traffic between multiple paths; it requires a LinkProof in the remote site as well.
  — Combined VPN/private links: This mode provides the ability to intelligently load balance traffic between unencrypted (private) and encrypted paths. The load balancing decision is taken based on NHR type (backup or regular) and the application grouping configuration. If the chosen NHR is part of the secure tunnel for this VPN rule, traffic is encrypted before it is forwarded to the NHR; otherwise traffic is forwarded to the NHR as is.
• Secure Tunnel: A secure tunnel is composed of the following parameters:
  — Local Gateway: The IP address of the local gateway. This is a virtual IP; you can use an IP from the encrypt NHR subnet, or an IP that does not belong to any LinkProof subnet.
  — Remote Gateway: The IP address of the remote gateway.
  — Local NHR: The local NHR that will be used for encrypted traffic from/to the protected subnet.
  Multiple Secure Tunnels (up to 4) can be configured when Flow Mode is set to Basic VPN and Dead Peer Detection is enabled in the key used for this rule.
• Remote Service Name: If Flow Mode is set to VPN with Virtual Tunneling, the Remote Service defined in Virtual Tunneling should be configured.

To add a VPN Rule:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click the VPN tab. The VPN pane appears.
3. From the VPN pane, check the VPN Rules option button. The VPN Rules table is displayed.
4. From the VPN Rules table, click Add. The VPN Rule window appears.
5. From the VPN Rule window, set the parameters according to the explanations provided above.
6. Click Ok. Your preferences are recorded.

Configuration Notes:
• The Dead Peer Detection mechanism is relevant only when working in Basic VPN Flow mode.
• To prevent protected traffic from being transferred in clear text, the following IP addresses should be used in the grouping tables:
  — In VPN with Virtual Tunneling Flow mode, use the local and remote gateway IPs in the grouping tables.
  — In Combined private & VPN lines Flow mode, use the local and remote protected subnets.
• When using VPN with Virtual Tunneling Flow mode:
  — No NAT or Static NAT must be configured for the local gateway IP.
  — Packet by Packet: The distribution mode for the local service should be set to Per Packet.
  — Virtual Tunneling uses the LP dispatch method for load balancing. If there are problems with packets arriving out of order, it is recommended to change the dispatch method to Hash.

Cost Based Load Balancing

This section explains how LinkProof calculates the weight of the ISP links according to the cost of the link, as well as by the previously supported load balancing factors (i.e. Dynamic Proximity and load).

When buying or leasing a new link today, network administrators must take into account not only the capacity of the link but also the price which has to be paid to the service provider.
The price paid is calculated by the service provider according to its preferred cost model. There are a few cost models by which service providers calculate the cost of their lines:

• Fixed usage price, limited to a certain bandwidth (also called "Flat Rate"). For example, $100 for a certain link per month.
• Cost depending on the actual usage of bandwidth, so that users pay when the lines are used. For example, $10 per Mbps.
• A model which combines the two models above: it has a prepaid bandwidth level up to a certain threshold, and for any bandwidth exceeding that threshold the price is per usage. For example: $100 prepaid up to 2 Mbps and $20 per Mbps from 2 Mbps and above.

Companies which own more than one ISP link and load balance traffic between their links need to take into account the load of the link, the capacity of the link and the cost of each link. When making a load balancing decision, LinkProof can take link cost into consideration as well. LinkProof then calculates the weight of the ISP links according to the cost of the link as well as the previously supported load balancing factors (i.e. Dynamic Proximity and load). The user must define the cost models by which their links are priced.

To configure cost:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click the Cost tab. The Cost pane appears.
3. From the Cost pane, check the Cost Admin Status checkbox to enable the cost feature.
4. Enter a value for the Cost Weight to define the weight of the cost parameter in the load balancing decision.

   Notes:
   i If there is a static proximity entry for the destination, the router is chosen according to this entry.
   ii If the farm Dispatch Method is set to Cyclic, Cost parameters are not taken into consideration.

5. Click Add to configure cost levels for the routers.
The Edit Router Cost Table window appears.
6. From the Edit Router Cost Table window, set the following parameters according to the explanations provided:

   Router Name: Defines the router.
   Method: The pricing method by which the cost calculation is done. Can be either Absolute (for the "Flat Rate" price model) or Per Kbps.
   Threshold: Represents the upper limit of each cost level. Depending on the value of the Billing Mode for this router, this parameter can represent total bandwidth (inbound+outbound), inbound bandwidth only or outbound bandwidth only. The Price set for this cost level is valid for the bandwidth strip between the Threshold of the previous level (or 0 if there is no previous level) and the Threshold of this level.
   Bandwidth Unit: The possible units for price calculation. Can be 10 Kbps, 100 Kbps or 1000 Kbps. If the Method field is set to Per Kbps and the Bandwidth Unit is set to 100 Kbps, for example, the value entered in the Price field represents the price for 100 Kbps. This parameter is relevant only if the cost Method is Per Kbps.
   Price: The amount of money paid per Bandwidth Unit if Method is Per Kbps, or per entire bandwidth level if Method is Absolute. Note: A value of 0 in this field means that the configured amount of bandwidth has already been paid for.

7. Click Ok. Your preferences are recorded.

Notes:
i A "ladder model" can be configured by defining several entries for the same NHR with ascending Bandwidth Thresholds.
ii It is possible that packets that belong to an open session cause the bandwidth used to exceed the bandwidth limit for this NHR. If the Cost feature is disabled, the NHR's bandwidth limit is represented by the Kbps Limit value (set via the NHR table); otherwise it is determined by the lower value between the Kbps Limit and the Bandwidth Threshold of the highest cost level.
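The ladder model and the effective bandwidth limit described in the notes above, worked through in Python as an added example (this is not Radware code). The levels follow the Router Cost Table semantics (Threshold, Method, Bandwidth Unit, Price), and the sample ladder is the "$100 prepaid up to 2 Mbps, $20 per Mbps above" model quoted earlier in this section, with a constructed 10 Mbps top Threshold that the guide does not state.

```python
"""Ladder cost model for a LinkProof NHR (added worked example, not Radware code).

Each level covers the bandwidth strip between the previous level's Threshold
(or 0) and its own Threshold. Method "Absolute" charges Price once for the
whole strip (Flat Rate); "Per Kbps" charges Price per Bandwidth Unit used
within the strip. A Price of 0 marks a strip that is already paid for.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CostLevel:
    threshold_kbps: int              # upper limit of this level's strip
    method: str                      # "Absolute" or "Per Kbps"
    price: float                     # per strip (Absolute) or per unit (Per Kbps)
    bandwidth_unit_kbps: int = 1000  # 10, 100 or 1000; used only for Per Kbps


def _ordered(levels: List[CostLevel]) -> List[CostLevel]:
    """Validate the ladder entries and return them by ascending Threshold."""
    out = sorted(levels, key=lambda lvl: lvl.threshold_kbps)
    for lvl in out:
        if lvl.method not in ("Absolute", "Per Kbps"):
            raise ValueError(f"unknown Method {lvl.method!r}")
        if lvl.method == "Per Kbps" and lvl.bandwidth_unit_kbps not in (10, 100, 1000):
            raise ValueError("Bandwidth Unit must be 10, 100 or 1000 Kbps")
    if any(a.threshold_kbps == b.threshold_kbps for a, b in zip(out, out[1:])):
        raise ValueError("ladder Thresholds must be distinct")
    return out


def ladder_cost(levels: List[CostLevel], usage_kbps: float) -> float:
    """Cost of carrying usage_kbps on this NHR under the ladder.

    A flat-rate strip is charged in full as soon as traffic reaches it; a
    Per Kbps strip is charged for the bandwidth actually used within it.
    Bandwidth above the top Threshold is beyond the NHR's limit (see
    bandwidth_limit) and is not priced here.
    """
    if usage_kbps < 0:
        raise ValueError("usage must be non-negative")
    total, lower = 0.0, 0
    for lvl in _ordered(levels):
        if usage_kbps <= lower:
            break
        used_in_strip = min(usage_kbps, lvl.threshold_kbps) - lower
        if lvl.method == "Absolute":
            total += lvl.price
        else:
            total += lvl.price * used_in_strip / lvl.bandwidth_unit_kbps
        lower = lvl.threshold_kbps
    return total


def marginal_cost_per_kbps(levels: List[CostLevel], usage_kbps: float) -> Optional[float]:
    """Price of one additional Kbps at the current usage: 0 inside a prepaid
    or flat-rate strip, Price/unit inside a Per Kbps strip, None once usage
    has reached the top of the ladder (the link's cost-derived limit)."""
    for lvl in _ordered(levels):
        if usage_kbps < lvl.threshold_kbps:
            return 0.0 if lvl.method == "Absolute" else lvl.price / lvl.bandwidth_unit_kbps
    return None


def bandwidth_limit(levels: List[CostLevel], kbps_limit: int, cost_enabled: bool) -> int:
    """Effective NHR bandwidth limit (Note ii): the NHR table's Kbps Limit
    alone when Cost is disabled, otherwise the lower of that value and the
    highest cost level's Threshold."""
    if not cost_enabled or not levels:
        return kbps_limit
    return min(kbps_limit, max(lvl.threshold_kbps for lvl in levels))


# The model quoted in the text: $100 prepaid up to 2 Mbps, then $20 per Mbps.
# The 10 Mbps top Threshold is a constructed value.
EXAMPLE_LADDER = [
    CostLevel(threshold_kbps=2000, method="Absolute", price=100.0),
    CostLevel(threshold_kbps=10000, method="Per Kbps", price=20.0, bandwidth_unit_kbps=1000),
]

if __name__ == "__main__":
    for usage in (1000, 3500, 10000):
        print(f"{usage} Kbps: cost {ladder_cost(EXAMPLE_LADDER, usage):.2f}, "
              f"marginal {marginal_cost_per_kbps(EXAMPLE_LADDER, usage)}")
    print("limit (Cost on, Kbps Limit 20000):", bandwidth_limit(EXAMPLE_LADDER, 20000, True))
```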
It is possible for system administrators to configure for each NHR whether packets should be discarded once this bandwidth limit is reached. This is done by setting the Bandwidth Limit Exception flag to Enabled in the NHR table.

Data Compression

This section explains the concept of the Data Compression feature, which is used to accelerate application response times and significantly reduce overall bandwidth requirements in Intranet environments. This section includes the following topics:
• Data Compression Overview, page 196
• Data Compression in LinkProof, page 196

Data Compression Overview

In today's economic environment, businesses must find ways to reduce their operational costs. For enterprises with numerous branch offices, connectivity costs represent a significant portion of their overall operational costs. Even a small reduction in connectivity costs at each branch is multiplied at the enterprise level. The result is that enterprises are required to meet seemingly opposite demands: the need to reduce their connectivity costs, as well as the need for high availability and the growing bandwidth requirements of intra-enterprise connectivity.

LinkProof incorporates Data Compression, which is designed to accelerate application response times and significantly reduce overall bandwidth requirements in Intranet environments.

Data compression schemes used in internetworking devices are referred to as lossless compression algorithms. These schemes reproduce the original bit streams exactly, with no degradation or loss, a feature required by routers and other devices to transport data across the network. Lossless compression algorithms use two basic types of encoding techniques:
• Statistical: Searches for frequencies of different symbols.
• Dictionary: Searches for the existence of certain sequences.
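As an added illustration (not LinkProof code), the following Python applies dictionary-based Deflate compression under the IPComp-style compress-or-forward rule that the rest of this section describes: repetitive intranet HTTP text shrinks, while a pre-compressed stream and an encrypted-looking stream are forwarded unchanged because the coder cannot reduce them. The 4-byte IPComp header layout and the well-known DEFLATE CPI value 2 are taken from RFC 2393; all payloads are constructed samples.

```python
"""IPComp-style compress-or-forward decision (added worked example, not LinkProof code).

Each payload is compressed with raw Deflate; the compressed form is sent only
if it is smaller than the original including the IPComp header, otherwise the
original datagram is forwarded as is. Header layout and the DEFLATE CPI come
from RFC 2393; the raw Deflate stream (no zlib wrapper) follows RFC 2394.
"""
import hashlib
import zlib
from typing import Tuple

IPCOMP_DEFLATE_CPI = 2    # well-known Compression Parameter Index for DEFLATE (RFC 2393)
RAW_DEFLATE_WBITS = -15   # negative wbits selects a raw Deflate stream in zlib
IPCOMP_HEADER_LEN = 4     # Next Header (1 byte) + Flags (1 byte) + CPI (2 bytes)


def deflate(payload: bytes) -> bytes:
    """Dictionary-based lossless compression: a raw Deflate stream."""
    comp = zlib.compressobj(level=6, wbits=RAW_DEFLATE_WBITS)
    return comp.compress(payload) + comp.flush()


def inflate(data: bytes) -> bytes:
    dec = zlib.decompressobj(wbits=RAW_DEFLATE_WBITS)
    return dec.decompress(data) + dec.flush()


def ipcomp_encapsulate(payload: bytes, next_header: int) -> Tuple[bool, bytes]:
    """Return (compressed?, bytes to put on the wire).

    next_header is the protocol number of the encapsulated payload (6 = TCP).
    When Deflate output plus the IPComp header would not be smaller than the
    original, the original is forwarded unchanged; this is the path taken by
    ZIP/JPEG-like data and by IPSec-encrypted traffic.
    """
    compressed = deflate(payload)
    if IPCOMP_HEADER_LEN + len(compressed) >= len(payload):
        return False, payload
    header = bytes([next_header, 0]) + IPCOMP_DEFLATE_CPI.to_bytes(2, "big")
    return True, header + compressed


def ipcomp_decapsulate(wire: bytes) -> Tuple[int, bytes]:
    """Inverse of ipcomp_encapsulate for a datagram that was compressed."""
    if len(wire) < IPCOMP_HEADER_LEN:
        raise ValueError("truncated IPComp header")
    next_header, flags = wire[0], wire[1]
    cpi = int.from_bytes(wire[2:4], "big")
    if flags != 0 or cpi != IPCOMP_DEFLATE_CPI:
        raise ValueError(f"unsupported IPComp flags/CPI: {flags}/{cpi}")
    return next_header, inflate(wire[IPCOMP_HEADER_LEN:])


def savings(payload: bytes, next_header: int = 6) -> float:
    """Fraction of bytes saved on the wire (0.0 when forwarded uncompressed)."""
    _, wire = ipcomp_encapsulate(payload, next_header)
    return 1.0 - len(wire) / len(payload)


# Constructed sample payloads, not captured traffic.
# 1) Repetitive CRM/ERP-style HTTP traffic between two sites: compresses well.
CRM_TRAFFIC = b"GET /crm/orders?customer=1042 HTTP/1.1\r\nHost: erp.siteb.example\r\n\r\n" * 16
# 2) Stand-in for already compressed data (a ZIP-like Deflate stream).
ALREADY_COMPRESSED = zlib.compress(CRM_TRAFFIC, 9)
# 3) Stand-in for IPSec-encrypted data: a deterministic high-entropy byte stream.
ENCRYPTED_LIKE = b"".join(
    hashlib.sha256(b"constructed-sample-%d" % i).digest() for i in range(16))

if __name__ == "__main__":
    for name, data in (("CRM/ERP HTTP", CRM_TRAFFIC),
                       ("already compressed", ALREADY_COMPRESSED),
                       ("encrypted-like", ENCRYPTED_LIKE)):
        done, wire = ipcomp_encapsulate(data, 6)
        print(f"{name}: {len(data)} -> {len(wire)} bytes, compressed={done}")
```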
Statistical compression, which uses a fixed, usually non-adaptive encoding method, is best applied to a single application where the data is relatively consistent and predictable. Because the traffic on internetworks is neither consistent nor predictable, statistical algorithms are, in general, not suitable for encoding data for compression on routers, and dictionary-based algorithms are used instead.

Please note that lossless data compression algorithms cannot guarantee to compress (reduce) all input data sets. Examples are data that is already compressed, like ZIP files or JPEG files, or encrypted data, such as IPSec, that does not contain repeatable sequences.

Data Compression in LinkProof

LinkProof has implemented a data compression solution based on the IPComp standard (RFC 2393), which describes a protocol intended to provide lossless compression for Internet Protocol datagrams in an Internet environment. As the compression algorithm it uses the lossless, dictionary-based Deflate (zlib) algorithm. Traffic that cannot be compressed, such as already compressed or encrypted traffic, is forwarded in its original form.

To implement a data compression solution between two sites, a LinkProof device is required at each site. As mentioned before, encrypted traffic is not compressible, so traffic must first be compressed and then encrypted. Using LP Branch VPN at both ends of the connection, it is possible to compress first and then encrypt.

Note: The compression functionality requires a special software license.

Data Compression Configuration

To activate the compression capability, the user is only required to enable the Compression flag on the group of routers (farm) for which data should be compressed. To enhance the efficiency and flexibility of the compression feature, you can apply compression only to certain hosts/subnets or applications by using different flows for compressed traffic and non-compressed traffic.

To configure Data Compression:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the Traffic Redirection window, click the Farms tab. The Farms pane appears.
3. From the Farms pane, select an existing farm or click Add to create a new farm. The Edit LinkProof Farms window appears.
4. From the Edit LinkProof Farms window, click the Traffic Settings tab.
5. From the Traffic Settings tab, enable Compression.

VPN Compression Configuration

When compression of VPN traffic on LP Branch is required, the compression must be activated in the IKE key and not in the farm, as in this case it is part of the VPN process.

To configure VPN Compression:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click the VPN tab. The VPN pane appears.
3. From the VPN pane, check the Key Management option button. The Key Management table appears.
4. From the Key Management table, click Add. The Key Configuration window appears.
5. Set the key parameters according to the explanations in Configuring Keys, page 191, and enable the Compression flag.
6. Click Ok. Your preferences are recorded.

Compression Scenarios

The following scenarios are supported for compression:
• Private Intranet Configuration, page 198
• Combined Private/VPN Intranet Configuration, page 199
• VPN Intranet Configuration, page 201

Private Intranet Configuration

[Figure 20 - Private Intranet Compression Configuration: Site A (NHR 1A, NHR 2A) connected to Site B (NHR 1B, NHR 2B)]

Properties:
• The two sites are connected by two private links. Compression is required on both links.
• Site A is also connected to sites not equipped with a compression-enabled LinkProof.

To set up a configuration for this environment:

Site A:
1. Configure farm ‘Compress_fm’ that includes NHR1A and NHR2A and has the Compression flag enabled.
2. Configure farm ‘Regular_fm’ that includes NHR1A and NHR2A but has the Compression flag disabled.
3. Configure flow ‘Compress_A’ that includes the ‘Compress_fm’ farm, and ‘Regular_A’ that includes the ‘Regular_fm’ farm.
4. Configure the following flow policies:

   Index  Source        Destination   Flow
   1      SiteA_subnet  SiteB_subnet  Compress_A
   2      SiteA_subnet  any           Regular_A

Site B:
1. Configure farm ‘Compress_fm’ that includes NHR1B and NHR2B and has the Compression flag enabled.
2. Configure flow ‘Compress_B’ that includes the ‘Compress_fm’ farm.
3. Configure the following flow policies:

   Index  Source        Destination   Flow
   1      SiteB_subnet  SiteA_subnet  Compress_B

Notes:
i The same physical routers can be part of farms for which compression is enabled and farms for which compression is not enabled.
ii In a farm for which compression is enabled, compression is applied for all logical routers that belong to the farm. This means that the same traffic (source, destination and application) cannot be load balanced between a link over which compression is applied and a link for which compression must not be applied.

Combined Private/VPN Intranet Configuration

[Figure 21 - Combined VPN/Private Compression Configuration: Site A (NHR 1A, NHR 2A) connected to Site B (NHR 1B, NHR 2B)]

Properties:
• The two sites are connected by one private link and one public link with VPN. Compression is applied only on the private link.
• CRM and ERP applications between the two sites (HTTP) are transferred via the private link only; the rest of the traffic goes via the VPN.

To set up a configuration for this environment:

Site A:
1. Configure farm ‘Compress_fm’ that includes NHR2A and has the Compression flag enabled.
2. Configure farm ‘Regular_fm’ that includes NHR1A and has the Compression flag disabled.
3. Configure flow ‘Compress_A’ that includes the ‘Compress_fm’ farm and ‘Regular_A’ that includes the ‘Regular_fm’ farm.
4. Configure the following flow policies:

   Index  Source        Destination   Service  Flow
   1      SiteA_subnet  SiteB_subnet  HTTP     Compress_A
   2      SiteA_subnet  SiteB_subnet  None     Regular_A

Site B:
1. Configure farm ‘Compress_fm’ that includes NHR2B and has the Compression flag enabled.
2. Configure farm ‘Regular_fm’ that includes NHR1B and has the Compression flag disabled.
3. Configure flow ‘Compress_B’ that includes the ‘Compress_fm’ farm and ‘Regular_B’ that includes the ‘Regular_fm’ farm.
4. Configure VPN Rules to the VPN gateway in site A.
5. Configure the following flow policies:

   Index  Source        Destination   Service  Flow
   1      SiteB_subnet  SiteA_subnet  HTTP     Compress_B
   2      SiteB_subnet  SiteA_subnet  None     Regular_B

Note: The same traffic (source, destination and application) cannot be load balanced between a link over which compression is applied and a VPN link.

VPN Intranet Configuration

[Figure 22 - VPN Intranet Compression Configuration: Site A (NHR 1A, NHR 2A) connected to Site B (NHR 1B, NHR 2B)]

Properties:
• The two sites are connected by two public links with VPN. Compression must be applied within the VPN process.

To set up a configuration for this environment:

Site A (Site B is identical):
1. Configure farm ‘VPN_fm’ that includes NHR1A and NHR2A, has the Compression flag disabled, and has Packet Translation set to VPN.
2. Configure flow ‘VPN_A’ that includes the ‘VPN_fm’ farm.
3. Configure an IKE key with the Compression flag enabled.
4. Configure VPN rules between the two VPN gateways.

Chapter 6 - Redundancy

This chapter explains redundancy features and provides common examples of the different LinkProof redundancy configurations. It includes the following sections:
• LinkProof Redundancy, page 203
• Proprietary ARP Redundancy, page 207

LinkProof Redundancy

This section introduces LinkProof redundancy capabilities and provides an explanation of polling and teaching and how these redundancy schemes are incorporated into the LinkProof configuration. This section includes the following topics:
• Introducing LinkProof Redundancy, page 203
• Active / Backup Setup, page 204
• Interface Grouping, page 205
• Mirroring, page 206

Introducing LinkProof Redundancy

Radware recommends installing LinkProof devices in pairs, to provide fault tolerance in the case of a single device's failure. Two processes are involved in the redundancy scheme: polling and teaching. The two LinkProofs have a mechanism that allows them to poll each other:
• The polling mechanism allows the Backup device to constantly mirror the Main device and to ensure the Main device is alive.
• The teaching mechanism is used by the Backup device when the Main device is down. This is how the takeover takes place.

This way, one LinkProof can always recognize whether another LinkProof is up or down. In LinkProof, physical IP addresses are configured to poll other LinkProof physical IP addresses. In LinkProof Redundancy Scheme, page 204, the interface addresses of LinkProof 2 are configured to poll the addresses of LinkProof 1, and the interface addresses of LinkProof 1 are configured to poll the addresses of LinkProof 2.

The teaching process is performed in the following way: once a LinkProof interface considers the other LinkProof interface to be down, it must assume responsibility for the failed IP address.
For example, in LinkProof Redundancy Scheme, page 204, if LinkProof 1 fails and LinkProof 2 decides to pick up for it, LinkProof 2 must assume responsibility for the IP addresses of LinkProof 1. Each pair of LinkProofs can function in an Active / Backup Setup.

To achieve redundancy between pairs of LinkProof devices, the following methods are supported:
• Proprietary ARP, working with the Address Resolution Protocol, which is used to monitor the other device in the pair and to check its availability. Using proprietary ARP redundancy, at fail-over time the IP addresses of the Main device are managed by the Backup device and are associated with the Backup device's MAC address.
• VRRP, working with the Virtual Router Redundancy Protocol, which makes it possible to maintain dynamic redundancy using a virtual router. With VRRP, IP addresses are associated with Virtual MAC addresses that are owned by the Main device and are taken over by the Backup device at fail-over time.

[Figure 23 - LinkProof Redundancy Scheme: Router 1 and Router 2 on Network B&C; two LinkProof devices, each with Port 1 and Port 2 (MAC A and MAC B; MAC C and MAC D) carrying the interface addresses IP A 1, IP A 2, IP B 1 and IP B 2; Users on Network A]

Active / Backup Setup

In the case of an Active / Backup configuration, the Main LinkProof device performs regular LinkProof operation, handling all the inbound sessions to the Virtual Addresses and distributing traffic among the servers in the farm. The Backup LinkProof device is configured with identical forms containing the exact same servers and farm settings. This device acts as a hot standby and does not perform load balancing as long as the Main device is active.

The Backup LinkProof periodically verifies that the Main device is available. When the Backup LinkProof detects that the Main LinkProof has failed, the Backup device assumes control of the IP addresses of its Main partner, letting all devices on the network know that the Backup device is now responsible for the services of the Main device.
When the Backup device takes control over the services, it continues to monitor the Main device. As soon as the Main device is back online, the Backup device releases the services.

Interface Grouping

To provide a complete solution for redundancy against all failures, LinkProof employs a mechanism called Interface Grouping. If LinkProof notices that one of its physical ports is down, it intentionally brings all other active ports down. When a physical port on LinkProof goes down, because of a cable failure, switch port failure, hub failure, or other problems, LinkProof performs the following tasks:
1. LinkProof examines the configuration to see if any IP addresses were configured on the port that just went down.
2. If there were IP addresses configured on the port that went down, LinkProof deactivates all other active ports.
3. If there were no IP addresses configured on the port that went down, nothing happens and normal operation continues.

Notes:
i Using Regular VLAN, when any of the ports associated with a VLAN is down, Interface Grouping is triggered.
ii Using Switched IP VLAN, Interface Grouping is triggered only when all ports on a Switched IP VLAN are down.
iii When using VLAN with Interface Grouping, a group may go down as a result of a failing interface. In such an event all traffic to the interfaces belonging to the group will be discarded, including management traffic.

Selective Interface Grouping

One of the common installations of LinkProof is the LinkProof redundancy installation. In many installations of this kind, both the Main and the redundant LinkProof have a separate interface for management, which is used solely for management purposes and not for handling actual traffic. An issue may occur if the management interface goes down, since it causes Interface Grouping on the Main device to be activated, resulting in the Backup device taking control.
This issue occurs because the management interface is an IP interface, which when down affects Interface Grouping. LinkProof has the capability of defining which interfaces initiate Interface Grouping and which do not. A new table has been introduced, Master Interface Grouping. Through this table you can define for each interface whether the interface should initiate Interface Grouping if it goes down (the interface's Port Status is set to Included) or not.

Notes:
i If an interface which is part of a VLAN goes down and its Port Status is set to Included, it does not initiate Interface Grouping.
ii When an interface which has its Port Status set to Included comes up again after it went down, Interface Grouping is turned off immediately and the device regains control (becomes the Main device). No reboot is required.

To configure Selective Interface Grouping:
1. From the main window, select the Main device icon, then hold the Shift (or Ctrl) key, select the Backup device, and click Link. The Redundancies window appears.
2. From the Redundancies window, click Master Interface Grouping. The Master Interface Grouping window appears.
3. From the Master Interface Grouping window, select the port that you want to exclude from Interface Grouping, then in the Port Status field select Excluded and click Update. Your preferences are recorded.

Backup Interface Grouping

The Backup device takes control only if *all* the interfaces of the Main device are out of service. This solves the following problem: consider an active and a backup device, each connected to a switch, with the switches cross-connected. When the cable cross-connecting the switches fails, this is communicated to the Main device and so Interface Grouping is not triggered, but the Backup device cannot communicate with the Main, and so the Backup takes over. This causes downtime in the service.
When the Backup Interface Grouping parameter is enabled, the Backup device takes over only when all IP interfaces defined in its Redundancy Table fail. Correspondingly, the Backup device releases those interfaces only when all the Main device's interfaces are up. When Backup Interface Grouping is not activated, the Backup device takes control once one interface of the Main device (defined in the Redundancy Table) is out of service. Correspondingly, the Backup device releases the interface once all the interfaces of the Main device are available.

To enable Interface Grouping and Backup Interface Grouping:
1. From the main window, select the Main device, then hold the Shift (or Ctrl) key, select the Backup device, and click Link. The Redundancies window appears.
2. From the Redundancies window, click Advanced Redundancy. The Advanced Redundancy dialog box appears.
3. From the Device Name drop-down list, select the device for which you want to define the advanced parameters.
4. To enable Interface Grouping, check the Interface Grouping checkbox and click Ok.
5. To enable Backup Interface Grouping, check the Backup Interface Grouping checkbox and click Ok.

Mirroring

Mirroring enables a redundant Backup device to maintain a copy of the dynamic tables of the Main device, by sending a snapshot of the Client Table information contained on the Main device to the Backup device. If the Main device fails, the Backup device seamlessly resumes the sessions, ensuring that the request for service is forwarded to the same server in the farm which handled the session before the Main device failure.

Mirroring is recommended for use with very state-sensitive and long-term sessions, such as Telnet or FTP. However, this feature should not be activated with HTTP applications, where sessions are short and a reload mechanism is built in or transparent. Mirroring should not be used in conjunction with the Dynamic Session ID Tracking feature.
When enabling Mirroring on a Backup LinkProof, the device must be reset. Setting up Mirroring affects the general LinkProof performance.

Notes:
i. When setting up mirroring, it is recommended to use the same LinkProof software version on the Main and the Backup devices.
ii. It is not recommended to use mirroring in conjunction with Layer 7 features that require Delayed Bind. These include Dynamic Session ID Persistency, Layer 7 Policies, SSL ID tracking and so on.

To configure Mirroring:
Mirroring parameters must be configured both on the Main device and on the Backup device.
1. From the main window, select the two devices by holding down the Shift key and click Link. The Redundancies window appears.
2. From the Redundancies window, click Mirroring. The LinkProof Mirroring dialog box appears.
3. From the LinkProof Mirroring dialog box, set the following parameters according to the explanations provided:
   Client Table Mirroring: Enables or disables client table mirroring. Default: Disabled.
   % of Table to Backup: The percentage of the Client Table to send to the Backup device. The newest percentage is always sent to the Backup device. Default: 100%.
   Mirror Update Time: How often the Main device sends information to the Backup device. Default: 10 seconds.
4. Click Ok to apply the setup and close the dialog box.

Proprietary ARP Redundancy

This section explains how the LinkProof platform employs the Address Resolution Protocol (ARP) to check the availability of its partner. The ARP method ensures that the Radware device is available and that the network connections between the devices are up.

The section includes the following topics:
• Proprietary ARP, page 207
• Backup Fake ARP, page 208
• Advanced Forwarding, page 213

Proprietary ARP

In the proprietary method, the LinkProof platform employs the Address Resolution Protocol (ARP) to check the availability of the partner.
The ARP method ensures that the Radware device is available and that the network connections between the devices are up. If the Main device fails, the Backup device takes control and seamlessly continues operating the sessions between clients and servers that had been established on the primary device. With Proprietary ARP redundancy, the Backup device manages the polling process by continuously polling the Main device using the ARP protocol, see Table 15 on page 208. When the Main device fails, the teaching process takes place: the Backup device sends broadcast ARPs informing its network neighbors that the IP addresses of the Main device are now associated with its own MAC addresses. This ensures that all traffic destined to the IP addresses of the Main device arrives at the Backup device.

Table 15: Polling Parameters
Parameter         Description
Polling Interval  How often the Backup device polls the Main device (in seconds). Default: 3.
Timeout           The number of polling attempts that are made before the Backup device takes over. Default: 12.

Backup Fake ARP

When two LinkProof devices are working in redundant mode, the Backup device constantly monitors the health of the Main device. Once the Backup device detects that the Main device has failed, the Backup device takes control, which means that the Backup device now owns the IP addresses of the Main device. The Backup device sends gratuitous ARP to all local stations, informing them that the Main device IP addresses now correspond to the MAC addresses of the Backup device. This process ensures smooth redundancy from the Main device to the Backup. When the Main device is operational again, it uses the same technique: the Main device sends gratuitous ARP to all local stations, informing them that the Main device IP addresses now correspond to the MAC addresses of the Main device.
To speed up this process, the Backup device also publishes that the IP addresses of the Main device correspond to the MAC addresses of the Main device. This is a fake ARP, since one device (the Backup) publishes on behalf of the other device (the Main). The fake ARP might confuse some Layer 3 switches, as they update their ARP tables from the source MAC of the packet rather than from the MAC in the information part of the packet. The Backup Fake ARP option is enabled by default and can be disabled if needed.

Backup Device in VLAN

When using Redundancy with Bridging, the Backup device must remain completely silent on the network in order to avoid broadcast storms. In such a case, this behavior must be set using the Backup Device in VLAN parameter.

To enable Backup Fake ARP and Backup Device in VLAN:
1. From the main window, select the Main LinkProof device icon, then hold the Shift (or Ctrl) key, select the Backup device, and click Link. The Redundancies window appears.
2. From the Redundancies window, click Advanced Redundancy. The Advanced Redundancy dialog box appears.
3. From the Device Name drop-down list, select the device for which you want to define the advanced parameters.
4. To enable Backup Fake ARP, check the Backup Fake ARP checkbox and click Ok.
5. To enable Backup Device in VLAN, check the Backup Device in VLAN checkbox and click Ok.

Example: Proprietary Redundancy with Routing

Figure 24, Proprietary Redundancy with Routing, illustrates the scheme for a proprietary redundancy configuration with routing.

[Figure 24 - Proprietary Redundancy with Routing. Router 1 at 100.1.1.20 and Router 2 at 200.1.1.20. LinkProof 1: Interface 2 with 100.1.1.10 and 200.1.1.10, Interface 1 with 10.1.1.10. LinkProof 2: Interface 2 with 100.1.1.11 and 200.1.1.11, Interface 1 with 10.1.1.11. Local Network 10.1.1.x.]

To Configure Proprietary Redundancy with Routing:
1. Set the default gateway of the local network to the IP address of the Main LinkProof, 10.1.1.10.
2. Add a Main device and a Backup device to the APSolute Insite map, and set IP addresses and routing as needed.
3. Add Router 1 and Router 2 to the map. Set Farm 1 with Router 1 and Router 2 on LinkProof 1 and on LinkProof 2.
4. From the main window, select the Main device, then hold the Shift (or Ctrl) key, select the Backup device, and click Link. The Redundancies window appears.
5. From the Relation Type drop-down list, select IP Active-Backup.
6. In the Main Device area you can view the name and IP address of the Main device. These are read-only fields.
7. In the Backup Device area you can view the name and IP address of the Backup device. These are read-only fields.
8. From the Redundancies window, click Add to define which IP addresses of the Backup device correspond to IP addresses of the Main device. Insert as many entries as needed, one for each IP Interface where redundancy is provided. In the network design of this example, add:
   Main Device    Backup Device
   10.1.1.10      10.1.1.11
   100.1.1.10     100.1.1.11
   200.1.1.10     200.1.1.11
9. Set Polling Interval and Time-out for each entry, see Table 15 on page 208.
10. From the Redundancies window, click Advanced Settings and set the following parameters for each device according to the explanations provided:
   For the Main device: Select Interface Grouping, see To enable Interface Grouping and Backup Interface Grouping:, page 206.
   For the Backup device: When needed, select Backup Interface Grouping, see To enable Interface Grouping and Backup Interface Grouping:, page 206. Select the Backup Fake ARP checkbox, see To enable Backup Fake ARP and Backup Device in VLAN:, page 208.
11. Set up mirroring, see To configure Mirroring:, page 207.
   Note: Make sure that the LinkProof settings on the Main and Backup devices correspond. For example, every VIP whose mode is set to Regular on the Main device is configured with mode Backup on the Backup device, as is the case with NAT Addresses and so on.
12. To trigger an automatic configuration update of the secondary device in a redundant configuration, from the Redundancies window, click Copy Configuration. The configuration file of the Main device is used and modified as needed, then sent to the Backup device. The old configuration on the Backup device is deleted.
   Note: The Copy Configuration button is enabled only when at least one IP Interface is set for redundancy.
13. Click Ok to accept your preferences and exit the window. The redundancy relation is displayed visually on the map.

Example: Proprietary Redundancy with Bridging

The example in Figure 25, Proprietary Redundancy with Bridging, page 211, illustrates the scheme for proprietary redundancy with bridging.

[Figure 25 - Proprietary Redundancy with Bridging. Router 2 at 200.1.1.20 and Router 1 at 100.1.1.20. LinkProof 1: Interface 2 with 200.1.1.10, Interface 1 with 100.1.1.10. LinkProof 2: Interface 2 with 200.1.1.11, Interface 1 with 100.1.1.11. Local Network 100.1.1.x.]

Properties: Network side and server side are on the same IP subnet.

To Configure Proprietary Redundancy with Bridging:
1. Set the default gateway of the local network to the IP address of the Main LinkProof device, 10.1.1.10.
2. Add a Main device and a Backup device to the APSolute Insite map, and set IP addresses and routing as needed.
3. Add Router 1 and Router 2 to the map, and set Farm 1 with Router 1 and Router 2 on LinkProof 1 and on LinkProof 2.
4. From the main window, select the Main device, then hold the Shift (or Ctrl) key, select the Backup device, and click Link. The Redundancies window appears.
5. From the Relation Type drop-down list, select IP Active-Backup. In the Main Device area you can view the name and IP address of the Main device. These are read-only fields. In the Backup Device area you can view the name and IP address of the Backup device. These are read-only fields.
6. From the Redundancies window, click Add to define which IP addresses of the Backup device correspond to IP addresses of the Main device.
7. Insert as many entries as needed, one for each IP Interface where redundancy is provided. In the network design of this example, add:
   Main Device    Backup Device
   100.1.1.10     100.1.1.11
   200.1.1.10     200.1.1.11
8. From the Redundancies window, click Add and set Polling Interval and Time-out for each entry, see Polling Parameters, page 208.
9. From the Redundancies window, click Advanced Settings and set the following parameters for each device according to the explanations provided:
   For the Main device: Select Interface Grouping, see To enable Interface Grouping and Backup Interface Grouping:, page 206.
   For the Backup device: When needed, select Backup Interface Grouping, see To enable Interface Grouping and Backup Interface Grouping:, page 206. Select the Backup Device in VLAN checkbox and the Backup Fake ARP checkbox, see To enable Backup Fake ARP and Backup Device in VLAN:, page 208.
10. Set up mirroring, see To configure Mirroring:, page 207.
   Note: Make sure that the LinkProof settings on the Main and Backup devices correspond. For example, every VIP whose mode is set to Regular on the Main device is configured with mode Backup on the Backup device, as is the case with NAT Addresses and so on.
11. To trigger an automatic configuration update of the secondary device in a redundant configuration, from the Redundancies window, click Copy Configuration. The configuration file of the Main device is used and modified as needed, then sent to the Backup device. The old configuration on the Backup device is deleted.
   Note: The Copy Configuration button is enabled only when at least one IP Interface is set for redundancy.
12. Click Ok to accept your preferences and exit the window. The redundancy relation is displayed visually on the map.
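The gratuitous ARP teaching described in the Backup Fake ARP section, the Layer 3 switch caveat it raises, and the polling parameters of Table 15 can be illustrated offline with the following Python. It is an added example and not Radware code: the two MAC addresses are constructed, the function names are assumptions, and the Main address 10.1.1.10 is taken from the routing example. Frames are only built and parsed in memory; nothing is sent on the wire.

```python
"""Gratuitous ARP teaching, the Backup Fake ARP caveat, and takeover timing.

Assumptions (not from the guide): the MAC addresses below, the function
names, and the switch-learning policies modelled in learn_arp().
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed MAC addresses for the two devices (assumption).
MAIN_MAC = "00:11:22:33:44:01"
BACKUP_MAC = "00:11:22:33:44:02"
MAIN_IP = "10.1.1.10"   # Main LinkProof local-network address from Figure 24


def _mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_gratuitous_arp(eth_src_mac, sender_mac, sender_ip):
    """Ethernet II frame carrying a broadcast ARP reply announcing sender_ip -> sender_mac.

    For a normal gratuitous ARP eth_src_mac and sender_mac belong to the same
    device.  For a Backup Fake ARP the Backup transmits (eth_src_mac) while
    advertising the Main's MAC (sender_mac).
    """
    ip_packed = ipaddress.IPv4Address(sender_ip).packed
    ethernet = _mac_bytes(BROADCAST_MAC) + _mac_bytes(eth_src_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += _mac_bytes(sender_mac) + ip_packed        # sender hardware / protocol address
    arp += _mac_bytes(BROADCAST_MAC) + ip_packed     # target is the announced IP itself
    return ethernet + arp


def parse_arp(frame):
    """Return the fields a switch or host looks at when learning."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (hlen, plen) != (6, 4):
        raise ValueError("unexpected address lengths")
    return {
        "eth_src": _mac_str(frame[6:12]),
        "oper": oper,
        "sender_mac": _mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
    }


def announces_on_behalf(frame):
    """True when the Ethernet source differs from the ARP sender hardware address,
    i.e. one device publishes another's MAC.  Usable as a monitoring check: with
    Backup Fake ARP disabled, such frames are not expected on the segment."""
    p = parse_arp(frame)
    return p["eth_src"] != p["sender_mac"]


def learn_arp(table, frame, policy):
    """Update an ARP table.  policy="payload" binds the IP to the ARP sender
    hardware address; policy="source_mac" binds it to the Ethernet source MAC,
    as the Layer 3 switches mentioned in the Backup Fake ARP section do."""
    p = parse_arp(frame)
    table[p["sender_ip"]] = p["sender_mac"] if policy == "payload" else p["eth_src"]
    return table


def takeover_detection_seconds(polling_interval=3, timeout=12):
    """Worst-case time before the Backup declares the Main failed: Polling
    Interval x Timeout.  The Table 15 defaults give 36 seconds."""
    return polling_interval * timeout


def fake_arp_divergence():
    """Replay the teaching sequence (Backup takes over, Main returns, Backup sends
    a fake ARP on the Main's behalf) and return the binding each kind of switch
    ends up with for the Main's IP."""
    tables = {"payload": {}, "source_mac": {}}
    sequence = [
        build_gratuitous_arp(BACKUP_MAC, BACKUP_MAC, MAIN_IP),  # takeover by the Backup
        build_gratuitous_arp(MAIN_MAC, MAIN_MAC, MAIN_IP),      # Main back in service
        build_gratuitous_arp(BACKUP_MAC, MAIN_MAC, MAIN_IP),    # Backup Fake ARP
    ]
    for frame in sequence:
        for policy in tables:
            learn_arp(tables[policy], frame, policy)
    return {policy: table[MAIN_IP] for policy, table in tables.items()}


if __name__ == "__main__":
    print(fake_arp_divergence(), takeover_detection_seconds())
```

The divergence function shows the effect the section warns about: a switch that learns from the ARP payload ends with the Main's MAC, while one that learns from the Ethernet source keeps sending the Main's traffic to the Backup after the fake ARP, which is why the option may need to be disabled on such segments.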
Advanced Forwarding

The LinkProof routing mechanism includes a table called the IP Fast Forwarding Table (IPFFT). The IPFFT holds routing information in order to save CPU time when calculating routing decisions. A large IPFFT (over 100,000 entries), or an IPFFT that overflows because a lot of traffic needs to be routed, may impair the overall performance of the LinkProof device. The Advanced Forwarding feature uses a more efficient algorithm in the IPFFT that keeps the IPFFT small.

To configure Advanced Forwarding using WBM:
1. Select Router > IP Router > Operating Parameters > Advanced Fast Forwarding Status.
2. From the ARP Proxy drop-down list, select enable or disable.
3. Click Set.

To configure Advanced Forwarding using CLI:
1. Type the command net route advanced-forwarding set <disable or enable>.
2. Press Enter.

VRRP Redundancy

This section explains the Virtual Router Redundancy Protocol (VRRP), defined in RFC 2338, a standard protocol that enables dynamic router redundancy. This section includes the following topics:
• Introducing VRRP, page 213
• VRRP Redundancy Notes, page 215
• VRRP nxn Redundancy, page 219
• Direct Server Connection with VRRP, page 219

Introducing VRRP

VRRP (Virtual Router Redundancy Protocol), defined in RFC 2338, is a standard protocol that enables dynamic router redundancy. If the Main device fails, VRRP ensures that the Backup device takes over and traffic is forwarded to it. The basic concept in VRRP is the Virtual Router (VR). A VR has a Virtual Router Identifier (VRID) and one or more IP addresses associated with it. Each VR has a VRMAC, a MAC address associated with the VR, which removes the need for a MAC address update in case of a fail-over. The VRMAC address is determined by the VRID and does not need to be configured manually. Typically, the same VR is configured on multiple devices to achieve redundancy between them for the VR.
Each device has a priority for a VR; the Main device for the VR is the device with the highest priority. Using VRRP, the Main device constantly sends advertisements to the other VRRP routers to indicate that it is online. When the advertisements stop, the Main device is assumed to be inactive. A new Main device is then selected for this VR, namely the device with the next highest priority for that VR.

For a typical Main-Backup scenario, a VR is required for each interface of LinkProof. In a standard LinkProof setup, two VRs are required:
VR-I  For the Internet side of LinkProof; associated with the IP address of the Main LinkProof.
VR-S  For the server side of LinkProof.

You need to configure all VRs on each LinkProof device and associate the appropriate IP addresses with each VR. Typically, the physical address of the external side of LinkProof and the farm address are associated with VR-I. The physical address of the server side of LinkProof is associated with VR-S. You need to set a priority for each VR on each LinkProof. The priorities for all VRs on the Main LinkProof may be 255, to indicate that it is the Main device, and a lower value on the Backup device. Using VRRP, it is possible to set up more than one redundant LinkProof to back up a Main LinkProof, with a hierarchy.

To configure VRRP Redundancy:
1. From the main window, select the two devices by holding down the Shift button, and click Link. The Redundancies window appears.
2. From the Redundancies window, from the Relation Type drop-down list, select VRRP.
3. In the Master Device area, you can view the name and IP address of the device. These are read-only fields.
4. In the Backup Device area, you can view the name and IP address of this device. These are also read-only fields.
5. To assign virtual routers to both the Master and Backup devices, click Add. The Edit VRRP Table window appears.
6. From the Edit VRRP Table window, set the following parameters according to the explanations provided:
   Interface: The interface number. Default: F-1.
   VR ID: The virtual router's identification number. Value range: 1-255.
   Enable Virtual Router: (checkbox) Enables or disables the administrative status of this VR. Default: Disabled.
   Priority: Defined with the values 1-255, where the highest priority (255) must be assigned to the VR that is associated with a device's physical IP address (an IP address that the device owns). Default: 100.
   Primary IP: The primary IP address. The device adds a default value unless the user defines one.
   Authentication Type: The type of authentication, No Authentication or Text Authentication. Default: No Authentication.
   Authentication Key: Password up to 8 characters in length.
   Advertisement Interval: The interval at which packets are checked. Default: 1 second.
   Preemption Mode: Defines the takeover procedure for the VR when a device fails and then resumes functioning. When a device with a certain priority fails, the device with the next highest priority takes control of the VR. When the device with the higher priority for this VR resumes functioning, the Preemption Mode decides whether it must retake control of the VR from the device with the lower priority. Values are True (the higher priority device takes over the VR) and False (the device with the lower priority maintains control of the VR). This mode is only applicable when more than two devices share a VR. Note: The router that owns the IP address associated with the VR is an exception to this definition, as it always preempts independently of this flag's setting. Default: True.
   Protocol: Name of the IP protocol for LinkProof (not configurable).
7. To define which IP addresses are backed up with VRRP, click Associated IP. The Associated IP Address dialog box appears.
8. From the Associated IP Addresses dialog box, insert an entry for each IP address that you want to associate with each configured VR. Typically, LinkProof and VIP addresses, as well as Virtual DNS addresses, are associated with the VR used for the external side of the device. LinkProof addresses must be associated with the VR used for the internal side of the device. Static NAT addresses must be associated either with the VR for the external side of LinkProof or with the internal one, depending on the configuration.
   Note: When assigning an IP address to a VRID, make sure that there is an existing IP Interface belonging to the same subnet. Example: if you add IP address 192.168.10.200 / 24, there must be an Interface with a Physical Address such as 192.168.10.1 / 24.
9. Click Ok to apply the setup and exit the window.

VRRP Redundancy Notes

The following points should be taken into consideration with the initial use of VRRP.
• VRRP is not supported in a VLAN network design using Regular VLANs, excluding designs with server Direct Connection.
• Zero cannot be configured as a VRID number.
• Each VRID must be a unique ID number. This is true even for VRIDs on different interfaces.
• If two Radware devices belong to the same subnet, and each device is backed up by a VRRP router, the VRID numbers for both devices must also be different.

When using interface grouping:
• If a certain VRID's Admin Status is Disabled, then either all VRIDs in that device are disabled too, or all copies of that VRID in other devices are disabled as well.
• If, on a certain interface, a Radware device has IP addresses that belong to a subnet that the Backup device does not have on that interface, then it is the user's responsibility to configure the Radware device with a primary IP address that belongs to a subnet that the Backup device has.
• Upon creating a VR on a port, there must be at least one IP interface configured on that physical port.
• Ensure that the same parameters are configured on both devices for each VRID.

Example: Redundant LinkProof Configuration with VRRP

The example in Figure 26, Redundant LinkProof Configuration with VRRP, illustrates the scheme for a redundant LinkProof configuration with VRRP.

[Figure 26 - Redundant LinkProof Configuration with VRRP. Router 1 at 100.1.1.20 and Router 2 at 200.1.1.20 connected to Port 1 of LinkProof 1 and LinkProof 2; Firewall 1 and Firewall 2 connected to Port 2 of each device; the Virtual Address is labelled Regular 100.1.1.100 and Backup.]

Properties:
• Network side and server side are on different subnets.
• The virtual IP addresses served by the LinkProofs are 100.1.1.100 and 200.1.1.100, usually handled by LinkProof 1.
• Routers 100.1.1.20 and 200.1.1.20 are assigned to the farm that is managed by LinkProof 1.
• Redundancy is performed using the VRRP protocol.

To configure Redundant LinkProof with VRRP:
1. Set the default gateway of the Firewall to the IP address of LinkProof 1, 10.1.1.10.
2. Add LinkProof 1 and LinkProof 2 to the APSolute Insite map, and set IP addresses and routing as shown in Redundant LinkProof Configuration with VRRP, page 216.
3. Add Router 1 and Router 2 to the map, and set Farm 1 with Router 1 and Router 2 on LinkProof 1 and on LinkProof 2.
4. Add Firewall 1 and Firewall 2 to the map, and set Farm 2 with Firewall 1 and Firewall 2 on LinkProof 1 and on LinkProof 2.
5. Set the VRRP for LinkProof 1 (Master Device):
   a. Double-click the LinkProof 1 icon. The LinkProof Setup window appears.
   b. From the LinkProof Setup window, click Redundancies. The LinkProof Redundancies window appears.
   c. From the Relation Type drop-down list, select VRRP.
   d. Click Add on the left side to add VRs to the Master device configuration, and set the following parameters according to the explanations provided:
      Interface: F-1, VRID: 100, Enable Virtual Router: Selected, Priority: 255, Primary IP: 100.1.1.10
      Interface: F-1, VRID: 100, Enable Virtual Router: Selected, Priority: 255, Primary IP: 200.1.1.10
      Interface: F-2, VRID: 10, Enable Virtual Router: Selected, Priority: 255, Primary IP: 10.1.1.10
   e. Access the Associated IP Addresses Table by clicking Associated IP. The Associated IP Address window appears.
   f. From the Associated IP Address window, set the following parameters according to the explanations provided:
      Interface: F-1, VRID: 100, IP Address: 100.1.1.10
      Interface: F-1, VRID: 100, IP Address: 200.1.1.10
      Interface: F-2, VRID: 10, IP Address: 10.1.1.10
   g. Click Add.
6. Set the VRRP for LinkProof 2 (Backup Device):
   a. In the same window, set the Backup device VRRP. From the Edit VRRP Table, set the following parameters according to the explanations provided:
      Interface: F-1, VRID: 100, Enable Virtual Router: Selected, Priority: 100, Primary IP: 100.1.1.11
      Interface: F-1, VRID: 100, Enable Virtual Router: Selected, Priority: 100, Primary IP: 200.1.1.11
      Interface: F-2, VRID: 10, Enable Virtual Router: Selected, Priority: 100, Primary IP: 10.1.1.11
   b. Access the Associated IP Addresses Table by clicking Associated IP. The Associated IP Address window appears.
   c. From the Associated IP Address window, set the following parameters according to the explanations provided:
      Interface: F-1, VRID: 100, IP Address: 100.1.1.100 (VIP Address)
      Interface: F-1, VRID: 100, IP Address: 200.1.1.100 (VIP Address)
      Interface: F-2, VRID: 10, IP Address: 10.1.1.10 (LinkProof IP Address)
   d. Click Add.
7. From the Redundancies window, click Advanced Redundancy. The Advanced Redundancy dialog box appears.
8. From the Advanced Redundancy dialog box, select the Interface Grouping checkbox for the Main device.
9. From the Advanced Redundancy dialog box, select the Backup Interface Grouping checkbox for the Backup device if needed.

VRRP nxn Redundancy

Multiple LinkProof devices can be configured to achieve a full redundancy scheme between any number of devices. This can be extended to any number of devices, using a hierarchy of priorities between VRIDs to reflect the order of backup precedence between LinkProof devices.

Direct Server Connection with VRRP

VRRP with Switched IP VLAN allows direct connection of servers to LinkProof in conjunction with routing and bridging. In this configuration, servers with dual Network Interface Cards are directly connected to the LinkProof devices. LinkProof uses routing (Direct Server Connection with VRRP and Routing, page 220) or bridging (Redundant LinkProof Configuration with VRRP and Direct Connection, page 221) between the external network, connected to routers or switches, and the internal network, connected to servers. Servers are connected directly to the interfaces of LinkProof. A cross cable is required in order to connect the two LinkProof devices together (using Giga or Fast Ethernet ports). The interfaces to which the servers are connected and the interface used for connecting the two LinkProof devices are associated with a Switched IP VLAN. This puts all the servers on a single switch.

Using bridging, you need to configure a Regular VLAN that includes the Switched IP VLAN and the LinkProof interface to the external side. This creates a bridge between the Switched VLAN and the interface to the external side. When needed, multiple LinkProof interfaces can be added to this Regular VLAN.

Using routing with Layer 2 or Layer 3 switches, whether connecting LinkProof and servers or connecting LinkProof to the external subnet, you must avoid any configuration that contains a loop.
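The election behaviour described in Introducing VRRP and by the Priority and Preemption Mode parameters of the Edit VRRP Table can be traced with the following Python. It is an added illustration and not Radware code: the VrEntry class and function names are assumptions, the third device (LinkProof 3, 100.1.1.12) and the order of events are constructed to show the hierarchy that VRRP nxn Redundancy mentions, and the VRMAC and timer formulas are those of RFC 2338, which the guide cites but does not spell out. VRID 100 and the priorities 255 and 100 follow the VRRP example above.

```python
"""VRRP master election for one VRID across several devices (illustrative).

Assumptions (not from the guide): the VrEntry class, the function names,
LinkProof 3 with address 100.1.1.12, and the event order in failover_sequence().
"""
from dataclasses import dataclass


@dataclass
class VrEntry:
    device: str
    vrid: int
    priority: int                # 1-255; 255 marks the owner of the VR's IP address
    primary_ip: str
    preempt: bool = True         # Preemption Mode
    adver_interval: float = 1.0  # Advertisement Interval, seconds


def vrmac(vrid):
    """VRMAC derived from the VRID, so no MAC update is needed on fail-over
    (RFC 2338: 00-00-5E-00-01-{VRID}).  Zero is rejected, as in the notes."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255; zero cannot be configured")
    return f"00:00:5e:00:01:{vrid:02x}"


def master_down_interval(adver_interval, priority):
    """Seconds a backup waits without advertisements before assuming the master
    is gone (RFC 2338: 3 * Advertisement_Interval + Skew_Time, with
    Skew_Time = (256 - Priority) / 256, so lower priorities wait longer)."""
    return 3 * adver_interval + (256 - priority) / 256


def elect(entries, alive, current_master=None):
    """Device that holds the VR after an event.

    entries: the copies of one VRID configured on several devices.
    alive: devices whose advertisements are heard (or that are up).
    current_master: holder of the VR before the event, if any.
    A returning higher-priority device takes the VR back only if its
    Preemption Mode is True or it owns the address (priority 255).
    """
    if len({e.vrid for e in entries}) != 1:
        raise ValueError("elect() works on the copies of a single VRID")
    candidates = [e for e in entries if e.device in alive]
    if not candidates:
        return None
    if current_master in alive:
        current = next(e for e in candidates if e.device == current_master)
        best = max(candidates, key=lambda e: e.priority)
        if best.priority > current.priority and (best.preempt or best.priority == 255):
            return best.device
        return current_master
    return max(candidates, key=lambda e: e.priority).device


def failover_sequence():
    """VRID 100 on three devices in a priority hierarchy; returns the holder
    of the VR after each constructed event."""
    vr = [
        VrEntry("LinkProof 1", 100, 255, "100.1.1.10"),
        VrEntry("LinkProof 2", 100, 100, "100.1.1.11", preempt=False),
        VrEntry("LinkProof 3", 100, 50, "100.1.1.12"),   # constructed third device
    ]
    events = [
        ("all up", {"LinkProof 1", "LinkProof 2", "LinkProof 3"}),
        ("LinkProof 1 fails", {"LinkProof 2", "LinkProof 3"}),
        ("LinkProof 2 fails", {"LinkProof 3"}),
        ("LinkProof 2 returns (Preemption Mode False)", {"LinkProof 2", "LinkProof 3"}),
        ("LinkProof 1 returns (address owner)", {"LinkProof 1", "LinkProof 2", "LinkProof 3"}),
    ]
    master, history = None, []
    for label, alive in events:
        master = elect(vr, alive, master)
        history.append((label, master))
    return history


if __name__ == "__main__":
    for label, master in failover_sequence():
        print(f"{label}: {master} ({vrmac(100)})")
```

The sequence shows the two rules that matter operationally: a device configured with Preemption Mode False does not reclaim the VR when it returns, but the address owner (priority 255) always does, regardless of the flag, exactly as the parameter note states.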
For example, having a cross cable between the switches as well as between LinkProof devices, or connecting each LinkProof to 2 cross-connected switches where the 2 connections are on the same Switched IP VLAN on LinkProof, must be avoided. Routers Switch IP VLAN 1 on LinkProof-L Switch IP VLAN 1 on LinkProof-R Switch IP VLAN 2 on LinkProof-L Switch IP VLAN 2 on LinkProof-R Figure 27 - Direct Server Connection with VRRP and Routing Configuration Notes for Direct Server Connection with Routing: • • • • • This configuration is supported with VRRP and Switched IP VLAN only. Firewalls are connected directly to the interfaces of LinkProof. Cross cables are required in order to connect the two LinkProof devices together (using Giga, or Fast Ethernet ports). The interfaces to which the firewalls are connected to and the interface used for connecting the two LinkProof devices are associated to a Switched IP VLAN. This puts all the firewalls on a single switch. An IP address (from the blue subnet) should be associated with the Switched IP VLAN in each device. LinkProof configuration remains as usual as well as LinkProof redundancy configuration. The default gateway of firewalls and routers is the IP address of the respective Switched IP VLAN of the active LinkProof. Note: • 220 When using dual NIC, where the active NIC is determined by ping to the default gateway, set a virtual DNS with IP 10.1.1.20 on LinkProof. This IP should be the default gateway of the servers. In the Associated IP Addresses Table window configure the following entries: Interface=100002, VRID=10, Associated IP=10.1.1.20. LinkProof is using routing between the blue subnet (of the firewalls) and the orange (routers) subnet. This is essential in order to avoid loops in the network. Doc. 
No.: 8261 LinkProof User Guide • When adding or removing ports to a Switch IP VLAN that is already associated to a VRID, you must set the VRID Admin Status to Down, make the change and then set the VRID Admin Status to Up again. Interface Grouping Used with Direct Connection To support redundant configuration with direct server connectivity, the interface grouping operation is modified. Interface grouping is always part of the LinkProof redundancy mechanism. Enabling interface grouping on the Main device ensures that if one of the interfaces of the device fails, the device closes all its other interfaces and becomes invisible to the network. Using switched VLAN, the grouping takes place only when all interfaces that were configured in a switched VLAN are down. Interface grouping is released when the all interfaces in a switched VLAN are up. Using Switched VLAN as part of a Regular VLAN, grouping takes place only when all interfaces in a Switched VLAN are down, or when any other port in the Regular VLAN is down. Interface grouping is released when all interfaces in a switched VLAN are up and when all other ports in the Regular VLAN are up. Example: Redundant LinkProof Configuration with VRRP and Direct Connection The example in Redundant LinkProof Configuration with VRRP and Direct Connection, page 221 illustrates the scheme for a redundant LinkProof configuration with VRRP and direct connection. VRRP with Switched IP VLAN allows direct connection of servers to LinkProof. Router 1 Router 2 30.1.1.1 30.1.1. Switched IP VLAN 100.1.1.10 100.1.1.2 Port 1 Port 5 Switched IP VLAN 100.1.1.11 200.1.1.2 Regular 100.1.1.100 Backup 200.1.1.100 Port 1 Port 5 Port 2 Port 2 Port 4 Port 3 Switched IP VLAN 10.1.1.1 Dual NIC Firewall 1 10.1.1.1 Figure 28 - Port 4 Switched IP VLAN 10.1.1.1 Firewall 2 10.1.1.2 Redundant LinkProof Configuration with VRRP and Direct Connection Properties: • Firewalls are directly connected to LinkProof, possibly with dual NIC. Doc. 
No.: 8261 221 LinkProof User Guide • • • • • Each router is connected directly to a different LinkProof and they are inter-connected as well (subnet 30.1.1.x). Route towards the other router should be configured on each router. Network side and server side are on different subnets. The virtual IP addresses served by the LinkProofs is 100.1.1.100 and 200.1.1.100 usually handled by LinkProof 1. Firewalls 10.1.1.1 and 10.1.1.2 are assigned to the farm managed by LinkProof 1. Redundancy is performed using the VRRP protocol. To configure Active LinkProof (LinkProof 1): 1. Define LinkProof 1: From the main window, double-click the LinkProof icon. The LinkProof Connect to Device window appears. Type the device‘s IP address: 100.1.1.10 and click Ok. 2. Define VLANs on LinkProof 1: a. b. From the main window, double-click the LinkProof icon, the LinkProof Setup window appears. From the LinkProof Setup window, click Networking > VLAN. The LinkProof Virtual VLAN window appears. c. From the LinkProof Virtual VLAN window, select the IP VLAN Interface 100002 and assign ports 2 and 4. d. From the Type drop-down list, select Switch, ensure the Protocol is set to IP. Click Ok. e. Repeat steps c and d and assign ports 1 and 5 to VLAN 100003. f. From the LinkProof Setup window, click Add. The Edit LinkProof Interface dialog box appears. g. From the Edit LinkProof Interface dialog box, set the following parameters according to the explanations provided: IF Num: 100002 IP Address: 10.1.1.10 Network Mask: 255.255.255.0 IF Num: 100003 IP Address: 100.1.1.10 Network Mask: 255.255.255.0 IF Num: 100003 IP Address: 200.1.1.10 Network Mask: 255.255.255.0 h. Click Ok. 3. Add 2 routers to the map: a. 222 From the LinkProof toolbar, click Add and from the drop-down menu add a Router. The Router window appears. Doc. No.: 8261 LinkProof User Guide b. 
From the Router window, set the following parameters according to the explanations provided: For the first server, set: Server Name: Router 1 IP Address: 100.1.1.20 c. Add the second server, by setting the following parameters according to the explanations provided Server Name: Router 2 IP Address: 200.1.1.20 d. 4. Click Ok. Add 2 firewalls to the map: a. From the LinkProof toolbar, click Add and from the drop-down menu add a Firewall. In the Firewall window, set the following parameters according to the explanations provided for each server; For the first server, set: Server Name: Firewall 1 IP Address: 10.1.1.1 b. Add the second server, by setting the following parameters according to the explanations provided Server Name: Firewall 2 IP Address: 10.1.1.2 c. 5. Click Ok. Add 2 farms to LinkProof: FM1: Firewall Farm to load balance inbound traffic via the firewalls. FM2: Router Farm to load balance outbound and inbound traffic via the routers. a. b. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears. From the LinkProof Traffic Redirection window, click the Farms tab. The Farms pane appears. c. From the Farms pane, click Add. The Edit LinkProof Farms window appears. d. From the Edit LinkProof Farms window, for Farm Type select Firewall and define the farm name, for example: Internal Firewall. e. From the Edit LinkProof Farms window, click the Traffic Settings tab and set the parameters as required: f. Add the farm servers. From the Farm Servers tab, click Add. The LinkProof Farm Firewall Server window appears. g. From the LinkProof Farm Firewall Server window, select servers as specified in step “i” below. h. From the LinkProof Farm Firewall Server window, click Traffic Settings and set the parameters as required. Doc. No.: 8261 223 LinkProof User Guide i. Repeat this procedure for all farms. 
      For each farm, define servers and load balancing parameters according to the explanations provided:
      Farm Name:       Firewall Farm   Router Farm
      Server Name:     Firewall 1      Router 1
      Server Address:  10.1.1.1        100.1.1.20
      Server Name:     Firewall 2      Router 2
      Server Address:  10.1.1.2        200.1.1.20
   j. Click Ok. Your preferences are recorded.

6. Define the Redundancy for LinkProof 1:
   a. Double-click the LinkProof icon. The LinkProof Setup window appears.
   b. From the LinkProof Setup window, select Redundancies. The LinkProof Redundancies window appears.
   c. From the LinkProof Redundancies window, click Advanced Redundancy. The Advanced Redundancy window appears.
   d. From the Advanced Redundancy window, check the Interface Grouping checkbox and click Ok.

7. From the Relation Type drop-down list, select VRRP.

8. From the LinkProof Redundancies window, click Add. The Edit VRRP Table dialog box appears.

9. From the Edit VRRP Table dialog box, set the following parameters for LinkProof 1 according to the explanations provided:
   Interface: 100003   VRID: 100   Enable Virtual Router: Selected   Priority: 255   Primary IP: 100.1.1.10
   Interface: 100003   VRID: 100   Enable Virtual Router: Selected   Priority: 255   Primary IP: 200.1.1.10
   Interface: 100002   VRID: 10    Enable Virtual Router: Selected   Priority: 255   Primary IP: 10.1.1.10

10. From the LinkProof Redundancies window, click Associated IP. The Associated IP Address window appears.

11. From the Associated IP Address window, set the following parameters according to the explanations provided:
   Interface: 100003   VRID: 100   Associated IP: 100.1.1.100 (VIP Address)
   Interface: 100003   VRID: 100   Associated IP: 200.1.1.100 (VIP Address)
   Interface: 100003   VRID: 100   Associated IP: 100.1.1.10 (LinkProof IP Address)
   Interface: 100003   VRID: 100   Associated IP: 200.1.1.10 (LinkProof IP Address)
   Interface: 100002   VRID: 10    Associated IP: 10.1.1.10 (LinkProof IP Address)

12. Click OK.

Note:
When using dual NIC, where the active NIC is determined by ping to the default gateway, set a virtual DNS with IP 10.1.1.20 on LinkProof. This IP should be the default gateway of the firewalls. In the Associated IP Addresses Table window, configure the following entry: Interface=100002, VRID=10, Associated IP=10.1.1.20.

To configure the Backup LinkProof (LinkProof 2):

1. Define LinkProof 2: From the main window, double-click the LinkProof icon. The LinkProof Connect to Device window appears. Type the device's IP address, 100.1.1.11, and click Ok.

2. Define VLANs on LinkProof 2:
   a. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
   b. From the LinkProof Setup window, click Networking > VLAN. The LinkProof Virtual VLAN window appears.
   c. From the LinkProof Virtual VLAN window, select the IP VLAN Interface 100002 and assign ports 3 and 4.
   d. From the Type drop-down list, select Switch, and ensure the Protocol is set to IP. Click Ok.
   e. Repeat steps c and d and assign ports 1 and 5 to VLAN 100003.
   f. From the LinkProof Setup window, click Add. The Edit LinkProof Interface dialog box appears.
   g. From the Edit LinkProof Interface dialog box, set the following parameters according to the explanations provided:
      IF Num: 100002   IP Address: 10.1.1.11    Network Mask: 255.255.255.0
      IF Num: 100003   IP Address: 100.1.1.11   Network Mask: 255.255.255.0
      IF Num: 100003   IP Address: 200.1.1.11   Network Mask: 255.255.255.0
   h. Click Ok.

3. Add 2 farms to LinkProof:
   FM1: Firewall Farm, to load balance inbound traffic via the firewalls.
   FM2: Router Farm, to load balance outbound and inbound traffic via the routers.
   a. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
   b. From the LinkProof Traffic Redirection window, click the Farms tab. The Farms pane appears.
   c. From the Farms pane, click Add. The Edit LinkProof Farms window appears.
   d. From the Edit LinkProof Farms window, for Farm Type select Firewall and define the farm name, for example: Internal Firewall.
   e. From the Edit LinkProof Farms window, click the Traffic Settings tab and set the parameters as required.
   f. Add the farm servers. From the Farm Servers tab, click Add. The LinkProof Farm Firewall Server window appears.
   g. From the LinkProof Farm Firewall Server window, select servers as specified in step i below.
   h. From the LinkProof Farm Firewall Server window, click Traffic Settings and set the parameters as required.
   i. Repeat this procedure for all farms. For each farm, define servers and load balancing parameters according to the explanations provided:
      Farm Name:       Firewall Farm   Router Farm
      Server Name:     Firewall 1      Router 1
      Server Address:  10.1.1.1        100.1.1.20
      Server Name:     Firewall 2      Router 2
      Server Address:  10.1.1.2        200.1.1.20
   j. Click Ok. Your preferences are recorded.

Note: The default router of the firewalls 10.1.1.1 and 10.1.1.2 is the 10.1.1.10 address of LinkProof 1, or, when using dual NIC, the default gateway of the firewalls is the Virtual DNS address 10.1.1.20.

4. Define the redundancy for LinkProof 2:
   a. Double-click the LinkProof icon. The LinkProof Setup window appears.
   b. From the LinkProof Setup window, click Redundancies. The LinkProof Redundancies window appears.
   c. From the LinkProof Redundancies window, from the Mode drop-down list, select VRRP.
   d. Click Add. The Edit VRRP Table dialog box appears.
   e. From the Edit VRRP Table dialog box, set the following parameters for LinkProof 2 according to the explanations provided:
      Interface: 100003   VRID: 100   Enable Virtual Router: Selected   Priority: 100   Primary IP: 100.1.1.11
      Interface: 100003   VRID: 100   Enable Virtual Router: Selected   Priority: 100   Primary IP: 200.1.1.11
      Interface: 100002   VRID: 10    Enable Virtual Router: Selected   Priority: 100   Primary IP: 10.1.1.11
   f. Click Ok.
5. From the LinkProof Redundancies window, click Associated IP. The Associated IP Address window appears.

6. From the Associated IP Address window, set the following parameters according to the explanations provided:
   Interface: 100003   VRID: 100   Associated IP: 100.1.1.100 (VIP Address)
   Interface: 100003   VRID: 100   Associated IP: 200.1.1.100 (VIP Address)
   Interface: 100003   VRID: 100   Associated IP: 100.1.1.10 (Main LinkProof IP Address)
   Interface: 100003   VRID: 100   Associated IP: 200.1.1.10 (Main LinkProof IP Address)
   Interface: 100002   VRID: 10    Associated IP: 10.1.1.10 (Main LinkProof IP Address)

7. Click Ok.

8. When using firewalls with dual NIC, where the active NIC is determined using ping to the default gateway, configure a virtual DNS with IP address 10.1.1.20, with Redundancy Mode on the Backup. In the Associated IP Addresses Table window, click Insert and set the following parameters according to the explanations provided:
   Interface: 100002   VRID: 10   Associated IP: 10.1.1.120

Chapter 7 - Security

This chapter provides a general overview of the SynApps Security modules and the sub-modules within, as well as an explanation of the signatures database and the Radware Security Update Service (SUS). Also provided in this chapter is an explanation of the tuning process.

This chapter includes the following sections:
• Security Overview, page 231
• Intrusions, page 241
• DoS/DDoS, page 258
• SYN Flood Protection, page 275
• Protocol Anomalies, page 283
• Anti-Scanning, page 293
• Managing Signatures Database, page 299
• Security Tuning, page 305
• Security Events, page 310
• Security Reports, page 314

Security Overview

This section provides an introduction to the LinkProof Security modules, their configuration, security policies and connectivity.
This section includes the following topics:
• Security Introduction, page 231
• Security Modules, page 232
• Configuring Security Modules, page 234
• Configuring Security Policies, page 235
• Enabling Protection and Setting up General Security Parameters, page 235
• Defining Connectivity, page 239

Security Introduction

Radware's LinkProof isolates, detects and blocks application attacks at multi-Gigabit speed, protecting against viruses, worms, DoS and intrusions, anomalies and scanning for immediate high capacity application security. LinkProof provides secure Internet connectivity with high performance, maintaining the legitimate traffic of end users and customers. LinkProof performs deep packet inspection at multi-gigabit speed to provide security from the network layer up to the application layer.

LinkProof provides a multi-layer security approach that combines several mechanisms for attack detection with advanced mitigation tools such as:
• Intrusions
• DoS
• Anomalies
• SYN Flood
• Anti-Scanning

Detecting

The Security module performs detection of known and unknown attacks. Known attacks are detected by searching for attack signatures within the scanned packets. The Security module for intrusions uses a constantly updated signatures database for up-to-date attack detection. Known attack detection is applied by defining Protection Policies. A Protection Policy binds together network addresses and physical ports with a profile of attack protection.

Unknown attacks are detected using protocol anomaly inspection. The Security module detects IP protocol anomalies and URI protocol anomalies using the Anomaly module/tool. IP protocol anomalies stand for IP packet fragmentation. URI protocol anomalies may be URI fragmentation or buffer overflow.

Protecting

The Security module protects network and application level resources against attacks destined for the internal IP addresses of the network elements or attacks destined for the device itself.
Protection is provided for applications, operating systems, network equipment and resources behind the device.

Preventing

The Security module enables real-time prevention of attacks within the defined network. Attack attempts are blocked by terminating the sessions as they are recognized, either by dropping the malicious packets or by resetting the connection. Both source and destination reset options are supported.

The Security module also protects against network port scanning using the Anti-Scanning module/tool. Hackers perform scanning prior to launching an attack, looking for open TCP or UDP ports on the target machine. Blocking the scanning prevents attacks from being launched.

Reporting

When the Security module detects an attack, the module reports the security event. An event consists of complete traffic information, including source and destination IP addresses, TCP/UDP port numbers, physical interface, date and time of the attack and so on. Event information is registered internally via the device log file and alerts table, or externally via the Syslog channel, SNMP traps or e-mails. With APSolute Insite you can produce advanced statistical reports such as top attacks, total attack traffic, attacks per IP address, and more.

Radware Security Update Service on the Web

Radware's Security Update Service delivers immediate and ongoing security filter updates, protecting against the latest security exploits including viruses, worms and malicious attack signatures, to safeguard your applications, network and users. Radware Security Update Service is available on a one-year or multi-year subscription basis for all LinkProof and SynApps Security customers.
Note: Refer to the "Radware Security Zone", available from the Radware web site, for up-to-date security information at http://www.radware.com/content/support/securityzone/serviceinfo/default.asp

Security Modules

LinkProof Security is comprised of the following modules:
• Intrusions
• DoS/DDoS
• SYN Floods
• Anomalies
• Anti-Scanning

Intrusions

Intrusion prevention is a security technology that attempts to identify intrusions against computer systems and prevent their damage by blocking attacks. Application level attacks are aimed against mission critical applications. These attacks threaten application integrity and bring networks and applications down. Most attacks are over port 80, and therefore cannot be blocked by access control devices.

The LinkProof Intrusions module provides protection against application specific attacks, which are targeted to damage various network resources and disable the attacked system. These attacks include the following categories:
• Web Server attacks that are intended to damage or exploit Web servers.
• E-mail attacks - sending worms via e-mail.
• Attacks on services, such as FTP, RPC and so on.

DoS/DDoS

When hackers send mass volumes of traffic, they overload networks or servers, thus causing denied access for real users. This is known as a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack. DoS Shield samples traffic flowing through the device and limits the bandwidth of traffic that is recognized as a DoS attack using a predefined action. Denial of Service (DoS) attacks are intended to compromise the availability of a computing resource. Usually DoS attacks include ICMP floods, UDP floods and TCP-SYN floods that consume network bandwidth and prevent normal transport of the legitimate traffic.
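The DoS Shield sampling mechanism this section describes (1-in-N sampling against Dormant signatures, a threshold comparison every sampling interval, and promotion to Currently Active, after which every packet is matched), simulated as an added example that is not Radware's code; the sampling rate and sampling time stand in for the Packet Sampling Rate and Sampling Time parameters of the DoS Shield Parameters section, and the signature pattern, threshold and packet stream are constructed.

```python
"""Added illustration (not Radware's code) of the DoS Shield sampling mechanism:
1 in N packets is compared with the Dormant attack signatures, counters are
compared with each attack's activation threshold every sampling interval, and an
attack whose threshold is met becomes Currently Active, after which every packet
is matched against it and matches are dropped (or forwarded, per the action).
Signature pattern, threshold and the packet stream below are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass
class DosSignature:
    name: str
    pattern: bytes          # constructed "unique bit pattern" of a known flood tool
    threshold: int          # activation threshold: sampled matches per sampling time
    state: str = "Dormant"  # "Dormant" or "Currently Active"
    counter: int = 0        # sampled matches seen in the current sampling interval


@dataclass
class DosShield:
    signatures: List[DosSignature]
    sampling_rate: int = 100     # Packet Sampling Rate: 1 out of N packets is sampled
    sampling_time: float = 5.0   # Sampling Time: seconds between threshold comparisons
    action: str = "Drop"         # action for Currently Active matches: Drop or Forward
    seen: int = 0                # packets seen so far (drives the 1-in-N sampling)
    last_check: float = 0.0      # time of the last threshold comparison
    dropped: int = 0
    forwarded: int = 0

    def compare_thresholds(self) -> None:
        """Promote Dormant attacks whose counter met the threshold; reset counters."""
        for sig in self.signatures:
            if sig.state == "Dormant" and sig.counter >= sig.threshold:
                sig.state = "Currently Active"
            sig.counter = 0

    def process(self, ts: float, payload: bytes) -> str:
        """Handle one packet arriving at time ts; returns 'drop' or 'forward'."""
        if ts - self.last_check >= self.sampling_time:
            self.compare_thresholds()
            self.last_check = ts
        # Currently Active attacks: each and every packet is matched.
        for sig in self.signatures:
            if sig.state == "Currently Active" and sig.pattern in payload:
                if self.action == "Drop":
                    self.dropped += 1
                    return "drop"
                break
        # Dormant attacks: only every Nth packet is compared with the signatures.
        self.seen += 1
        if (self.seen - 1) % self.sampling_rate == 0:
            for sig in self.signatures:
                if sig.state == "Dormant" and sig.pattern in payload:
                    sig.counter += 1
        self.forwarded += 1
        return "forward"


def run_scenario() -> dict:
    """Constructed stream: flood-tool packets interleaved 1:1 with legitimate HTTP."""
    sig = DosSignature("constructed-flood-tool", b"FLOODTOOL", threshold=3)
    shield = DosShield([sig], sampling_rate=10, sampling_time=1.0)

    def packet(i: int) -> bytes:
        return b"FLOODTOOL" + bytes(8) if i % 2 == 0 else b"GET / HTTP/1.0\r\n"

    # Interval 1 (t in [0, 1)): the attack is still Dormant, so only sampled
    # packets are compared and nothing is dropped yet.
    first = [shield.process(i / 100.0, packet(i)) for i in range(100)]
    result = {
        "state_after_interval_1": sig.state,
        "sampled_matches_interval_1": sig.counter,
        "dropped_interval_1": first.count("drop"),
    }
    # Interval 2 (t >= 1.0): the first packet triggers the threshold comparison,
    # the attack becomes Currently Active and every matching packet is dropped.
    second = [shield.process(1.0 + i / 100.0, packet(i)) for i in range(100)]
    result.update({
        "state_after_interval_2": sig.state,
        "dropped_interval_2": second.count("drop"),
        "forwarded_interval_2": second.count("forward"),
        "total_dropped": shield.dropped,
        "total_forwarded": shield.forwarded,
    })
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Shortening the sampling time makes the device react sooner but, as the Sampling Time note warns, lets ordinary bursts meet a threshold; try a threshold of 20 with the same stream to see the attack stay Dormant.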
DoS Shield describes the process of protection against Denial of Service attacks provided by the LinkProof DoS Shield module. This module provides protection against flooding of UDP, TCP and ICMP. Radware's security scheme, implemented by the DoS Shield module which is part of the SynApps architecture, provides organizations with extensive Denial of Service (DoS) detection and protection capabilities while maintaining high network throughput.

The LinkProof DoS protection module provides real time DoS protection through the use of an advanced sampling mechanism. This mechanism compares sampled traffic with a list of attack signatures (attacks in Dormant state), which are part of the LinkProof attack database. The attack signatures look for known flood tools by recognizing unique bit patterns within the sampled traffic. Once the activation threshold of an attack in the Dormant state is met, its status changes to Currently Active, which means that each and every packet is matched with the signature file of this Currently Active attack. If a match is found, the packet is dropped. In case there is no match, the packet is forwarded to the network. This unique mechanism facilitates DoS and DDoS protection for high capacity networks.

SYN Floods

A SYN flood attack is a denial of service attack where the attacker sends a huge amount of please-start-a-connection packets and then no follow-up packets. LinkProof provides protection against any type of SYN flood attack, irrespective of the tools that are used to launch the attack. This protection service utilizes a mechanism called SYN Cookies that performs delayed binding (terminates TCP sessions) and inserts a certain signature into the TCP sequence field.

SYN Flood Protection is a service intended to protect the hosts located behind the device, and the device itself, from SYN flood attacks by performing delayed binding.
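Delayed binding with SYN cookies, as an added example that is not Radware's code: a simplified cookie (an 8-bit time counter plus a 24-bit HMAC signature carried in the SYN-ACK sequence number) stands in for LinkProof's actual encoding, and the secret, client addresses and times are constructed; the VIP 100.1.1.100 is taken from the configuration example earlier.

```python
"""Added illustration (not Radware's code) of delayed binding with SYN cookies:
the device answers every SYN with a SYN-ACK whose sequence number carries a
signature, keeps no state, and binds a client to the server only when the
returning ACK carries a valid signature. The cookie layout (8-bit time counter +
24-bit HMAC) is a simplified generic construction, not LinkProof's encoding."""
import hashlib
import hmac


class SynCookieGuard:
    def __init__(self, secret: bytes, max_age_ticks: int = 2):
        self.secret = secret
        self.max_age_ticks = max_age_ticks  # cookies stay valid for this many 64 s ticks
        self.bound = []                     # handshakes completed and handed to the server

    @staticmethod
    def tick(now: float) -> int:
        """Coarse time counter; its low 8 bits are embedded in the cookie."""
        return int(now) // 64

    def signature(self, src, sport, dst, dport, tick: int) -> bytes:
        """24-bit keyed signature over the 4-tuple and the time counter."""
        msg = f"{src}:{sport}>{dst}:{dport}|{tick}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]

    def cookie(self, src, sport, dst, dport, now: float) -> int:
        t = self.tick(now)
        sig = int.from_bytes(self.signature(src, sport, dst, dport, t), "big")
        return ((t & 0xFF) << 24) | sig

    def on_syn(self, src, sport, dst, dport, now: float) -> dict:
        """Reply to a SYN with a SYN-ACK; the ISN is the cookie. No state is stored."""
        return {"flags": "SYN-ACK", "seq": self.cookie(src, sport, dst, dport, now)}

    def on_ack(self, src, sport, dst, dport, ack: int, now: float) -> bool:
        """Validate the ACK that completes the handshake. Only a valid signature
        (for the current or a recent tick) results in binding to the server."""
        cookie = (ack - 1) & 0xFFFFFFFF
        stamp, sig = cookie >> 24, (cookie & 0xFFFFFF).to_bytes(3, "big")
        current = self.tick(now)
        for t in range(current, current - self.max_age_ticks - 1, -1):
            if (t & 0xFF) != stamp:
                continue
            if hmac.compare_digest(sig, self.signature(src, sport, dst, dport, t)):
                self.bound.append((src, sport, dst, dport))
                return True
        return False


def run_scenario() -> dict:
    guard = SynCookieGuard(secret=b"constructed-device-secret")
    vip, now = "100.1.1.100", 1_000_000.0   # VIP from the configuration example above

    # 1. Many SYNs from constructed spoofed sources that never send follow-up
    #    packets: each gets a SYN-ACK, but no half-open connection is kept.
    for i in range(2000):
        guard.on_syn(f"203.0.113.{i % 256}", 40000 + i, vip, 80, now)
    bound_after_flood = len(guard.bound)

    # 2. A legitimate client completes the handshake: its ACK equals cookie + 1.
    synack = guard.on_syn("198.51.100.7", 51515, vip, 80, now)
    legit = guard.on_ack("198.51.100.7", 51515, vip, 80, synack["seq"] + 1, now + 1)

    # 3. An ACK that carries no valid signature is not bound to the server.
    forged = guard.on_ack("198.51.100.8", 51516, vip, 80, 0x12345678, now)

    # 4. The legitimate cookie presented from another address, or long after
    #    the time counter moved on, is rejected too.
    replayed = guard.on_ack("198.51.100.9", 51515, vip, 80, synack["seq"] + 1, now + 1)
    stale = guard.on_ack("198.51.100.7", 51515, vip, 80, synack["seq"] + 1, now + 64 * 5)

    return {
        "bound_after_flood": bound_after_flood,
        "legit_bound": legit,
        "forged_bound": forged,
        "replayed_bound": replayed,
        "stale_bound": stale,
        "bound_total": len(guard.bound),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```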
The SYN Flood attack is performed by sending a SYN packet without completing the TCP three-way handshake. Another type of SYN Flood attack is done by completing the TCP three-way handshake, but no data packets are sent afterwards. Radware provides complete protection against both types of SYN Flood attacks.

After the completion of the three-way handshake, LinkProof only processes requests that include the signature that was inserted previously. This mechanism guarantees that only legitimate requests are sent to the servers, while half-open TCP connections, aimed to consume servers' resources, are terminated by the LinkProof and do not flood the servers, nor the LinkProof itself.

The attacks are detected and blocked by means of SYN Flood Protection Policies. Reports regarding the current attacks appear in the Active Triggers table.

Anomalies

To avoid detection, hackers may use evasion techniques, such as splitting packets and sending attacks in fragments. Fragmented packets are suspected of containing an attack. An attack that contains fragmented packets is called a Protocol Anomaly attack. Protocol Anomaly attacks are detected and blocked using the Protocol Anomaly Protection mechanism.

The Anomalies module provides protection using three sub-groups:
• Protocol_Anomalies group
• Fragment Attack protection, including:
  — HTTP Fragmentation protection
  — IP Fragmentation protection
• Buffer Overflow protection

Protection against Protocol Anomaly attacks is achieved by dropping the malicious packets.

Anti-Scanning

Prior to launching an attack, a hacker will normally try to identify which TCP and UDP ports are open. An open port represents a service, application or a backdoor. Ports that were left open unintentionally can create a serious security problem. The Anti-Scanning module provides a mechanism aimed at preventing hackers from gaining this information by blocking and altering server replies sent to the hacker.
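Blocking the replies a scanned server would return to a detected scanner, as an added example that is not Radware's code and does not reproduce the module's actual filters; the detection threshold and window, the addresses and the probe and reply records are constructed, and the firewall address 10.1.1.1 is taken from the configuration example earlier.

```python
"""Added illustration (not Radware's code) of the Anti-Scanning idea: identify
a source that probes many distinct ports within a short window, then block the
traffic returned from the scanned server to that source, so that neither an
open-port answer (SYN-ACK, UDP reply) nor a closed-port answer (RST, ICMP
unreachable) reveals the port state. All thresholds and records are constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

Target = Tuple[str, str, int]   # (dst, proto, dport)


class ScanGuard:
    def __init__(self, port_threshold: int = 10, window: float = 5.0):
        self.port_threshold = port_threshold   # distinct targets that flag a source
        self.window = window                   # sliding window in seconds
        self.history: Dict[str, Deque[Tuple[float, Target]]] = defaultdict(deque)
        self.flagged = set()

    def observe_probe(self, ts: float, src: str, dst: str, proto: str, dport: int) -> bool:
        """Record an inbound TCP SYN or UDP datagram from src; flag the source once
        it has touched port_threshold distinct targets inside the window."""
        q = self.history[src]
        q.append((ts, (dst, proto, dport)))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if len({target for _, target in q}) >= self.port_threshold:
            self.flagged.add(src)
        return src in self.flagged

    def allow_reply(self, server: str, proto: str, kind: str, client: str) -> bool:
        """Filter traffic returned from the scanned server: nothing goes back to a
        flagged source, whatever the reply kind; other clients are unaffected."""
        return client not in self.flagged


def run_sample() -> dict:
    guard = ScanGuard(port_threshold=10, window=5.0)
    scanner, client, server = "203.0.113.5", "198.51.100.7", "10.1.1.1"

    # Constructed probe log: (ts, src, dst, proto, dport). The scanner sweeps
    # twelve ports in about a second; the client opens two normal connections.
    probes = [(0.1 * i, scanner, server, "tcp", p)
              for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    probes += [(0.55, client, server, "tcp", 80),
               (0.95, client, server, "tcp", 443),
               (2.0, scanner, server, "udp", 161)]
    probes.sort()

    flagged_at = {}   # src -> the port being probed when the source was first flagged
    for ts, src, dst, proto, dport in probes:
        if guard.observe_probe(ts, src, dst, proto, dport) and src not in flagged_at:
            flagged_at[src] = dport

    # Constructed replies leaving the server: (server, proto, kind, client).
    replies = [
        (server, "tcp", "SYN-ACK", scanner),   # open-port answer to the scanner
        (server, "tcp", "RST", scanner),       # closed-port answer to the scanner
        (server, "udp", "reply", scanner),     # UDP service answer to the scanner
        (server, "tcp", "SYN-ACK", client),    # the normal client keeps working
    ]
    decisions = [guard.allow_reply(*reply) for reply in replies]
    return {
        "flagged": sorted(guard.flagged),
        "flagged_at": flagged_at,
        "replies_allowed": decisions,
        "blocked_count": decisions.count(False),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```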
The Anti-Scanning module provides protection against network and port scanning, including the following groups:
• Scanning: Provides protection against known scanning tools.
• Scanning-generic protection: Provides protection against scanning tools awaiting the positive reply (SYN-ACK for TCP or a UDP reply). The filters in this group block all traffic returned from the scanned server.

Configuring Security Modules

Creating a new profile allows you to aggregate Attack Groups, Advanced Attacks or Basic Attacks. You can set one or more profiles for each security module and then associate the protection profile with the port/VLAN/network settings from the Connect and Protect Table. Configuring security for LinkProof via APSolute Insite is performed in the Connect and Protect Table.

You deploy security services in the following steps:
• Configure connectivity - This is done by defining either port groups or an IP address range per row in the Connect and Protect Table.
• For each connectivity row, set security services according to the module breakdown.

Configuring Security Policies

The Connect and Protect Table allows you to create a security policy to which you can assign protection profiles. You may add protection profiles to the policy from any or all of the security modules. Every row in the Connect and Protect Table represents a policy.

Note: When creating a security policy you must initially define Port/Net Settings.

To access the Connect and Protect Table: From the LinkProof main application window, select Security. The Connect and Protect Table appears.

Note: The Index number represents the policy number. Clicking on S enables and disables policies. The policies are applied regardless of the policy number, without any ordering by policy number.

Configuring a security policy may be divided into three stages: enabling security, connecting and protecting.

To configure security policies:
1. Enable Security: enable the security modules and define the general security parameters, see Enabling Protection and Setting up General Security Parameters, page 235.

2. Configure connectivity: define either port groups/VLANs or IP address ranges per row in the Connect and Protect Table, see Defining Connectivity, page 239.

3. Define the protection according to the protection module. For each connectivity row you can set security services according to the module breakdown:
   • Set up the Intrusion module parameters
   • Set the DoS/DDoS module parameters
   • Set up the SYN Flood module parameters
   • Set up the Anomaly module parameters
   • Set up the Anti-Scanning module parameters

Enabling Protection and Setting up General Security Parameters

The Radware security solution provides a multi-layer security approach that combines several mechanisms for attack detection with advanced security modules, including: Intrusions, DoS/DDoS, Anomalies, SYN Flood Protection and Anti-Scanning. The security modules are configured in the Connect and Protect Table, and the mechanisms for attack detection are configured in the Security Parameters window. In addition, you can set the general security parameters in that window.

The following general security settings can be performed in the Security Parameters window:
• Application Security
• DoS Shield
• Protocol Anomaly Protection
• Reporting
• Security Tables Tuning

Application Security Parameters

Application Security is a mechanism that delivers advanced attack detection and prevention capabilities. This mechanism is used by several security modules to provide maximum protection for network elements, hosts and applications.

Note: Before using Intrusions, DoS/DDoS, Anomalies, and Anti-Scanning, you must enable the Application Security mechanism and set its parameters.

To set the Application Security Parameters:
1. From the Connect and Protect Table, click Settings, OR from the main window, double-click the device icon and then select Global > Security Settings > Edit Settings. The Security Parameters window appears.

2. From the Application Security Parameters pane, select Start Protection and click Ok. Information boxes appear notifying that the device must be rebooted.

3. Follow the messages displayed in the Information boxes. Once the device is rebooted, the Attacks DB Version text box displays the version number of the Signatures database that is currently used by Application Security and DoS Shield.

4. From the Action text box, set the action that is taken in case an attack is detected:
   Drop: The packet is discarded.
   Forward: The packet is forwarded to the defined destination.
   Reset Source: Sends a TCP-Reset packet to the packet's source IP.
   Reset Destination: Sends a TCP-Reset packet to the destination address.

5. The value that you set in this window appears as the default value when setting a custom attack.

6. Click Apply > Ok. You can start using the following security modules: Intrusions, DoS/DDoS, Anomalies, and Anti-Scanning.

DoS Shield Parameters

The DoS Shield mechanism implements the sampling algorithm, and accommodates traffic flooding targeted to create denial of the network services. This mechanism is included in the DoS/DDoS security module.

Note: Prior to configuring the DoS/DDoS security module, you must enable DoS Shield and set its general parameters.

To enable DoS Shield and set its general parameters:

1. From the Connect and Protect Table, click Settings, OR from the main window, double-click the device icon and then select Global > Security Settings > Edit Settings. The Security Parameters window appears.

2. From the DoS Shield Parameters pane, select Start DoS Shield Protection and click Ok. Information boxes appear notifying that the device must be rebooted.
3. Follow the messages displayed in the Information boxes. Once the device is rebooted, the Attacks DB Version text box displays the version number of the Signatures database that is currently used by Application Security and DoS Shield.

4. From the DoS Shield Parameters pane, set the following parameters according to the explanations provided:
   Panic Mode (checkbox): Enables the Panic mode. In Panic mode you can limit the number of enabled security Attacks, which are activated when the network is under attack. During an unrecognized attack, disabled filters that are defined as Panic become enabled and function as Dormant state filters.
      Note: In reaction to the panic mode activation, only the filters that are configured to function in the Panic mode are activated.
   Action: Defines how DoS Shield treats attacks. When the Drop option is selected, the packet is discarded. When the Forward action is selected, the packet is forwarded to the desired destination. The default value is Drop.
   Packet Sampling Rate: The rate at which packets are sampled and compared to the Dormant Attacks. You can configure a number that indicates per how many packets the sampling is performed. The default is 100, meaning 1 out of 100 packets is checked.
   Sampling Time (seconds): How often DoS Shield compares the predefined thresholds for each Dormant Attack to the current value of the counters of packets matching the attack. The default is 5 seconds.
      Note: If Sampling Time is very short, meaning that there are frequent comparisons of counters to thresholds, regular traffic bursts might trigger attacks. If Sampling Time is too long, it is impossible to detect attacks quickly enough.
   Overload Mechanism: Sets the device behavior when traffic load approaches the device's maximum processing capacity. Possible options are Drop Excess Traffic or Forward Excess Traffic (without examining it). The default value is Drop Excess Traffic.
      Note: Only the excess traffic is affected by the operation of the Overload Mechanism. Using the Overload Mechanism ensures that the device CPU utilization does not exceed 90%.

5. Click Apply > Ok. You can start using the DoS/DDoS security module.

Protocol Anomaly Protection Parameters

The Protocol Anomaly Protection parameters are the general parameters of the Anomalies security module.

Note: Before using Anomalies, you must enable the Application Security mechanism and set its parameters.

To define Protocol Anomaly Protection parameters:

1. From the Connect and Protect Table, click Settings, OR from the main window, double-click the device icon and then select Global > Security Settings > Edit Settings. The Security Parameters window appears.

2. From the Protocol Anomaly Protection Parameters pane, define the following parameters according to the explanations provided:
   Min Fragment Size: The minimum size of a fragmented IP packet permitted. A shorter packet length is treated as an IP protocol anomaly and is dropped. The default value is 512.
   Max URI Length: The maximum URI length permitted. If a URI is longer than the configured value, this URI is considered illegitimate and is dropped. The default value is 500.
   Min Fragmented URI Packet Size: The minimum permitted size of an incomplete URI in an HTTP request. A shorter packet length is treated as a URI protocol anomaly and is dropped. The default value is 50.

3. Click Apply > Ok. The Security Parameters window closes.

Reporting Parameters

You can enable the reporting channels used by Radware devices to deliver information about security events. The following reporting channels are available:
• Traps
• E-mails
• Logging
• Security Terminal Echo
• Security Syslog

To define the reporting channels for security reports:

1. From the Connect and Protect Table, click Settings, OR from the main window, double-click the device icon and then select Global > Security Settings > Edit Settings.
   The Security Parameters window appears.

2. From the Reporting pane, select the reporting channels that you want to use.

3. In the Reporting Interval text box, type the number of seconds that defines how frequently the reports are sent through the reporting channels.

4. In the Max Alerts Per Report text box, type the maximum number of security events that can appear in each report.

5. Click Apply > Ok. Your preferences are recorded.

Defining Connectivity

When creating a security policy, you must initially define connectivity. This is performed by defining either port groups/VLANs or an IP address range for each policy in the Connect & Protect Table. Policies are represented by rows in the Connect & Protect Table. For each connectivity row, you can set security services according to the module breakdown (Intrusions, DoS/DDoS, Anomalies, SYN Flood, Anti-Scanning).

Configuring Port Groups

Port Groups allow you to define which ports are to be scanned. A port group can be defined to include the ports you wish to scan.

To create a new Port Group:

1. From the main window, click the device and click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, double-click in the Port/VLAN column. The Settings pane appears.
3. From the Settings pane, click Add Port Group. The Edit Physical Port Group dialog box appears.
4. From the Edit Physical Port Group dialog box, type a name for the new group and then select the ports to be associated with that group.
5. Click Apply and Ok.

To define previously created Port/Port Groups:

1. From the Connect and Protect Table, double-click in the Port Group column. The Settings pane appears below.
2. From the Settings pane, select the relevant port groups from the drop-down list, e.g. F1, F-2.
3. Click Apply. Your preferences are recorded.

Configuring VLANs

You can define which VLANs to scan.

To define VLANs:
1. From the main window, select the device and click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, double-click in the Port/VLAN column. The Settings pane appears.
3. From the Settings pane, click Add VLAN Tag. The Edit VLAN Tags Group dialog box appears.
4. From the Edit VLAN Tag Groups dialog box, set the following parameters according to the explanations provided:
   Group Name: A user-defined name for the VLAN group.
   Group Mode: The VLAN Mode can be one of the following:
      • Discrete - an individual VLAN tag as defined in the interface parameters of the device.
      • Range - a group of sequential VLAN tag numbers as defined in the interface parameters of the device.
   VLAN Tag: The VLAN tag number.
   VLAN Tag From: The first VLAN tag in the range.
   VLAN Tag To: The last VLAN tag in the range.
5. Click Apply > Ok. The Edit VLAN Tag Groups dialog box closes.

Configuring Networks

You may need to define which network IP address range is to be scanned.

To configure a new network:

1. From the Connect and Protect Table, double-click anywhere in the Networks column. The Settings pane appears.
2. From the Settings pane, click Add New Network. The Edit Network window appears.
3. From the Edit Network window, set the parameters according to the explanations below:
   Network Name: Enter a user-defined name for the network.
   Network Mode: Select the Network Mode, either:
      • IP Mask
      • IP Range
   From Address: Define the From Address of the range.
   To Address: Define the To Address of the range.
4. Click Ok. Your preferences are recorded.

To define a network from the predefined list:

1. From the Connect and Protect Table, double-click anywhere in the Networks column. The Settings pane appears.
2. From the Settings pane, set the following parameters according to the explanations provided:
   From Address: Define the From Address of the range.
   To Address: Define the To Address of the range.
   Check Packets: Determines the profile inspection direction, one way or two way.

Note: Chapters 7 through 9 provide an explanation of the Security modules and how to configure them.

Intrusions

This section explains protection against intrusions into your network, and includes the following topics:
• Introduction to Intrusions, page 241
• Intrusion Prevention Profiles, page 246
• How to use the Intrusion Prevention Module, page 246
• Creating a New User Defined Intrusion Prevention Profile, page 255

Introduction to Intrusions

The Intrusion Prevention module, which is part of the Security modules, provides advanced intrusion detection and prevention capabilities, providing maximum protection for network elements, hosts and applications. The module prevents various intrusion attempts including worms, Trojan horses, buffer overflows and one-packet attacks.

Types of Attacks

Attack recognition is performed by comparing each packet to the set of signatures stored in a comprehensive Attacks Signature Database. The attacks handled by Application Security can be divided into the following types:
• Network-oriented attacks
• Operating System oriented attacks
• Application oriented attacks

Network Oriented Attacks

Network based attacks use network layer packets, such as IP, TCP, UDP or ICMP packets, in order to either learn about or damage a destination host, as follows:
• Malformed packets that can cause a server to crash, such as Ping of Death, or a ping packet in which the source address is the same as the destination address, as in the Land Attack.

Operating System Oriented Attacks

Operating System (OS) oriented attacks are designed to break into the server by exploiting vulnerabilities of the server's operating system. The target of the OS-oriented attack is usually to disable the application server functionality by damaging its flow or one of its resources.
The Application Security module protects against the following OS-oriented attacks:
• Simple server attacks attempt to exploit the known vulnerabilities of a server's operating system. An example of such an exploit is utilizing the vulnerabilities of the default installations of known software applications. Enabling the Web related Protection Policies in the Intrusion Prevention module protects your Web servers from such attacks. For example, the Welchia worm uses TCP port 135 to infect hosts, exploiting vulnerabilities in the Microsoft Remote Procedure Call (RPC) interface, which is an MS Windows vulnerability.
• Advanced attacks attempt to gain access via back doors left open in the system for the administrators' use, or via Trojan horses, which are hidden parts of the code providing access to restricted areas. Intrusion Prevention protects against these attacks by enabling Back door related Protection Policies (for example Back Orifice).
• Buffer Overflow Attacks

Application-Oriented Attacks
Application-oriented attacks are designed to break into application servers. Such attacks can be recognized by searching the packets for known signatures of each application, for example a specific path or a particular command that appears in a packet. Attacks of the application-oriented type attempt to exploit vulnerabilities in the applications. Intrusion Prevention protects against these attacks by enabling Web related Protection Policies, for example:
• SQL Injection Attacks
• Cross Site Scripting Attacks

Attack Groups
The Intrusion Prevention module provides protection against one packet or one session attacks. Table 16 on page 242 shows the attack groups included.

Table 16: Radware Supplied Attack Groups
Top-N: The "Top-N" group contains signatures of attacks that have the highest activity in the wild. This group is updated whenever Radware's SOC finds it necessary.
The signature subset in "Top-N" can be compiled from various services and can later be moved to (or from) an appropriate group.
Worms: The "Worms" group contains signatures of attacks classified as Internet worms. The types of worms in this group include: mass-mailing worms, vulnerability exploiting worms and network-aware worms. Signatures in the "Worms" group stop the propagation of the worms listed in the group.
IIS: The "IIS" group contains signatures of attacks that exploit the vulnerabilities found in the Microsoft IIS Web Service. Signatures in this group protect against HTTP implementation attacks, default Web page attacks, ISAPI extension attacks and SSL attacks.
HTTP-Apache: The "HTTP-Apache" group contains signatures of attacks that exploit the vulnerabilities found in Apache HTTPd and other modules. Signatures in this group protect against HTTP implementation attacks, default servlet attacks and vulnerabilities found in Apache modules.
HTTP-MISC: The "HTTP-MISC" group contains signatures of attacks that exploit vulnerabilities found in miscellaneous Web services. Signatures in this group protect against HTTP implementation attacks, the exploitation of various Web applications and information disclosure attacks.
Web: The "Web" group contains signatures of attacks that perform command injection into Web services. Signatures in this group prevent command injection into Web applications. Command injection allows command execution on the affected host with the privileges of the Web server.
CGI: The "CGI" group contains signatures of attacks that exploit CGI vulnerabilities in Web applications. Signatures in this group prevent the exploitation of vulnerabilities found in CGI scripts that could allow an attacker to compromise the affected host.
XSS: The "XSS" group contains signatures of attacks that perform cross-site scripting in Web applications.
In cross-site scripting, a script is injected into a dynamic HTML page. When viewed by other users, the page is redirected to malicious sites, using the users' local environment credentials without them being aware of it. Signatures in this group prevent cross-site scripting on the affected host that can lead to information theft and Web session hijacking.
SQL_Injection: The "SQL_Injection" group contains signatures of attacks that perform SQL database modifications. Signatures in this group prevent the injection of SQL queries via Web applications. A successful SQL query injection may lead to information disclosure, data modification and data corruption.
ColdFusion: The "ColdFusion" group contains signatures of attacks that exploit vulnerabilities in the ColdFusion Web service. Signatures in this group prevent the exploitation of vulnerabilities found in the ColdFusion Web service, which may compromise the affected host.
FrontPage: The "FrontPage" group contains signatures of attacks that exploit vulnerabilities in the FrontPage Web Service. Signatures in this group prevent the successful exploitation of vulnerabilities found in the FrontPage Web service, which may compromise the affected host.
SMTP_AS: The "SMTP_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous SMTP servers. Signatures in this group prevent the exploitation of vulnerabilities found in SMTP implementations from miscellaneous vendors, and prevent the propagation of Internet worms.
Telnet_AS: The "Telnet_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous Telnet servers. Signatures in this group prevent the exploitation of vulnerabilities found in Telnet implementations from miscellaneous vendors.
FTP_AS: The "FTP_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous FTP servers.
Signatures in this group prevent the exploitation of vulnerabilities found in FTP implementations from miscellaneous vendors.
SQL_AS: The "SQL_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous SQL servers. Signatures in this group prevent the exploitation of vulnerabilities found in SQL implementations from miscellaneous vendors.
NetBIOS: The "NetBIOS" group contains signatures of attacks that exploit vulnerabilities in the NetBIOS service. Signatures in this group prevent the exploitation of vulnerabilities found in NetBIOS implementations.
DNS_AS: The "DNS_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous DNS servers. Signatures in this group prevent the exploitation of vulnerabilities found in DNS implementations from miscellaneous vendors.
POP3_AS: The "POP3_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous POP3 servers. Signatures in this group prevent the exploitation of vulnerabilities found in POP3 implementations from miscellaneous vendors.
IMAP_AS: The "IMAP_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous IMAP servers. Signatures in this group prevent the exploitation of vulnerabilities found in IMAP implementations from miscellaneous vendors.
RPC-Unix: The "RPC-Unix" group contains signatures of attacks that exploit vulnerabilities in the Sun RPC service. Signatures in this group prevent the exploitation of vulnerabilities found in Sun RPC implementations from miscellaneous vendors.
ICMP_AS: The "ICMP_AS" group contains signatures of attacks that exploit vulnerabilities in ICMP services. Signatures in this group prevent the exploitation of vulnerabilities found in ICMP implementations from miscellaneous vendors.
Finger: The "Finger" group contains signatures of attacks that exploit vulnerabilities in the Finger service.
Signatures in this group prevent the exploitation of vulnerabilities found in Finger implementations from miscellaneous vendors, and prevent information gathering attempts.
Buffer_Overflow: The "Buffer_Overflow" group contains signatures of attacks that exploit various services by overflowing the declared buffer. Signatures in this group prevent attempts at buffer overflow exploitation in those services that do not fit the other service groups. Exploitation of vulnerabilities found in those services would compromise the affected host.
SNMP_AS: The "SNMP_AS" group contains signatures of attacks that exploit vulnerabilities or bad configuration in the SNMP service. Signatures in this group prevent access to SNMP services with public community strings, and protect against exploits of vulnerabilities found in SNMP implementations.
Shellcodes: The "Shellcodes" group contains signatures of shellcodes that are used to exploit buffer overflow vulnerabilities. Signatures in this group prevent shellcode execution on various services that are vulnerable to buffer overflow.
Brute-Force: The "Brute-Force" group contains signatures of password brute force attacks on miscellaneous services. Signatures in this group prevent password-guessing (brute force) attacks on miscellaneous services.
DoS: The "DoS" group contains signatures of denial-of-service attacks on miscellaneous services and protocol implementations. Signatures in this group prevent denial-of-service attacks against miscellaneous services and protocols.
Backdoors_Inbound: The "Backdoors_Inbound" group contains signatures of backdoor communication that enters the infected host. Signatures in this group prevent inbound backdoor communication, and prevent the backdoor from being controlled remotely.
Backdoors_Outbound: The "Backdoors_Outbound" group contains signatures of backdoor communication that exits the infected host. Signatures in this group prevent outbound backdoor communication, and prevent the backdoor from being controlled remotely.
Protocol_Anomalies: The "Protocol_Anomalies" group contains signatures of miscellaneous protocol misbehaviors. Signatures in this group prevent the use of miscellaneous protocol anomalies that could indicate a new exploitation of a protocol vulnerability or a denial-of-service attack.
Archive: The "Archive" group contains signatures of miscellaneous outdated attacks. Signatures in this group prevent outdated attacks that are no longer valid nowadays. The group may include various types of attacks and attacks from miscellaneous groups.
Unassigned_Filters: The "Unassigned_Filters" group contains signatures that, for various reasons, did not fit other groups. Signatures in this group are custom signatures designed for specific network environments. Using the signatures from this group in other environments can cause false positives or severely degraded performance.

Note: Groups can change according to the Signature File version.

Intrusion Prevention Profiles
An Intrusion Prevention Profile is a mechanism that scans the traffic of a particular Network and physical port. The traffic classification is performed within the predefined network range with a pre-configured traffic direction. All the packets that pass through this range are examined against the configured Attacks. Intrusion Prevention Profiles are applied to Attack Groups. An Attack Group uses Basic Attacks and Advanced Attacks as building blocks. A Basic Attack represents a signature for blocking a single attack. When one Basic Attack cannot prevent an attack and you need to increase the protection capabilities, you can use an Advanced Attack.
An Advanced Attack consists of two or more Basic Attacks and represents a logical AND between those Basic Attacks. Intrusion Prevention Profiles can use only Attacks that are organized in Attack Groups. An Attack Group represents a logical OR between its Attacks. Radware provides a comprehensive signature database with attack signatures, divided into Attack Groups according to types of protection. For example, all attack signatures designed to harm IIS Web servers are grouped under the IIS Attack Group. An Intrusion Prevention Profile is built over a single Attack Group and defines the network conditions under which the attack is scanned. Each Intrusion Prevention Profile can be assigned to a policy. The policy specifies the Network, Physical Inbound Port parameters and Direction.

How to use the Intrusion Prevention Module
Radware supplies a set of predefined Attack Groups that provide constant protection against all recent attacks, see Table 16 on page 242. You can use these groups to define prevention profiles. Most of the existing intrusions can be prevented using Radware groups. In addition to the Radware defined groups, you can create custom Attack Groups, custom Advanced attacks, and custom Basic attacks. For new users, it is recommended to define Intrusion Prevention profiles using Radware defined attacks only.

To configure Intrusion Prevention using Radware Defined Attack Groups:
1. Enable Intrusion Prevention and define the general parameters, see Application Security Parameters, page 236.
2. Define an Intrusion Prevention Profile and apply it to the Connect and Protect Table, see Creating a New User Defined Intrusion Prevention Profile, page 255.

To configure Intrusion Prevention using User Defined Attack Groups:
1. Enable Intrusion Prevention and define the general parameters, see Application Security Parameters, page 236.
2. Define custom Basic attacks, see Configuring Basic Intrusion Prevention Attacks, page 247.
3. Define custom Advanced attacks, see Configuring Advanced Intrusion Prevention Attacks, page 253.
4. Define custom Attack Groups, see Defining Custom Intrusion Prevention Attack Groups, page 254.
5. Define an Intrusion Prevention Profile and apply it to the Connect and Protect Table, see Creating a New User Defined Intrusion Prevention Profile, page 255.

Configuring Basic Intrusion Prevention Attacks
A Basic Attack (Custom Intrusion Attacks Window, page 247) is the basic building block of the Intrusion Prevention Profile. Each basic attack constitutes protection against a specific attack, meaning that the profile has a specific attack signature and protection parameters. Radware provides you with a set of pre-defined attacks; however, you may also create user defined basic attacks.

Figure 29 - Custom Intrusion Attacks Window

The parameters of each Basic Attack are divided into the following categories:
• Description parameters
• Protocol definition parameters
• OMPC (Bit pattern) definition parameters
• Content definition parameters

Description Parameters
Description parameters (Table 17 on page 247) are the user-defined description of the custom attack.

Table 17: Description Parameters
Attack Name: The name of the attack as you define it.
Description: A description of the attack.

Protocol Parameters
Protocol definition parameters (Table 18 on page 248) define the transmission protocol.

Table 18: Protocol Parameters
Protocol: The protocol used, which is either IP, UDP, TCP or ICMP. Default: IP.
Destination Port Range: From: The first port in the range of destination ports, for UDP and TCP traffic only. The values can be: 0 - 65535. Note: The defined value must be lower than the Destination Port Range: To value. Default value: 0.
Destination Port Range: To: The last port in the range of destination ports, for UDP and TCP traffic only. The values can be: 0 - 65535. Note: The defined value must be greater than the Destination Port Range: From value. Default value: 0.
Source Port Range: From: The first port in the range of source ports, for UDP and TCP traffic only. The values can be: 0 - 65535. Note: The defined value must be lower than the Source Port Range: To value. Default value: 0.
Source Port Range: To: The last port in the range of source ports, for UDP and TCP traffic only. The values can be: 0 - 65535. Note: The defined value must be greater than the Source Port Range: From value. Default value: 0.

OMPC (Bit pattern) Parameters
Offset Mask Pattern Condition (OMPC) is a set of Attack parameters that define a rule for pattern lookups. The OMPC rule looks for a fixed size pattern of up to four bytes, using fixed offset masking. This is useful only for attack recognition where the attack signature is a TCP/IP header field or a pattern in the data/payload at a fixed offset. The OMPC parameters are presented in Table 19 on page 248.

Table 19: OMPC Parameters
OMPC Length: The length of the OMPC (Offset Mask Pattern Condition) data can be N/A, oneByte, twoBytes, threeBytes or fourBytes. Default: N/A.
OMPC Pattern: The fixed size pattern within the packet that the OMPC rule attempts to find. Possible values: a combination of hexadecimal digits (0-9, a-f). The value must be defined according to the OMPC Length parameter. Note: The OMPC Pattern parameter definition must contain 8 symbols. If the OMPC Length value is lower than fourBytes, you need to complete it with zeros. For example, if OMPC Length is twoBytes, OMPC Pattern can be: abcd0000. Default value: 00000000.
Offset: The location in the packet from which the checking of data is started in order to find specific bits in the IP/TCP header. The value can be: 0 - 1513. Default value: 0.
OMPC Condition: The OMPC condition can be either N/A, equal, notEqual, greaterThan or lessThan. Default: N/A.
OMPC Mask: The mask for the OMPC data. Possible values: a combination of hexadecimal digits (0-9, a-f). The value must be defined according to the OMPC Length parameter. Note: The OMPC Mask parameter definition must contain 8 symbols. If the OMPC Length value is lower than fourBytes, you need to complete it with zeros. For example, if OMPC Length is twoBytes, OMPC Mask can be: abcd0000. Default value: 00000000.
OMPC Offset Relative to: Indicates the reference point to which the selected offset is relative. When the IP/UDP/ICMP protocols are selected, you can set the following values: None, IP Header, IP Data. When the TCP protocol is selected, you can set the following values: None, IP Header, IP Data, TCP Data. Default value: None.

Content Parameters
Content parameters, described in Table 20 on page 250, define the rule for a text/content string lookup. This rule is intended for attack recognition where the attack signature is a text/content string within the packet payload.

Table 20: Content Parameters
Content Type: Enables the user to search for a specific content type, which can be one of the following:
• URL: In the HTTP Request URI
• Host Name: In the HTTP Header
• Text: Anywhere in the packet
• HTTP Header Field: In the HTTP Header
• Mail Domain: In the SMTP Header
• Mail To: In the SMTP Header
• Mail From: In the SMTP Header
• Mail Subject: In the SMTP Header
• Regular Expression: Anywhere in the packet
• Header Type: HTTP Header field. The "Content" field includes the header field name, and the "Content Data" field includes the field value
• File Type: The type of the requested file in the HTTP GET command (jpg, exe and so on)
• Cookie Data: HTTP cookie field. The "Content" field includes the cookie name, and the "Content Data" field includes the cookie value
Default: N/A.
Content Data: Refers to the search for the content within the packet, which can be either:
• N/A: Not available
• URL: HTTP GET packets will be scanned for their URL data.
• Text: For text in all packets.
Content Offset: The location in the packet from which the checking of content is started. The value can be: 0 - 1513. Default value: 0.
Content Encoding: Application Security can search for content in languages other than English, for case sensitive or case insensitive text, as well as hexadecimal strings. Values for this parameter include:
• None
• Case Insensitive
• Case Sensitive
• HEX
• International
Note: The value of this field corresponds to the Content Type parameter. Default: None.
Content: Contains the actual value of the content search. Possible values are the printable ASCII characters: <space> ! " # $ % & ' ( ) * + , - . / 0-9 : ; < = > ? @ A-Z [ \ ] ^ _ ` a-z { | } ~
Content Language: Contains the language (character set) in which the content is written. Default language: English.
Content Max Length: The maximum length to be searched within the selected Content Type. The value can be: 0 - 1513. Note: The Content Max Length value must be equal to or greater than the Offset value. Default value: 0.
Content Data Encoding: Application Security can search for data in languages other than English, for case sensitive or case insensitive data, as well as hexadecimal strings. Values for this parameter include:
• None
• Case Insensitive
• Case Sensitive
• HEX
• International
Note: The value of this field corresponds to the Content Type parameter. Default: None.

Tracking Parameters
Tracking parameters, which are described in Table 21 on page 252, define how the attack is tracked and treated once its signature is recognized in the traffic.
Each Application Security Attack is bound to a "Tracking" function that defines how the packet is handled when it is matched against the Attack. The main purpose of these functions is to determine whether the packet is harmful and to apply an appropriate action accordingly. There are two types of match functions:
• The "Immediate" type, which makes decisions based on a single packet. The signature match by itself is considered an indicator of the attack and the packet is dropped ("Drop All"). For example, MS Blast.
• The "Threshold" or "Counter" functions. These functions assume that the signature match alone is not enough to classify a packet as offensive, since the packet may be legitimate unless the number of packets per period of time exceeds a threshold that defines "reasonable" behavior for such traffic. Only packets that exceed the threshold within a predefined time slot are dropped. For example, ICMP flood attacks and DoS attacks.

Table 21: Tracking Parameters
Tracking Time: Sets the amount of time (in milliseconds) in which the Threshold is measured. When a number of packets greater than the Threshold value passes through the device during this defined time period, the device recognizes it as an attack. Default value: 1000.
Threshold: Sets the maximum number of attack packets that are allowed in each Tracking Time unit. The attack packets are recognized as legitimate traffic when they are transmitted within the Tracking Time period. Default value: 10.
Tracking Type: Defines how the device decides which traffic to block or drop when under an attack of this type. Values can be:
• Drop All: Select this option when each packet of the defined attack is harmful. For example: Code Red and Nimda attacks.
• Target Attack: Select this option when the defined attack is destination-based, meaning the hacker is attacking a specific destination such as a Web server. For example: Ping Flood and DDoS attacks.
• Source and Target Attack: Select this option when the attack type is a source and destination based attack, meaning the hacker is attacking from a specific source IP to a specific destination IP. For example: Port Scan attack.
• Source Attack: Select this option when the defined attack is source-based, meaning the hacker attack can be recognized according to its source address. For example: Horizontal Port Scan, where the hacker scans a certain application port (TCP or UDP) to detect which servers are available on the network.
Default: Drop All.
Action Mode:
• Drop: The packet is discarded.
• Forward: The packet is forwarded to the defined destination.
• Reset Source: Sends a TCP Reset packet to the packet's source IP.
• Reset Destination: Sends a TCP Reset packet to the destination address.
• Default: Takes the Action Mode parameter defined in the Security Parameters window.

To create a Basic Attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Intrusions column. The Settings pane appears.
3. From the Settings pane, click Custom Attack. The Custom Intrusion Attack window appears.
4. From the Custom Intrusion Attack window, select the Basic Attack option button.
5. Set the new Basic Attack parameters as explained in Description Parameters, page 247.
6. Click Ok. The Custom Intrusion Attack window closes. The new basic attack appears in the Custom Group window.

Configuring Advanced Intrusion Prevention Attacks
The second building block of the Intrusion Prevention Profile is the Advanced Attack. The Advanced Attack represents a logical AND between two or more Basic Attacks. Some attacks have a complex signature comprised of several patterns and content strings. These attacks require more than one Basic Attack to protect against them.
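The Basic Attack parameters of Tables 18 to 20 (protocol and destination port filter, the OMPC offset/mask/pattern/condition lookup, the content string search with its encodings and Content Max Length) and the AND/OR composition of Advanced Attacks and Attack Groups can be exercised as a small rule evaluator. The following Python is an added example, not Radware's implementation: the Packet model, the rule names, the treatment of Destination Port From/To 0 as "any port" (and To 0 with a non-zero From as a single port), and the reading of "Offset Relative to: None" as the packet start are assumptions; source ports are omitted for brevity.

```python
"""Added example: evaluating LinkProof-style Basic Attacks (protocol/port filter,
OMPC bit pattern, content string), Advanced Attacks (AND) and Attack Groups (OR)
over a constructed packet.  Not Radware code; field semantics follow Tables 18-20."""
import operator
from dataclasses import dataclass

OMPC_LENGTHS = {"N/A": 0, "oneByte": 1, "twoBytes": 2, "threeBytes": 3, "fourBytes": 4}
OMPC_CONDITIONS = {"equal": operator.eq, "notEqual": operator.ne,
                   "greaterThan": operator.gt, "lessThan": operator.lt}

@dataclass
class Packet:
    protocol: str            # "TCP", "UDP" or "ICMP"
    dst_port: int
    ip_header: bytes
    l4_header: bytes         # TCP/UDP/ICMP header
    payload: bytes

    def raw(self) -> bytes:
        return self.ip_header + self.l4_header + self.payload

    def base_offset(self, relative_to: str) -> int:
        # "OMPC Offset Relative to": None/IP Header = packet start (assumption for None),
        # IP Data = byte after the IP header, TCP Data = byte after the TCP header
        return {"None": 0, "IP Header": 0, "IP Data": len(self.ip_header),
                "TCP Data": len(self.ip_header) + len(self.l4_header)}[relative_to]

@dataclass
class BasicAttack:
    name: str
    protocol: str = "IP"              # "IP" matches every protocol
    dst_port_from: int = 0
    dst_port_to: int = 0
    ompc_length: str = "N/A"
    ompc_offset: int = 0
    ompc_relative_to: str = "None"
    ompc_mask: str = "00000000"
    ompc_pattern: str = "00000000"
    ompc_condition: str = "N/A"
    content: str = ""                 # empty = no content rule
    content_encoding: str = "None"    # None, Case Insensitive, Case Sensitive, HEX
    content_offset: int = 0
    content_max_length: int = 0       # 0 = no limit

def port_in_range(port: int, lo: int, hi: int) -> bool:
    # Assumption: From=0/To=0 (the defaults) means any port; To=0 with a non-zero From
    # means that single port, as in the manual's blast_shell example (port 4444).
    return True if lo == 0 and hi == 0 else lo <= port <= (hi or lo)

def ompc_matches(rule: BasicAttack, pkt: Packet) -> bool:
    """Fixed-offset lookup: (bytes at offset & mask) <condition> pattern."""
    n = OMPC_LENGTHS[rule.ompc_length]
    if n == 0 or rule.ompc_condition == "N/A":
        return True                                  # OMPC not used by this rule
    start = pkt.base_offset(rule.ompc_relative_to) + rule.ompc_offset
    window = pkt.raw()[start:start + n]
    if len(window) < n:
        return False                                 # packet too short to hold the field
    # pattern and mask are 8 hex symbols zero-padded on the right; only n bytes count
    mask = int(rule.ompc_mask[:2 * n], 16)
    pattern = int(rule.ompc_pattern[:2 * n], 16)
    return OMPC_CONDITIONS[rule.ompc_condition](int.from_bytes(window, "big") & mask, pattern)

def content_matches(rule: BasicAttack, pkt: Packet) -> bool:
    """Content lookup from Content Offset, limited by Content Max Length."""
    if not rule.content:
        return True
    data = pkt.raw()[rule.content_offset:]
    if rule.content_max_length:
        data = data[:rule.content_max_length]
    if rule.content_encoding == "HEX":
        return bytes.fromhex(rule.content) in data
    needle = rule.content.encode()
    if rule.content_encoding == "Case Insensitive":
        return needle.lower() in data.lower()
    return needle in data                            # None / Case Sensitive

def basic_matches(rule: BasicAttack, pkt: Packet) -> bool:
    if rule.protocol != "IP" and rule.protocol != pkt.protocol:
        return False
    if not port_in_range(pkt.dst_port, rule.dst_port_from, rule.dst_port_to):
        return False
    return ompc_matches(rule, pkt) and content_matches(rule, pkt)

def advanced_matches(parts: list, pkt: Packet) -> bool:
    """Advanced Attack = logical AND of its Basic Attacks."""
    return all(basic_matches(b, pkt) for b in parts)

def group_matches(members: list, pkt: Packet) -> bool:
    """Attack Group = logical OR; a list member stands for an Advanced Attack."""
    return any(advanced_matches(m, pkt) if isinstance(m, list) else basic_matches(m, pkt)
               for m in members)

# Constructed sample: HTTP request to port 80, TCP flags PSH+ACK (0x18 at TCP offset 13);
# the rules below are constructed too, with hypothetical names
SAMPLE = Packet("TCP", 80, bytes([0x45, 0, 0, 0x3c, 0, 0, 0, 0, 64, 6]) + bytes(10),
                bytes(13) + bytes([0x18]) + bytes(6), b"GET /cgi-bin/test.cgi HTTP/1.0\r\n")
R_ACK = BasicAttack("tcp_ack_set", "TCP", ompc_length="oneByte", ompc_offset=13,
                    ompc_relative_to="IP Data", ompc_mask="10000000",
                    ompc_pattern="10000000", ompc_condition="equal")
R_CGI = BasicAttack("http_cgi_path", "TCP", 80, 80, content="CGI-BIN",
                    content_encoding="Case Insensitive")
R_UDP = BasicAttack("udp_only", "UDP")
```

Two details worth checking against your own rules: a Content Max Length shorter than the headers means a payload string can never match (the search window ends before the payload starts), and an OMPC offset beyond the packet end is a non-match rather than an error, so short packets silently bypass a header-field rule with a bad offset.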
Figure 30 - Advanced Attacks

Advanced attacks are made up of a collection of Basic Attacks, selected from or removed from the Basic Attack list.

Tip: You can create a new Advanced Attack using user defined Basic Attacks only.

To create an Advanced Attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click Custom Attack. The Custom Intrusion Attack window appears.
3. From the Custom Intrusion Attack window, select the Advanced Attack option button. The Advanced Attack pane appears.
4. Select the Basic Custom attacks from the Optional Basic Attacks list and add them to the Selected Attacks list by clicking the mover arrows.
5. Click the Settings tab and define the parameters for each Advanced Custom Intrusion Attack, see Table 21 on page 252.
6. Click Ok. The Advanced Attack pane closes.

Defining Custom Intrusion Prevention Attack Groups
The Custom Attack Group represents a logical OR between two or more Basic Attacks or Advanced Attacks. The right panel of the Custom Attack Groups window (Custom Attack Group Window, page 254) contains the list of all the existing groups.

Figure 31 - Custom Attack Group Window

Radware provides you with a set of predefined Custom Attack Groups as part of the Signatures file. You can also add user defined Attack Groups using predefined Attacks or user defined Attacks. The predefined attack groups are divided according to types of protection. For example, all attack signatures designed to harm IIS Web servers are grouped under the IIS Attack Group. The groups can be activated within a Protection Profile, except for the Unassigned group. Attacks that affect performance or are prone to false positives are gathered under the Unassigned group and can be activated either by adding an Attack to an existing group or to a user defined group.

To add a new Custom Attack Group:
1. From the main window, click Security.
The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Intrusions column. The Settings pane appears.
3. From the Settings pane, select Custom Group. The Custom Attack Group window appears.
4. From the Custom Attack Group window, enter a relevant name for the new Attack Group.
5. Select the attacks you want to include in this group and move them to the Selected Attacks pane by clicking the mover arrows.

Creating a New User Defined Intrusion Prevention Profile
You can either select from the Radware predefined intrusion prevention Attack profiles or create your own custom profiles.

To create a New User Defined Intrusion Prevention Profile:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, double-click anywhere in the Intrusions column. The Settings pane appears.
3. From the Settings pane, click New Profile. The New Intrusion Prevention Profile window appears.
4. From the New Intrusion Prevention Profile window, enter a name for your new Intrusion Prevention Profile. The new profile appears in the Intrusion Prevention Profile pane.
5. To add attacks to your new profile, select the relevant attacks and move them to your profile using the mover arrows.

Editing Attacks
To edit an attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, double-click anywhere in the Intrusions column. The Settings pane appears.
3. From the All Attacks list, select the attack you want to edit and click Edit Attack. The Custom Intrusion Attack window appears.
4. Edit the parameters of the attack. See Description Parameters, page 247.
5. Click Ok. Your preferences are recorded.

Example: Configuring an Intrusion Prevention Profile for Protection Against the MS Blast Worm
The MSBlast worm was first detected on August 11th 2003.
This worm appears to exploit known vulnerabilities in the Microsoft Remote Procedure Call (RPC) Interface. The W32/Blaster worm exploits vulnerability in Microsoft's DCOM RPC interface. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. The access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. Lab testing has confirmed that the worm includes the ability to launch a TCP SYN flood denial-of-service attack against windowsupdate.com Doc. No.: 8261 255 LinkProof User Guide Affected Products This MSBlast worm affects the following Microsoft products: • • • • • Microsoft Microsoft Microsoft Microsoft Microsoft Windows Windows Windows Windows Windows NT® 4.0 NT 4.0 Terminal Services Edition 2000 XP Server™ 2003 Impact A remote attacker could exploit these vulnerabilities to execute arbitrary code with Local System privileges or to cause a denial-of-service condition. Protection is obtained by adding two Custom Attacks and grouping them together. To create the MS Blast Worm Protection Policy: 1. From the main window, click Security. The Connect and Protect Table appears. 2. Create the first Basic Attack: a. b. c. 256 From the Connect and Protect Table, click anywhere in the Intrusions window. The Settings pane appears. From the Settings pane, click Custom Attack. The Custom Intrusion Attack window appears. 
From the Custom Intrusion Attack window, set the following parameters according to the explanations provided: Attack Name: blast_shell Protocol: TCP Destination Port (from): 4444 Destination Port (to): 0 Source Port (from): 0 Source Port (to): 0 OMPC Offset: 0 OMPC Offset Relative to: None OMPC Mask: 0000000 OMPC Pattern: 0000000 OMPC Condition: None OMPC Length: None Content Offset: 0 Content: msblast.exe Content Type: Text Attack Type: Application Security Content Max. Length 0 Content Encoding: Case Sensative Doc. No.: 8261 LinkProof User Guide Content Data Encoding: None Attack Description: Enter a user defined attack description 3. Click OK. The new custom attack is created and appears in the All Attacks list. 4. Create the second Custom Attack. a. b. Click Custom Attack. The Custom Intrusion Attack window appears. From the Custom Intrusion Attack window, set the following parameters according to the explanations provided: Basic Attack Name: blast_rpc Protocol: TCP Destination Port (from): 135 (RPC) Destination Port (to): 135 (RPC) Source Port (from): 0 Source Port (to): 0 OMPC Offset: 0 OMPC Offset Relative to: None OMPC Mask: 0000000 OMPC Pattern: 0000000 OMPC Condition: None OMPC Length: None Content Offset: 0 Content: 1F7457759580BFBB927F895A1ACEB1DE Content Type: Text Attack Type: Application Security Content Max. Length 0 Content Encoding: HEX Content Data Encoding: None Attack Description: Enter a user defined attack description c. Click Ok. The new custom attack is created and appears in the All Attacks list Important Note: when using versions earlier than LinkProof 3.73, LinkProof 2.73, LinkProof 8.0, CSD 4.0, CID 2.0, the following parameters must be modified in the above Attack: Content: ~'?bB Content Encoding: Case Sensitive 5. Create a new Custom Attack Group: Doc. No.: 8261 257 LinkProof User Guide a. b. From the Connect and Protect Table, click Custom Group. The Custom Attack Group window appears. 
   b. In the Group Name field, enter the new group name: virus_custom. From the Custom Attack Group window, add the two new custom attacks that you created in the previous steps by selecting them from the All Attacks list and moving them to the Selected Attacks list with the mover arrows.

DoS/DDoS

This section explains DoS and DDoS attacks, and introduces the mechanism of DoS/DDoS protection profiles. This section includes the following topics:
• Introduction to DoS/DDoS, page 258
• DoS Shield Profiles, page 259
• Application Security Profiles, page 270

Introduction to DoS/DDoS

Radware's security scheme provides organizations with extensive Denial of Service (DoS) detection and protection capabilities while maintaining high network throughput. When hackers send mass volumes of traffic, they overload networks or servers, thus denying access to real users. This is known as a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack. Denial of service occurs as a result of various types of flooding caused by hackers, such as UDP, TCP and ICMP floods. The DoS/DDoS module provides protection against packet flooding, thereby preventing denial of service.

When mitigating DoS attacks, another challenge is to deal with hackers who are becoming increasingly sophisticated. A basic DoS attack is considered a single packet (TCP, UDP or ICMP) flood, generated by common tools that are available on the Internet. Basic SYN attacks can be accommodated by detecting incomplete TCP requests. However, hackers may also use new techniques and tools, such as Naphta, which creates a Connection Attack by completing a TCP handshake without any data traffic.

Another type of DoS attack can be caused by attacks of one or a few packets. These are attacks that exploit a server or network vulnerability, such as buffer overflows, Ping of Death, Land attack and so on. An intrusion attempt, unlike a DoS attack, is usually performed with a small number of packets.
Hackers trying to penetrate a network server use either single session attacks or one packet attacks targeting a service, application or even operating system vulnerability. Intrusions are handled and protected against by a set of services, which include Intrusion protection, Anomalies and Anti Scanning.

DoS/DDoS Protection Services

To provide protection against denial of service, the DoS/DDoS module incorporates two different services for mitigating DoS attacks:
• DoS Shield Profiles: A sampling-based service that provides protection against packet flooding, which causes a denial of service effect. The protection is provided for TCP, UDP and ICMP floods. This service utilizes an advanced sampling mechanism, which significantly reduces the device CPU load compared to packet-by-packet scanning.
• Application Security Profiles: A packet-by-packet scanning service that provides protection against DoS attacks using signature based packet-by-packet scanning.

The sampling-based service provides optimized performance in high throughput networks. Once an attack is detected, the DoS Shield module sets the relevant attack filter for packet-by-packet inspection. The packet-by-packet scanning service is based on the DoS protection group, named DOS.

Creating a New User Defined Profile

You can create user defined profiles using one of the following mechanisms:
• Application Security Profiles
• DoS Shield Profiles

To configure a User Defined DoS Profile:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, double-click anywhere in the DoS/DDoS column. The Settings pane appears.
3. If you select Application Security Profiles, the Application Security Profiles settings pane appears, see Application Security Profiles, page 270.
4. If you select DoS Shield Profiles, the DoS Shield Profiles settings pane appears, see DoS Shield Profiles, page 259.
DoS Shield Profiles

To prevent denial of service, DoS Shield samples the traffic flowing through the device and limits the bandwidth of traffic that is recognized as a DoS attack, using a predefined action. The concept is based on the fact that sporadic attacks that consume negligible amounts of bandwidth can be tolerated by most networks and do not require any counter action. An attack becomes a threat to the network when it starts to consume large amounts of the network's bandwidth. The DoS Shield module detects the occurrence of such events with an advanced sampling algorithm and takes automatic actions to solve the problem. The combination of a unique sampling scheme with the strong computing power of the Application Switch platform provides maximum security with maximum speed.

How the DoS Shield Module Works

The DoS Shield mechanism is based on two attack states: Dormant and Active. The Dormant state indicates that the sampling mechanism is used for recognition prior to action activation. An attack in the Dormant state can become Active only if the number of packets that entered your network is beyond the predefined limit. The Active state indicates that the action must be executed on each packet that matches the attack signature, without sampling.

The DoS Shield counts packets matching attacks in the Dormant and Active states. Samples of the traffic are compared with the list of attacks in the Dormant state. When a preconfigured number of packets is met, the status of the attack is changed to Active.

The DoS Shield module involves two mechanisms working in parallel. One statistically monitors the traffic to check whether any of the attacks in the Dormant state is active. When an attack is detected as active, this attack is handled by the second mechanism. Each packet passing through the device is compared to the list of Currently Active Attacks.
If no match is found, a portion of the packets is sent to be compared with the Dormant Attacks and the rest of the packets are simply forwarded to the network, without being inspected against the Dormant Attacks list.

Activating a large number of security Attacks can cause a decline in overall performance. You can limit the number of enabled security Attacks, while the rest of the filters remain disabled. The disabled filters can be activated when the network is under attack. This is performed using the Panic mode feature. When not all the defined filters are used, there might be a situation where the servers are under an unrecognized attack. In that case the DoS Shield module can operate in Panic Mode. During the unrecognized attack, disabled filters that are defined as Panic become enabled and function as Dormant state filters.

Note: In reaction to the Panic mode activation, only the filters that are configured to function in Panic mode are activated.

DoS Shield Traffic Flow

When traffic arrives at the device, samples of the traffic are copied and inspected against each entry in the list of attacks in the Dormant state to detect possible attacks. You can control the sampling rate by setting the number of packets that pass through the device before a packet is examined against the list of attacks in the Dormant state (Packet Sampling Rate in DoS Shield Traffic Flow Diagram, page 261). You can also configure the duration of the sampling period over which the different thresholds are checked (Sampling Time in DoS Shield Traffic Flow Diagram, page 261).

Whenever traffic matches an Attack filter, a counter is incremented. At the end of each Sampling Time, the counter value is normalized and compared to the thresholds configured for the attack. You can configure a Warning Threshold and an Activation Threshold for each attack. When the Warning Threshold is met, a warning message is sent notifying about the attack.
When the Activation Threshold is met, the attack state is changed to Active, every packet passing through the device is inspected against that attack and the forwarding limit is executed.

Figure 32 - DoS Shield Traffic Flow Diagram (flow: Incoming Packet > Sampling > Copy of Sampled Packets compared to Dormant Attacks > Activation Threshold Passed > Activate Attack; all packets compared to the Currently Active Attacks List > Pre-Configured Action on match, otherwise Forward the Packet to the Destination Port)

When an attack is activated, the following actions are possible:
• Bandwidth of traffic (kbps) that matches a Currently Active Attack is limited when forwarding packets to the network.
• When the forwarding limit is 0, all packets that match the Currently Active Attack are blocked.

The status of a Currently Active attack reverts to Dormant when the amount of traffic matching the attack filter is smaller than the Attack Termination Threshold for the duration of the Aging Period for that attack. The Aging Period allows you to set a number of Sampling Time periods over which the counters of that attack must not cross the Termination Threshold in order for this attack to be considered over and its status reverted to Dormant. Termination of the attack is also reported to the management station.

You can also preconfigure an attack as Currently Active. In that case every packet passing through the device is always matched against that attack filter, regardless of the Attack Termination Threshold.

How to Use the DoS Shield Module

The Dormant Attacks database consists of attacks supplied by Radware. These attacks provide constant protection against all recent denial of service attacks. Each attack includes protection filters that are configured to detect and block malicious packets. You can use these attacks to define prevention profiles.
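The Dormant/Active mechanism described above (packet sampling, Sampling Time, Warning and Activation thresholds, Termination thresholds, Aging Period and the Forwarding Limit when Active), as an added simulation that is not Radware or LinkProof code. Parameter names follow the Edit Attacks Table; the traffic model (fixed-size packets, one Sampling Time per second) and all class and function names are assumptions.

```python
"""Added example (not Radware/LinkProof code): a simulation of the DoS Shield
Dormant/Active state machine (packet sampling, Sampling Time, Warning/Activation/
Termination thresholds, Aging Period and the Forwarding Limit when Active) run
over constructed traffic. Parameter names follow the Edit Attacks Table; the
traffic model, class and function names are this example's assumptions."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ShieldAttack:
    name: str
    warning_kbps: int
    activation_kbps: int
    termination_msg_kbps: int
    termination_kbps: int
    forwarding_limit_kbps: int      # 0 means Drop All while Active
    aging_period: int               # Sampling Time units below threshold before deactivation
    status: str = "Dormant"
    alert_status: str = "Not Sent"
    sampling_counter: int = 0       # bits matching in the current Sampling Time (sampled)
    active_counter: int = 0         # bits matching in the last second, every packet examined
    term_alert_counter: int = 0
    term_counter: int = 0


class DoSShield:
    def __init__(self, attack: ShieldAttack, sampling_rate: int, sampling_time_s: int = 1):
        self.a = attack
        self.sampling_rate = sampling_rate    # one packet in every N is examined
        self.sampling_time = sampling_time_s
        self.seen = 0
        self.dropped = 0
        self.events: List[Tuple[int, str]] = []
        self._budget = 0                      # bits still forwardable this second

    def start_second(self) -> None:
        self.a.active_counter = 0
        self._budget = self.a.forwarding_limit_kbps * 1000

    def handle(self, matches: bool, bits: int) -> bool:
        """Process one packet; return True if forwarded, False if dropped."""
        self.seen += 1
        if matches and self.seen % self.sampling_rate == 0:
            self.a.sampling_counter += bits    # sampled packets feed the thresholds
        if matches and self.a.status == "Active":   # every packet checked when Active
            self.a.active_counter += bits
            if bits > self._budget:
                self.dropped += 1
                return False
            self._budget -= bits
        return True

    def end_sampling_time(self, t: int) -> None:
        a = self.a
        # normalise the sampled count to an estimated rate in Kbps
        kbps = a.sampling_counter * self.sampling_rate / self.sampling_time / 1000
        a.sampling_counter = 0
        if a.status == "Dormant":
            if kbps >= a.activation_kbps:
                a.status, a.alert_status = "Active", "Activation Alert Sent"
                a.term_alert_counter = a.term_counter = 0
                self.events.append((t, "activated"))
            elif kbps >= a.warning_kbps and a.alert_status == "Not Sent":
                a.alert_status = "Alert Sent"
                self.events.append((t, "warning"))
        elif a.status == "Active":
            a.term_alert_counter = a.term_alert_counter + 1 if kbps < a.termination_msg_kbps else 0
            a.term_counter = a.term_counter + 1 if kbps < a.termination_kbps else 0
            if a.term_alert_counter == a.aging_period:
                self.events.append((t, "termination_alert"))
            if a.term_counter == a.aging_period:
                a.status, a.alert_status = "Dormant", "Not Sent"
                self.events.append((t, "terminated"))


def run(profile_kbps: List[int], forwarding_limit_kbps: int = 0,
        pkt_bits: int = 1000, benign_per_s: int = 20):
    """Constructed traffic: each second carries profile_kbps matching packets of
    pkt_bits each (so the rate in Kbps equals the packet count), then benign ones.
    Returns (events, number of matching packets dropped, final Attack Status)."""
    attack = ShieldAttack("udp_flood_demo", warning_kbps=100, activation_kbps=400,
                          termination_msg_kbps=200, termination_kbps=100,
                          forwarding_limit_kbps=forwarding_limit_kbps, aging_period=2)
    shield = DoSShield(attack, sampling_rate=10)
    for t, rate in enumerate(profile_kbps, start=1):
        shield.start_second()
        for _ in range(rate):
            shield.handle(True, pkt_bits)
        for _ in range(benign_per_s):
            shield.handle(False, pkt_bits)
        shield.end_sampling_time(t)
    return shield.events, shield.dropped, attack.status
```

With the profile [20, 150, 600, 600, 20, 20, 20] Kbps the warning fires in second 2, activation in second 3, and after two quiet Sampling Times (the Aging Period) the termination alert and deactivation both fire in second 6; a nonzero Forwarding Limit lets that much matching traffic through each second instead of dropping it all.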
Most of the existing denial of service attacks can be prevented using Radware attacks. In addition to the Radware defined attacks, you can add user defined attacks to this database. The parameters that are part of the Sampling process (DoS Shield Traffic Flow Diagram, page 261) can be configured using the DoS Shield mechanism. For new users, it is recommended to define DoS Shield prevention profiles using Radware defined attacks only.

The DoS Shield module enables you to perform the following actions:
• Activate attack(s) provided by Radware.
• Create new attack(s).
• View all the information about an attack in the Attack Dynamic Information table, see Attacks Dynamic Info, page 268.

To configure DoS Shield using Radware Defined Attacks:
1. Enable DoS Shield protection and set the general parameters, see DoS Shield Parameters, page 236.
2. Create a new DoS Shield profile and apply the new profile to the Connect and Protect Table, see Creating a new DoS Shield Profile, page 267.

To configure DoS Shield using User Defined Attacks:
1. Enable DoS Shield protection and set the general parameters, see DoS Shield Parameters, page 236.
2. Add a Basic Service, see Configuring Basic DoS Shield Services, page 262.
3. Add an Advanced Service, see Configuring Advanced DoS Shield Services, page 264. (Optional step)
4. Define the DoS Shield attacks, see Defining DoS Shield Attacks, page 265.
5. Create a new DoS Shield profile and apply the new profile to the Connect and Protect Table, see Creating a new DoS Shield Profile, page 267.

Configuring Basic DoS Shield Services

A basic element of DoS Shield profiles is a Basic Service. Radware provides a list of predefined services. You can create your own services (Basic Service Configuration, page 263). The LinkProof Classes window allows you to create a new service.
Figure 33 - Basic Service Configuration

The parameters of LinkProof DoS Classes are divided into the following categories:
• New Service parameters
• Protocol definition parameters
• OMPC definition parameters
• Content definition parameters

New Service Parameters

The user defined description of the service.

Table 22: New Service Parameters
Service Name: The service that is used to provide protection against the attack. You can select the service from the list defined in the Service Type.
Description: Enter a relevant description of the service.

Protocol Parameters

Protocol definition parameters define the transmission protocol. For the detailed parameter descriptions refer to Table 18, "Protocol Parameters," on page 248.

OMPC Parameters

Offset Mask Pattern Condition (OMPC) is a set of filter parameters that define a rule for pattern lookups. The OMPC rule looks for a fixed size pattern of up to four bytes, using fixed offset masking. This is useful only for attack recognition where the attack signature is a TCP/IP header field or a pattern in the data/payload at a fixed offset. The OMPC parameters are described in Table 19, "OMPC Parameters," on page 248.

Content Parameters

Content parameters define the rule for a text/content string lookup. This rule is intended for attack recognition where the attack signature is a text/content string within the packet. For the detailed parameter descriptions refer to Table 20, "Content Parameters," on page 250.

To add a Basic Service:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The DoS Settings pane appears.
3. From the DoS Settings pane, select DoS Shield Profiles and then click Classes. The LinkProof Classes window appears.
4. From the LinkProof Classes window, click Add Regular and define the parameters according to the explanations above.
5. Click Update Active Classes and then click Add Service.
6. Click Ok. The Classes window closes and the new Basic Service can be used to define an attack, see Defining DoS Shield Attacks, page 265.

Configuring Advanced DoS Shield Services

Using Basic Services you can define an Advanced Service (Advanced Attacks Window, page 273). The Advanced Service represents a logical AND between two or more Basic Services. Advanced Services are made up of a collection of Basic Services, selected from the Basic Services list. You can create an Advanced Service using user defined Basic Services only.

Figure 34 - Advanced Service Configuration

To create an Advanced Service:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The Settings pane appears.
3. From the Settings pane, select DoS Shield Profiles and click Classes. The LinkProof Classes window appears.
4. From the LinkProof Classes window, click Add Advanced. The Advanced Service pane appears, displaying the following parameters:
— Service Name: The name of the Advanced Service.
— Basic Services Names: The list of all the user defined Basic Services.
5. In the Service Name text box, type the name of the new Advanced Service.
6. From the Basic Services list, select the Basic Services that you want to include in the Advanced Service.
7. Click Update Active Classes and then click Add Service.
8. Click Ok. The Classes window closes and the new Advanced Service can be used to define an attack, see Configuring Basic DoS Shield Services, page 262.

Defining DoS Shield Attacks

Profiles consist of attacks that are defined in the Attacks Table.
Figure 35 - Edit Attacks Table

The Attacks Database contains attacks provided by Radware. You can add user-defined attacks to reflect the specific needs of your network, or edit the existing attacks. Table 23 on page 266 describes the attack's parameters.

Table 23: Edit Attacks Table
Service Type: Enables selection of services from the following categories:
• Basic Service - selecting from the Basic Services list.
• Advanced Service - selecting from the Advanced Services list.
Service Name: The service that is used to provide protection against the attack. You can select the service from the list defined in the Service Type.
Warning Threshold (Kbps): When this threshold is exceeded, a warning message is sent to the management station. Note: You can select a value of "Do Not Alert" (or 0). This is only relevant when the attack is not Active.
Activation Threshold (Kbps): When this threshold is exceeded, the status of the attack is changed to Active. Note: This is only relevant when the Attack Status was configured as Dormant.
Forwarding Limit when Active (Kbps): The number of packets matching the attack that can be forwarded in each second when the attack is Active. A value of Drop All (or 0) means that all packets must be blocked. A value other than Drop All is used for attacks that match a pattern of legitimate traffic, for example UDP Flood attacks.
Termination Message Threshold (Kbps): If for the duration of the Attack Aging Period this threshold is not exceeded, a notification message is sent indicating that the attack may be over. Typically, this threshold is higher than the Termination Threshold and lower than the Attack Activation Threshold. You can also select "Do Not Alert" (or 0).
Termination Threshold (Kbps): If for the duration of the Attack Aging Period this threshold is not exceeded, the status of the attack reverts to Dormant. You can also select "Do Not Deactivate" (or 0).
Aging Period (sec.): The number of Sampling Time units required for deactivating an attack. To ensure that the attack is not considered terminated because of a momentary reduction in the amount of traffic matching its pattern, attack termination is decided only after several Sampling Time units have passed in which attack traffic was below the Termination Threshold. The same concept applies to the Alert Termination. You can also select "No Deactivation" (or 0). The default value is 5.
Attack Status: One of the following:
• Dormant - The attacks that are processed through the Sampling mechanism to recognize known signatures.
• Active - The attacks that are compared packet-by-packet to the signatures database.
• Panic - The attack is in the Panic state. In this state the number of activated filters is limited to achieve better overall performance. In case an unrecognized attack takes place, the module activates only the filters that are required to block the attack.
• Disabled - The attack's filters are disabled.
When this value is originally set as Dormant, it is automatically updated when traffic patterns match the attack thresholds. This also allows the administrator to manually add/remove attacks to/from the Active Attack list. An attack that is manually set to Active or Disabled is not automatically added to or removed from the Active Attack list, and the thresholds are not relevant for such an attack.
Attack Name: A user defined name for this attack, maximum 30 characters. The Attack Name is used when DoS Shield sends information about attack status changes.
Attack Message Text: A message that is associated with the attack.

To add a new attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The Settings pane appears.
3. From the Settings pane, select DoS Shield Profiles.
The DoS Shield Profiles pane appears.
4. From the DoS Shield Profiles pane, click Custom Attack. The Edit Attacks Table appears.
5. From the Edit Attacks Table, set the parameters as explained in Edit Attacks Table, page 266.
6. Click Ok. The Edit Attacks Table window closes and the new attack appears in the All DoS Attacks List.

Creating a new DoS Shield Profile

Once the attacks are defined, you can create a new profile.

To define a new DoS Shield profile:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The Settings pane appears.
3. From the Settings pane, select DoS Shield Profiles. The DoS Shield Profiles pane appears.
4. From the DoS Shield Profiles pane, click New Profile. The New Profile dialog box appears.
5. In the Profile Name text box, type the name of the new profile and click Ok. The New Profile dialog box closes and the new profile appears in the DoS Prevention Profiles pane.
6. From the All DoS Attacks List pane, select the attack(s) that you want to add to the new profile and click Add. The selected attack appears in the DoS Prevention Profiles pane.
7. Select the cell in the Connect and Protect Table where you want to apply the new DoS/DDoS profile and click Apply. The name of the new profile appears in the selected cell.

Attacks Dynamic Info

The Attacks Dynamic Info window displays information regarding the current condition of the attack. The table is updated in real time.

Note: This window is read only.

Figure 36 - Attacks Dynamic Info

Note: You can sort the DoS Shield Attack Dynamic Info table according to every column in the table.

Table 24 on page 269 describes the Attacks Dynamic Info table parameters.

Table 24: Attacks Dynamic Info
Attack ID: A unique number identifying the attack.
Sampling Counter: Number of bits matching this attack in the current Sampling Time. This counter is used against the Warning Threshold, Activation Threshold, Termination Message Threshold and Termination Threshold.
Active Counter: Number of bits matching this attack in the last second, with every packet examined. This counter is used only for limiting the amount of traffic matching an Active attack.
Alert Status: The status of the alert can be: Not Sent, Alert Sent, Activation Alert Sent, Dropping Alert Sent.
Attack Status: One of the following:
• Dormant - The attacks that are processed through the Sampling mechanism to recognize known signatures.
• Active - The attacks that are compared packet-by-packet to the signatures database.
• Panic - The attack is in the Panic state. In this state the number of activated filters is limited to achieve better overall performance. In case an unrecognized attack takes place, the module activates only the filters that are required to block the attack.
• Disabled - The attack's filters are disabled.
Termination Alert Counter: Number of intervals in which the Sampling Counter was below the Termination Message Threshold. When the value of this counter reaches the Aging Period value, a Termination Alert message is sent.
Termination Counter: Number of intervals in which the Sampling Counter was below the Termination Threshold. When the value of this counter reaches the Aging Period value, an Attack Terminated message is sent and the Attack Status reverts to Dormant.
Last Attack Detection Time: Time when this attack last took place.
Last Attack Detection Date: Date when this attack last took place.
Last Attack Termination Time: Time when this attack was last terminated.
Last Attack Termination Date: Date when this attack was last terminated.

To view the Attacks Dynamic Info window:
1. From the main window, click Security. The Connect and Protect window appears.
2. From the Connect and Protect window, click anywhere in the DoS column. The DoS pane appears.
3. From the DoS pane, select the DoS Profiles option button and then select Attacks Dynamic Info. The Attacks Dynamic Info window appears as shown in Figure 36 on page 268.

Application Security Profiles

Application Security profiles are incorporated in the mechanism of protection and prevention against denial of service attacks. These profiles deliver advanced intrusion detection and prevention capabilities, providing maximum protection for network elements, hosts and applications. Application Security profiles are predefined traffic detectors that scan the incoming traffic in order to identify known attack signatures. The profiles use various attacks that find the malicious packets and make decisions in accordance with the predefined settings.

How to Use the Application Security Module

Radware supplies a set of predefined Attack Groups that provide constant protection against all recent attacks. You can use these groups to define prevention profiles. Most of the existing intrusions can be prevented using Radware groups. In addition to the Radware defined groups, you can create custom Attack Groups, custom Advanced Attacks, and custom Basic Attacks. For new users, it is recommended to define Application Security protection profiles using Radware defined attacks only.

To configure Application Security using Radware Defined Attacks:
1. Enable Application Security protection and set the general parameters, see Application Security Parameters, page 236.
2. Create a new Application Security profile and apply the new profile to the Connect and Protect Table, see Creating a new Application Security Profile, page 274.

To configure Application Security using User Defined Attacks:
1. Enable Application Security and set the Application Security general parameters, see Application Security Parameters, page 236.
2. Define Basic Attacks, see Configuring Basic Application Security Attacks, page 271.
3. Define Advanced Attacks, see Configuring Advanced Application Security Attacks, page 272 (optional).
4. Define Custom Attack Groups, see Application Security Custom Attack Groups, page 273.
5. Create a new Application Security profile and apply the new profile to the Connect and Protect Table, see Creating a new Application Security Profile, page 274.

Configuring Basic Application Security Attacks

Basic Attacks (Custom DoS Attack Window, page 271) are the basic building blocks of the DoS Attack. Each Basic Attack constitutes protection against a specific attack, meaning that each Basic Attack has a specific attack signature and protection parameters. Radware provides you with a set of predefined attacks. You can also create user defined Basic Attacks.

Figure 37 - Custom DoS Attack Window

The parameters of each Basic Attack are divided into the following categories:
• Description parameters
• Protocol definition parameters
• OMPC definition parameters
• Content definition parameters

Description Parameters

Description parameters (Table 17 on page 247) are the user defined descriptions of the attack.
Attack Name: The name of the attack as you define it.
Attack Description: A description of the attack.

Protocol Parameters

Protocol definition parameters define the transmission protocol. For the detailed parameter descriptions refer to Table 18, "Protocol Parameters," on page 248.

OMPC (Bit Pattern) Parameters

Offset Mask Pattern Condition (OMPC) is a set of filter parameters that define a rule for pattern lookups. The OMPC rule looks for a fixed size pattern of up to four bytes, using fixed offset masking. This is useful only for attack recognition where the attack signature is a TCP/IP header field or a pattern in the data/payload at a fixed offset.
The OMPC parameters are presented in Table 19, "OMPC Parameters," on page 248.

Content Parameters

Content parameters define the rule for a text/content string lookup. This rule is intended for attack recognition where the attack signature is a text/content string within the packet payload. For the detailed parameter descriptions refer to Content Parameters, page 250.

Tracking Parameters

Tracking parameters define how the attack is tracked and treated once its signature is recognized in the traffic. Each Application Security Attack is bound to a "Tracking" function that defines how the packet is handled when it is matched against the Attack. The main purpose of these functions is to determine whether the packet is harmful and to apply an appropriate action accordingly. There are two types of match functions:
• The "Immediate" type, which makes decisions based on a single packet. The signature match by itself is considered an indicator of the attack and the packet is dropped ("Drop All"). For example, MS Blast.
• The "Threshold" or "Counter" functions. These functions assume that the signature match alone is not enough to classify a packet as offensive, since the packet may be legitimate unless the number of packets per period of time exceeds a threshold that defines "reasonable" behavior for such traffic. Only packets that exceed the threshold within a predefined time slot are dropped. For example, ICMP flood attacks and DoS attacks.
For the detailed parameter descriptions refer to Tracking Parameters, page 252.

To create a Basic DoS Attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The DoS Settings pane appears.
3. From the DoS Settings pane, click Custom Attack. The Custom DoS Attack window appears.
4. From the Custom DoS Attack window, select Basic Attack.
5. Set the new Basic DoS Attack parameters as explained in Configuring Basic Application Security Attacks, page 271.
6. Click OK. The Custom DoS Attack window closes. The new attack can now be viewed in the Custom Group window.

Configuring Advanced Application Security Attacks

The second building block of the DoS Attack is the Advanced Attack (Advanced Attacks Window, page 273). The Advanced Attack represents a logical AND between two or more Basic Attacks. Some attacks have a complex signature comprised of several patterns and content strings. These attacks require more than one basic filter to protect against them. Advanced Attacks are made up of a collection of Basic Attacks selected from the Basic Attack list. You can create Advanced Attacks using user defined Basic Attacks only.

Figure 38 - Advanced Attacks Window

To create an Advanced Attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The Settings pane appears.
3. From the Settings pane, click Custom Attack. The Custom DoS Attack window appears.
4. From the Custom DoS Attack window, select the Advanced Attack option button. The following parameters appear:
— Attacks Description: The name of the Advanced Attack that you define.
— Optional Basic Attacks: The list of all the user defined Basic Attacks.
— Selected Attacks: Basic Attacks that you want to include in the new Advanced Attack.
5. In the Attack Name text box, type the name of the new Advanced Attack.
6. From the list contained in the Optional Basic Attacks box, add Basic Attacks to the Selected Attacks list using the mover arrows.
7. Click Ok.

Application Security Custom Attack Groups

The Custom Attack Group represents a logical OR between two or more Basic Attacks or Advanced Attacks.
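The three building blocks described in this section (a Basic Attack's protocol, port, OMPC and content rules; the Advanced Attack as a logical AND; the Custom Attack Group as a logical OR), evaluated over constructed packets, using the two MS Blast custom attacks from earlier on the page as the Basic Attacks. This is an added example, not Radware or LinkProof code; the packet layout, class and function names, the extra OMPC-based attack and the OMPC condition values other than None are assumptions.

```python
"""Added example (not Radware/LinkProof code): a minimal model of the Basic Attack
filter, the Advanced Attack (logical AND) and the Custom Attack Group (logical OR),
evaluated over constructed packets. Parameter names follow the Custom Intrusion
Attack window; packet layout, class names and OMPC condition values other than
None are this example's assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:                  # constructed, simplified packet view
    proto: str
    dst_port: int
    payload: bytes


@dataclass
class BasicAttack:
    name: str
    protocol: str
    dst_from: int = 0          # from/to both 0 means any destination port
    dst_to: int = 0
    ompc_offset: int = 0
    ompc_mask: bytes = b""     # up to four bytes at a fixed payload offset
    ompc_pattern: bytes = b""
    ompc_condition: Optional[str] = None   # None disables OMPC; "Equal"/"Not Equal" assumed
    content: str = ""          # empty means no content rule
    content_encoding: str = "Case Sensitive"   # "Case Sensitive" or "HEX"
    content_offset: int = 0
    content_max_length: int = 0    # 0 means search to the end of the payload

    def _port_ok(self, port: int) -> bool:
        if self.dst_from == 0 and self.dst_to == 0:
            return True
        return self.dst_from <= port <= (self.dst_to or self.dst_from)  # "to" 0 = one port

    def _ompc_ok(self, payload: bytes) -> bool:
        if self.ompc_condition is None:
            return True
        window = payload[self.ompc_offset:self.ompc_offset + len(self.ompc_mask)]
        if len(window) < len(self.ompc_mask):
            return False
        masked = bytes(b & m for b, m in zip(window, self.ompc_mask))
        return (masked == self.ompc_pattern) == (self.ompc_condition == "Equal")

    def _content_ok(self, payload: bytes) -> bool:
        if not self.content:
            return True
        needle = (bytes.fromhex(self.content) if self.content_encoding == "HEX"
                  else self.content.encode())
        end = (self.content_offset + self.content_max_length
               if self.content_max_length else len(payload))
        return needle in payload[self.content_offset:end]

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.protocol and self._port_ok(pkt.dst_port)
                and self._ompc_ok(pkt.payload) and self._content_ok(pkt.payload))


@dataclass
class AdvancedAttack:          # logical AND of two or more Basic Attacks
    name: str
    parts: List[BasicAttack]

    def matches(self, pkt: Packet) -> bool:
        return all(p.matches(pkt) for p in self.parts)


@dataclass
class CustomAttackGroup:       # logical OR of Basic and/or Advanced Attacks
    name: str
    members: list

    def match(self, pkt: Packet) -> Optional[str]:
        """Name of the first member attack matching the packet, else None."""
        return next((m.name for m in self.members if m.matches(pkt)), None)


# The two MS Blast custom attacks with the values given in the guide.
blast_shell = BasicAttack("blast_shell", "TCP", dst_from=4444, dst_to=0,
                          content="msblast.exe", content_encoding="Case Sensitive")
blast_rpc = BasicAttack("blast_rpc", "TCP", dst_from=135, dst_to=135,
                        content="1F7457759580BFBB927F895A1ACEB1DE", content_encoding="HEX")
# Constructed OMPC attack (assumption, not from the guide): the two-byte DCE/RPC
# version field (major 5, minor 0) at payload offset 0.
rpc_v5_header = BasicAttack("rpc_v5_header", "TCP", dst_from=135, dst_to=135,
                            ompc_mask=b"\xff\xff", ompc_pattern=b"\x05\x00",
                            ompc_condition="Equal")
blast_rpc_v5 = AdvancedAttack("blast_rpc_v5", [blast_rpc, rpc_v5_header])
virus_custom = CustomAttackGroup("virus_custom", [blast_shell, blast_rpc_v5])

# Constructed sample packets: two carrying the signatures, two that do not.
SAMPLES = [
    Packet("TCP", 4444, b"cmd: msblast.exe\r\n"),
    Packet("TCP", 135, b"\x05\x00" + bytes.fromhex("1F7457759580BFBB927F895A1ACEB1DE")),
    Packet("TCP", 135, b"\x05\x00\x0b\x03\x10\x00\x00\x00"),   # ordinary RPC bind header
    Packet("TCP", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]


def classify(packets: List[Packet]) -> List[Optional[str]]:
    """Group verdict per packet: the matching attack name, or None when clean."""
    return [virus_custom.match(p) for p in packets]
```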
The right pane of the Custom Attack Groups window (Custom Attack Group Window, page 254) contains the list of all the existing groups.

Figure 39 - Custom Attack Group Window

Radware provides you with a set of predefined Custom Attack Groups as part of the Signatures file. You can also add user defined Attack Groups using predefined Attacks or user defined Attacks. The predefined attack groups are divided according to types of protection. For example, all attack signatures designed to harm IIS Web servers are grouped under the IIS Attack Group. The groups can be activated within a Protection Profile, except for the Un-assigned group. The Attacks that affect performance or are prone to false positives are gathered under the Un-assigned group and can be activated either by adding an Attack to an existing group or to a user defined group.

To add a new Custom Attack Group:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The Settings pane appears.
3. From the Settings pane, select Custom Group. The Custom Attack Group window appears.
4. From the Custom Attack Group window, enter a relevant name for the new Attack Group.
5. Select the attacks you want to include in this group and move them to the Selected Attacks pane using the mover arrows.

Creating a new Application Security Profile

Once the attacks are defined, you can create a new profile.

To define a new Application Security profile:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The Settings pane appears.
3. From the Settings pane, select Application Security Profiles. The Application Security Profiles pane appears.
4. From the Application Security Profiles pane, click New Profile. The New Profile dialog box appears.
In the Profile Name text box, type the name of the new profile and click Ok. The New Profile dialog box closes and the new profile appears in the Application Security Profiles pane.
6. From the All DoS Attacks List pane, select the attacks that you want to add to the new profile and click Add. The selected attacks appear in the Application Security Profiles pane.
7. Select the cell in the Connect and Protect Table where you want to apply the new DoS/DDoS profile and click Apply. The name of the new profile appears in the selected cell.

SYN Flood Protection

This section explains SYN floods and describes how SYN Flood Protection works. It includes the following topics:

• Introduction to SYN Flood Protection, page 275
• Before Setting Up SYN Flood Protection, page 277
• SYN Flood Protection General Settings, page 278
• Creating Custom SYN Attacks, page 280
• SYN Flood Reporting, page 283

Introduction to SYN Flood Protection

SYN Flood Protection is a service intended to protect the hosts located behind the device, and the device itself, from SYN flood attacks by performing delayed binding. A SYN flood attack is a denial of service attack in which the attacker sends a huge number of please-start-a-connection packets and then no follow-up packets. The SYN Flood attack is performed by sending a SYN packet without completing the TCP three-way handshake. Another type of SYN Flood attack is done by completing the TCP three-way handshake but sending no data packets afterwards. Radware provides complete protection against both types of SYN Flood attacks. The attacks are detected and blocked by means of SYN Flood Protection Policies. Reports regarding the current attacks appear in the Active Triggers table.

How Delayed Binding Works

Delayed Binding is a process (Delayed Binding Process, page 276) in which the device alters fields such as the sequence number of the TCP stream from the client to the destination server.
The subsequent session fetches the information that was requested in the original session, and only when that information has been gathered is it returned to the client via the original session.

Figure 40 - Delayed Binding Process (diagram: Client, LinkProof, Server; client side: 1 SYN, 2 SYN-ACK, 3 ACK, 4 HTTP-GET; New Client Entry; server side: SYN, SYN-ACK, ACK, HTTP-GET)

Once a SYN Flood attack is identified, the device activates a protection mechanism known as SYN Cookies. Delayed Binding Process, page 276 illustrates the delayed binding process, which includes the following steps:

1. A client initiates a request by sending a SYN. The SYN message includes the destination port number and a TCP sequence number, which represents the connection with the first segment from the client's side.
2. The device sends a SYN-ACK back to the client. The device creates a special initial TCP sequence number. The sequence number is created in such a manner that it encodes a time stamp and relevant SYN packet data in the SYN-ACK packet sent to the client.
3. The client sends an ACK to the device. When a client responds with an ACK packet, the device uses the SYN Cookie to verify legitimate client responses.
4. Once the TCP handshake is completed, the client sends a data packet, in this example an HTTP GET. When the GET request is sent to the device with the SYN Cookie, the device verifies the SYN Cookie. If the client response found in the SYN Cookie is legitimate, the device creates a new client entry. If required, the device makes a load balancing decision. Then the device selects the destination server and initiates the three-way TCP handshake with it.

The core of Delayed Binding is the ability to handle two sessions and pass information between them. The device has to alter information such as the sequence number and the source address from one session to the other. SYN Cookies can be used for any TCP port or application, whereas "usual" delayed bind is typically used for HTTP sessions.
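The following is an added example, not LinkProof code, of what steps 2 and 3 above amount to in practice: the device's initial sequence number is a SYN cookie that encodes a coarse time stamp and SYN data (here the client's MSS) behind a keyed hash, so the returning ACK can be verified without any session-table entry having been allocated. The cookie layout (5-bit time tick, 3-bit MSS index, 24-bit HMAC), the MSS table, the secret key, the accepted age and all addresses are this example's assumptions.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
COOKIE_SECRET = b"constructed-device-secret-rotate-periodically"   # assumption
MSS_TABLE = (536, 1220, 1440, 1460)    # assumption: MSS values the cookie can encode
MAX_COOKIE_AGE = 2                     # assumption: accepted age, in 64-second ticks


def _keyed_hash(src_ip, dst_ip, sport, dport, tick):
    """24-bit keyed hash over the connection 4-tuple and the time tick."""
    msg = f"{src_ip}|{dst_ip}".encode() + struct.pack("!HHI", sport, dport, tick)
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, dst_ip, sport, dport, client_isn, mss, now):
    """Step 2: the device's initial sequence number for the SYN-ACK. It encodes a
    time stamp (5 bits), the client's MSS (3-bit table index) and a keyed hash
    (24 bits) instead of allocating a session-table entry."""
    tick = (now // 64) & 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    value = (tick << 27) | (mss_idx << 24) | _keyed_hash(src_ip, dst_ip, sport, dport, tick)
    return (value + client_isn) & MASK32      # offset by the client's own ISN


def verify_cookie(src_ip, dst_ip, sport, dport, ack_seq, ack_num, now):
    """Steps 3-4: recover the cookie from the client's ACK (seq = client_isn + 1,
    ack = cookie + 1) and check it. Returns the encoded MSS, or None if the ACK
    is stale, malformed or was not produced by our SYN-ACK."""
    client_isn = (ack_seq - 1) & MASK32
    value = ((ack_num - 1) - client_isn) & MASK32
    tick, mss_idx, h = value >> 27, (value >> 24) & 0x7, value & 0xFFFFFF
    age = (((now // 64) & 0x1F) - tick) & 0x1F
    if age > MAX_COOKIE_AGE or mss_idx >= len(MSS_TABLE):
        return None
    expected = _keyed_hash(src_ip, dst_ip, sport, dport, tick)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def simulate_handshake(now=1_000_000):
    """Walk the handshake with a constructed client: a legitimate ACK passes and
    yields a client entry (MSS 1460); a forged ACK and a stale ACK are rejected."""
    client, device = "198.51.100.7", "203.0.113.10"
    sport, dport, client_isn = 40001, 80, 0x1234ABCD
    cookie = make_cookie(client, device, sport, dport, client_isn, 1460, now)    # SYN-ACK
    legit = verify_cookie(client, device, sport, dport, client_isn + 1, cookie + 1, now + 5)
    forged = verify_cookie(client, device, sport, dport, client_isn + 1, 0xDEADBEEF + 1, now + 5)
    stale = verify_cookie(client, device, sport, dport, client_isn + 1, cookie + 1, now + 64 * 10)
    return {"legit_mss": legit, "forged": forged, "stale": stale}
```

The point of the layout is that everything the device needs to create the client entry in step 4 is recovered from the ACK itself, which is why a flood of SYNs that never complete costs no memory.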
The benefit of SYN Cookies over "usual" delayed bind is that when SYN Cookies are used, no memory resources on the device (for example, Session Table entries) are allocated for sessions before the 3-way handshake is complete. This ensures that device memory resources are not exhausted by the SYN attack.

SYN-ACK Reflection Attacks Prevention

SYN-ACK Reflection Attacks Prevention is intended to prevent reflection of SYN attacks and reduce the SYN-ACK packet storms that are created as a response to DoS attacks. When the device is under SYN attack, it sends a SYN-ACK packet with an embedded cookie in order to prompt the client to continue the session. In the case of DoS SYN attacks, two problems may arise:

• Third parties can use the SYN-ACK replies to launch attacks on selected sites by adopting the selected site's address as the source IP address of the attack.
• The SYN-ACK packets create a storm of reflected traffic that consumes bandwidth and may block legitimate traffic.

SYN-ACK Reflection Attacks Prevention responds to the challenge of the DoS SYN reflection attack by limiting the number of SYN-ACK packets sent to a specific IP address. This mechanism works in the following way:

1. The limiting action is applied when the number of SYN-ACK packets exceeds the defined threshold.
2. The threshold represents the number of uncompleted TCP sessions, and is calculated by comparing, for each source IP address, the total number of SYN packets that arrived at the device with the number of completed TCP sessions. The time interval for this threshold is set per second.
3. The threshold is user defined (recommended values are pre-configured as defaults); see SYN Flood Protection, page 275.
4. The limitation of SYN-ACK packets does not affect the SYN attack detection (start/stop) mechanism.
5.
Once the limiting action is applied, the device ignores any additional SYN packets arriving from the specific IP address that is the source of the attack.

Note: The device behavior in the case of a Distributed SYN attack remains unchanged.

To configure SYN Flood Protection:

1. Enable the Session Table, see To enable Layer 4, page 277.
2. Set the Session Table Lookup Mode to Layer 4, see To enable Layer 4, page 277.
3. Enable SYN Flood Protection and set the SYN Flood General Parameters, see SYN Flood Protection General Settings, page 278.
4. Create a new custom SYN Attack Profile, see Creating Custom SYN Attacks, page 280.
5. View the SYN Flood Order, see Viewing SYN Flood Order, page 281.

Before Setting Up SYN Flood Protection

Before activating the SYN Flood Protection module, you need to configure the Session Table to operate at Layer 4, as SYN attack detection can take effect only when the device operates at Layer 4.

To enable Layer 4:

1. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
2. From the LinkProof Setup window, select Global. The Global pane appears.
3. From the Global pane, select the Session Table Settings option button and click Edit Settings. The Session Table Settings window appears.
4. From the Session Table Settings window, set the following parameters:
   Session Table Status: Enabled
   Session Table Lookup Mode: Full Layer 4
5. Click Ok to exit all windows.

Note: When using the SYN Flood Protection Filters (which are part of the Security module) you must set the inbound and outbound traffic to operate in process mode.

SYN Flood Protection General Settings

Once you have configured the Session Table to operate in Layer 4 mode, you can enable SYN Flood Protection and configure its general parameters.

Table 25 - SYN Protection Parameters

SYN Flood Protection Status: Enables/disables SYN Flood Protection mode.
(checkbox) Default: Enabled.

SYN Flood Global Statistics Status (checkbox): Whether to calculate SYN protection statistics (number of SYNs and request packets) also for SYN-protection-enabled policies, or only for the triggers. Default: Enabled.

SYN Protection Timeout: Timeout to complete the TCP 3-way handshake. Range: 0-10 (0 means no timeout). Default: 5 seconds.

SYN Protection Threshold Up Ratio: Percentage of uncompleted SYNs compared to total opened sessions within 1 second, used to invoke SYN Protection. Range: 0-100. Default: 30.

SYN Protection Threshold Down Ratio: Percentage of uncompleted SYNs compared to total opened sessions, used to shut SYN Protection. Measured per 1 second. Note: The "SYN Protection Threshold Down Ratio" value must be lower than the "SYN Protection Threshold Up Ratio". If you define an equal or higher value, the device responds with an error message instructing you to set a lower value. Range: 0-100. Default: 20.

SYN Protection Tracking Time: Invoke (or shut) SYN Protection if the SYN threshold is passed for more than the defined time interval. Range: 1-10. Default: 5.

SYN Protection Minimum SYNs for trigger: Absolute minimum number of uncompleted SYNs compared to total opened sessions within 1 second, used to invoke SYN Protection. Value: >= 0. Default: 2500.

SYN-ACK Reflection Protection Mode: Activates the SYN-ACK Reflection Attack Prevention mechanism using one of the following modes:
• Enable: The prevention mode.
• Report Only: The report-only mode (no prevention).
• Disable: The mechanism is disabled.
Default: Disable.

SYN-ACK Reflection SrcIP Sampling per second: Number of SYN packets per second that are sampled and whose source IP is to be monitored. Range: 0-10000. Default: 100.
SYN-ACK Reflection Maximum SYN Cookies Per Source: The limiting threshold that represents the maximum number of uncompleted TCP sessions per source IP per second that will be answered. Any session exceeding this rate will be ignored. Range: 1-100,000. Default: 1,000.

Maximum Traps per Time Interval: Maximum number of SYN Flood and ACK Reflection traps per defined time interval. Value: >0. Default: 100.

Traps Time Interval (seconds): User-defined time interval for limiting traps. Value: >0. Default: 60 seconds.

To enable SYN Flood Protection and configure the general parameters:

1. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
2. From the LinkProof Setup window, select Global > SYN Flood Protection Settings and click Edit Settings. The SYN Flood Protection Settings window appears.
3. From the SYN Flood Protection Settings window, set the parameters as explained in Security Tuning Parameters, page 306, and click Apply > Ok.

Creating Custom SYN Attacks

Radware provides you with a set of SYN attacks. In addition, you can create user-defined attacks.

Figure 41 - Custom SYN Attack

To create a Custom SYN Attack:

1. From the main window, click Security. The Connect and Protect window appears.
2. From the Connect and Protect window, click anywhere in the SYN Floods column. The Settings pane appears.
3. From the Settings pane, click Custom Attack. The Custom SYN Attack window appears.
4. From the Custom SYN Attack window, set the following parameters:
   Attack Name: Enter the name of your new attack.
   Protocol: TCP
   Destination Port Range (To): Enter the end of the destination port range.
   Destination Port Range (From): Enter the start of the destination port range.
   Attack Description: Enter a user-defined attack description.
5. Click Ok. Your preferences are recorded.
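To make the interplay of the Table 25 thresholds and the SYN-ACK Reflection mechanism (page 276) concrete, here is an added example, not LinkProof code, that evaluates the start/stop decision once per second with the documented defaults (Up Ratio 30, Down Ratio 20, Tracking Time 5, Minimum SYNs 2500) and applies the per-source SYN-cookie cap (default 1,000) in each of the three SYN-ACK Reflection modes. The definition of the ratio as the percentage of last-second SYNs that did not complete the handshake, the exact hysteresis rule and all traffic figures are this example's assumptions.

```python
from collections import Counter


class SynFloodDetector:
    """Start/stop decision from the Table 25 thresholds, evaluated once per second.

    Assumption: the "ratio" is the share of SYNs seen in the last second that did
    not complete the handshake, in percent. A state change requires the relevant
    threshold to be crossed for Tracking Time consecutive seconds."""

    def __init__(self, up_ratio=30, down_ratio=20, tracking_time=5, min_syns=2500):
        if down_ratio >= up_ratio:
            # The device itself refuses this configuration with an error message.
            raise ValueError("Threshold Down Ratio must be lower than Threshold Up Ratio")
        self.up_ratio, self.down_ratio = up_ratio, down_ratio
        self.tracking_time, self.min_syns = tracking_time, min_syns
        self.active = False      # True while SYN Protection is invoked
        self.streak = 0          # consecutive seconds the relevant threshold was crossed

    def observe_second(self, syns, completed):
        """Feed one second of counters; return True if protection is active afterwards."""
        uncompleted = max(syns - completed, 0)
        ratio = 100.0 * uncompleted / syns if syns else 0.0
        if not self.active:
            crossed = ratio > self.up_ratio and uncompleted >= self.min_syns
        else:
            crossed = ratio < self.down_ratio
        self.streak = self.streak + 1 if crossed else 0
        if self.streak >= self.tracking_time:      # sustained for Tracking Time seconds
            self.active = not self.active
            self.streak = 0
        return self.active


class SynAckReflectionLimiter:
    """Per-source cap on answered SYNs (SYN-ACK Reflection Maximum SYN Cookies Per
    Source). Counters are per second and reset through new_second(). In
    "report_only" mode the excess is flagged but still answered; in "enable"
    mode further SYNs from that source are ignored."""

    def __init__(self, max_cookies_per_source=1000, mode="enable"):
        self.limit, self.mode = max_cookies_per_source, mode
        self.counts = Counter()

    def new_second(self):
        self.counts.clear()

    def on_syn(self, src_ip):
        """Return 'answer', 'report' or 'ignore' for a SYN from src_ip."""
        self.counts[src_ip] += 1
        if self.mode == "disable" or self.counts[src_ip] <= self.limit:
            return "answer"
        return "ignore" if self.mode == "enable" else "report"


def simulate_flood():
    """Constructed traffic: 5 quiet seconds, 8 seconds of flood, 8 quiet seconds.
    Returns the seconds at which the detector changed state."""
    det = SynFloodDetector()
    per_second = [(1000, 990)] * 5 + [(20000, 2000)] * 8 + [(1000, 990)] * 8
    changes, state = [], det.active
    for sec, (syns, done) in enumerate(per_second):
        if det.observe_second(syns, done) != state:
            state = det.active
            changes.append((sec, state))
    return changes


def simulate_reflection_limit(mode="enable"):
    """One source sends 1200 SYNs in one second against the default 1000-per-source cap."""
    lim = SynAckReflectionLimiter(mode=mode)
    lim.new_second()
    verdicts = Counter(lim.on_syn("198.51.100.77") for _ in range(1200))
    return dict(verdicts)
```

With these figures the flood begins at second 5 and protection is invoked at second 9, after the Up Ratio has been exceeded for five consecutive seconds; it is shut at second 17, five seconds after the ratio dropped below the Down Ratio. The hysteresis between the two ratios is what keeps protection from flapping when traffic hovers near a single threshold.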
Adding a SYN Attack to the Selected SYN Attacks List

Once a custom attack is created, you can add this attack to the list of Selected SYN Flood attacks. This list contains the attacks that have been selected to provide the protection.

To add a predefined SYN Attack to the Selected SYN Attacks:

1. From the All SYN Attacks list, select the attack you wish to add.
2. Click Add. The SYN Policy Details window appears.
3. From the SYN Policy Details window, set the following parameters:
   Policy Index: Enter the index number. This defines the order in which the device processes the SYN Attack Profiles.
   Verification Type: Define the process of completing the TCP session:
   • Ack: the session is completed when the ACK packet arrives (following a SYN / SYN-ACK packet exchange).
   • Request: the session is completed when the first data request packet arrives (following a SYN / SYN-ACK / ACK packet exchange).
   Protection Mode: Select either:
   • Enabled: Activates full SYN Flood protection.
   • Triggered: Activates SYN Flood protection only when an attack is identified.
   • Disabled: SYN Flood protection is disabled.
4. Click Ok. The selected attack now appears in the Selected SYN Attacks List.

Viewing SYN Flood Order

Clicking View SYN Order allows you to view the index order in which the device processes the SYN Flood Profiles.

To view the SYN Flood Order:

From the SYN Flood Settings pane, click View SYN Order. The SYN Protection Policies window appears, as shown below:

Figure 42 - SYN Protection Policies

To edit an Attack:

1. From the All SYN Attacks list, select the attack you wish to edit.
2. Click Edit. The Edit SYN Attacks window appears.
3. From the Edit SYN Attacks window, set the following parameters:
   Attack Name: Enter the name of your new attack.
   Protocol: TCP
   Destination Port Range (To): Enter the end of the destination port range.
   Destination Port Range (From): Enter the start of the destination port range.
   Attack Description: Enter a user-defined attack description.
4. Click Ok. Your preferences are recorded.

SYN Flood Reporting

You can view active SYN Flood attacks via the Active Triggers Table. Table 26 on page 283 presents the parameters of the Active Triggers Table.

Table 26: Active Triggers Table

Type: The type of the identified attack:
• SYN Flood Trigger: The identified attack is a specific attack from the list of known attacks.
• SYN Enabled Policies: The identified attack is one of the attacks that are included in all the enabled policies.
• SYN Protection Total: Displays the total number of identified attacks.
• SYN ACK Reflection: The identified attack is a SYN ACK Reflection attack.
IP Address: Source IP for type "SYN ACK Reflection", and destination IP for all other types.
L4 Port: Destination L4 port (relevant only to type "SYN Flood Trigger").
RX Port: The physical port on the device through which the attack enters.
Active Time: The number of seconds since the attack was recognized.
Last Sec SYN counter: How many SYNs were recognized in the last second.
Last Sec Verified counter: How many ACKs were recognized in the last second.
Average SYN counter: The average of the SYNs recognized since the attack began.
Average Verified counter: The average of the ACKs recognized since the attack began.
Total SYN: Total number of SYN packets for this trigger.
Total Dropped sessions: Total number of unverified sessions for this trigger.

To view the Active Triggers Table:

1. From the main window, click Security. The Connect and Protect table appears.
2. From the Connect and Protect table, click in the SYN Floods column. The SYN Floods Settings pane appears.
3. From the SYN Floods Settings pane, click Active Triggers. The Active Triggers Table appears.
Protocol Anomalies

This section explains Protocol Anomaly attacks and includes an explanation of the Anomalies Module and Stateful Inspection. This section contains the following topics:

• Introduction to Protocol Anomalies, page 284
• How to Use the Anomalies Module, page 284
• Stateful Inspection, page 290

Introduction to Protocol Anomalies

To avoid IDS, hackers may use evasion techniques such as splitting packets and sending attacks in fragments. Fragmented packets are suspected of containing an attack. An attack that contains fragmented packets is called a Protocol Anomaly attack. Protocol Anomaly attacks are detected and blocked using the Protocol Anomaly Protection mechanism. Protocol Anomaly attacks are recognized according to the packet's size: the size of the fragmented packets exceeds the boundaries of the predefined length. Protection against Protocol Anomaly attacks is achieved by dropping the suspected packets.

Protocol Anomaly Protection provides protection against two types of protocol anomalies:

• IP protocol anomalies
• URI anomalies

IP Protocol Anomalies

IP protocol anomalies refer to IP fragmentation, an evasion technique in which the hacker deliberately fragments packets. The hacker uses many small fragmented packets in order either to cause a server to crash or to evade firewall defenses. For example, the Ping of Death fragmentation attack uses many small fragmented packets which, when reassembled at the destination, exceed the maximum allowable size for an IP datagram. This can cause the victim host to crash, hang or reboot.

URI Protocol Anomalies

The IP fragmentation concept can be applied to packets that contain "fragments" of a URI. When the size of the URI packet is below the lower boundary of the predefined length, the packet may contain a fragmented URI. When the size of the URI packet exceeds the upper boundary of the predefined length, this is an indication of a buffer overflow.
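The two boundaries just described, plus the IP fragment size check, reduce to three length comparisons per packet. The following added example, not LinkProof code, shows them applied to constructed sample packets; the threshold values, the Packet fields and the rule that a request line lacking its HTTP-version token in an undersized packet counts as a split URI are this example's assumptions, not the device's defaults or its parser.

```python
from dataclasses import dataclass

# Constructed thresholds standing in for the Anomalies module parameters named in
# this section (MIN Fragment Size, MIN fragmented URI packet Size, MAX URI Length).
# They are illustrative values, not the device's defaults.
MIN_FRAGMENT_SIZE = 64          # bytes; a non-final IP fragment shorter than this is suspect
MIN_URI_PACKET_SIZE = 40        # bytes; a request packet shorter than this may carry a split URI
MAX_URI_LENGTH = 2048           # bytes; a longer request-URI indicates a buffer-overflow attempt


@dataclass
class Packet:
    src_ip: str
    length: int                   # total IP packet length on the wire (constructed)
    more_fragments: bool = False  # IP header MF flag
    payload: bytes = b""          # TCP payload, if any


def inspect_packet(pkt):
    """Return "forward" or "drop: <reason>" for one packet."""
    # IP Fragmentation protection: many small non-final fragments are the
    # signature of the deliberate-fragmentation evasion (e.g. Ping of Death).
    if pkt.more_fragments and pkt.length < MIN_FRAGMENT_SIZE:
        return "drop: IP fragment below minimum size"

    request_line = pkt.payload.split(b"\r\n", 1)[0]
    if not request_line.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "forward"          # not the start of an HTTP request; no URI to check

    fields = request_line.split(b" ")
    # Buffer Overflow protection: request-URI longer than the upper boundary.
    if len(fields) >= 2 and len(fields[1]) > MAX_URI_LENGTH:
        return "drop: URI exceeds maximum length"

    # HTTP Fragmentation protection: a packet below the lower boundary whose request
    # line never reaches the HTTP-version token carries a URI split across packets.
    if pkt.length < MIN_URI_PACKET_SIZE and not request_line.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "drop: fragmented URI"
    return "forward"


# Constructed sample traffic: a normal request, a tiny non-final fragment, a split
# URI, and an oversized URI.
SAMPLE_PACKETS = [
    Packet("198.51.100.5", 1400, payload=b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("198.51.100.6", 28, more_fragments=True),
    Packet("198.51.100.7", 36, payload=b"GET /cgi-bin/sea"),
    Packet("198.51.100.8", 3000, payload=b"GET /" + b"A" * 2500 + b" HTTP/1.0\r\n\r\n"),
]


def run_samples():
    """Verdict for each constructed packet, in order."""
    return [inspect_packet(p) for p in SAMPLE_PACKETS]
```

Note that only the first check looks at IP-layer fields; the other two need the request line, which is why the module distinguishes IP Fragmentation protection from HTTP Fragmentation and Buffer Overflow protection.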
The hacker uses packets in which the URL is split across multiple packets. This attack enables hackers to insert malicious data into the Web server.

The Anomalies Module

The Anomalies module provides protection using three sub-groups:

• Protocol_Anomalies group
• Buffer Overflow protection (MAX URI Length parameter)
• Fragment Attack protection, including:
  — HTTP Fragmentation protection (MIN fragmented URI packet Size parameter)
  — IP Fragmentation protection (MIN Fragment Size parameter)

How to Use the Anomalies Module

Radware supplies a set of predefined Attack Groups that provide constant protection against all recent attacks. You can use these groups to define prevention profiles. Most existing intrusions can be prevented using the Radware groups. Once a new protection profile is defined, you can add Stateful Inspection to it. In addition to the Radware-defined groups, you can create custom Attack Groups, custom Advanced attacks, and custom Basic attacks. For new users, it is recommended to define Anomalies protection profiles using Radware-defined attacks only.

To configure Anomalies using Radware Defined Attacks:

1. Enable Anomalies, see Application Security Parameters, page 236.
2. Define the Protocol Anomalies general parameters, see Protocol Anomaly Protection Parameters, page 238.
3. Define an Anomaly Flood Prevention Profile and apply it to the Connect and Protect Table, see Creating a User Defined Profile, page 289.
4. Add Stateful Inspection to the new profile (optional), see Stateful Inspection, page 290.

To configure Anomalies using User Defined Attacks:

1. Enable Anomalies, see Application Security Parameters, page 236.
2. Define the Protocol Anomalies general parameters, see Protocol Anomaly Protection Parameters, page 238.
3. Define Basic attacks, see Configuring Basic Protocol Anomaly Attacks, page 285.
4. Define Advanced attacks (optional), see Configuring Advanced Protocol Anomaly Attacks, page 287.
5.
Define Attack Groups, see Anti-Scanning Custom Attack Groups, page 298.
6. Define an Anomaly Flood Prevention Profile and apply it to the Connect and Protect Table, see Creating a User Defined Profile, page 289.
7. Add Stateful Inspection to the new profile (optional), see Stateful Inspection, page 290.

Configuring Basic Protocol Anomaly Attacks

Basic Attacks (Custom Intrusion Attacks Window, page 247) are the basic building blocks of the Anomaly Prevention Profile. Each Basic Attack constitutes protection against a specific attack, meaning that the profile has a specific attack signature and protection parameters. Radware provides you with a set of predefined attacks. You can also create user-defined Basic Attacks.

Figure 43 - Custom Anomaly Attacks Window

The parameters of each Basic Attack are divided into the following categories:

• Description parameters
• Protocol definition parameters
• OMPC definition parameters
• Content definition parameters

Description Parameters

Description parameters, shown in Table 17 on page 247, are the user-defined description of the custom attack.

Table 27: Description Parameters

Attack Name: The name of the attack as you define it.
Description: A description of the attack.

Protocol Parameters

Protocol definition parameters define the transmission protocol. For the detailed parameter descriptions, refer to Protocol Parameters, page 248.

OMPC Parameters

Offset Mask Pattern Condition (OMPC) is a set of Attack parameters that define a rule for pattern lookups. The OMPC rule looks for a fixed-size pattern of up to four bytes, using fixed-offset masking. This is useful only for attack recognition where the attack signature is a TCP/IP header field or a pattern in the data/payload at a fixed offset. The OMPC parameters are presented in OMPC Parameters, page 248.
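An OMPC rule is small enough to implement completely, which is the clearest way to see what "up to four bytes at a fixed offset, under a mask" can and cannot express. The following added example, not LinkProof code, evaluates a few constructed rules against minimal IPv4/TCP headers: a SYN-FIN flag combination (the stealth-scan pattern named under Stateful Inspection below), a set fragment field, and a low TTL. The rule fields, the four condition names, the header builder and the addresses are this example's assumptions; the device's actual parameters are documented under OMPC Parameters, page 248.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OmpcRule:
    """One Offset-Mask-Pattern-Condition rule (field names and the set of
    conditions are this example's assumptions)."""
    name: str
    offset: int        # byte offset from the start of the packet (header or payload)
    mask: bytes        # 1-4 bytes ANDed with the packet bytes before comparing
    pattern: bytes     # value compared against the masked bytes (same length as mask)
    condition: str     # "equal", "not_equal", "greater" or "less"

    def matches(self, packet: bytes) -> bool:
        if not 1 <= len(self.mask) <= 4 or len(self.mask) != len(self.pattern):
            raise ValueError("mask and pattern must be 1-4 bytes of equal length")
        end = self.offset + len(self.mask)
        if end > len(packet):
            return False                      # field lies beyond this packet: no match
        field = bytes(b & m for b, m in zip(packet[self.offset:end], self.mask))
        want = bytes(p & m for p, m in zip(self.pattern, self.mask))
        if self.condition == "equal":
            return field == want
        if self.condition == "not_equal":
            return field != want
        lhs, rhs = int.from_bytes(field, "big"), int.from_bytes(want, "big")
        if self.condition == "greater":
            return lhs > rhs
        if self.condition == "less":
            return lhs < rhs
        raise ValueError(f"unknown condition {self.condition!r}")


def evaluate(packet: bytes, rules):
    """Names of the rules whose OMPC matches this packet."""
    return [rule.name for rule in rules if rule.matches(packet)]


# Constructed rules over IPv4/TCP header fields. Offsets assume a 20-byte IPv4
# header without options followed directly by the TCP header.
SAMPLE_RULES = (
    OmpcRule("SYN-FIN flags", offset=33, mask=b"\x03", pattern=b"\x03", condition="equal"),
    OmpcRule("IP fragment", offset=6, mask=b"\x3f\xff", pattern=b"\x00\x00", condition="not_equal"),
    OmpcRule("TTL below 5", offset=8, mask=b"\xff", pattern=b"\x05", condition="less"),
)


def build_ipv4_tcp(ttl=64, tcp_flags=0x02, frag_field=0, dst_port=80):
    """Minimal constructed IPv4 + TCP header (checksums left zero) for the samples."""
    ip = (b"\x45\x00" + (40).to_bytes(2, "big") + b"\x00\x01"
          + frag_field.to_bytes(2, "big") + bytes([ttl, 6]) + b"\x00\x00"
          + bytes([198, 51, 100, 9]) + bytes([203, 0, 113, 10]))
    tcp = ((40000).to_bytes(2, "big") + dst_port.to_bytes(2, "big") + b"\x00" * 8
           + bytes([0x50, tcp_flags]) + b"\xff\xff" + b"\x00" * 4)
    return ip + tcp
```

The mask is what makes the SYN-FIN rule ignore the other flag bits, and the "IP fragment" rule shows why a two-byte mask (the MF bit plus the 13-bit fragment offset) is needed rather than a single flag. Anything that moves with the packet, such as a URI at a variable offset, is outside what OMPC can express and belongs to the Content parameters.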
Content Parameters

Content parameters define the rule for a text/content string lookup. This rule is intended for attack recognition where the attack signature is a text/content string within the packet payload. For the detailed parameter descriptions, refer to Content Parameters, page 250.

Tracking Parameters

Tracking parameters (Tracking Parameters, page 252) define how the attack is tracked and treated once its signature is recognized in the traffic. Each Application Security Attack is bound to a "Tracking" function that defines how the packet is handled when it is matched against the Attack. The main purpose of these functions is to determine whether the packet is harmful and to apply an appropriate action accordingly. There are two types of match functions:

• The "immediate" type, which makes decisions based on a single packet. The signature match by itself is considered an indicator of the attack and the packet is dropped ("Drop All"). For example, MS Blast.
• The "Threshold" or "Counter" functions. These functions assume that the signature match alone is not enough to classify a packet as offensive, since the packet may be legitimate unless the number of packets per period of time exceeds a threshold that defines "reasonable" behavior for such traffic. Only packets that exceed the threshold within a predefined time slot are dropped. For example, ICMP flood attacks and DoS attacks.

For the detailed parameter descriptions, refer to Tracking Parameters, page 252.

To create a Basic Attack:

1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anomalies column. The Settings pane appears.
3. From the Settings pane, click Custom Attack. The Custom Protocol Anomaly Attack window appears.
4. From the Custom Protocol Anomaly Attack window, select the Basic Attack option button.
5.
Set the new Basic Attack parameters, see Configuring Basic Protocol Anomaly Attacks, page 285.
6. Click Ok. The Custom Anomalies Attack window closes.

Configuring Advanced Protocol Anomaly Attacks

The second building block of the Anomaly Prevention Profile is the Advanced Attack. The Advanced Attack represents a logical AND between two or more Basic custom attacks. Some attacks have a complex signature comprised of several patterns and content strings. These attacks require more than one Basic Attack to protect against them. Advanced attacks are made up of a collection of Basic Attacks selected from the Basic Attack list. You can create Advanced Attacks using user-defined Basic Attacks only.

Figure 44 - Advanced Attacks window

To create an Advanced Attack:

1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anomalies column. The Settings pane appears.
3. From the Settings pane, select Custom Attack. The Custom Protocol Anomaly Attack window appears.
4. From the Custom Protocol Anomaly Attack window, click Advanced Attack. The Advanced Attack pane appears, which contains the following parameters:
   — Attacks Description: The name of the Advanced Attack (user defined).
   — Optional Basic Attacks: The list of all the user-defined Basic Attacks.
   — Selected Attacks: The Basic Attacks that you decided to include in the new Advanced Attack.
5. Select the Basic Attacks from the Optional Basic Attacks list and add them to the Selected Attacks list by moving them with the mover arrows.
6. Click Ok.

Setting Up Protocol Anomalies Attack Groups

The Custom Attack Group represents a logical OR between two or more Basic Custom Attacks or Advanced Custom Attacks. The right panel of the Custom Attack Groups window contains the list of all the existing groups.
Radware provides you with a set of predefined Custom Attack Groups as part of the Signatures file. You can also add user-defined Attack Groups using predefined Attacks or user-defined Attacks. The predefined attack groups are divided according to types of protection. For example, all attack signatures designed to harm IIS Web servers are grouped under the IIS Attack Group. The groups can be activated within a Protection Policy, except for the Unassigned group. The attacks that affect performance or are prone to false positives are gathered under the Unassigned group and can be activated either by adding an Attack to an existing group or to a user-defined group.

To add a new Custom Attack Group:

1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anomalies column. The Settings pane appears.
3. From the Settings pane, select Custom Group. The Custom Attack Group window appears.
4. From the Custom Attack Group window, enter a relevant name for the new Custom Attack Group.
5. Select the attacks you wish to include in this group and move them to the Selected Attacks list using the mover arrows.

Creating a User Defined Profile

To create a new User Anomaly Profile:

1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anomalies column. The Settings pane appears.
3. From the Settings pane, click New Profile. The New Anomaly window appears.
4. From the New Anomaly window, enter a name for the new profile.
5. Click Ok. Your new profile appears in the Anomaly Flood Profiles list.

Editing Attacks

To edit an attack:

1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, double-click anywhere in the Intrusions column. The Settings pane appears.
3.
From the All Attacks list, select the attack you wish to edit and click Edit Attack. The Custom Intrusion Attack window appears.
4. You may now edit the parameters of the attack.
5. Click Ok. Your preferences are recorded. See the table "Description Parameters" on page 286.

Stateful Inspection

Stateful Inspection provides additional protection against application-level attacks. Stateful Inspection accommodates attacks where the packets exchanged between a client and a server are legitimate, but the security threat is revealed when inspecting a sequence of packets within a session. Most of the attacks protected against by Stateful Inspection are cases of protocol misuse, where a session does not obey the state transitions defined by the specific protocol.

Radware Stateful Inspection provides an additional level of protection by preventing application-layer attacks, such as:

• TCP Flooding: SYN-ACK (reflector attack), TCP packet storms.
• Stealth scanning: sending TCP fin / rst / ack / syn-fin packets, etc. to detect which ports are open.
• DNS reply flooding: Floods a server using DNS replies (usually done as a reflector attack).
• ICMP Echo reply flooding: Floods a server using echo replies; a good example is Smurf (usually done as a reflector attack).
• WinNuke: WinNuking is a term for a simple procedure that malicious computer users use on other computer users on the Internet. Effects of this procedure include the victim's computer crashing, or loss of their connection to the Internet. The WinNuking procedure is a very simple one, exploiting a large bug in the Windows 95/NT networking system. Basically, the program attaches to port 139 of any Windows 95 computer and sends "junk" into the port.
Also known as an OOB (Out of Bounds) attack, this causes the networking system to bomb and the computer crashes.
• FTP Bounce: In some implementations of FTP daemons, the PORT command can be misused to open a connection to a port of the attacker's choosing on a machine that the attacker could not have accessed directly.

In firewall implementations, stateful inspection provides protection against low-level corruption attacks, such as Ping of Death, Land Attack, IP Source Route attacks, IP Range Scan, and so on. Protection against this type of attack is already provided by the Intrusion Prevention module and by the Anomalies module.

To configure Stateful Inspection:

To activate Stateful Inspection:

1. From the main window, click Security and then Anomalies. The Anomalies window opens below the Connect & Protect table.
2. Create a new profile and add Stateful Inspection. The Stateful settings screen appears. Select the required set of protocols to perform stateful protection and then click OK.

To set the Stateful Inspection Global Settings:

1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anomalies column. The Anomalies pane appears.
3. From the Anomalies pane, click Inspection Settings. The Inspection Settings window appears, as shown below:

Figure 45 - Inspection Settings

4. From the Inspection Settings window, set the following parameters:
   Protection Status: Enable / Disable. You must set Protection Status to Enable to start stateful protection.
   Action Mode: Define the action mode:
   • Forward: The packet is forwarded to the defined destination.
   • Drop: In the case of UDP or ICMP sessions the packet is dropped. For TCP and TCP-based sessions, provided this is the first packet of the session, a reset is sent to the originator.
If this is not the first packet, a reset is sent both to the originator and to the destination.
   Startup Mode: Define the startup mode, either:
   • On: Start protection immediately. Existing sessions will be dropped and only new sessions will be allowed.
   • Off: Do not protect.
   • Graceful: Start protection while maintaining existing sessions for a configurable time, defined by Startup Timer.
   Startup Timer: The time to maintain existing sessions when the Stateful Inspection feature is activated in Graceful mode. Sessions that were not closed after this time will be dropped.
   Operational Status: This enables the user to start/stop Stateful Protection without resetting the device.
   • On = protect
   • Off = do not protect.
5. Click Set. Your preferences are recorded.

Stateful Inspection Aging Settings

The Stateful Inspection Aging Settings window allows you to view and change the aging parameters of the protocols protected by this feature. The aging parameter specifies the maximum idle time allowed between a request and a response per protocol, or between two sequential packets. When the aging time has passed, sessions are considered old, and packets related to these sessions are dropped.

Note: The user must tune the protocol aging with care. It is recommended to consult Radware Support before making any changes in this table.

To set Stateful Inspection Aging Settings:

1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anomalies column. The Anomalies pane appears.
3. From the Anomalies pane, click Inspection Settings. The Inspection Settings window appears.
4. From the Inspection Settings window, click Inspection Aging Settings. The Inspection Aging Settings window appears, as shown below:

Figure 46 - Inspection Aging Settings

5. Select the Protocol Index that you wish to change and then click Edit. The Edit Inspection Aging Settings window appears.
6. From the Edit Inspection Aging Settings window, set the following parameters according to the explanations provided:
Protocol Name: Enter the protocol name.
Protocol Aging Value: The value of the aging parameter of the protocol, in seconds.
7. Click Ok to exit all windows. Your preferences are recorded.

Anti-Scanning

This section explains scanning and anti-scanning techniques, as well as the Anti-Scanning module and how to configure it. This section contains the following topics:
• Introduction to Anti-Scanning, page 293
• How to Use the Anti-Scanning Module, page 293

Introduction to Anti-Scanning

Prior to launching an attack, hackers usually try to identify which TCP and UDP ports are open. An open port represents a service, an application or a backdoor. Ports that were left open unintentionally can create a serious security problem. Application Security provides a mechanism that prevents hackers from gaining this information by blocking and altering the server replies sent to the hacker.

Network Scanning: Legitimate traffic that is sent to a recipient in order to learn about the system and its applications, in preparation for future attacks. As the packets sent by the attacker are legitimate and legal, analyzing the whole flow of traffic is the only way to detect the scanning.

Anti-Scanning Module

The Anti-Scanning module provides protection against network and port scanning. The groups included in this module are:
• Scanning: Provides protection against known scanning tools.
• Scanning Tools: The "Scanning-Tools" group contains signatures of miscellaneous network scanning tools. Signatures in this group protect your network from the scanning tools that attempt to scan your network.
• Scanning-Generic: The "Scanning-Generic" group contains attack filters that detect network horizontal scanning, in which a scanner runs a wide set of connection trials on different ports of the same machine address.
As the scanning tools are waiting for the server's positive reply, this group contains attack filters that detect and block all outgoing server traffic according to the attack source and destination IP addresses (TCP or UDP positive reply packets).

How to Use the Anti-Scanning Module

Radware supplies a set of predefined Attack Groups that provide constant protection against all recent attacks. You can use these groups to define prevention profiles. Most of the existing intrusions can be prevented using Radware groups. In addition to the Radware defined groups, you can create custom Attack Groups, custom Advanced attacks, and custom Basic attacks. For new users, it is recommended to define Anomalies protection profiles using Radware defined attacks only.

To configure Anti-Scanning using Radware Defined Attacks:
1. Enable Anti-Scanning and set the general parameters, see Application Security Parameters, page 236.
2. Define the Anti-Scanning profile and apply it to the Connect and Protect Table, see Creating a New User Defined Profile, page 298.

To configure Anti-Scanning using User Defined Attacks:
1. Enable Anti-Scanning and set the general parameters, see Application Security Parameters, page 236.
2. Define Basic attacks, see Configuring Basic Anti-Scanning Attacks, page 295.
3. Define Advanced attacks (optional), see Configuring Advanced Anti-Scanning Attacks, page 296.
4. Define Attack Groups, see Anti-Scanning Custom Attack Groups, page 298.
5. Define the Anti-Scanning profile and apply it to the Connect and Protect Table, see Creating a New User Defined Profile, page 298.

Configuring Basic Anti-Scanning Attacks

Basic Attacks (Custom Intrusion Attacks Window, page 247) are the basic building block of the Anti-Scanning Profile. Each Basic Attack constitutes protection against a specific attack, meaning that the profile has a specific attack signature and protection parameters.
Radware provides you with a set of predefined attacks. You can also create user defined Basic Attacks.

Figure 47 - Custom Intrusion Attacks Window

The parameters of each Custom Attack are divided into the following categories:
• Description parameters
• Protocol definition parameters
• OMPC definition parameters
• Content definition parameters

Description Parameters

Description parameters, shown in Table 28 on page 295, are the user-defined description of the custom attack.

Table 28: Description Parameters
Parameter      Description
Attack Name    The name of the attack as you define it.
Description    A description of the attack.

Protocol Parameters

Protocol definition parameters define the transmission protocol. For the detailed parameter descriptions refer to Table 18, "Protocol Parameters," on page 248.

OMPC Parameters

Offset Mask Pattern Condition (OMPC) is a set of Attack parameters that define a rule for pattern lookups. The OMPC rule looks for a fixed-size pattern of up to four bytes at a fixed offset, with a mask applied before the comparison. This is useful only for attack recognition where the attack signature is a TCP/IP header field or a pattern in the data/payload at a fixed offset. The OMPC parameters are presented in Table 19, "OMPC Parameters," on page 248.

Content Parameters

Content parameters define the rule for a text/content string lookup. This rule is intended for attack recognition where the attack signature is a text/content string within the packet payload. For the detailed parameter descriptions refer to Table 20, "Content Parameters," on page 250.

Tracking Parameters

Tracking parameters, shown in Table 21, "Tracking Parameters," on page 252, define how the attack is tracked and treated once its signature is recognized in the traffic. Each Application Security Attack is bound to a "Tracking" function that defines how the packet is handled when it is matched against the Attack.
The main purpose of these functions is to determine whether the packet is harmful and to apply an appropriate action accordingly. There are two types of match functions:
• The "Immediate" type makes decisions based on a single packet. The signature match by itself is considered an indicator of the attack and the packet is dropped ("Drop All"). For example, MS Blast.
• The "Threshold" or "Counter" functions. These functions assume that the signature match alone is not enough to classify a packet as offensive, since the packet may be legitimate unless the number of packets per period of time exceeds a threshold that defines a "reasonable" behavior for such traffic. Only packets that exceed the threshold within a predefined time slot are dropped. For example, ICMP flood attacks and DoS attacks.

For the detailed parameter descriptions refer to Table 21, "Tracking Parameters," on page 252.

To create a Basic Anti-Scanning Attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anti-Scanning column. The Settings pane appears.
3. From the Settings pane, click Custom Attack. The Anti-Scanning window appears.
4. From the Anti-Scanning window, select the Basic Attack option button.
5. Set the new Basic Attack parameters as explained in the "Description Parameters" table on page 247.
6. Click Ok. The Anti-Scanning window closes.

Configuring Advanced Anti-Scanning Attacks

The second building block of the Anti-Scanning Profile is the Advanced Attack. The Advanced Attack represents a logical AND between two or more Basic custom attacks. Some attacks have a complex signature comprised of several patterns and content strings. These attacks require more than one Basic Attack to protect against them. Advanced Attacks are made up of a collection of Basic Attacks, selected from and removed from the Basic Attack list.
You can create Advanced Attacks using user defined Basic Attacks only.

Figure 48 - Advanced Attack Window

To create an Advanced Attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anti-Scanning column. The Settings pane appears.
3. From the Settings pane, select Custom Attack. The Anti-Scanning window appears.
4. From the Anti-Scanning window, click Advanced Attack. The Advanced Attack pane appears, which contains the following parameters:
• Attacks Description: The name of the Advanced Attack that you define.
• Optional Basic Attacks: The list of all user defined Basic Attacks.
• Selected Attacks: Basic Attacks that you decide to include in the new Advanced Attack.
5. In the Attack Name text box, type the name of the new Advanced Attack.
6. Select the Basic Custom attacks from the Optional Basic Attacks list and add them to the Selected Attacks list using the mover arrows.
7. Click Ok.

Anti-Scanning Custom Attack Groups

The Custom Attack Group represents a logical OR between two or more Basic Custom Attacks or Advanced Custom Attacks. The right panel of the Custom Attack Groups window contains the list of all the existing groups. Radware provides you with a set of predefined Custom Attack Groups as part of the Signatures file. You can also add user-defined Attack Groups using predefined Attacks or user-defined Attacks. The predefined attack groups are divided according to types of protection. For example, all attack signatures designed to harm IIS Web servers are grouped under the IIS Attack Group. The groups can be activated within a Protection Policy, except for the Un-assigned group. Attacks that affect performance or are prone to false positives are gathered under the Un-assigned group and can be activated by adding the Attack either to an existing group or to a user defined group.
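The following is an added illustration, not Radware code, of how the building blocks described above fit together: Basic Attacks carrying an OMPC or content signature bound to either Immediate or Threshold/Counter tracking, an Advanced Attack as a logical AND of Basic Attacks, and a Custom Attack Group as a logical OR, with a Scanning-Generic style counter that flags connection trials to many different ports of one host. The packet records, signature bytes, attack names and thresholds are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Hashable, List, Optional, Union

@dataclass
class Packet:                      # constructed packet record for this example
    ts: float                      # arrival time in seconds
    proto: str                     # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""                # TCP flags, e.g. "S" for SYN
    payload: bytes = b""

def ompc(offset: int, mask: bytes, pattern: bytes) -> Callable[[Packet], bool]:
    """Offset-Mask-Pattern-Condition: up to four masked bytes at a fixed payload offset."""
    assert 1 <= len(pattern) <= 4 and len(mask) == len(pattern)
    def match(p: Packet) -> bool:
        window = p.payload[offset:offset + len(pattern)]
        if len(window) < len(pattern):
            return False
        return all(b & m == q & m for b, m, q in zip(window, mask, pattern))
    return match

def content(text: bytes) -> Callable[[Packet], bool]:
    return lambda p: text in p.payload      # content rule: string anywhere in the payload

@dataclass
class BasicAttack:
    """Protocol + one signature + tracking function. threshold=None is the "Immediate"
    type (a single match drops). Otherwise "Threshold/Counter": drop only once more than
    `threshold` hits (or distinct `unit` values, e.g. ports) per (src, dst) fall in `window` s."""
    name: str
    proto: str
    signature: Callable[[Packet], bool]
    threshold: Optional[int] = None
    window: float = 0.0
    unit: Optional[Callable[[Packet], Hashable]] = None
    _seen: dict = field(default_factory=lambda: defaultdict(list), init=False, repr=False)

    def drop(self, p: Packet) -> bool:
        if p.proto != self.proto or not self.signature(p):
            return False
        if self.threshold is None:
            return True                                   # Immediate: "Drop All"
        key = (p.src, p.dst)
        recent = [(t, u) for t, u in self._seen[key] if p.ts - t <= self.window]
        recent.append((p.ts, None if self.unit is None else self.unit(p)))
        self._seen[key] = recent                          # hits outside the time slot expire
        count = len(recent) if self.unit is None else len({u for _, u in recent})
        return count > self.threshold

@dataclass
class AdvancedAttack:
    """Logical AND of Basic Attacks: every part must match the same packet."""
    name: str
    parts: List[BasicAttack]

    def drop(self, p: Packet) -> bool:
        verdicts = [b.drop(p) for b in self.parts]        # evaluate all so counters update
        return all(verdicts)

@dataclass
class AttackGroup:
    """Logical OR of Basic and Advanced Attacks, as activated in a profile."""
    name: str
    members: List[Union[BasicAttack, AdvancedAttack]]

    def inspect(self, p: Packet) -> Optional[str]:
        """Name of the first member that drops the packet, or None to forward it."""
        verdicts = [(m.name, m.drop(p)) for m in self.members]
        return next((name for name, d in verdicts if d), None)

def build_profile() -> AttackGroup:
    # Hypothetical signatures constructed for this example, not Radware's.
    banner = BasicAttack("scanner-banner", "TCP", content(b"SCANTOOL/1.0"))
    magic = BasicAttack("magic-bytes", "TCP", ompc(0, b"\xff\xff", b"\x13\x37"))
    tool_probe = AdvancedAttack("scanner-tool-probe", [banner, magic])
    # Scanning-Generic style rule: SYNs to more than 5 distinct ports of one host in 2 s.
    horizontal = BasicAttack("horizontal-scan", "TCP", lambda p: "S" in p.flags,
                             threshold=5, window=2.0, unit=lambda p: p.dport)
    return AttackGroup("custom-anti-scanning", [tool_probe, horizontal])

def sample_packets() -> List[Packet]:
    scanner, client, victim = "10.0.0.9", "10.0.0.5", "192.0.2.10"
    pkts = [Packet(0.1 * i, "TCP", scanner, victim, 40000 + i, port, flags="S")
            for i, port in enumerate([21, 22, 23, 25, 80, 110, 143])]    # port sweep
    pkts += [Packet(1.0 + 0.1 * i, "TCP", client, victim, 50000 + i, 80, flags="S")
             for i in range(3)]                                           # ordinary HTTP client
    pkts.append(Packet(2.0, "TCP", client, victim, 50003, 80, flags="PA",
                       payload=b"GET / HTTP/1.0 SCANTOOL/1.0"))          # banner only
    pkts.append(Packet(2.1, "TCP", scanner, victim, 40010, 80, flags="PA",
                       payload=b"\x13\x37 SCANTOOL/1.0"))                # banner AND magic
    return pkts

def run(profile: AttackGroup, packets: List[Packet]) -> List[Optional[str]]:
    return [profile.inspect(p) for p in packets]     # None = forward, else dropping attack name
```

The first five SYNs of the sweep are forwarded, the sixth and seventh are dropped by the counter, the client's repeated connections to one port are never counted as a scan, and the banner alone does not trigger the Advanced Attack until its second pattern is also present.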
To add a new Custom Attack Group:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anti-Scanning column. The Settings pane appears.
3. From the Settings pane, select Custom Group. The Custom Attack Group window appears.
4. From the Custom Attack Group window, enter a relevant name for the new Custom Attack Group.
5. Select the attacks you wish to include in this group and move them to the Selected Attacks list using the mover arrows.

Creating a New User Defined Profile

To create a new User Defined Anti-Scanning Profile:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anti-Scanning column. The Settings pane appears.
3. From the Settings pane, click New Profile. The New Anti-Scanning Profile window appears.
4. From the New Anti-Scanning Profile window, enter a name for the new profile.
5. Click Ok. Your new profile appears in the All Anti-Scanning Attacks list.

Editing Attacks

To edit an attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, double-click anywhere in the Anti-Scanning column. The Settings pane appears.
3. From the All Attacks list, select the attack you wish to edit and click Edit Attack. The Edit Anti-Scanning window appears.
4. You may now edit the parameters of the attack. See Description Parameters, page 247.
5. Click Ok. Your preferences are recorded.

Managing Signatures Database

This section explains the Signatures Database and how to download signatures and update the database, both manually and automatically.
This section includes the following topics:
• Application Security Signature File Update, page 299
• Manual Update, page 299
• Downloading and Updating, page 301
• Scheduled Downloading and Updating, page 301

Application Security Signature File Update

The Application Security module uses the Application Security Signature File Update feature for constant updates of the signatures database. All devices with the Application Security module are updated using the latest Application Security Signature file, which is a database that contains a list of updated attacks. To guarantee maximum protection for your network, you must update the Application Security Signature file. The update is performed per device. During the update process, APSolute Insite connects to the Radware web site to check whether the file is available for the specified device.

Note: To get the Security Update Service, you need to purchase it separately.

An updated Application Security Signature file can be found on the Radware website every Monday. If an emergency update is required, the website is updated in addition to the weekly updates. Updating of the Application Security Signature file can be performed in the following ways:
• Manual updating: if you have an update file that was downloaded manually from the website, you can update the Application Security Signature file manually.
• Manual downloading and updating: you can download the update file from the Radware website and perform the manual update using this file.
• Automatic downloading and updating: you can set automatic download and update of the Application Security Signature file.

Tip: To provide the best protection for your network, it is recommended to set automatic daily updates.

Manual Update

If you have the updated file, you can update the Application Security Signature file manually.

To update the Application Security Signature file:
1. From the SynApps menu, select Security Updates > Upload Attacks File.
The Upload Attacks dialog box appears, displaying the list of devices that have a Service Agreement.
2. To view the parameters of a certain device, select the line with the desired device. For each device in the Upload Attacks table, the following parameters are displayed:
— Device (read only): The name of the selected device.
— Current Version (read only): The current version of the device.
— Attacks File Name: Type the name of the desired file, or click Browse to find the file.
3. From the Upload Attacks table, select the devices to which you want to send the selected Attack DataBase update and click Send Attacks File To Selected Devices. The Progress bar of each selected device displays the progress of sending the Application Security Signature file to that device. The Progress Message box displays a message about sending the file.

Note: You must choose only the devices that have an Application Security Signature File Update Service Agreement with Radware Support.

4. Click Update Table to update the Upload Attacks table with the new parameters. The selected devices are updated.

Downloading and Updating

You can download the signature files from the Radware Web site and then perform the update.

To update the Application Security Signature file:
1. From the SynApps menu, select Security Updates > Upload Attacks File. The Upload Attacks dialog box appears, displaying the list of devices that have a Service Agreement.
2. Select the devices for which you want to update the Application Security Signature file and click Download Now. The updated Application Security Signature file is now downloaded from the Radware Website.
3. To view the parameters of a certain device, select the line with the desired device. For each device in the Upload Attacks table, the following parameters are displayed:
— Device (read only): The name of the selected device.
— Current Version (read only): The current version of the device.
— Attacks File Name: The path to the Application Security Signature file that was downloaded from the Radware Web site.
4. Click Update Table to update the Upload Attacks table with the new parameters.
5. Select the devices to which you want to send the selected Attack DataBase update and click Send Attacks File To Selected Devices. The Progress bar of each selected device displays the progress of sending the Application Security Signature file to that device. The Progress Message box displays a message about sending the file. The selected devices are updated.

Scheduled Downloading and Updating

You can set the automatic download of the upgrade files using a predefined schedule. Once the upgrade files are downloaded, you can update the Application Security Signature file. You can edit or remove the Application Security Signature file update settings from the Scheduler (for an explanation of the Scheduler, refer to the APSolute Insite User Guide).

To update the Application Security Signature file:
1. From the SynApps menu, select Security Updates > Attacks Update Settings. The Attacks Update Settings window appears.
2. To perform the Time settings, specify the Start Hour.
Notes:
i. The End Hour option must not be used for this task.
ii. To set minutes, double-click in this box and then perform the settings.
3. To perform the Frequency settings, select an option button.
4. If you selected the Weekly option button, specify the day of the week on which the update is performed.
5. If you selected the Minutes option button, type the number of minutes in the Minutes text box.
6. Click Next. The Attacks Update Settings dialog box appears with the list of all the map devices.
7. Select the devices for which you want to perform the Attack DataBase Update.
Note: You must choose only devices that have an Application Security Signature File Update Service Agreement with Radware Support.

8. Click Next. The Attacks Update Settings dialog box closes. The task appears in the Scheduler, see the APSolute Insite User Guide.
9. To update the Application Security Signature file, from the SynApps menu, select Security Updates > Update Devices. The Upload Attacks dialog box appears, displaying the list of devices that have a Service Agreement.
10. To view the parameters of a certain device, select the line with the desired device. For each device in the Upload Attacks table, the following parameters are displayed:
— Device (read only): The name of the selected device.
— Current Version (read only): The current version of the device.
— Attacks File Name: The path to the Application Security Signature file that was downloaded from the Radware Web site according to the predefined schedule. To use a different file, type the name of the desired file, or click Browse to find the file.
11. Select the devices to which you want to send the selected Attack DataBase update and click Send Attacks File To Selected Devices. The Progress bar of each selected device displays the progress of sending the Application Security Signature file to that device. The Progress Message box displays a message about sending the file.

Note: You must select the devices from the list defined in Step 7.

12. Click Update Table to update the Upload Attacks table with the new parameters. The selected devices are updated.

Note: You can configure auto-download to the devices or prompt for download.

Security Tuning

This section explains security tuning, as well as information on the session table and SYN table parameters.
This section includes the following topics:
• Tuning Introduction, page 305
• Security Tuning, page 306
• Session Table Tuning, page 308
• SYN Table Tuning, page 309

Note: It is strongly advised that device tuning only be carried out after consulting with Radware Technical Support.

Tuning Introduction

The Security Tables store information about sessions passing through the device; their sizes are correlated to the actual number of sessions. Some of the tables store information for every source-destination address pair of traffic going through the device (Layer-3 information). These pairs require an entry for each combination. Some of the tables need to keep information about Layer-4 sessions, which means that every combination of source address, source port, destination address and destination port requires its own entry in the table.

Note: Layer-4 tables are usually larger than Layer-3 tables. For example, a typical TCP client, using HTTP, opens several TCP sessions to the same destination address.

Each security table has its own Free-Up mechanism, which is responsible for clearing the table of old entries that are no longer required, and for ensuring that all detected attacks are reported properly so that the attack can be logged. The Free-Up Frequency for each table determines how often the device clears unnecessary entries from the table and stores information about newly detected security events in a dedicated internal alerts buffer. The alerts are then distributed to the Alerts Table, log file, SNMP management station, and syslog server, as required by the configuration. The alerts buffer ensures that the device is not overloaded with alerts distribution.

Security Tuning

You can tune the Security tables according to your needs. Table 29 on page 306 describes the security tables and provides their tuning parameters.
Table 29: Security Tuning Parameters

Alerts Table
  Description: Information on security events is registered internally via the device alerts table.
  Max Value: 10000 (all platforms)

Log File Polling Time (ms)
  Description: With the Log File Polling Time parameter you can configure how often alerts are read from the internal alerts buffer and sent to the Log File. If the environment of the device is busy, it is advisable to change this value to 1,000 ms to ensure that all alerts are logged on time.
  Max Value: 10000 ms

Target Table
  Description: The Target Table contains an attack detection mechanism based on the destination addresses of the incoming traffic. If the number of packets sent to the same destination is above the predefined limit, this is identified as an attack. The Target Table tuning parameter defines for how many sessions to check the destination address.
  Max Value: 64000 (all platforms)

Source Table
  Description: The Source Table contains an attack detection mechanism based on the source addresses of the incoming traffic. If the number of packets sent from the same source is above the predefined limit, this is identified as an attack. The Source Table tuning parameter defines for how many sessions to check the source address.
  Max Value: 64000 (all platforms)

Source & Target Table
  Description: The Source&Target Table contains an attack detection mechanism based on the source and destination addresses of the incoming traffic. Each entry of this table contains source and destination addresses. If the number of packets sent from the same source to the same destination is above the predefined limit, this is identified as an attack. The Source&Target Table tuning parameter defines for how many sessions to check the source address.
  Max Value: 64000 (all platforms)

Security Tracking Tables FreeUp Frequency (ms)
  Description: The Free-Up Frequency for each table determines how often the device clears unnecessary entries from the table, and stores information about newly detected security events.
  Max Value: 500 ms (AS II and AS III)

DHCP Discover
  Description: The DHCP Discover table contains an attack detection mechanism based on counting the IP requests for each MAC address. The requests are made using the Dynamic Host Configuration Protocol. When the number of IP requests for a particular MAC address is above the predefined limit, an attack is identified. The DHCP Discover tuning parameter determines for how many MAC addresses to check the number of IP requests.
  Max Value: 64000 (all platforms)

Platform/Memory: "all platforms" means every platform and memory combination listed in the table: AS II with 256MB, and AS III with Mstr 256MB/Accl 512MB, Mstr 256MB/Accl 1024MB, Mstr 512MB/Accl 512MB, and Mstr 512MB/Accl 1024MB; the Max Value is the same for each.

To define Security tuning parameters:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
2. From the LinkProof Setup window, select Global > Security Settings and click Edit Settings. The Security Settings window appears.
3. From the Security Settings window, set the tuning parameters as explained in Table 29 on page 306 and click Apply > Ok.

Session Table Tuning

Session Table tuning parameters are presented in Table 30 on page 308.
Table 30: Session Table Tuning

Session Table Status
  Description: Table that keeps track of sessions that were not recorded in the Client Table.
  Default Value: Enabled
  Max Value: AS II 256MB: 500,000; AS III Mstr 256MB/Accl 512MB: 358,000; AS III Mstr 256MB/Accl 1024MB: 358,000; AS III Mstr 512MB/Accl 512MB: 983,000; AS III Mstr 512MB/Accl 1024MB: 1,144,000

Session Passive Protocol
  Description: Table that keeps track of passive protocol port commands, so that all related sessions can be linked together.
  Default Value: 1024
  Max Value: 16000 (all platforms: AS II 256MB; AS III Mstr 256MB/Accl 512MB, Mstr 256MB/Accl 1024MB, Mstr 512MB/Accl 512MB, Mstr 512MB/Accl 1024MB)

To define Session Table tuning parameters:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
2. From the LinkProof Setup window, select Global > Session Table Settings and click Edit Settings. The Session Table Settings window appears.
3. From the Session Table Settings window, set the tuning parameters as explained in Table 30 on page 308 and click Apply > Ok.

Note: It is strongly advised that device tuning only be carried out after consulting with Radware Technical Support.

SYN Table Tuning

SYN tables are used to define the SYN Flood protection. SYN Flood protection tuning parameters are presented in Table 31 on page 309.
Table 31: SYN Table Tuning

SYN Protection Table
  Description: Stores data regarding the delayed binding process. An entry in the table exists from the time the client completes the handshake until the handshake with the server is complete.
  Max Value: 1000000 (all platforms)

SYN Protection Requests Table
  Description: Stores the ack or data packet that the client sends, until the handshake with the server is complete and the packet is sent to the server.
  Max Value: 32000 (all platforms)

SYN Protection Triggers Table
  Description: Stores the active triggers, that is, the destination IPs/ports on which the device identifies an ongoing attack.
  Max Value: 100000 (all platforms)

SYN Protection Policies Table
  Description: Stores policies that control the SYN protection behavior for different types of traffic. For each traffic type the user can configure whether to:
  a) always apply SYN protection
  b) apply SYN protection only when an attack is detected
  c) never apply SYN protection.
  Max Value: 4096 (all platforms)

SYN ACK Reflection IPs Table
  Description: The amount of SYN packets per second that are sampled and whose source IP is to be monitored.
  Max Value: 100000 (all platforms)

Session Table L3 SYN Flood Reports
  Description: Keeps track of application security reporting of SYN flood attacks for the Session Table in Layer 3. Currently the parameter is not used.

Session Table SYN Triggers Creation
  Description: Counts incomplete TCP sessions for detecting SYN Floods from the Session Table.
  Max Value: 100000 (all platforms)

Note: The Requests table and the SYN Protection table must be about the same size; the Triggers table should be much smaller. "All platforms" means AS II 256MB and AS III Mstr 256MB/Accl 512MB, Mstr 256MB/Accl 1024MB, Mstr 512MB/Accl 512MB, Mstr 512MB/Accl 1024MB, with the same Max Value for each.

To define the SYN Flood Protection tuning parameters:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
2. From the LinkProof Setup window, select Global > SYN Flood Protection Settings and click Edit Settings. The SYN Flood Protection Settings window appears.
3. From the SYN Flood Protection Settings window, set the tuning parameters as explained in Table 31 on page 309 and click Apply > Ok.

Note: It is strongly advised that device tuning only be carried out after consulting with Radware Technical Support.

Security Events

This section describes security events, event reporting, and the list of event details. This section includes the following topics:
• Events and Event Reporting, page 311
• Event Details, page 311

Events and Event Reporting

Events include errors and security events (attacks or protocol anomalies). A device can be configured to send information about an event whenever a security event takes place. For every security event detected by the device, information can be generated using the following reporting channels:
• Local Alerts that appear in the Alerts table.
• Security Log entries, which are saved in flash.
• SNMP traps can be sent to APSolute Insite and a management station.
• Syslog messages can be sent to a Syslog station.
• E-mail messages can be sent to specific users.

Reporting channels are configured individually, then enabled through the LinkProof main application window.

Event Details

Table 32 on page 311 summarizes the event parameters. Devices send the following types of information about a security event (attack):

Table 32: Events Parameters
Parameter             Description
Risk                  The severity of the risk, either high, medium or low.
Date/Time             The date and time when the report was generated.
Attack Name           The name of the attack that was detected.
Physical Port         The actual port on the device from which the attack arrived.
Action                The attack action.
Category              The category of the attack: Anomalies, AntiScanning, DOS, Intrusion.
Protocol              The transmission protocol used in the attack: TCP/UDP/ICMP/IP.
Source Address        The IP address from which the attack arrived.
Source Port           TCP/UDP source port.
Destination Address   The IP address to which the attack is destined.
Destination Port      TCP/UDP destination port.
Radware Attack ID     Radware's unique identifier of the attack.
Packet Count          The number of packets in the attack.
Packet Bandwidth      The bandwidth of the attack since the latest trap was sent (KByte).
Status                The status of the attack: occur, start.
Device IP             The IP of the device with which the attack is associated.

Reporting Channels

This section describes the different reporting channels and how to configure them.

Sending Traps

Traps can be sent from the device to any computer that you choose. You must enable the device to send SNMP traps to other computers, for example to the management station, by defining the computers as targets. Trap Notification is set up through the device's Target Address table. For example, to ensure that the management station receives traps, enter its IP address into the Target Address table. You can specify SNMP parameters and select which type of notification it will receive.
In the Community Table, you can designate that specific users have access to the traps. After configuring the device to send SNMP traps, enable the device to start sending traps. These procedures are explained in Chapter 2, see Configuring SNMP, page 29.

To enable the device to send security traps:
1. From the main window, select Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click Settings. The Security Reporting window opens.
3. In the Application Security Parameters area, ensure that Traps Sending is enabled. Click Apply to enable.

E-mail Traps

E-mail traps can be sent to specific users in a similar manner to the way in which SNMP traps are sent.

To enable the device to send e-mail security traps:
1. From the main window, select General > Preferences. The Management Preferences window appears.
2. From the Management Preferences window, click Trap and SMTP. The Trap and SMTP pane appears.
3. From the Trap and SMTP pane, ensure that you provide the IP address of your SMTP server. Set the relevant parameters, including:
• Send E-mails on Errors: Select if you want to send an e-mail alert when an operational error occurs on the device.
• One Trap: Generate only one trap per event.
4. From the main window, click Security. The Connect and Protect Table appears.
5. From the Connect and Protect Table, click Settings. The Security Reporting window appears.
6. From the Security Reporting window, in the Application Security Parameters area, ensure that E-mail Sending is enabled.
7. Click Apply to enable.

Logging

When the device recognizes security events, they are logged in an all-purpose cyclic Log File. The device's Log File can be obtained at any time, but is of limited size. When the number of entries exceeds the permitted limit, the oldest entries are overwritten. You are notified regarding the status of the Log File utilization. The notifications appear when the file is 80% utilized and 100% utilized.
Configure one or more devices to perform logging to start the logging process.

To configure a device to perform event logging:
1. From the main window, click Security. The Connect and Protect Table window appears.
2. From the Connect and Protect Table, click Settings. The Security Parameters window appears.
3. From the Security Parameters window, in the Application Security Parameters area, ensure that Logging is enabled. The Attacks DB Version field displays the version number of the local attack log database.
4. Click Apply.

Note: Information in the Log File can be viewed by downloading it to a file at the management station. TFTP provides no authentication or encryption, so perform the download only over a trusted management network.

To download the Log File at the management station:
1. From the main window, click Security. The Connect and Protect Table window appears.
2. From the Connect and Protect Table, click TFTP Log. The Download Log File window appears.
3. From the Download Log File window, enter the name you wish to assign to the file in the File Name text box.
4. Click Browse to select the directory where the file is to be saved.
5. Select the External TFTP Server IP Address checkbox to specify the IP address of an external TFTP server. To use the default TFTP server, clear this checkbox.
6. Optionally, enable Clear Log File After Receive to clear the log file once the download is completed.
7. Select one of the option buttons, HTML, Excel or Advanced, to select the format in which to export the Log File. If you select the Advanced option button, click Advanced Settings. The Attacks Reports window appears.
8. From the Attacks Reports window, select the categories by which the report is filtered:
   Attack: The attack that you want to appear in the report. Select the attack from the drop-down list, which contains all the attacks recognized by the device. If the Attack checkbox is not selected, the report includes all attacks.
   Source IP: The range of source IPs from which the attacks arrived that you want to appear in the report.
   Destination IP: The range of destination IPs to which the attacks are targeted that you want to appear in the report.
   Attack Date: The range of dates in which the attacks were recognized by the device.
9. Select the checkboxes in the Select Fields section to define the fields displayed in the report.
10. Click Create Top 10 Graph and choose an item from the drop-down list to create a graph of the 10 most frequently occurring items in the report.
11. Click Ok to close the Attacks Reports window.
12. Click Receive. The Log File is downloaded and the status of the download is displayed.

Tip: You can access logged security events via Security Reports.

Syslog
Syslog messages can be sent to a syslog station in a similar manner to SNMP traps.

To configure the device to send syslog messages:
1. From the main window, select General > Management Preferences > Device Access. The Device Access pane appears.
2. From the Device Access pane, in the SysLog Reporting area, enter the IP address of the station running the syslog service in the Syslog Station Address field.
3. Select the Syslog Operation checkbox to enable syslog reporting.
4. Click Apply to implement your changes and click Ok to close the window.

Security Reports
This section explains security reports, attack reports and executive reports, how to generate them, and the dashboard. It includes the following topics:
• Security Reports Overview, page 314
• Security Reports Main Window, page 316
• Generating Attack Reports, page 320
• Attack Logs, page 325
• Executive Reports, page 330
• Dashboard, page 331

Security Reports Overview
Security Reports provide you with graphs, views and tools to understand attack activity and its impact on your network.
You can view attack activity over time, types of attacks, attack risk level, attack bandwidth, and attack sources and destinations.

How Data Is Gathered
You must first select a LinkProof device, or group of devices, in order to generate data for the reports. LinkProof devices monitor attack activity. When a LinkProof device detects an attack, its security module logs data about a "security event." A security event fits a predefined attack profile. Once reporting channels are configured, the device starts sending information about security events to the management station via SNMP traps. The management station (running APSolute Insite) stores security event data and packet information in a local database. This information is used to create the Security Reports that describe the security events, see Events Parameters, page 311.

Security Monitoring Tools
Security monitoring tools include:
• Generating Attack Reports, page 320
• Attack Logs, page 325
• Executive Reports, page 330
• Dashboard, page 331
Each focuses on a different type of analysis requirement. View of an Attack Report, page 315 shows the Attack Reports desktop, which gives access to all the reporting options.

Figure 49 - View of an Attack Report

In contrast, you can view individual security events via the Attack Logs. See Attack Logs, page 315.

Attack Reporting
Attack reports show attack performance and impact on your network in a graphical layout. These historical reports show attack activity over time. You can quickly view the top ten attacks on the system and how they change over a specified period. Attack reports are created from information selected from the security event logs. Radware provides a set of predefined reports. Use these reports to examine the types of attacks affecting your defined network, and their volume, bandwidth or severity. These reports can be drilled down for further details.
Along with predefined reports that provide preconfigured types of network analysis, you can set filtering parameters to select your own parameters for viewing attack activity. Create graphs for high-level or drill-down views of network attacks. Reports can be tailored to specific reporting needs by creating customized filters.

Attack Logs
Attack Logs display individual security events in a tabular format. The logs allow drill-down to the packet level itself. Whereas Attack Reports display the overall attack activity, the Attack Logs allow you to investigate individual security events. For further information about Attack Logs, refer to Attack Logs, page 325.

Figure 50 - Attack Logs

Dashboard
The Security Dashboard provides a real-time attack view displaying the most recent attack activity in the defined network. The Security Dashboard also provides extracts of key Attack Reports and the immediate performance of specific attacks. These reports graph the most intensive (top) attacks by packet volume. The Security Dashboard can be refreshed at user-defined intervals (every 2 minutes or more). You may also select the period for which to display data (the last hour, last 2 hours, and so on). For further information on the Security Dashboard, refer to Dashboard, page 331.
Note: The Security Dashboard view is not available when multiple devices are selected.

Security Reports Main Window
Security Reports provides two methods for viewing and defining reports: Attack Logs and Attack Reports.

To view the Security Reports main window:
From the main window, click the Security Reports tab. The Security Reports main window appears.

Viewing Attack Logs
The Attack Logs window displays the security events in your network. For each security event, detailed information is displayed in the attack log.
The attack log allows you to view the complete log of security events that have been reported in your network.

To view the Attack Logs window:
1. From the main window, click the Security Reports tab. The Security Reports main window appears.
2. From the Security Reports window, select the Attack Logs tab. The Attack Logs window appears, which includes the following features:
   — Attack Logs main toolbar
   — Attack Logs main display area
   — Log Views
   — Log Custom Views

Attack Logs main toolbar
The Attack Logs main toolbar includes the following features:
• Device: From the Device drop-down list, select the device for which to view reports. Note: Only devices for which traps were collected appear in this list.
• Calendar: Clicking the Calendar button allows you to set the date and time period of the reports to be viewed. Alternatively, you may use the From and To buttons.
• Display: Clicking the Display button shows the attacks selected in the Log Views list.
• Open New Window: Displays the graph in a separate window when the "Open New Window" checkbox is checked.
• Clear All: Clears all entries from the Attack Log table. Once the button is pressed, a confirmation message appears, requesting that you confirm the deletion of the Attack Log entries.
• Delete: The Delete button deletes the selected log entries. You may delete multiple entries by selecting them and then clicking Delete.
• Export: Clicking the Export button generates a report according to the type of report defined and automatically saves it to an appropriately named file in the same location as the installation file.

Attack Logs main display area
The Attack Logs main display area provides a list of individual security events in a tabular format. The logs allow drill-down to the packet level itself.
Log Views
Log views allow you to determine the type of attack log you wish to view:
• All Attacks
• High Risk
• Medium Risk
• Low Risk
• Intrusions

Log Custom Views
Custom Log Views allow you to create your own custom log view filter according to type, condition and arguments.
Note: For further details on Attack Logs and how to view and configure them, refer to Attack Logs, page 325.

Viewing Attack Reports
The Attack Reports main window allows you to view custom reports according to your requirements.

To view the Attack Reports main window:
From the main window, click the Security Reports tab. The Security Reports main window appears.

The Attack Reports main window includes the following features:
• Attack Reports Main Toolbar
• Attack Reports Main Display Area
• Reports List
• Report Custom Views

Attack Reports Main Toolbar
The Attack Reports main toolbar includes the following features:
• Device: From the Device drop-down list, select the device for which to view reports.
• Calendar: Clicking the Calendar tab allows you to set the date and time period of the reports to be viewed. Alternatively, you may use the From and To buttons.
• Display: The Display drop-down list sets the type of report to be displayed:
   — Bar display
   — Plot display
   — Pie display
• Open New Window: Displays the graph in a separate window when the "Open New Window" checkbox is checked.
• Show: Clicking the Show button displays the report according to the Display and Calendar selections.
• Dashboard: Clicking the Dashboard button shows immediate attack activity rather than activity over time. The Dashboard displays the most recent attack activity in the defined network. Information is constantly refreshed according to a configurable refresh rate.
   The Dashboard also provides extracts of key Attack Reports and the immediate performance of specific attacks. These reports graph the most intensive (top) attacks by packet volume.
• Export: Clicking the Export button generates reports in various formats and exports them to a report file located on your local station. For example: C:/Program Files/CWI_1.55.03/Configware Insite/UserFiles/StatisticReports/18-10-2004_09_14_57.html
   Export options include:
   — HTML: Exports a report in HTML format.
   — Excel: Exports a report in Excel format.
   — Advanced Export: Produces a report according to:
      • Top ten Attackers per Target
      • Top ten Targets per Attacker
• Executive Reports: Executive Security reports can be generated and exported in HTML format. Executive Reports allow the generation of reports composed of more than one report graph, see Executive Reports, page 330.

Attack Reports Main Display Area
The Attack Reports main display area displays the current device icon and its IP address.

Reports List
The Reports list provides you with a list of security attack reports. Predefined Attack Reports help you to explore security attack patterns over time. Radware has created predefined reports for specific types of attack analysis. Attacks can be ranked by volume and by type. See Predefined Attack Reports, page 321. Predefined reports also include reports for groups of attacks, or attacks relating to a specific module, including:
• Intrusions
• DoS
• Anomalies
• Anti-Scanning

Report Custom Views
The Report Custom Views feature provides advanced filtering capabilities for both the Security Reporting and Attack Logs tables. The filtering capabilities allow you to apply multiple filters to the same data, set a Filter Condition, and introduce a new Filter Type to the filter list.
For example, it is possible to define two filters (one according to Time and one according to Action) and apply them both to the same graph.
Note: For further information on Attack Reports, refer to Generating Attack Reports, page 320.

Generating Attack Reports
Attack Reports are generated from logs of security events, and comprise graphical analysis of attack statistics. Radware provides predefined reports, each of which focuses on a specific type or set of attacks. Each Attack Report graph can be further drilled down for greater granularity: double-clicking a section of the graph provides the list of events that generated that area of the graph. Reports can also be customized for specific reporting needs by creating customized views. A view is generated by applying a filter to a predefined report. These customized views (filters) are saved and may be regenerated whenever needed. Reports can be exported to XML, HTML or Excel format for future reference, or for analysis using external tools.

Before You Start
Before you start using Attack Reports, ensure that you have enabled security event reporting at the device. You must enable the device to send SNMP traps to the management station (running APSolute Insite). You must specify that your management station is the target for SNMP traps, and then start sending the traps. For an explanation of how to enable your device to start sending traps, see Chapter 2, Configuring SNMP, page 29.

Recording Security Traps
Once you have configured the device to send traps, you must enable the management station to receive and record the security traps. Security traps are recorded in a local database. This database is then used to create Security Reports. Collection of security traps is enabled by default when APSolute Insite is launched. APSolute Insite continues to record traps until you stop this process.
To stop security trap recording:
From the main window, select SynApps > Stop Recording Security Traps. The local database retains the information already collected.

Accessing Attack Reports
Once you configure the device to send traps, and enable the management station to receive them, you are ready to generate reports.

To access Attack Reports:
From the main window, click the Security Reports tab. The Attack Reports window appears, initially containing a map of the defined network. Once a report is generated, it is displayed in the main panel of the desktop.

Selecting a Device
In order to gather information for Security Reports, a device or group of devices must be selected to generate data. LinkProof devices monitor attack activity, and once a device is selected, the Security Report knows from which source to draw data. Using the Security Reports tab desktop, you can select one or more LinkProof devices whose security event logs are used to analyze attacks on your defined network.

To select a device or group of devices:
1. From the main window, select Security Reports. The Security Reports main window appears.
2. From the Device drop-down list, select the device for which the reports are generated.
   Note: The Device drop-down list contains all the devices on the site map.
3. To select a group of devices, click the icon. The Elements Selection window appears. From the Elements Selection window, select the devices for which you want to generate the report and click OK.

Predefined Attack Reports
Predefined Attack Reports help you to explore security attack patterns over time. Radware has created predefined reports for specific types of attack analysis. Attacks can be ranked by volume and by type. Predefined reports also include reports for groups of attacks, or attacks relating to a specific module.
Predefined reports allow you to focus attention on specific threats. Attack information is presorted, with the most important security event information plotted in easily read charts.

The following predefined Attack Reports are available:
• Top Attacks: Graphs the top ten attacks, according to packet count per attack.
• Top Attacks by Category: Graphs the top ten attack groups (Intrusions, DoS, Anomalies, SYN Floods and Anti-Scanning), calculated according to packet count per group.
• Top Attack Targets: Graphs the top ten attack target destinations per IP address.
• Top Attack Sources: Graphs the top attacks according to attack sources per IP address.
• Top Attack Targets Bandwidth: Graphs the top ten attacks by bandwidth consumption.
• Number of Attacks Over Time: Graphs the changes in the total number of attacks over a specified time period.
• Attacks by Severity: Graphs the attacks ranked by severity of risk (High, Medium or Low) by displaying a breakdown of all attacks over a set period of time according to attack severity.
• Top Attacks by Module: Graphs the top ten policies in use, ranked by packet volume per policy, per module (Intrusions, DoS, Anomalies, SYN Floods and AntiScanning).

Creating and Using Predefined Reports
Once you decide which report you want to generate, use the Report List to create the reports. The Report List allows you to quickly select a predefined report.

To generate a predefined report:
1. From the main window, select Security Reports. The Security Reports main window appears.
2. From the Security Reports window, select one or more devices from which the report is generated.
3. Specify the time frame for the report, using the From and To selection boxes or the Calendar.
4. Select the display parameter from the Display drop-down box (Pie, Plot or Bar):
   — Bar: A regular bar presentation in which the parameters are presented one next to the other.
   — Plot: The values are represented by dots that are connected by lines.
   — Pie: Available for top attack reports.
   Note: The options displayed vary according to the type of report selected.
5. Select a report from the Report List, such as Top Attack Targets. By default, Top Attacks is selected.
6. Now that all the basic report parameters have been selected, click Show. Your report is generated and displayed in the desktop.

Report Display Formats
Reports can be displayed in several chart formats: Pie, Plot or Bar. The options vary according to the type of report selected. Changing from one chart type to another is simple. For example, it is possible to view the Top Ten Attacks report as a pie chart, where each attack is shown as a percentage of the overall volume of attacks, or as a bar chart, where each attack is displayed with its packet count volume.

To configure the display parameters:
1. From the main window, select Security Reports. The Security Reports window appears.
2. From the Display drop-down list, select a display option:
   — Bar: A regular bar presentation showing attacks by volume.
   — Plot: Attacks by volume are represented by dots that are connected by lines.
   — Pie: Available for top attack reports, showing individual attack types and their volume as a percentage of the total attack volume.
3. Click Show to redraw the chart.

Drill Down Security Event Data
Once you have created a report, you can drill down to the security events that relate to a particular attack. For example, you can choose a pie section, or a bar in the bar chart, and view the security events which created the attack.

To drill down into your report data:
1. From the main window, select Security Reports. The Security Reports window appears.
2. From the Security Reports window, select a display type (bar, pie or plot) from the Display drop-down list, and then click Display.
   The relevant display is shown.
3. Double-click any section. A list of events appears in a separate HTML page. The events list can be sorted by clicking the header of any column.

Comparing Reports
Having created a report, you may want to compare it with another type of attack analysis. If you want to preserve the first report's data temporarily, you can open the new report in a new window. Or, you can save your report by exporting it to a file, then create the new report. You can then examine the old report data at any time. If you generate a report in the same window, the previous report graph is overwritten in the view. However, all the original data is still available in the log. Once you have generated your report, you can export it to a file.

To save your report:
1. From the main window, click Security Reports. The Security Reports window appears.
2. From the Security Reports window, click Export.
3. Select whether to export the file in XML, HTML or Excel format. The report is saved and available for future examination.

To open a new report in another window:
1. From the main window, click Security Reports. The Security Reports window appears.
2. Select the device and define the display as previously described.
3. Click Open New Window in the toolbar.
4. Click Show. The new report is launched in a separate window.

Customizing Attack Reports
You can customize your analysis of attack data by creating customized views. A customized view employs a user-designed filter to narrow the analysis of a predefined report further. For example, after generating a report of Top Attacks, you may want to narrow the findings to activity on a particular subnet. You may also want to create a customized view for frequent use, such as a time range to apply to all reports generated for the current month. In the customized view, the Security Reports are filtered according to the parameters of the security event, see Events Parameters, page 311.
Each customized view presents the attack data according to the corresponding event parameter. Once you have created a custom view, it appears in the Report Custom Views list. To apply the custom view's filter, simply click the name of the view as it appears in the list.

To create and apply a custom view:
1. From the main window, click Security Reports. The Security Reports main window appears.
2. From the Security Reports main window, select Report Custom Views.
3. From the Report Custom Views pane, click Add. The Add Report View Filter window appears.
4. From the Add Report View Filter window, in the Filter Name text box, enter a name for the custom view, such as "January."
5. From the Filter Type drop-down list, choose the type of filter you want the custom view to use, such as Date & Time.
6. In the Filter Arguments area, fill in the relevant information, such as a starting and ending date and time for the report, and click OK. In the Report Custom Views area, the new custom view appears with the name you gave it. Click it to apply this view.
7. Define the parameters and click Show. The custom view's filter is applied.

To create a report for a subnet:
1. From the main window, click Security Reports. The Security Reports main window appears.
2. From the Security Reports toolbar, specify a device and a time frame for your report.
3. From the Report List, select the desired report, such as Top Attacks.
4. To examine the impact of the top attacks on a specific network segment, you must create a custom view and apply it to the report.
5. From the Report Custom Views area, click New. The Add Report View Filter window appears.
6. In the Filter Name text box, enter a name for the filter, such as "Tokyo Financial Subnet."
7. From the Filter Type drop-down list, choose Subnets.
8. In the Filter Arguments area, fill in the IP ranges for the subnets to be inspected.
   To filter for attacks originating from a particular network segment, fill in the source IP range. For attacks directed at a network segment, fill in the destination IP range. When finished, click OK.
9. In the Report Custom Views area, the new view appears with the name "Tokyo Financial Subnet". Click it to apply this custom view.
10. From the toolbar, click Show. The new report is generated and displayed.

To edit a custom view and apply it:
1. From the main window, click Security Reports. The Security Reports main window appears.
2. From the Report Custom Views area, select a filter and click Edit. The Edit Report View Filter window appears.
3. You can change the name, select a different Filter Type, and/or change the parameters in the Filter Arguments area.
4. Click OK.
5. From the Report Custom Views area, click View and define the parameters.
6. Click Show. The view is filtered.

To remove a custom view (filter):
1. From the main window, click Security Reports. The Security Reports main window appears.
2. From the Report Custom Views area, deselect the filter.
3. Define the report parameters.
4. Click Show. The report is generated without the filter.

Attack Logs
Attack Logs display the security events in your network. For each security event, detailed information is displayed in the attack log. The attack log allows you to view the complete log of security events that have been reported in your network. For a description of the event parameters presented in the Attack Log table, see Events Parameters, page 311.

Required Setup
In order to create the attack logs, ensure that you have enabled the LinkProof device to send traps to the management station. This procedure is explained in Before You Start, page 320. Once the device is configured to send traps to the management station, enable your management station to record security events. The procedure is explained in Recording Security Traps, page 320.
Enable Logging at the Device
After the device and management station are set up, once the device sends security event information to the management station, security events are recorded in the local database. You can then start examining the Security Event Log.

To select a device:
1. From the main window, click Security Reports. The Security Reports main window appears.
2. From the Security Reports main window, select Attack Logs. The Attack Logs pane appears.
3. You must specify a device, or group of devices, to be used to generate the local security event database. If you have already specified a device, it is the default setting. Otherwise, in the toolbar (at top), select a device from the Device drop-down list box.
4. To select a group of devices, click the icon. The Elements Selection window appears. From the Elements Selection window, select the devices for which you want to generate the report and click OK.

Notes:
i. The Attack Log view in the desktop displays all security events in a table for centralized attack management. Details for each security event are displayed in columns, and the attack log can be sorted by double-clicking a column header.
ii. The Attack Log view can be narrowed to specific types of data using predefined views, to show attacks corresponding to specific levels of risk or to a type of attack. Or, you can create customized views, using selected filters, to examine specific types of attack information.
iii. The attack log displays only the security events matching the selected filter.

Working with the Attack Log View
Predefined views have been created for specific types of attack analysis. By default, the log view displays security events for all attacks. However, you may prefer to sort the log so that security events are shown according to risk factor.
Or the view can show specific security events corresponding to types of attacks such as Intrusions, DoS, Anomalies or AntiScanning attacks.

To apply a predefined filter to the Attack Log:
1. From the main window, select Security Reports. The Security Reports main window appears.
2. Click Attack Logs. The Attack Logs pane appears.
3. From the Attack Logs pane, select a predefined filter from the Log View panel, such as Intrusions. The log view is sorted to show only the entries which match your filter selection.

Upon opening a log, it is possible to sort the view by clicking any column header. It is also possible to delete security events which are deemed unimportant to keep in the local database.

To delete events from the Attack Log:
1. From the main window, select Security Reports. The Security Reports main window appears.
2. Click Attack Logs. The Attack Logs window appears.
3. Select one or more security events in the log view.
4. Click Delete in the toolbar.

Viewing Attack Descriptions
To drill down further, click a security event line. An attack description (taken from the Attack Database) is displayed for the particular event, in the lower panel of the desktop, as shown in Viewing Attack Descriptions, page 327.

Figure 51 - Viewing Attack Descriptions

Table 33 on page 327 summarizes the information displayed in the Attack Description panel.

Table 33: Attack Description
Name: The name of the attack that was detected.
Attack Description: A detailed description of the attack.
False Positives: The identifying characteristics of the attack.
Known Issues: The current information that is known about the attack.
Recommended Network Settings: The recommended settings to counteract the attack.

Packet information includes:
• Source
• Destination
• Protocol
• Source Port
• Destination Port
• Length
• Bandwidth
For multiple packets, the scroll menu allows navigation between data captures.

To display packet details for a security event:
1. From the main window, click Security Reports. The Security Reports main window appears.
2. From the Security Reports main window, select a security event.
3. Click Packets. The packet contents and information are displayed in the bottom panel.

Working with Custom Log Filters
To sort the log view according to your needs, create a Customized Log Filter, which allows you to analyze security events with maximum flexibility. It is possible to filter the log messages according to the customized views. You can create Custom Log Filters according to the following filter types:

Table 34: Customized Log Filters
Date and Time: Filters according to the time at which an event was logged.
Subnets: Filters according to the source or destination network of the event.
Attack Name: Filters according to the name of the attack.
Category: Filters according to the category of the attack.
Risk: Filters according to the attack risk: High Priority, Medium Priority, Scheduled, Closed or False Positive.
Radware ID: Filters according to the Radware-defined attack ID.
Protocol: Filters according to the transmission protocol: TCP, UDP or ICMP.
Source Port: Filters according to the TCP/UDP source port.
Destination Port: Filters according to the TCP/UDP destination port.
Physical Port: Filters according to the physical port on the device.
Status: Filters according to the status of the attack (occur or start, see Table 32).
Action: Filters the graph or logs according to the action performed on the attack. The possible values are Drop or Forward.

To create a log filter:
1. From the main window, click Security Reports. The Security Reports main window appears.
2. From the Security Reports main window, select Attack Logs. The Attack Logs window appears.
3. From the Log Filters panel, click Add.
The Add Log View Filter window appears.
4. In the Filter Name text box, enter a name for the filter, such as “Saturday Attacks”.
5. From the Filter Type drop-down list box, choose the type of filter category, such as Date & Time.
6. From the Filter Condition drop-down list, define whether the filter definition is equal or not equal to the data being filtered.
7. In the Filter Arguments area, fill in the relevant information, such as a starting and ending date and time for the report. For example, specify that you want to examine events from 7 p.m. to midnight. Then click OK.
8. In the Log Filters area, the new filter appears with the name you assigned it. Check that it is correct and click Apply to apply this filter.

To edit a log filter:
1. From the main window, click Security Reports. The Security Reports main window appears.
2. From the Security Reports main window, select Attack Logs. The Attack Logs pane appears.
3. From the Log Filters panel, click Edit. The Edit Log View Filter window appears.
4. In the Log Filters area, click the filter you want to change, then click Edit. The Edit Log View Filters window appears. You can change the name, type of filter, and/or filter details.
5. Click OK.

Saving the Attack Log to a File

When the device recognizes security events, they are logged in an all-purpose cyclic Log File. The device’s Log File can be obtained at any time, but is of limited size. This Log File can be downloaded to a file in Excel or HTML format. It can also be filtered for specific types of attacks before being downloaded.

To save the log to a file:
1. From the main window, click Security Reports. The Security Reports main window appears.
2. From the Security Reports main window, select Attack Logs. The Attack Logs pane appears.
3. From the Attack Logs pane, click TFTP Log. The Download Log File window appears.
4. In the File Name text box, enter the name you want to assign to the file.
Click Browse to select the directory where you require the file to be saved.
5. If you want to enable an External TFTP Server, select the External TFTP Server IP Address checkbox. This enables the adjacent field, in which you can enter the IP address of the machine running the server. If you use an external TFTP server, the configuration file is saved in the location configured in that server. To use the default TFTP server, clear the checkbox.
6. Select Clear Log File After Receive if you want to clear the device’s log file once the download is completed.
7. To select the format in which you want to export the Log File, select one of the option buttons: HTML, Excel or Advanced. The Advanced setting allows you to create a custom filter for the downloaded log.
8. If you select the Advanced option button, click Advanced Settings. The Attacks Reports window appears.
9. In the Attacks Reports window, select one or more categories used to filter the report from the “Filter by” pane. Data can be filtered via the following categories:
— Attack: Select a specific type of attack from a drop-down list of all the attacks recognized by the device. If the Attack checkbox is not selected, the report includes all attacks.
— Source IP: You can specify a range of Source IPs from which attacks arrived.
— Destination IP: You can specify a range of Destination IPs to which the attacks are targeted.
— Attack Date: Specify a range of attack dates.
10. From the Selected Fields pane, select the relevant fields that you want to include in the log file:
— Attack Name
— Source IP
— Destination IP
— Date and Time
11. To create a graph of the ten most frequently mentioned items in the report, select the Create Top 10 Graph by checkbox and select an item from the drop-down list, which includes:
— Source
— Destination
— Attack
12. Click Ok. The Attacks Reports window closes.
13. Click Receive.
The Log File is downloaded from the device and the status of the download is displayed.

Executive Reports

Executive Security reports can be generated and exported in HTML format. Executive Reports allow the generation of reports that are composed of more than one report graph. The Executive Report can include one or more of the following reports:
• Top 10 Attacks - Displayed as a pie chart and a list of the top 10 attacks and packet count.
• Top 10 Attack Sources - Displayed as a pie chart and a list of the top 10 attack sources and packet count.
• Top 10 Attack Source and Destination - Displayed as a pie chart and a list of the top ten attack source and destination and packet count.
• Top Attack Destinations - Displayed as a pie chart and a list of the top 10 attacked destinations and packet count.
• Attacks by Category - Displayed as a pie chart and a list of the top 10 attacks including their Category (Intrusions, Anomalies, etc.) and packet count.
• Attacks by Risk - Displayed as a pie chart and a list of the top 10 attacks including their Risk and packet count.

To generate an Executive Report:
1. From the main window, click Security Reports. The Security Reports window appears.
2. From the Security Reports window, click Export and then, from the drop-down list, click Executive Reports. The Executive Reports window appears.
3. In the Executive Reports window, choose the required report by selecting the checkbox beside its name.
4. Set the time frame for the report. The time frame can be either the "last day", "last week" or "last month". Note that the time frame is relative to the current date of the station running APSolute Insite.
5. Click Generate Now. The report is saved in the APSolute Insite\Userfiles folder (relative to the installation path).

Printing Executive Reports

Internet Explorer typically is not set to print background colors or images, including table cell colors.
To enable background colors and images when printing Executive Reports:
1. From your browser’s toolbar, select Tools > Internet Options. The Internet Options window appears.
2. In the Internet Options window, click the Advanced tab. The Advanced pane appears.
3. In the Advanced pane, select the Print Background Colors and Images checkbox. This setting affects both page backgrounds and table cell backgrounds.

Dashboard

The Security Dashboard provides a real-time tool for examining the activity in your network system. This view is automatically refreshed at a selectable rate, to provide ongoing real-time analysis of the system. The Security Dashboard also provides a live moving radar, on which attacks can be viewed as they occur. The attacks are presented according to their severity and number of occurrences.

To view the Dashboard:
1. From the main window, select Security Reports. The Security Reports main window appears.
2. From the Security Reports main window, click Dashboard. The Dashboard appears as shown in Figure 52.

Figure 52 - Dashboard Desktop

Dashboard Layout

The Dashboard has two panels. To the left is the Top Security Attacks Radar, which displays the most intensive attacks currently in the system. To the right are four graphs which chart the top attacks in the defined network and their severity. These four graphs provide a more comprehensive picture of real-time attacks on the system by mapping the following:
1. Total Number of Attacks: Shows the current total number of attacks and the total for the display period.
2. Attacks By Severity: Breakdown of attacks in the display period by severity: High, Medium, Low.
3. Top Attack Targets: IP of the top five attack targets for the display period (single set of bars).
4. Top Attack Sources: IP of the top five attack sources for the display period (single set of bars).

The Radar

You select how many of the top attacks will be tracked in the Radar.
The attacks are positioned in the Radar panel based on a metric which factors attack risk, the number of attacks and attack frequency. The highest relative severity is shown at the center, with medium severity in the middle circumference, and lower severity attacks at the outer circumference.

To select the number of Top Attacks shown in the Radar:
1. From the main window, select Security Reports. The Security Reports main window appears.
2. From the Security Reports main window, click Dashboard. The Dashboard appears.
3. From the Display Top Attacks drop-down list, select the number of attacks to be displayed in the radar. The radar display changes to show the relevant top attacks in the network.

Real-time Data Refresh

In order to achieve real-time analysis, the radar uses an automatic refresh rate to constantly update the data available. The radar cycles around its circumference in one minute, with attack data refreshed according to a configurable setting.

To select the refresh period:
1. From the main window, select Security Reports. The Security Reports main window appears.
2. From the Security Reports main window, select Dashboard. The Dashboard appears.
3. From the Auto Refresh combo-box, set the length of the refresh period. The view in the Top Security Attacks Radar is updated at the rate selected.

Note: To drill down to view the security events, double-click an attack in the Radar panel, or the attack data in one of the graphs. Detailed information is shown regarding related security events.
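As an added example that is not part of this guide or of APSolute Insite, the following Python models the Customized Log Filters described under Working with Custom Log Filters earlier in this chapter: each filter is a (type, condition, arguments) triple with the condition equal or not equal, and the log view keeps only the entries that satisfy every filter. The log entries, field names and argument formats are constructed assumptions, not device output.

```python
"""Added example (not Radware's code): evaluating custom Attack Log filters
against a small, constructed Attack Log."""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample Attack Log entries (field names are this example's own).
ATTACK_LOG = [
    {"time": datetime(2008, 7, 12, 19, 30), "attack": "SYN Flood", "category": "DoS",
     "risk": "High Priority", "protocol": "TCP", "src": "10.1.1.5", "dst": "192.0.2.10",
     "sport": 40001, "dport": 80, "physical_port": 3, "action": "Drop"},
    {"time": datetime(2008, 7, 12, 9, 5), "attack": "Port Scan", "category": "AntiScanning",
     "risk": "Medium Priority", "protocol": "TCP", "src": "10.1.2.9", "dst": "192.0.2.10",
     "sport": 5555, "dport": 22, "physical_port": 3, "action": "Forward"},
    {"time": datetime(2008, 7, 12, 23, 59), "attack": "ICMP Flood", "category": "DoS",
     "risk": "High Priority", "protocol": "ICMP", "src": "10.9.0.1", "dst": "192.0.2.20",
     "sport": 0, "dport": 0, "physical_port": 5, "action": "Drop"},
]


def _matches_arguments(entry, ftype, args):
    """True when the entry satisfies the filter arguments, before the condition is applied."""
    if ftype == "Date and Time":      # args: (start_time, end_time), inclusive
        return args[0] <= entry["time"].time() <= args[1]
    if ftype == "Subnets":            # args: ("source" | "destination", "CIDR")
        field = "src" if args[0] == "source" else "dst"
        return ip_address(entry[field]) in ip_network(args[1])
    if ftype == "Source Port":
        return entry["sport"] == args
    if ftype == "Destination Port":
        return entry["dport"] == args
    if ftype == "Physical Port":
        return entry["physical_port"] == args
    # Remaining filter types compare one string field for equality.
    key = {"Attack Name": "attack", "Category": "category", "Risk": "risk",
           "Protocol": "protocol", "Action": "action"}[ftype]
    return entry[key] == args


def entry_matches(entry, filt):
    """Apply one filter (type, condition, arguments); condition is 'equal' or 'not equal'."""
    ftype, condition, args = filt
    hit = _matches_arguments(entry, ftype, args)
    return hit if condition == "equal" else not hit


def apply_log_filters(log, filters):
    """Return the entries that satisfy all filters: the filtered log view."""
    return [entry for entry in log if all(entry_matches(entry, f) for f in filters)]


# The guide's example, events from 7 p.m. to midnight, narrowed to dropped packets.
EVENING_DROPS = [
    ("Date and Time", "equal", (time(19, 0), time(23, 59, 59))),
    ("Action", "equal", "Drop"),
]
```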
Chapter 8 - Bandwidth Management

This chapter explains the capabilities of the Bandwidth Management module and includes the following sections:
• Bandwidth Management Overview, page 335
• Bandwidth Management Policies, page 336
• BWM Classes, page 340
• BWM Example Configuration, page 344
• Protocol Discovery, page 348
• Interface Classification, page 349

Bandwidth Management Overview

This section explains the Bandwidth Management module and how administrators can gain full control over their available bandwidth.

The Bandwidth Management module includes a feature set that allows administrators to have full control over their available bandwidth. Using these features, applications can be prioritized according to a wide array of criteria, while taking the bandwidth used by each application into account. For example, Bandwidth Management allows an administrator to give HTTP traffic a higher priority than SMTP traffic, which in turn may have a higher priority than FTP traffic. At the same time, a Bandwidth Management solution can track the actual bandwidth used by each application and either ensure a guaranteed bandwidth for a certain application and/or set limits on how much each classified traffic pattern can utilize.

LinkProof’s Bandwidth Management capability allows users to define policies which restrict or maintain the bandwidth that can be sent or received by each application, user or segment. Controlling the maximum bandwidth that DoS attacks can consume of corporate resources limits the spread of the attack, ensuring that other mission-critical operations are not affected and continue to enjoy the bandwidth and service level required to guarantee smooth business operation. In a similar manner, carriers can ensure that a customer's Service Level Agreement (SLA) is not compromised due to a DoS attack launched on another customer.
Using the Bandwidth Management module, Radware devices can classify traffic passing through them according to pre-defined criteria and can enforce a set of actions on that traffic. A comprehensive set of user-configurable policies controls how the device identifies each packet and what it does with it. When a packet is matched, the device can do one of three things:
• Discard the packet - This allows the Bandwidth Management module to provide a very robust and granular packet filtering mechanism.
• Forward the packet in “real time” - This means that the packet bypasses the entire bandwidth management system and is immediately forwarded by the device. The end result is effectively the same as if bandwidth management was not enabled at all.
• Prioritize the packet - This allows the mechanism to prioritize services. If the packet is to be prioritized, it is placed into a queue, which is assigned a priority from 0-7, with 0 being the highest priority and 7 the lowest. Each policy gets its own queue. The number of queues is equal to the number of policies in the policy database, but each queue is labeled with one of the 8 priorities 0-7. This means that there could be 100 queues (if there are 100 policies), with each queue having a label from 0-7.

Scheduler Algorithm

The scheduler takes packets from the many queues and forwards them. The scheduler operates through one of two algorithms: Cyclic and CBQ (Class Based Queuing).

With the Cyclic algorithm, the scheduler gives each priority a preference ratio of 2:1 over the immediately adjacent lower priority. In other words, a priority 0 queue has twice the priority of a priority 1 queue, which has twice the priority of a priority 2 queue, and so on. The scheduler systematically goes through queues of the same priority when it is time to forward a packet with this priority.

The CBQ algorithm has the same packet-forwarding pattern as the WFQ algorithm, with one significant difference.
The CBQ algorithm is aware of a predefined bandwidth configured per policy. As policies are configured, they can be given a minimum (guaranteed) allotted bandwidth, in Kbps; see Guaranteed Bandwidth, page 339.

Note: Unless CBQ is used, policies cannot be configured with an associated bandwidth.

Application Classification

If Application Classification is defined as Per Packet, the device classifies every packet that flows through it. In this mode, every single packet must be individually classified.

If Application Classification is defined as Per Session, all packets are classified by session. An intricate algorithm is used to classify the packets in a session until a “best fit” policy is found, fully classifying the session. Once the session is fully classified, all packets belonging to the same session are classified accordingly. This not only allows for traffic classification according to application, but also saves some overhead for the classifier, as it only needs to classify sessions and not every single packet.

Classification Mode

The following classification modes are available:
• Policies: The device classifies each packet or session by matching it to policies configured by the user.
• Diffserv: The device classifies packets only by the DSCP (Differentiated Services Code Point) value.
• ToS: The device classifies packets only by the ToS (Type of Service) bit value.

Random Early Detection

The Random Early Detection (RED) algorithm can be used to protect queues from overflowing, which may cause serious session disruption. The algorithm draws on the inherent retransmission and flow control characteristics of TCP. If the RED algorithm is deployed, the status of the queues is monitored. If the queues are approaching full capacity, random TCP packets are intercepted and dropped. Note that only TCP packets are dropped, and the packet selection is entirely random.
This protects the queues from becoming completely full, which causes less disruption across all TCP sessions and also protects UDP packets. Radware's bandwidth management mechanism can deploy RED in two forms:
• Global RED - Global RED monitors the capacity of all the queues (i.e. the global set of queues) and randomly discards TCP packets before the classifier sees them.
• Weighted RED (WRED) - The RED algorithm is deployed per queue (instead of for all the packets in all the queues), and the priority of the queue has an effect on whether a packet gets dropped or not.

Bandwidth Management Policies

This section explains what Bandwidth Management policies are and describes how to define them, and includes the following topics:
• What is a Bandwidth Management Policy?, page 337
• Bandwidth Management Classification Criteria, page 337
• Bandwidth Management Rules, page 338
• Policy Index, page 340

What is a Bandwidth Management Policy?

The policy mechanism enables you to classify traffic passing through the Radware device and enforce bandwidth management on it. The policy database is made up of two sections. The first is the temporary or inactive portion. These policies can be altered and configured without affecting the current operation of the device. As these policies are adjusted, the changes are not in effect until the inactive database is activated. The activation updates the active policy database, which is what the device uses to sort through the packets that flow through it.

A policy consists of a set of conditions (classification criteria) and a set of actions that apply as a consequence of the conditions being satisfied.

Bandwidth Management Classification Criteria

A policy includes the following traffic classification criteria:
• Source: Defines the source of the traffic. Can be specific IPs, a range of IP addresses or an IP subnet address. You should first configure Networks.
The default value is “any”, which covers traffic from any source.
• Destination: Defines the destination of the traffic. Can be specific IPs, a range of IP addresses or an IP subnet address. The default value is “any”, which covers traffic to any destination.
Note: To limit or block access to the device's interface, type the IP address of the interface in the Destination box.
• Direction: Setting the direction mode to "one way" enables asymmetric BWM. When a policy is set to "one way", the classifier searches for traffic in one direction only, while on "two ways" the device searches both directions. When a rule is set to "one way", the device classifies only one direction of the traffic and the return traffic is not classified. When a rule is set to "two ways", on the way back the device swaps the source and destination IP addresses and ports (in case the rule is an L4 or L7 rule).
Examples: If you have the following rule:
— Source: IP_A
— Destination: IP_B
— Service: HTTP
— Direction: One Way
only traffic with source IP IP_A and destination IP IP_B, with source port X and destination port 80, would be classified. The return packet, with source IP IP_B and destination IP IP_A, with source port X and destination port 80, would not be classified.
If you have the following rule:
— Source: NET_A
— Destination: NET_B
— Service: HTTP
— Direction: Two Ways
a packet with a source IP belonging to NET_A and a destination IP belonging to NET_B making an HTTP request will be matched, while a packet with a source IP belonging to NET_B and a destination IP belonging to NET_A making an HTTP request will not be matched, even if the rule is set to "Two Ways".
• Service: Defines the traffic type.
The Service configured per policy can allow the policy to consider other aspects of the packet, such as the protocol (IP/TCP/UDP), TCP/UDP port numbers, bit patterns at any offset in the packet, and actual content (such as URLs or cookies) deep in the upper layers of the packet. Available Services are very granular. The default value is “none”, which covers all protocols.
• Inbound Physical Port Group: Classifies only traffic received on certain interfaces of the device. Enables you to set different policies for identical traffic classes that are received on different interfaces of the device.
• VLAN Tag Group: Defines VLAN traffic classification according to VLAN ID (VLAN Identifier) tags.
• Traffic Flow Identification: Defines what type of traffic flow is limited via this policy. The available options are:
— Client (source IP).
— Session (source IP and port).
— Connection (source IP and destination IP).
— FullL4Session (source and destination IP and port).
— SessionCookie (must configure cookie identifier).
• Cookie Field Identifier: String that identifies the cookie field whose value must be used to determine the different traffic flows.
Note: This is required only when Traffic Flow Identification is set to SessionCookie. When Traffic Flow Identification is set to SessionCookie, the BWM classifier searches for the Cookie Field Identifier followed by “=” and classifies flows according to the value.

Bandwidth Management Rules

Once the traffic is classified and matched to a policy, the Bandwidth Management rules can be applied to this policy.

Action

The action determines the access given to traffic. Possible values include:
• Forward: The connection is accepted and traffic is forwarded to its destination. This is the default value.
• Block: All packets are dropped.
• Block and Reset: All packets are dropped. In TCP traffic, an RST packet is sent to the client.
• Block and Bi-directional Reset: All packets are dropped.
In TCP traffic, an RST packet is sent to both client and server.

Priority

If the action associated with the policy is “forward”, then the packet is classified according to the configured priority. There are 9 options available: Real time forwarding and priorities 0 through 7.

Guaranteed Bandwidth

If the scheduler is configured to use the CBQ algorithm, the policy can be assigned a minimum (guaranteed) bandwidth. The scheduler will not allow packets that were classified through this policy to exceed this allotted bandwidth, unless borrowing is enabled. Note that the maximum bandwidth configured for the entire device, as described above, overrides per-policy bandwidth configurations. In other words, the sum of the guaranteed bandwidth for all the policies cannot be higher than the total device bandwidth.

Borrowing Limit

Borrowing can be enabled when the scheduler operates through the CBQ algorithm. If enabled, the scheduler can borrow bandwidth from queues that can spare it, in order to forward packets from queues that have exceeded (or are about to exceed) their allotted amount of bandwidth. The combination of the Guaranteed Bandwidth and Borrowing Limit field values causes the bandwidth allotted to a policy to behave as follows:

Table 35: Guaranteed Bandwidth and Borrowing Limit
Guaranteed Bandwidth 0, Borrowing Limit 0: Burstable with no limit, no minimum guaranteed.
Guaranteed Bandwidth X, Borrowing Limit 0: Burstable with no limit, minimum of X guaranteed.
Guaranteed Bandwidth 0, Borrowing Limit Y: Burstable to Y, no minimum guaranteed.
Guaranteed Bandwidth X, Borrowing Limit Y (Y>X): Burstable to Y, minimum of X guaranteed.
Guaranteed Bandwidth X, Borrowing Limit X: Non-burstable, X guaranteed.

Policy Group

You can define several bandwidth borrowing domains on a device by organizing policies in groups. Bandwidth that is not utilized by a specific policy in a group is allocated proportionally to the other policies, enabling them to borrow from other policies, preventing starvation and utilizing the bandwidth more efficiently. Only policies that participate in a specific group can share bandwidth.
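The following Python is an added example, not Radware's scheduler, of how the Policy Group sharing just described can be computed together with the Guaranteed Bandwidth / Borrowing Limit table: the group pool is the sum of the members' Guaranteed Bandwidth values, each member first receives what it demands up to its guarantee, and the unused remainder is handed to members that still want more, in proportion to their guarantees and never above their Borrowing Limit cap. The proportional rule, the round-by-round redistribution and all rates are this example's assumptions.

```python
"""Added example (not Radware's code): Policy Group bandwidth sharing with the
Guaranteed Bandwidth (X) / Borrowing Limit (Y) semantics of Table 35.
All rates are in Kbps and all numbers are constructed."""

INF = float("inf")


def policy_cap(guaranteed, borrowing_limit):
    """Highest rate a policy may reach, following Table 35:
    limit 0 means burstable with no limit; otherwise the policy may burst
    up to the limit (a limit equal to the guarantee makes it non-burstable)."""
    if borrowing_limit == 0:
        return INF
    if borrowing_limit < guaranteed:
        # Not a combination Table 35 defines; treated as a configuration error here.
        raise ValueError("Borrowing Limit must be 0 or at least the Guaranteed Bandwidth")
    return float(borrowing_limit)


def allocate_group(policies, demand):
    """Share a policy group's pool among its members.

    policies: {name: (guaranteed_kbps, borrowing_limit_kbps)}
    demand:   {name: offered_load_kbps}
    Returns {name: allocated_kbps}.
    """
    pool = float(sum(g for g, _ in policies.values()))   # group pool = sum of guarantees
    alloc = {}
    for name, (g, _) in policies.items():
        alloc[name] = min(float(demand.get(name, 0)), float(g))   # guarantee first
    spare = pool - sum(alloc.values())
    while spare > 1e-9:
        # Members that still want more and are below their Table 35 cap.
        wanting = {}
        for name, (g, y) in policies.items():
            want = min(float(demand.get(name, 0)), policy_cap(g, y)) - alloc[name]
            if want > 1e-9:
                wanting[name] = want
        if not wanting:
            break                      # nobody can use the spare bandwidth; it stays idle
        weight = sum(policies[n][0] for n in wanting)
        granted = 0.0
        for name, want in wanting.items():
            if weight > 0:
                share = spare * policies[name][0] / weight   # proportional to guarantee
            else:
                share = spare / len(wanting)                 # all guarantees 0: equal split
            grant = min(share, want)   # a member takes no more than it wants
            alloc[name] += grant
            granted += grant
        spare -= granted               # anything declined is redistributed next round
    return alloc


# Constructed group: three policies, all with Borrowing Limit 0 as the notes require.
GROUP = {"A": (1000, 0), "B": (1000, 0), "C": (2000, 0)}
```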
The total bandwidth available for a policy group is the sum of the Guaranteed Bandwidth values of all policies in the group.

To configure a Policy Group:
1. Set the Global BWM parameter Dynamic Borrowing to Enable.
2. Define Policy Groups.
3. Define the device policies. Configure Guaranteed Bandwidth with the desired value and Borrowing Limit as 0; the bandwidth limitation is ignored, as the policy is able to borrow unused bandwidth from other policies in the group. For each policy, select the relevant policy group to which it belongs.
4. Perform the Update Policies command.

Notes:
i. Whenever bandwidth borrowing and/or prioritization is applied, the maximum bandwidth available for allocation per physical port must be configured (for example, if a device Fast Ethernet port is connected to a router that supports up to 2 Mbps, the bandwidth for this port must be set to 2 Mbps; the default is according to the physical size, 100 Mbps).
ii. The Borrowing Limit parameter must be set to 0 for all the policies in the group and the Dynamic Borrowing global parameter must be enabled.

Traffic Flow Control

The maximum bandwidth allowed per traffic flow.

Max Concurrent Sessions

String that identifies the cookie field whose value must be used to determine the different traffic flows.
Note: This is required only when Traffic Flow Identification is set to SessionCookie. When Traffic Flow Identification is set to SessionCookie, the BWM classifier searches for the Cookie Field Identifier followed by “=” and classifies flows according to the value.

Packet Marking

Packet Marking refers to Differentiated Services Code Point (DSCP) or Diffserv. It enables the device to mark the packet with a range of bits.

Policy Index

The policy order or index is a number that determines the order of the policy in the entire policy database. When the classifier receives a packet, it tries to find a policy that matches the packet.
The policy database is searched starting with policy #1, in descending order. Once a policy is matched, the process stops. Using this logic, the very last policy configured should be the policy that is enforced on all packets that do not match any other policies. In other words, the last configured policy should be the “default” policy.

BWM Classes

This section explains how to define a service, which provides flexibility to the classifier and gives the system a large number of possibilities for packet identification, and includes the following topics:
• Services, page 341
• Basic Filters, page 341
• Advanced Filters and Filter Groups, page 341
• Pre-Defined Services for BWM, page 342

Services

A very advanced and granular set of services can be configured within the bandwidth management system. Services are configured separately from policies. As each policy is configured, it can be associated with a configured Service. The service associated with a policy in the policy database can be a basic filter, an advanced filter, or a filter group. This represents tremendous flexibility for the classifier, as it essentially gives the system a large number of possibilities for packet identification.

Basic Filters

The basic building block of a Service is a basic filter. A basic filter is made up of the following components:
• Protocol: The specific protocol that the packet should carry. The possible choices are IP, TCP, UDP and ICMP. If the protocol is configured as “IP”, all IP packets (including TCP and UDP) will be considered. When configuring the TCP or UDP protocol, some additional parameters are also available:
— Destination Port (From-To) - Destination port number for that protocol. For example, for HTTP, the protocol would be configured as TCP and the destination port as 80. The port configuration can also allow for a range of ports to be configured.
— Source Port (From-To) - Similar to the destination port, the source port that a packet should carry in order to match the filter can be configured.
• Offset Mask Pattern Condition (OMPC): The OMPC is a means by which any bit pattern can be located for a match at any offset in the packet. This can aid in locating specific bits in the IP header, for example. ToS and Diffserv bits are perfect examples of where OMPCs can be useful. It is not mandatory to configure an OMPC per filter. However, if an OMPC is configured, there should be an OMPC match in addition to a protocol (and source/destination port) match. In other words, if an OMPC is configured, the packet needs to match the configured protocol (and ports) AND the OMPC.
• Content: In case the protocol configured is TCP or UDP, it is possible to search for any text string in the packet. Like OMPCs, a text pattern can be searched for at any offset in the packet. HTTP URLs are perfect examples of how a text search can aid in classifying a session. The service editor allows you to choose between multiple types of configurable content: URL, hostname, HTTP header field, cookie, mail domain, mail to, mail from, mail subject, file type, regular expression and text. If the content type is “URL”, for example, then the session is assumed to be HTTP with a GET, HEAD or POST method. The classifier searches the URL following the GET/HEAD/POST to find a match for the configured text. In this case, the configured offset is meaningless, since the GET/HEAD/POST is in a fixed location in the HTTP header. If the content type is “text”, then the entire packet is searched, starting at the configured offset, for the content text. By allowing a filter to take the actual content of a packet/session into account, the classifier gains a powerful way to recognize and classify an even wider array of packets and sessions. Like OMPCs, content rules are not mandatory to configure.
If a content rule exists in the filter, then the packet needs to match the configured protocol (and ports), the configured OMPC (if one exists), AND the configured content rule.

Advanced Filters and Filter Groups

An Advanced Filter is a combination of basic filters with a logical AND between them. Let's assume filters F1, F2, and F3 have been individually configured. Advanced filter AF1 can be defined as:
AF1 = {F1 AND F2 AND F3}
In order for AF1 to be a match, all three filters F1, F2, and F3 must match the packet being classified.

A Filter Group is a combination of basic filters and advanced filters, with a logical OR between them. To continue the example above, filter group FG1 can be defined as:
FG1 = {AF1 OR F4 OR F6}
In order for filter group FG1 to be a match, either advanced filter AF1, basic filter F4, or basic filter F6 has to match the packet being classified.

Radware devices are pre-configured with a set of basic filters and group filters that represent applications commonly found in most networks.

Note: For a detailed description of the pre-configured filters, see page 348.

Pre-Defined Services for BWM

Provided below is a list of pre-defined filters for BWM:

Table 36: Pre-Defined Filters for BWM (Service Name: Description; filter type Basic or Group in parentheses)
ERP/CRM
sap: (Basic)
Database
mssql: Microsoft SQL service group (Group)
mssql-monitor: SQL monitoring traffic (Basic)
mssql-server: SQL server traffic (Basic)
oracle: Oracle database application service group (Group)
oracle-v1: Oracle SQL*Net v1-based traffic (v6, Oracle7) (Basic)
oracle-v2: Oracle SQL*Net v2/Net 8-based traffic (Oracle7, 8, 8i, 9i) (Basic)
oracle-server1: Oracle Server (e-business solutions) on port 1525 (Basic)
oracle-server2: Oracle Server (e-business solutions) on port 1527 (Basic)
oracle-server3: Oracle Server (e-business solutions) on port 1529 (Basic)
Thin Client or Server Based
citrix: Citrix connectivity application service group. Enables any type of client to access applications across any type of network connection. (Group)
citrix-ica: Citrix Independent Computer Architecture (ICA) (Basic)
citrix-rtmp: Citrix RTMP (Basic)
citrix-ima: Citrix Integrated Management Architecture (Basic)
citrix-ma-client: Citrix MA Client (Basic)
citrix-admin: Citrix Admin (Basic)
Peer-to-Peer
p2p: Peer-to-peer applications (Group)
edonkey: File sharing application (Basic)
gnutella: File sharing and distribution network (Basic)
fasttrack: User-to-User Media Exchange (Basic)
Kaaza: Kaaza File Sharing Application (Note: Music City Morpheus and Grokster also classify as Kaaza) (Basic)
Internet
dns: Domain Name Server protocol
ftp-session: File Transfer Protocol service, both FTP commands and data (Basic)
http: Web traffic (Basic)
http-alt: Web traffic on port 8080 (Basic)
https: Secure web traffic (Basic)
icmp: Internet Control Message Protocol (Basic)
ip: IP traffic
nntp: Usenet NetNews Transfer Protocol (Basic)
telnet
tftp: (Basic)
udp: (Basic)
Instant Messaging
aol-msg: AOL Instant Messenger (Basic)
icq: ICQ (Basic)
msn-msg: MSN Messenger Chat Service (Basic)
yahoo-msg: Yahoo Messenger (Group)
yahoo-msg1: Yahoo Messenger on port 5000 (Basic)
yahoo-msg2: Yahoo Messenger on port 5050 (Basic)
yahoo-msg3: Yahoo Messenger on port 5100 (Basic)
Email
mail: (Group)
smtp: (Basic)
imap: (Basic)
pop3: (Basic)

Networks

A Network is a logical entity which consists of a group of IP addresses linked together by a network IP and subnet, or a range of IP addresses (from-to), and identified by name. A Network can be configured separately, and individual elements of the Network list can then be used in individual policies. An entry in the Network list is known as a configured “name” and can be either an IP/Mask combination or an IP range.
For example, network “net1” can be 10.0.0.0/255.0.0.0 and network “net2” can be From: 10.1.1.1 To: 10.1.1.7. The Network list allows either configuration.

The bandwidth management module allows multiple Networks to have the same configured “name”. This allows a Network with the name “net1” to actually encompass multiple disjoint IP address ranges. Essentially, this makes the Network “name” a logical pointer to all ranges configured with that name, which further simplifies the configuration and management of the system.

To configure a Network using WBM: From the main window select BWM > Classes > Networks > Modify > Add.

Port Groups

Port Groups enable the user to set different policies for identical traffic classes that are received on different interfaces of the device. For example, the user can allow HTTP access to the main server only to traffic entering the device via physical interface 3. This provides greater flexibility in configuration. The user should first configure Port Groups.

To configure Port Groups using WBM: From the main window select BWM > Port Groups > Physical Port Groups.

VLAN Tag Groups

VLAN Tag Groups allow the user to set different policies for identical traffic classes that are received with different values of 802.1q VLAN Tags. For example, the user can allow SMTP access to the Internet only to traffic tagged with a VLAN Tag with a specific value. This provides greater flexibility in configuration. The user should first configure VLAN Tag Groups.

To configure VLAN Tag Groups using WBM: From the main window select BWM > Port Groups > VLAN Tag Groups.

BWM Example Configuration

The following is a complete example configuration for bandwidth management, addressing the following:
• Limit FTP traffic to servers (20.10.1.3, 20.10.1.7 and 20.10.3.17) incoming via physical port 5 or 7 to 300 kbps.
• Guarantee 2 Mbps to Citrix traffic running on VLAN 2 and VLAN 7.
• Limit HTTP traffic to and from internal network 10.x.x.x to 1 Mbps.
• Prevent infection of the network by the e-mail virus named “Love Letter”.

To configure the BWM Example:
1. From the main window, click BWManagement. The Bandwidth Management window appears.
2. Click BWM Parameters. The BWM Global Parameters window appears.
3. From the BWM Global Parameters window, set the following parameters:

Table 37:
Classification Mode: Policies
Application Classification: Per Session
Scheduling Algorithm: CBQ

Click Ok to record your preferences and exit from the window.
4. Configure the required Physical Port Group:
   a. From the Bandwidth Management window, click Port Groups. The Ports Group window appears.
   b. From the Ports Group window, select the Physical Port Groups option button. Click the Modify Table tab and click Add. The Edit Physical Port Group window appears.
   c. From the Edit Physical Port Group window, in the Groups parameter enter a new group entitled FTP Ports. Select the port 5 and port 7 checkboxes.
   d. Click Ok.
5. Configure the required VLAN Tag Groups:
   a. From the Port Groups window, select the VLAN Tag Groups option button and click Add from the Modify Table tab. The Edit VLAN Tag Groups window appears.
   b. From the Edit VLAN Tag Groups window, create 2 separate entries for the Citrix VLAN by setting the following parameters:

Table 38:
Group Name: Citrix VLAN
Group Mode: Discrete
VLAN Tag: 2 (first entry); 7 (second entry)

   c. Click Ok > Update Modifications.
6. Add 2 networks:
   a. From the Bandwidth Management window, click Classes. The LinkProof Classes window appears.
   b. From the LinkProof Classes window, click Networks.
   c. Select Modify and then click Add. The Edit Network window appears.
   d. From the Edit Network window, set the following parameters:

Table 39:
Network Name: FTP Servers
Network Mode: IP Range
Create 3 separate entries for the FTP Servers with the following addresses:
From Address: 20.10.1.3; 20.10.1.7; 20.10.3.17
To Address: the same as the From Address

7. Add the second network as explained above, setting the following parameters:

Table 40:
Network Name: Internal
Network Mode: IP Mask
From Address: 10.0.0.0
To Address: 255.0.0.0

8. Click Ok to record your preferences and exit the window.
9. Configure the Basic Filter to identify the e-mail virus:
   a. From the Bandwidth Management window, click Classes. The Classes window appears.
   b. From the Classes window, click Add Regular. The New Service pane appears.
   c. From the New Service pane, set the following parameters:

Table 41:
Service Name: Love Letter
Protocol: TCP
Content Type: Mail Subject
Content: Love Letter

   d. Click Add Service and then click Update Active Classes.
10. Configure the policies: From the Bandwidth Management window, click Modify and then click Add. The Edit Policy window appears.
11. From the Edit Policy window, add the following 4 policies:

Table 42: To limit FTP traffic to the FTP Servers via ports 5 and 7 to 300 kbps
Policy Name: FTP
Service Type: Regular
Service: FTP
Source: Any
Destination: FTP Servers
Direction: Oneway
Action: Forward
Priority: 4
Inbound Physical Group: FTP Ports
Borrowing Limit: 300

Table 43: To guarantee 2 Mbps to Citrix traffic running on VLAN 2 and 7
Policy Name: Citrix
Service Type: Group
Service: Citrix
Source: Any
Destination: FTP Servers
Direction: Twoway
Action: Forward
Priority: 2
Generated Bandwidth: 2000

Table 44: To limit HTTP traffic to the Internal network to 1 Mbps
Policy Name: HTTP
Service Type: Regular
Service: HTTP
Source: Any
Destination: Internal
Direction: Twoway
Action: Forward
Priority: 3
Inbound Physical Group: FTP Ports
Borrowing Limit: 1000

Table 45: To block the “Love Letter” e-mail virus
Policy Name: Virus Love Letter
Service Type: Regular
Service: Love Letter
Source: Any
Destination: Any
Direction: Twoway
Action: Block

12. Click Ok to record your preferences and exit from the window.

Protocol Discovery

This section describes the Protocol Discovery feature, which allows you to recognize the different applications running on your network by creating Protocol Discovery Policies. This section includes the following topics:
• What is Protocol Discovery?, page 348
• Protocol Discovery Policies, page 349

What is Protocol Discovery?

To use the Bandwidth Management module in an optimal way, network administrators must be aware of the different applications running on their network and the amount of bandwidth they consume. To allow a full view of the different protocols running on the network, a traffic discovery feature known as Protocol Discovery has been added. The Protocol Discovery feature can be activated on the entire network or on separate subnetworks by defining Protocol Discovery policies.

Protocol Discovery Policies

A Protocol Discovery policy consists of a set of traffic classification criteria which includes:
• Source: Defines the source of the traffic. Can be specific IPs, a range of IP addresses or an IP subnet address. The default value is “any”, which covers traffic from any source.
• Destination: Defines the destination of the traffic. Can be specific IPs, a range of IP addresses or an IP subnet address. The default value is “any”, which covers traffic to any destination.
• Source MAC Address Group: Enables discovery of the applications and protocols present in the traffic sent by a transparent network device (firewall, router).
• Destination MAC Group: Enables discovery of the applications and protocols present in the traffic sent to a transparent network device (firewall, router).
• Inbound Physical Port Group: Classifies only traffic received on certain interfaces of the device. Enables you to set different policies for identical traffic classes that are received on different interfaces of the device.
• VLAN Tag Group: Defines VLAN traffic classification according to VLAN ID (VLAN Identifier) tags.
• Direction: Defines the direction of the traffic. Can be OneWay (from Source to Destination) or TwoWay.

To configure Protocol Discovery using APSolute Insite:
1. From the main window, click Bandwidth Management. The Bandwidth Management window appears.
2. From the Bandwidth Management window, click Protocol Policies. The Protocol Discovery Policies window appears.
3. From the Protocol Discovery Policies window, click Add. The Edit Protocol Discoveries window appears.
4. From the Edit Protocol Discoveries window, set the parameters according to the set of traffic classification criteria explained above.
5. Click Ok to accept your changes and exit from the window.

To view the results:
1. Configure Protocol Discovery as explained above in steps 1-2.
2. From the Protocol Discoveries window, click View Protocol Statistics. The Protocol Statistics window appears.

Interface Classification

This section describes the process of interface classification, which is designed to give you more bandwidth performance. This section includes the following topics:
• Port Bandwidth, page 350
• Interface Classification, page 350

Port Bandwidth

In order to optimize the queuing algorithm, it is essential for the BWM module to be aware of the maximum available port bandwidth. This can be configured via the "BWM port Bandwidth table".
By default, the maximum available throughput is determined by the port type: 100 Mbps for the FE ports and 1 Gbps for the Giga ports. The queuing mechanism only begins to function upon link saturation, and configuring the maximum throughput is the only way the device can tell whether the link is saturated.

To define a port's maximum available bandwidth:
1. From the main window, right-click the LinkProof icon and select Zoom > Zoom In. Repeat this process until you can see the front view of the device.
2. Right-click the required port (f1, f2, etc.) and select Interface Parameters from the drop-down list. The Interface Parameters window appears.
3. From the Interface Parameters window, set the Available Bandwidth parameter for that port in Kbps and click Ok.

Interface Classification

To increase performance, the Bandwidth Management module can be configured to exclude traffic running through certain physical ports and/or VLANs from the classification effort. In this way valuable processing time is saved while enabling a simpler method of configuring the device. You may cancel classification according to Port or according to VLAN.

To cancel Interface Classification by port:
1. From the main window, click Bandwidth Management. The Bandwidth Management window appears.
2. From the Bandwidth Management window, click Interface Classification. The Interface Classification window appears.
3. From the Interface Classification window, select the Cancel Classification by Port option button and set the following parameters:
   Inbound Port: The number of the required port for inbound traffic.
   Outbound Port: The number of the required port for outbound traffic.
   Direction: The direction of the flow through each port. Values can be Oneway (the traffic flows in through the Inbound Port and out through the Outbound Port) or Twoway (the traffic flows both ways through both ports).
4. Click Add to add your parameter settings to the table.
5. Click Ok to record your changes and exit from the window.

To cancel Interface Classification by VLAN:
1. From the main window, click Bandwidth Management. The Bandwidth Management window appears.
2. From the Bandwidth Management window, click Interface Classification. The Interface Classification window appears.
3. From the Interface Classification window, select the Cancel Classification per VLAN option button.
4. Select the number of the required VLAN you wish to cancel.
5. Click Ok to record your changes and exit from the window.

Chapter 9 - Health Monitoring

This chapter describes Health Monitoring, which incorporates the Radware SynApps architecture, and includes the following sections:
• Health Monitoring - Introduction, page 353
• Health Check Configuration, page 355
• Health Check Methods, page 364

Health Monitoring - Introduction

This section describes the general function of the module and the basic health monitoring concepts. This section includes the following topics:
• Module, page 353
• Checked Element, page 354
• Health Check, page 354
• Method, page 354
• Binding and Groups, page 354

Module

The Health Monitoring module, implemented on all Radware IAS (Intelligent Application Switching) products, is responsible for checking the health of the network elements such as servers, firewalls, and Next Hop Routers (NHRs) that are managed by the IAS device. The Health Monitoring module determines which network elements are available for service, enabling the IAS device to load balance traffic among the available resources. Traffic management decisions are based mainly on the availability of the load balanced elements and on other resources on the data path. The module provides flexible configuration for health monitoring of the load balanced elements.
The module supports various pre-defined and user-defined checks, and enables you to create dependencies between health checks of different elements.

Previous versions supported load balancing of traffic between servers based only upon the health of the servers or SNMP variables polled from the servers. It is now possible to load balance the traffic between servers according to Response Level, which enables the user to always serve clients using the fastest server. The Health Monitoring module now enables users to track the round trip time of health checks. The device keeps a Response Level indicator for each check. The Response Level is the average ratio between the actual response time and the configured Timeout. The average is calculated over a number of samples as defined in the Response Level Samples parameter, available in the Global Parameters window via the Health Monitoring menu. A value of 0 in the Response Level Samples parameter disables the parameter; any other value between 1-9 defines the number of samples. For example, if the user configured 2 health checks, c1 which pings server 1 and c2 which pings server 2, and enabled the Track Load flag for both checks, 2 Load Factors are generated. Response Time Load Balancing is achieved by choosing the Response Time dispatch method in the farm parameters. The device then load balances the traffic to the “fastest” element until the Load Factors are equal.

Checked Element

A Checked Element is a network element that is managed and load balanced by the Radware device. For example, LinkProof-checked elements are the Farm Servers, NHRs and LRP, PRP reports; for CSD the checked elements are Cache Servers; for CID, Content Servers; for LinkProof, Security Servers; and for LinkProof, the Next Hop Routers. The health of a checked element may depend on a network element that the IAS device does not load balance.
For example, the health of a server managed by LinkProof may depend on the health of a database server or other application servers which are not load balanced by the LinkProof, or the health of a Next Hop Router managed by LinkProof may depend on the availability of the service provider.

Health Check

A Health Check defines how to test the health of any network element (not necessarily a Checked Element). A check configuration includes such parameters as the Check Method, the TCP/UDP port to which the test should be sent, the time interval for the test, its timeout, the number of Retries, and more. These parameters are explained in detail in Regular Health Check, page 360. A network element can be tested using one or several Health Checks.

Method

Health check methods are applications or protocols that the IAS device uses to check the health of network elements. For example, a method can be Ping, HTTP or other. Although the Health Monitoring module provides a wide array of predefined methods, user-defined methods are also supported. In addition, method-specific arguments can be configured for each method. For a complete list of supported health check methods, refer to Health Check Methods, page 364.

Binding and Groups

The Health Check defines only how to check elements; you also need to define which of the Checked Elements are affected by the results of these checks and how the results affect them. This is done by means of the Health Check Binding function. Health Check Binding describes the relation between the Checked Elements (the load balanced elements) and Health Checks, and defines how the Health Checks affect the health of the Checked Elements. For example, when a Health Check is bound to a Checked Element and the check fails, the status of the Checked Element is changed to Not in Service. A Checked Element may be bound with more than one Health Check.
For example, a Web server can be bound to an HTTP check, which verifies that the Web server is functioning, and to another Health Check that makes sure that the database server used by this Web server is also functioning. In addition, a Health Check can be associated with more than one Checked Element, meaning that a single resource affects the status of multiple Checked Elements. For example, a single DB server may influence the health of multiple Web servers. The shared resource (DB server) is tested only once, and the test results affect multiple Checked Elements. When a Health Check fails, the Health Monitoring module reevaluates the status of all Checked Elements bound to the check. Health Check Bindings can also be grouped for complex conditioning of tests, using logical AND/OR. This is discussed in more detail in the Configuration section.

Health Check Configuration

This section describes how to configure health monitoring according to health check types and includes the following topics:
• Global Configuration, page 355
• Global Parameters Setup, page 355
• Health Checks Database, page 356
• Regular Health Check, page 360
• Bindings and Groups, page 359
• Group Health Check, page 362
• Farm Health Check, page 363

Global Configuration

The Health Monitoring module may be accessed using the Health Monitoring menu from APSolute Insite, Web Based Management or via CLI. Setting up the Health Monitoring module on an IAS device involves the following steps:
1. Enable the Health Monitoring module: from the Health Monitoring Global Parameters window, set the Health Monitoring parameter to Monitoring Module.
2. Set the Connectivity Method of each farm to Disabled. This allows the device to use the results of the Health Monitoring module to determine the status of the servers in this farm.
To enable the Health Monitoring module on a device:
• WBM > Health Monitoring menu > Global Parameters
• Configure Insite > Health Monitoring Settings

Global Parameters Setup

From Configure Insite, Global Parameters Setup is done through the Health Monitoring Settings window.

To configure Global Health Monitoring:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
2. From the LinkProof Setup window, click the Global tab. The Global pane appears.
3. From the Global pane, select the Health Monitoring Settings option button and click Edit Settings. The Health Monitoring Settings window appears.
4. From the Health Monitoring Settings window, set the following parameters:
   Health Monitoring: Determines whether to use the Health Monitoring module or the device's Connectivity Checks. Default: Health Monitoring.
   Response Level Samples: The Health Monitoring module enables users to track the round trip time of health checks. The device keeps a Response Level indicator for each check. The Response Level is the average ratio between the actual response time and the configured Timeout. The average is calculated over a number of samples as defined in the Response Level Samples parameter (floating average). A value of 0 in the Response Level Samples parameter disables the parameter; any other value between 1-9 defines the number of samples. Response Time Load Balancing is achieved by choosing the Response Time dispatch method in the farm parameters. The device then load balances the traffic to the “fastest” element until the Load Factors are equal.
   SSL Certificate File: This file is used by the device when the Web server requires a Client Certificate during the SSL handshake. Default: Client Certificate generated by the device.
   SSL Private Key File: This file is used by the device when the Web server requires a key during the SSL handshake. Default: Private Key generated by the device.
5. Click Ok. Your preferences are recorded.

Note: The SSL Certificate file and SSL Private Key are not exported as part of the device configuration export.

Health Checks Database

APSolute Insite enables you to configure and view the currently defined health checks in a database, prior to attaching them to a network element.

To configure the Health Check database:
1. From the main window, select a device and click Health Monitoring. The Health Checks window appears.
2. From the Health Checks window, click Health Checks DB. The device Health Check DB window appears.
3. From the Health Check DB window, click Add. The device Edit Health Check window appears. In this window you can create a new entry for the Health Check DB.
4. Set up the Regular check parameters for the device:
   Health Check Name: Type the name of the new check.
   Method: From the drop-down list, select the check method. For the full description of methods, see Predefined Methods, page 364.
   Destination IP Address: Specify the IP address for the Health Check. Note: You can specify any IP address, to enable the testing of any network element (not only Checked Elements). When the IP address is not available locally to the device, a default gateway must be configured.
   Next Hop IP Router: Type the IP address of the Next Hop Router that should be used for the Health Check; this means that the Health Check is sent to the destination MAC address of the IP address configured in this field. This field can be used when, for example, you need to check the health of NHRs, or for a loopback server (Destination IP Address is the farm IP, Next Hop IP Address is the server's address). The Next Hop IP Address should be on the same network segment as one of the device interfaces.
   When this field is left blank and the Destination IP Address does not reside on the same subnet, the Health Monitoring module uses the device's Routing Table to forward the packet.
   Notes:
   • The Next Hop IP Address is not used for ARP checks, since ARP checks are performed only on the same broadcast domain.
   • If the destination port is not set, or is set to 0, the device uses the application's well-known port as the destination port. For example, if the method is set to HTTP and the destination port is 0, the device uses port 80 when it performs the check.
   • When using a TCP user-defined health check, the destination port must not be 0.
   Destination Port: The destination TCP/UDP port number to which the health check is sent. The destination port is method specific.
   Interval: Define the time interval between checks. This interval defines the health check's execution interval in seconds. This field accepts only integers, and its value must be greater than the timeout value. Maximum value is 2^32-1 seconds. Default: 10.
   Retries: Define the number of times that a health check must fail before the Health Monitoring module reevaluates the element's availability status. Note: This field accepts only integers.
   Timeout: Define the maximum number of seconds that the device waits for a response to the Health Check. Maximum value is 2^32-2 seconds. Note: This field accepts only integers.
   Response Level: Define the response level of the checked element.
   Measure Response Time: If applicable, check to enable this option. Using the Response Time dispatch method, this parameter indicates whether the response time of this check participates in measuring response time. Note that the average response time is calculated over a number of checks as defined in the Response Level Samples parameter, see Global Parameters Setup, page 355.
5. Click Ok to apply the setup. The Regular health checks you defined are listed in the Health Checks table.
6. For each selected method, you can edit the arguments. Click Method Arguments. The Edit Method Arguments window appears with additional configurable parameters for the selected method. Note: Arguments are method-specific. For a full list, see Additional Method Arguments, page 367.
7. Select or type the relevant values for the arguments and click Ok. The Edit Method Arguments window closes. The information you added appears in the Specific Check Parameters pane in the Edit Health Check window.
8. From the Edit Health Check window, click Ok. The health check is configured and the Edit Health Check window closes. The new health check now appears in the Health Check DB window table.
9. From the Health Check DB window, repeat steps 2 through 5 to configure each Health Check.

Action Macro

Radware devices support a wide range of health monitoring checks, allowing for highly granular checks and monitoring capabilities. The result of these checks is always a status, either “Active” or “Down”. The Action Macro feature complements this capability and allows performing an action based on the status of a health check. The action is performed by running a predefined macro file which is bound to the health check. Configuration of the feature involves the following stages:
1. Define the relevant health checks in the Health Checks DB window.
2. Record the macro files you wish to execute upon receiving a trap from the device.
3. Through the Health Check Actions window, available by clicking the Action button in the LinkProof Health Check DB window, bind the health checks and the macro files.

To configure an Action macro:
1. From the main window, click Health Monitoring. The Health Checks window appears.
2. From the Health Checks window, click Health Check DB. The Health Checks DB window appears.
3. From the Health Checks DB window, click Action. The Health Checks Action window appears.
4. From the Health Checks Action window, click Add. The Edit Health Check Action window appears.
5. From the Edit Health Check Action window, set the following parameters:
   Check Name: Select from the checks you defined.
   Condition: Select the health check status that activates the Action macro. Value range: Success; Fail. Default: Success.
   Action: Select the type of action. Value: Macro.
6. To edit the arguments for the selected action, click Action Arguments. The Action window appears.
7. From the Action window, set the following parameters/conditions for the action:
   Device: Select the relevant device.
   File Name: Select the relevant Macro File.
8. Click Ok, and then Ok twice more to exit all the Action windows. The test you configured is updated in the Health Check DB window.
9. Click Ok to apply the setup and exit. The Health Check DB window closes.

Bindings and Groups

You can associate a Health Check with a Checked Element. You can also define whether the check is Mandatory or not, and set the Group Number. Non-Mandatory checks in a group are evaluated with a logical OR between them, so if there is more than a single Non-Mandatory check in a group, a failure of one check does not fail the server. When several groups are associated with a single Checked Element, they are evaluated with a logical AND between them.

Note: When a Group consists of a single check which is defined as Non-Mandatory, then technically it is Mandatory.

The Group Number is unique per Checked Element. This means that, for example, Group Number 2 for Server1 and Group Number 2 for Server2 are two separate groups. Using groups enables the creation of complex health conditions for the Checked Elements. For instance, consider a Web server that communicates with one of two database servers and must use one of two routers in order to provide service.
This Web server will be bound using three different binding groups: one group contains the Health Checks for the two routers (each check Non-Mandatory), one group contains the Health Checks for the database servers (each check Non-Mandatory), and the third group contains the Health Check on the Web server itself. As long as one of the database servers and one of the routers is active, and the Web server health check passes, the Web server is considered active. Otherwise, the Health Monitoring module determines that the Web server cannot provide the required service. Up to 20 binding groups can be defined per Checked Element. Using Configure Insite, binding is performed by setting regular checks and Group Checks.

The Binding Table contains the following parameters:
   Check Name: The Health Check to be bound to a Checked Element. Possible values: all checks defined in the Check DB.
   Checked Element Name: The Checked Element to which the Health Check is bound. Possible values: all defined servers in the Application Server/Firewall/NHR Table.
   Group: The group number to which the check belongs. The group number is unique per server.
   Mandatory: Defines whether the Health Check is mandatory for the Checked Element's health. The Non-Mandatory status for checks within a group is equal to an OR relationship between the Health Checks, while the Mandatory status is equal to an AND condition. Possible values: Mandatory, Non-Mandatory.

A Health Check is still performed even if it is not bound to any of the Checked Elements. If the check fails, the device sends notification messages (SNMP Traps, Syslog messages or mail messages, as configured) indicating the failure of the check.

Regular Health Check

A Regular type Health Check is a check of an individual network element. You can add or edit health check parameters through the Check Table. The Check Table lists the configured health checks.
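As an added example that is not Radware code, the following Python models the binding rules described under Bindings and Groups above (Mandatory checks ANDed, Non-Mandatory checks ORed, groups ANDed, at most 20 groups per element) together with the Response Level indicator described under Module and Global Parameters Setup. The class, element and check names are hypothetical, the check results are constructed sample data, and the treatment of the Retries counter is an assumption noted in the code.

```python
# Added example, not Radware code: a model of the Health Monitoring binding
# semantics (Bindings and Groups) and the Response Level indicator (Module,
# Global Parameters Setup). Class and method names are hypothetical.
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional

MAX_GROUPS_PER_ELEMENT = 20  # "Up to 20 binding groups can be defined per Checked Element"


@dataclass
class HealthCheck:
    name: str
    timeout: float                   # seconds the device waits for a reply
    retries: int = 5                 # failures needed before the check is Down
    response_level_samples: int = 0  # 0 disables tracking; 1-9 sets the window
    failures: int = 0
    samples: Deque[float] = field(default_factory=deque)

    def record(self, response_time: Optional[float]) -> str:
        """Feed one result (reply time in seconds, or None on timeout); return "Active"/"Down"."""
        if response_time is None:
            self.failures += 1
        else:
            self.failures = 0
            if 1 <= self.response_level_samples <= 9:
                # Response Level sample = actual response time / configured Timeout
                self.samples.append(response_time / self.timeout)
                while len(self.samples) > self.response_level_samples:
                    self.samples.popleft()
        return self.status

    @property
    def status(self) -> str:
        # Assumption: Down once `retries` consecutive checks failed; any reply resets.
        return "Down" if self.failures >= self.retries else "Active"

    @property
    def response_level(self) -> Optional[float]:
        """Floating average of the ratio over the window (the Load Factor); None if untracked."""
        return sum(self.samples) / len(self.samples) if self.samples else None


@dataclass
class Binding:
    check: HealthCheck
    group: int
    mandatory: bool


class HealthMonitor:
    def __init__(self) -> None:
        self.bindings: Dict[str, List[Binding]] = {}

    def bind(self, element: str, check: HealthCheck, group: int, mandatory: bool) -> None:
        groups = {b.group for b in self.bindings.get(element, [])}
        if group not in groups and len(groups) >= MAX_GROUPS_PER_ELEMENT:
            raise ValueError(f"{element}: at most {MAX_GROUPS_PER_ELEMENT} binding groups")
        self.bindings.setdefault(element, []).append(Binding(check, group, mandatory))

    @staticmethod
    def group_passes(bindings: List[Binding]) -> bool:
        mandatory = [b.check.status == "Active" for b in bindings if b.mandatory]
        optional = [b.check.status == "Active" for b in bindings if not b.mandatory]
        # AND across Mandatory checks, OR across Non-Mandatory ones; a group holding
        # a single Non-Mandatory check therefore behaves as if it were Mandatory.
        return all(mandatory) and (not optional or any(optional))

    def element_status(self, element: str) -> str:
        """Groups bound to one Checked Element are ANDed together."""
        by_group: Dict[int, List[Binding]] = {}
        for b in self.bindings.get(element, []):
            by_group.setdefault(b.group, []).append(b)
        ok = all(self.group_passes(bs) for bs in by_group.values())
        return "In Service" if ok else "Not in Service"

    def fastest(self, load_checks: Dict[str, HealthCheck]) -> Optional[str]:
        """Response Time dispatch: the In Service element with the lowest Load Factor."""
        ranked = [(chk.response_level, elem) for elem, chk in load_checks.items()
                  if self.element_status(elem) == "In Service"
                  and chk.response_level is not None]
        return min(ranked)[1] if ranked else None


def web_server_scenario() -> Dict[str, str]:
    """The guide's example: web1 needs one of two routers (group 1), one of two
    database servers (group 2) and its own HTTP check (group 3). Constructed data."""
    hm = HealthMonitor()
    checks = {n: HealthCheck(n, timeout=2.0, retries=1)
              for n in ("ping-rtr1", "ping-rtr2", "tcp-db1", "tcp-db2", "http-web1")}
    for name, group in (("ping-rtr1", 1), ("ping-rtr2", 1), ("tcp-db1", 2), ("tcp-db2", 2)):
        hm.bind("web1", checks[name], group, mandatory=False)
    hm.bind("web1", checks["http-web1"], 3, mandatory=True)
    # Constructed results: router 1 and database 2 do not answer, the rest reply.
    for name, rt in (("ping-rtr1", None), ("ping-rtr2", 0.3), ("tcp-db1", 0.5),
                     ("tcp-db2", None), ("http-web1", 0.8)):
        checks[name].record(rt)
    result = {"one router and one DB up": hm.element_status("web1")}
    checks["tcp-db1"].record(None)  # the remaining database fails too
    result["both DBs down"] = hm.element_status("web1")
    return result
```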
If a check is not bound to any of the Checked Elements, it is still performed. If it fails, the device sends notification messages, as configured (SNMP Traps, Syslog messages or mail messages), indicating the failure of the check. To Configure a Regular Health Check: 1. From the main window, click Health Monitoring. The Health Checks window appears. 2. From the Health Checks window, select Regular and click Add to define a single health check. The Device Edit Active Health Check window appears. 3. From the Device Edit Active Health Check window, click New Health Check. The Edit Health Check window appears. 4. Using this window, you can associate Health Checks to Checked Elements, and define the way the results of the Health Check affect the checked element 5. From the Edit Health Check window, set the following parameters according to the explanations provided:. Health Check Name: Method: 360 Type the name of the new check. From the drop-down list, select the check method. For the full description of methods, see Health Check Methods, page 364. Note: if you change the method, the Method Arguments button is enabled. You can edit the predefined method arguments. Doc. No.: 8261 LinkProof User Guide Destination IP Address: Type the address of the checked element. Next Hop Router: Type the router address. Destination Port: The destination port is method specific. Interval: Define the time interval between checks? Values:.Default: 10. Retries: Select the number of retries, that is repeated checks on a non responsive element? Default: 5 Timeout: Define the timeout value. Response Level: Define the response level of the checked element? Measure Response Time: If applicable, check to enable this option. Note: Arguments are method-specific. For full list, see Health Check Method Arguments, page 368 6. Click Ok to apply the Setup. 7. From the Edit Active Health Check window, click Apply. 8. To configure all the Regular type health checks, repeat steps 4. through 7. 9. 
Click Ok. The Edit Active Health Check window closes.
10. From the Edit Health Check window, set the following parameters according to the explanations provided:

Check Element: Select the network element to be checked. This list displays all elements managed by LinkProof with which a Health Check can be associated. The IP address is shown next to the selected element.
Mandatory: Define whether the health check is mandatory for determining the checked element's health. Non-mandatory checks within a check group are combined with an OR relation, while mandatory checks are combined with an AND condition. Possible values: Mandatory; Non-Mandatory.
Health Check Name: The name of the health check that you define. You can type a new name or select a name from the drop-down list, which contains all the checks previously defined in the Health Checks Database. Note: To create a new Health Check, you can use the Health Checks DB configuration described in Health Checks Database, page 356, or click the New Health Check button to open the Edit Health Check window.
Check ID: The health check number, as assigned by the device.
Method: Select the method from the drop-down list. The health check method is an application or protocol that the device uses to check the network element.
Destination IP Address: The destination IP address of the network element to be checked. If no IP address is entered, the default is the IP address of the Checked Element.
Next Hop Router: The IP address of the next hop on the network for this check. This is needed in order to direct the health check session to a network element's MAC address.
Destination Port: The number of the destination TCP/UDP port.
Interval: The time interval to elapse before performing the next check.
Retries: The number of times the device attempts to check the element when the result is "inactive", before updating the Availability Status to Not-Available.
Timeout: The time period to elapse between the initiation of the health check and its termination.
No New Session Timeout: A per-check threshold at which the status of the checked element is set to No New Sessions; it is configured for each specific check and check type. If the time the check takes exceeds this threshold, the device considers the element heavily loaded and does not send it new sessions. If the time the check takes reaches the Timeout threshold, the element is considered "Not In Service". Note: Setting this timeout to 0 (zero) disables the feature.
Measure Response Time: The Response Level Samples parameter can be used in health checks in which the Measure Response Time parameter is enabled.

11. Click Ok to apply the setup. The Regular health checks you defined are listed in the LinkProof Health Checks table.

To define and edit Health Check Methods
1. To define the health check method parameters, click Method Arguments. The Edit Method Arguments window appears.
2. From the Edit Method Arguments window, set the parameters as required.
3. Click Ok. The Edit Method Arguments window closes. The Specific Check Parameters field in the Edit Health Check window shows the edited method arguments.

Group Health Check
In addition to individual (regular) checks, you can configure groups of regular checks.

To configure a Group health check:
1. From the LinkProof Health Checks window, click the Group option and click Add. The Device Edit Health Check Group window appears.
2. From the Group Check Name drop-down list, select the name of the required Health Check Group. Note: You can set up to 20 groups for a Checked Element.
3.
From the Element Name drop-down list, select the name of the network element to check and click Apply. The group check you defined appears in the Edit Health Check Group table.
4. From the Enable column, select the checks required for this group.
5. From the Mandatory column, select the mandatory or non-mandatory status for each health check (that is, whether the health check must pass for the checked element to be considered healthy).
6. Click Apply. The health check Group is configured.
7. Continue to configure new groups, or click Ok to exit the window. In the Health Checks window, the group you configured is listed in the Groups column, while the checks for each group are listed in the Health Checks column.
8. Click Ok. The Health Checks window closes.

Farm Health Check
Used in large configurations with farms containing multiple servers, the Farm-oriented Health Check automates and simplifies the Health Monitoring configuration process by replicating a defined check for all servers in a farm.

To configure Farm Health Checks
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click the Farms tab. The Farms pane appears.
3. From the Farms pane, select the farm that you want to check, then click Health Monitoring Settings. The Health Checks Per Farm window appears.
4. From the Health Checks Per Farm window, click Add. The Edit Active Health Check window appears, where you can set up the Farm health check. Select one of the following options:
• Duplicate this Health Check for all Farm's servers: the health check you define is replicated and associated with all the servers of the selected farm.
• Set Health Check attribute for each Server in Farm: you manually configure a custom health check for each server of the selected farm.
5. From the Health Check Name drop-down list, select the name of the check.
For the remaining parameters and settings in the Edit Active Health Check window, see Regular Health Check, page 360.
6. Click Ok to apply the setup. The new farm check appears in the Health Checks per Farm table.

Health Check Methods
This section describes the methods or protocols that are used in Health Check configuration and includes the following topics:
• Predefined Methods, page 364
• User Defined Methods, page 372

Predefined Methods
Table 46 on page 364 describes the predefined Health Check Methods and their configurable parameters. Several of these methods (FTP, HTTP basic authentication, IMAP4, POP3, and LDAP without SSL) transmit the configured user name and password in cleartext, and the SNMP community string is likewise sent unencrypted; use a dedicated monitoring account with only the privileges the check needs.

Table 46: Health Check Methods

ARP: The module sends an ARP request to the destination address and waits for a reply. Parameters: N/A.

DNS: The module submits a DNS query for the configured host to the configured destination address. The module verifies that the reply is received with no errors and that the reply matches a specific address (if specified). If the IP address parameter is not defined, only the return code of the reply is validated (not the IP address it contains). Parameters: Hostname to Query; Address to match.

FTP: The module executes USER and PASS commands on the FTP server. When the login process is successfully completed, the module executes a SYST command. It can verify the existence of a file on the FTP server, but it does not download the file or check its size. The module verifies that all the commands are executed successfully and then terminates the connection. Parameters: Username; Password; Filename. Note: The module uses a control session only, not a data session.

HTTP: The module submits an HTTP request to the destination IP address. In addition, it is possible to define a specific URL to test. The request may be a GET, POST, or HEAD request. Requests may be in a proxy format or a Web format, and may include a no-cache directive. The module verifies that the returned status is 200.
If the checked server is password protected, the module may send an authorized user name and password. The module sends the HTTP request in HTTP 1.0 format. Parameters: Hostname, path, HTTP method, HTTP format (proxy/Web), use of no-cache, text to search for within the HTTP header and body plus an indication of whether the text should appear or not, Username and Password for basic authentication, and up to four valid HTTP return codes in addition to the return code 200.

IMAP4: The module executes a LOGIN command to the IMAP server and verifies that the returned code is OK. Parameters: Username; Password.

LDAP / LDAPS: The Health Monitoring module enhances the health checks for LDAP servers by allowing a search to be performed on the LDAP server. Before performing the search, Health Monitoring first issues a Bind command to the LDAP server; after performing the search, it closes the connection with an Unbind command. A successful search receives an answer from the server that includes a "searchResultEntry" message; an unsuccessful search receives only a "searchResultDone" message. Arguments:
• User Name: A user with privileges to search the LDAP server.
• Password: The password of the user.
• Base Object: The location in the directory from which the LDAP search begins.
• Attribute Name: The attribute to look for, for example CN (Common Name).
• Search Value: The value to search for.
The Health Monitoring module can also perform LDAP health checks over the SSL transport layer. When using LDAP over SSL, the device uses the same SSL private key as the HTTPS health check, taken from the Health Monitoring global parameters. When using LDAPS checks, it is recommended to use values higher than 15 seconds for the time interval and 10 seconds for the timeout.

NNTP: The module executes a LIST command and verifies that the returned status is valid.
Physical Port: The module checks the status of the physical interface. When the link is up, the check passes. Arguments: Physical port number.

Ping: The module sends an ICMP echo request to the destination address and waits for an echo reply. The module checks that the reply was received from the same destination address that the request was sent to, and that the sequence number is correct. Arguments: Should Ping Fail; Ping Data Size.
• Should Ping Fail: whether the check fails when a reply is received or when it is not. The default is that the check fails when the server does not reply.
• Ping Data Size: the size of the ICMP echo request (1 byte to 1024 bytes). When not configured, the default is 64 bytes.

POP3: The module executes USER and PASS commands on the POP3 server and checks that the returned code is OK. Arguments: Username; Password.

RADIUS: The module sends an Access-Request containing a user name, password and shared secret, and verifies that the request was accepted by the server, which is expected to answer with an Access-Accept. Arguments: Username; Password; Secret. Note: Ensure the RADIUS server is configured to accept RADIUS requests from the device.

RTSP: The module executes a DESCRIBE command and expects a return status of 200. Arguments: Path on the server (as for HTTP); Hostname.

SIP UDP / SIP TCP: The Health Monitoring module can perform Health Monitoring checks on SIP servers. The SIP health check uses the OPTIONS method, which is used to query SIP proxies and end-points about their capabilities. The capabilities themselves are not relevant to the health check; what is relevant is the "200 OK" response from the server. Arguments:
• Request URL: The request's destination.
• From: The "logical name" of the device.
• Max Forwards: The default is 1.
• Transport Protocol: The check can be performed on top of UDP (default) or TCP.
• Destination Port: Default is 5060.
• Acceptable Response Codes: 200 is the default. When an unacceptable response code is received, the check fails.
• Content Match: content that must be found in the response for it to be considered successful.
• Reverse Match Result: content that must not be found in the response for it to be considered successful.

SMTP: The module executes a HELO command to the SMTP server and checks that the returned code is 250. Arguments: Server name for the command. Default: Radware.

SNMP: The module sends an SNMP GET request and validates the value in the reply. When the returned value is lower than the Min. Value or higher than the Max. Value, the check fails. When the returned value is higher than the No New Sessions Value, the bound element is set to No New Sessions. The results of the SNMP check can be used for a load balancing decision, similar to the Private Parameters Load Balancing Algorithms. The SNMP check supports the Integer, Counter and Gauge types. While Integer can be a negative value, Counter and Gauge must be > 0. Arguments: SNMP Object ID to be checked; Community; Min. Value; Max. Value; No New Sessions Value; Use Results For Load Balancing. The community string travels in cleartext in every request, so use a read-only community dedicated to monitoring. Note: For the device to consider the outcome of the check in load balancing decisions, the farm's Dispatch Method should be set to Response Time.

SSL Hello: The module sends an SSL Hello packet to the server (using SSL3) and waits for an SSL Hello reply. The session is then closed (using a TCP reset). Note: Since generating SSL keys on the server is a time-consuming process, it is recommended to use a timeout of 3 to 5 seconds. Arguments: SSL Version, which can be either V23 or V30. SSL V30 means that pure SSLv3 is used; SSLV23 means that the client sends an SSLv2-format hello to open an SSLv3 session (this is how Internet Explorer works, for example).
SSL: The module performs an SSL handshake with the server and, after the session starts, performs a GET request to the checked element. Arguments: similar to the HTTP check (Hostname, Path, HTTP Method, Authorized Username and Password, Match Search String, Match Mode, HTTP Return Codes). In addition, the user can set:
• SSL Certificate File: used by the device when the Web server requires a Client Certificate during the SSL handshake. By default, a Client Certificate generated by the device is used.
• SSL Private Key File: used by the device when the Web server requires a key during the SSL handshake. By default, a Private Key generated by the device is used.

TCP Port: The module checks the availability of the specified TCP port. Arguments: Complete TCP Handshake, which sets whether the device sends an ACK packet before the RST packet. Setting this parameter to Yes results in the following TCP flow: SYN, SYN-ACK, ACK, RST. Setting this parameter to No results in the following TCP flow: SYN, SYN-ACK, RST.

TCP User Defined: The module uses a User Defined TCP Health Check. Arguments: Packet Sequence ID (which user defined check to use).

UDP Port: The module checks the availability of the specified UDP port. Note that this check does not test the server's availability, but the application's availability within the server. This is due to the nature of UDP: when the UDP application is operational, no reply is received; when the UDP application is not operational, an ICMP Port Unreachable message is sent, so the absence of a reply indicates the application's availability. This means that when the server is down, the application might still be considered as running; the same happens if a firewall between the device and the server silently drops the ICMP Port Unreachable message. Therefore, the UDP Port check should always be used in combination with another server availability check, for example Ping or ARP.

Additional Method Arguments
You can configure additional arguments specific to each Health Check Method.
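The ARG=VAL|ARG=VAL| argument string that this section goes on to describe is the form in which these settings appear in CLI and WBM configurations, so it is worth being able to validate one before it reaches the device. The following added example, which is not LinkProof code, parses such a string for a subset of the methods in Table 47 (DNS, HTTP, RADIUS, LDAPS), enforces the mandatory and conditional rules the table states, and applies the HTTP method's pass/fail rule (status 200 or one of C1-C4, then the MTCH/MEXIST content test) to a constructed response. The rule table is transcribed from Table 47 and deliberately partial; the function names are this example's own, and splitting each token on its first "=" is an assumption about how the device treats values that themselves contain "=".

```python
"""Parse and validate LinkProof-style method argument strings.

Added example, not LinkProof code.  Implements the ARG=VAL|ARG=VAL| format
(a '=' after every name, '|' as delimiter, no extra spaces) for a subset of
Table 47 and applies the HTTP method's pass/fail rule to a response.
"""
import re

# Argument rules transcribed from Table 47 (partial): name -> mandatory.
ARG_RULES = {
    "DNS":    {"HOST": True, "ADDR": False},
    "HTTP":   {"PATH": False, "HOST": False, "MTD": False, "PRX": False,
               "NOCACHE": False, "MTCH": False, "MEXIST": False,
               "USER": False, "PASS": False,
               "C1": False, "C2": False, "C3": False, "C4": False},
    "RADIUS": {"USER": True, "PASS": True, "SECRET": True},
    "LDAPS":  {"USER": False, "PASS": False, "BASEO": False,
               "ATTR": False, "SEARV": False},
}
HTTP_DEFAULTS = {"MTD": "G", "PRX": "N", "NOCACHE": "N", "MEXIST": "Y"}
_TOKEN = re.compile(r"^[A-Z0-9]+=[^|]*$")


def parse_args(method, text):
    """Split ARG=VAL|ARG=VAL| into a dict and validate it for `method`."""
    if " " in text:
        raise ValueError("no extra spaces are allowed in the argument string")
    rules = ARG_RULES[method]
    args = {}
    for token in filter(None, text.split("|")):     # a trailing '|' is fine
        if not _TOKEN.match(token):
            raise ValueError("malformed token: %r" % token)
        name, value = token.split("=", 1)          # assumption: first '=' splits
        if name not in rules:
            raise ValueError("%s: unknown argument %s" % (method, name))
        args[name] = value
    validate(method, args)
    return args


def validate(method, args):
    """Mandatory arguments plus the conditional rules Table 47 states."""
    missing = [n for n, req in ARG_RULES[method].items() if req and n not in args]
    if missing:
        raise ValueError("%s: missing mandatory %s" % (method, ",".join(missing)))
    if method == "HTTP":
        if "PATH" in args and not args["PATH"].startswith("/"):
            raise ValueError("HTTP: PATH must begin with a /")
        if args.get("MTD", "G") not in ("G", "P", "H"):
            raise ValueError("HTTP: MTD must be G, P or H")
    if method == "LDAPS":
        if "USER" in args and "PASS" not in args:
            raise ValueError("LDAPS: PASS is mandatory when USER is set")
        if ("BASEO" in args) != ("ATTR" in args):
            raise ValueError("LDAPS: BASEO and ATTR must be set together")


def is_valid(method, text):
    """True when `text` parses and validates for `method`."""
    try:
        parse_args(method, text)
    except ValueError:
        return False
    return True


def http_check_passes(args, status, body):
    """HTTP rule: status must be 200 or one of C1-C4; with MTCH set,
    MEXIST=Y fails if the pattern is absent and MEXIST=N fails if it is
    present.  Plain substring match, since wildcards are not supported."""
    cfg = dict(HTTP_DEFAULTS, **args)
    ok_codes = {200} | {int(cfg[c]) for c in ("C1", "C2", "C3", "C4") if c in cfg}
    if status not in ok_codes:
        return False
    if "MTCH" in cfg:
        found = cfg["MTCH"] in body
        return found if cfg["MEXIST"] == "Y" else not found
    return True


if __name__ == "__main__":
    # constructed argument string and response, not captured from a device
    a = parse_args("HTTP", "PATH=/health|MTD=G|C1=301|MTCH=OK|")
    print(a, http_check_passes(a, 301, "status: OK"))
```

Note that PASS and SECRET values sit in this string in cleartext in the device configuration, so treat configuration backups and command logs that contain it as secrets.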
When using APSolute Insite, the Health Check configuration window automatically shows the argument fields relevant to the configured Method.

When using Web Based Management, CLI, Telnet or SSH, you configure the additional arguments as a single string in this format:

ARG=VAL|ARG=VAL|

Each argument name is followed by an equals sign and then the required value. A "|" sign is used as the delimiter between arguments. No extra spaces are allowed.

Table 47 on page 368 lists the additional configurable method arguments for each Check Method, and details mandatory arguments, default values, and more.

Table 47: Health Check Method Arguments
(Columns: Method (and ID); Argument Name; Argument Description; Mandatory; Additional Info; Default)

ARP (11): no arguments.

DNS (10):
  HOST  Hostname to query.  Mandatory: Yes.
  ADDR  Address to be received.  Mandatory: No.  Default: validate only the DNS return code.

FTP (6):
  USER  Username.  Mandatory: Yes.
  PASS  Password.  Mandatory: Yes.

HTTP (2):
  PATH     Path of file on Web server to be requested.  Mandatory: No.  Any configured value must begin with a /.
  HOST     Hostname.  Mandatory: No.  Default: server IP address.
  MTD      HTTP method to submit.  Mandatory: No.  G=GET, P=POST, H=HEAD.  Default: G.
  PRX      Use proxy HTTP.  Mandatory: No.  Y=use proxy HTTP, N=use Web server HTTP.  Default: N.
  NOCACHE  Use pragma: no-cache.  Mandatory: No.  Y=use pragma: no-cache, N=do not use pragma: no-cache.  Default: N.
  MTCH     Pattern for content match.  Mandatory: No.  Wildcards not supported.
  MEXIST   Content match pattern should be present or absent.  Mandatory: No.  Y=fail check if pattern not found, N=fail check if pattern is found.  Default: Y.
  USER     Username for basic authentication.  Mandatory: No.
  PASS     Password for basic authentication.  Mandatory: No.
  C1       Valid HTTP code 1.  Mandatory: No.
  C2       Valid HTTP code 2.  Mandatory: No.
  C3       Valid HTTP code 3.  Mandatory: No.
  C4       Valid HTTP code 4.  Mandatory: No.

IMAP (7):
  USER  Username.  Mandatory: Yes.
  PASS  Password.  Mandatory: Yes.

PING (0):
  FAIL   Check fails when reply is received or not received.  Mandatory: No.  Y=fail when server replies, N=fail when server does not reply.  Default: N.
  DSIZE  Packet size.  Mandatory: No.  1 - 1024 bytes.  Default: 64.

POP (3):
  USER  Username.  Mandatory: Yes.
  PASS  Password.  Mandatory: Yes.

RADIUS (12):
  USER    Username.  Mandatory: Yes.
  PASS    Password.  Mandatory: Yes.
  SECRET  RADIUS secret.  Mandatory: Yes.

RTSP (13):
  PATH  Path of file on RTSP server to be requested.  Mandatory: Yes.
  HOST  Hostname to use in request.  Mandatory: No.  Default: IP address of server.

SNMP:
  OID   Object ID to be used by the check.  Mandatory: Yes.
  COMM  The community used by the device.  Mandatory: Yes.
  MIN   The minimum value for the check to pass. If the returned value is lower than the configured minimum, the check fails.  Mandatory: Yes.
  MAX   The maximum value for the check to pass. If the returned value is higher than the configured maximum, the check fails.  Mandatory: Yes.
  NNS   The No New Sessions threshold, between MIN and MAX. If the returned value falls between NNS and MAX, the checked element is set to No New Sessions.  Mandatory: Yes.
  UR    Use the result for load balancing: the returned value is taken as the measured response time for the check.  Mandatory: Yes.

SSL Hello:
  SSLV  SSL version, either V23 or V30.  Mandatory: Yes.  SSL V30 means pure SSLv3 is used; SSLV23 means that the client sends an SSLv2-format hello to open an SSLv3 session (this is how Internet Explorer works, for example).
SMTP (4):
  HELO  Argument for the SMTP HELO command.  Mandatory: No.  Default: RADWARE.

SSL (14):
  SSLV  SSL version.  Mandatory: No.  V23 or V30.  Default: V23.

TCP Port (1): no arguments.

TCP User Defined (8):
  SEQID  Packet sequence to submit.  Mandatory: Yes.

UDP Port: no arguments.

SIP UDP:
  UR      The URI for the check.  Mandatory: Yes.
  FROM    The sender's information.  Mandatory: Yes.
  FRWD    The maximum number of hops between Proxy Servers.  Mandatory: No.
  MTCH    Pattern for content match.  Mandatory: No.  Wildcards not supported.
  MEXIST  Content match pattern should be present or absent.  Mandatory: No.  Y=fail check if pattern not found, N=fail check if pattern is found.
  C1      Valid SIP code 1.  Mandatory: No.
  C2      Valid SIP code 2.  Mandatory: No.
  C3      Valid SIP code 3.  Mandatory: No.
  C4      Valid SIP code 4.  Mandatory: No.

LDAPS:
  USER   A user with privileges to search the LDAP server.  Mandatory: No.  If you configure a user, then the password is mandatory.
  PASS   The password of the user.  Mandatory: No.  If you configure a user, then the password is mandatory.
  BASEO  The location in the directory from which the search begins.  Mandatory: No.  If you configure BASEO, then ATTR is mandatory.
  ATTR   The attribute to search for, e.g. CN (Common Name).  Mandatory: No.  If you configure ATTR, then BASEO is mandatory.
  SEARV  The value to search for.  Mandatory: No.

User Defined Methods
If you require a specific Health Check Method that is not provided by the module, you can configure the health check protocol manually. This is done by defining, for each packet sequence, a stream of send and receive packets, each with a string to send or to expect. The module then sends the packets and verifies that the received packets contain the matching predefined string. Packet sequences are defined in the Packet Sequence Table; the user-defined check can then be used in the Health Checks configuration. Note: User Defined Checks are available for TCP checks only.

To configure a user defined method for health check:
1.
From the Health Checks window, click User Defined Methods. The User Defined Methods window appears.
2. From the User Defined Methods window, click Add. The Edit User Defined Methods window appears.
3. From the Edit User Defined Methods window, set the following parameters according to the explanations provided:

Sequence ID: The ID number of the entire packet sequence. Each sequence defines a new user defined check. All packets with the same Sequence ID belong to the same check.
Packet ID: The ID number identifying the packet within this packet sequence. Several information-carrying packets can be defined for a user defined check with the same Sequence ID; this identifier is unique within a packet sequence. Note: The first Packet ID of each sequence must always be 0. Packet ID numbers of a sequence must be consecutive.
Sequence Type: Defines whether this packet is a Send or Receive packet. Values: Send; Receive. Default: Send.
Compare Method: Values: Regular Expression; Binary. Default value: Regular Expression.
Sequence String: The content of the packet for the verification process. This string is either sent within the packet or matched when the packet is received. For Receive type packets, the string can include a regular expression. Note: The Health Monitoring module supports POSIX 1003.2 regular expressions. The string can be up to 80 characters long.
Sequence Description: The description of the specific packet in the sequence.

Chapter 10 - Application Switching Platforms
This chapter explains Radware's Application Switching Platforms and Device Interfaces, and also provides a list of specifications, which includes Serial Cable Pin Assignment and a troubleshooting section.

This chapter includes the following sections:
• Introduction to Intelligent Application Switches, page 375
• Getting Started, page 377
• Device Interfaces, page 387
• CLI Installation Wizard, page 392
• Specifications, page 397
• Serial Cable Pin Assignment, page 400
• Trouble Shooting for AS1 & AS2, page 400

Introduction to Intelligent Application Switches
Each Radware device is built on top of Radware's Intelligent Application Switching Architecture, combining high speed hardware processing power with SynApps Application Aware Services for total IP application performance across layers 4-7.

Radware's Application Switching Platforms consist of the following Application Switches:
• Application Switch 1, page 375
• Application Switch 2, page 376
• Application Switch 3, page 376
• Application Switch 4, page 377
• Compact Application Switch, page 377

Application Switch 1
Figure 53 - Application Switch 1
Application Switch 1 combines ASIC-based switching, CPU processing power and SynApps 'Application Aware' Services to deliver performance and service to address all IP application requirements across network layers 4-7. Designed to guarantee application availability, security and performance, Application Switch 1 is the first platform to bridge the gap between your IT infrastructure and IP Applications for comprehensive control of all critical operations across the enterprise.

Wire Speed Forwarding and Central Processing Power
With switching ASICs at the port level, Application Switch 1 ensures wire speed forwarding across the 2 Gigabit and/or 8 Fast Ethernet ports available in the 1U device. Layer 3-7 operations are powered by the Motorola PowerPC 755 central processing unit, which powers the SynApps application services for optimized resource utilization and maximum application performance.
Application Switch 2
Figure 54 - Application Switch 2
Application Switch 2 enables wire speed forwarding across 5 GBIC ports and 16 Fast Ethernet ports, or 7 GBIC ports, with non-blocking traffic throughput across a 19.2 Gbps backplane and strong central processing based on a Motorola PowerPC 7410 CPU. Fusing accelerated processing speeds with the ability to optimize routing decisions based on specific applications, web requests and content, Application Switch 2 provides reliability, performance and security across all IP applications, for complete control over enterprise operations. Application Switch 2 is powered by a multi-layered switching architecture combined with comprehensive SynApps 'Application Aware' services, to address the widest set of protocols and service requirements across network layers 4-7, boosting IP application performance to Gigabit speeds.

Application Switch 3
Figure 55 - Application Switch 3
Application Switch 3 provides a three-tiered architecture that couples enhanced performance and power with 10Gb connectivity, providing businesses with a comprehensive solution for ensuring the integrity of applications carried over high-bandwidth networks. Application Switch 3 delivers SynApps security, availability and reliability of services at multi-gigabit speeds for any IP or Web Service application running on the network.

Multi-Gigabit Switching Architecture
Driving Intelligent Application Switching performance to up to 3-Gigabit speeds, AS3 affords control over mission critical applications and high transaction volumes across the most demanding networking environments. Application Switch 3 features 44Gb connectivity and multi-Gigabit network processors.

Application Switch 4
Application Switch 4 is the next generation of Radware's hardware platform. The new platform is a 2U device.
This platform uses a stronger CPU, the Motorola PPC 7457, and also supports 802.1Q VLAN Tagging. The platform has 12 10/100/1000 RJ-45 copper interfaces and 8 Gigabit GBIC ports for copper and fiber infrastructure.

Compact Application Switch
Figure 56 - Compact Application Switch
The Compact Application Switch is Radware's desktop platform, featuring an integrated eight-port Fast Ethernet switch. This platform is designed to meet the requirements of remote offices and branch offices.

Getting Started
This section is designed to familiarize the user with the devices, provides instructions on the installation procedure, and explains how to configure the device IP Host Parameters. This section includes the following topics:
• Application Switches Physical Description, page 378
• Compact Application Switch, page 384
• Device Installation, page 385
• Device Interfaces, page 387

Application Switches Physical Description
This section includes a diagram of each device together with a description of the device's features.

Application Switch 1
Figure 57 - Application Switch 1 - Front Panel View

Table 48: AS 1 Front Panel Description
Reset: Allows you to reset the device.
Mode: Allows you to change the display mode of the Port LEDs.
Upper LED: Indicates that the device is powered.
Lower LED: Indicates that the application is currently running. This LED is off when the application is still loading or has failed.
Mode display: Indicates the display mode of the Port LEDs as follows (from the top line, left to right):
  LNK - Link Status
  FE - Ethernet Mode (for Fast Ethernet ports only)
  COL - Collisions
  ERR - Errors
  ACT - Activity
  FD - Duplex Mode
  TX - Transmission Activity
  RX - Receiving Activity
RS-232C Console Port.
Gigabit Ethernet Port and LED.
The LED indicates the following information according to the display mode:
  LNK: On - physical connection detected. Off - no physical connection detected.
  ACT: Flashing indicates that data is being transferred via the port.
  FD: On - Full Duplex mode. Off - Half Duplex mode.
  COL: On - collisions are occurring.
  ERR: On - errors are occurring.
  TX: Flashing indicates that the port is transmitting data.
  RX: Flashing indicates that the port is receiving data.
Status LEDs for the 8 Fast Ethernet ports.

Table 49: AS 1 Back Panel Description
Power Socket: The socket to which the power cable is connected.
Power Switch: On / Off power.
Act Boot: DipSwitch 1 (first from left) determines the active boot on the device. Switch "Down": Boot 1 is active. Switch "Up": Boot 2 is active.

Application Switch 2
Figure 58 - Application Switch 2 - Front Panel

Table 50: AS 2 Front Panel Description
Status LEDs:
  PWR: The device is powered.
  SYS: The application is currently running. This LED is off when the application is still loading or has failed.
  FAN: Green when all fans are operational. Red indicates that the fans are not operational.
RST: Reset button.
Gigabit Ethernet Port and LED. The LED indicates the following:
  Upper LED: On - physical connection detected. Off - no physical connection detected.
  Middle LED: Lit green - port is receiving data. Lit red - receive loss or no physical connection.
  Lower LED: Lit green - port is transmitting data. Lit red - transmission faults.
Mode: Allows you to change the display mode of the Fast Ethernet Port LEDs.
Mode LEDs: Indicate the display mode of the Fast Ethernet ports:
  LNK - Link Status
  ACT - Activity
  FE - Ethernet Mode
  FD - Duplex Mode
Fast Ethernet Ports F1-F16: Status LEDs for the Fast Ethernet ports. Each port LED indicates the following information according to the display mode:
  LNK: On - physical connection detected. Off - no physical connection detected.
  ACT: Flashing indicates that data is being transferred via the port.
  FE: On - 100BaseT mode. Off - 10BaseT mode.
  FD: On - Full Duplex mode. Off - Half Duplex mode.

Table 51: AS 2 Back Panel Description
Power Socket: The socket to which the power cable is connected.
Power Switch: On / Off power.
Act Boot: DipSwitch 1 (first from left) determines the active boot on the device. Switch "Down": Boot 1 is active. Switch "Up": Boot 2 is active.
RS-232C: RS-232C Console Port for out-of-band management.
Compact Flash: Insertion point for the Compact Flash card.
Ethernet Port: Ethernet Port (for debugging purposes only - Radware R&D only; leave it disconnected in production).

Application Switch 3
Figure 59 - Application Switch 3 - Front Panel View

Table 52: AS 3 Front Panel Description
Status LEDs:
  PWR: The device is powered.
  SYS: The application is currently running. This LED is off when the application is still loading or has failed.
  FAN: When lit, indicates that the fans are not operational.
RST: Reset button.
10 Gigabit Ethernet Port and LEDs. The LEDs indicate the following:
  Upper LED: On - physical connection detected. Off - no physical connection detected.
  Middle LED: Lit green - port is receiving data. Lit red - receive loss or no physical connection.
  Lower LED: Lit green - port is transmitting data. Lit red - transmission faults.
Gigabit Ethernet Ports (G1-G8) and LEDs.
The LED indicates the following information: Upper LED: • On - Physical connection detected • Off - No physical connection detected Middle LED: • Lit Green - Port is receiving data • Lit Red - Receive loss or no physical connection • Lower LED: • Lit Green - Port is transmitting data • Lit Red - Transmission faults Fast Ethernet Ports (F1-F16) and LEDs Left LED: Lit green - Indicates 100BaseT mode. Flashing green - Indicates that data is being transferred via the port in 100BaseT mode Lit Yellow - Indicates 10BaseT mode Flashing yellow - Indicates that data is being transferred via the port in 10BaseT mode Off indicates no link 382 Doc. No.: 8261 LinkProof User Guide Table 53: AS 3 Back Panel Description Feature Description Power Socket The socket to which the power cable is connected Power Switch On / Off power DipSwitch 1 (First left) this switch forces the device to use the internal flash application version after a reboot has occurred. Act Boot Switch “Down” device reboots from compact flash (default). Switch “Up” device reboots from internal flash. RS-232C RS-232C Console Port for out-of-band management. Compact Flash Insertion point for Compact Flash Card. Ethernet Port Ethernet Port (for debugging purposes only - Radware R&D only). Application Switch 4 Table 54: AS 4 Front Panel Description Feature Description These LEDs indicate the status of the following: PWR: The device is powered. SYS: The application is currently running. This LED is off when the application is still loading or has failed. FAN: When lit, indicates that the fans are not operational. RST: Reset button. Gigabit Ethernet Ports (G9-G20) and LEDs. The LED indicates the following information: Upper LED: • On: Physical connection detected. • Off: No physical connection detected. Middle LED: • Lit Green: Port is receiving data. • Lit Red: Receive loss or no physical connection. Lower LED: • Lit Green: Port is transmitting data. • Doc. No.: 8261 Lit Red: Transmission faults. 
Table 54: AS 4 Front Panel Description (continued)

  Feature                    Description
  10/100/1000 copper         Left LED: Lit green - 1000BaseT mode. Flashing green - data is being
  Ethernet ports (G1-G12)    transferred via the port.
  and LEDs                   Right LED: Lit green - the link is active and the port is synchronized to
                             1000 Mbps. Lit yellow - the port is synchronized to 100 Mbps. Off - the
                             port is synchronized to 10 Mbps.

Table 55: AS 4 Back Panel Description

  Feature        Description
  Power Socket   The socket to which the power cable is connected.
  Power Switch   On / Off power.
  Act Boot       DIP switch 1 (first from the left) forces the device to use the internal flash
                 application version after a reboot.
                 Switch "Down": device reboots from compact flash (default).
                 Switch "Up": device reboots from internal flash.
  RS-232C        RS-232C console port for out-of-band management.
  Compact Flash  Insertion point for the Compact Flash card.

Compact Application Switch

Figure 60 - Compact Application Switch - Back Panel

Table 56: Compact Application Switch - Back Panel Description

  Feature        Description
  Power          Power supply connection point.
  RS-232C        Console port.
  LNK/ACT LED    Off - no physical connection detected. On - physical connection detected.
                 Flashing - data is being transferred via the port.
  10/100 LED     Off - port working in 10BaseT mode. On - port working in 100BaseT mode.

Device Installation

This section explains the installation process: checking the contents, mounting the device and connecting the device to your network.

Checking the Contents

Before beginning the hardware installation, open the box and check that the following components are included:
• Radware device.
• APSolute Insite software CD-ROM.
• One power cable (only for countries using a 110V power supply).
• One serial cable.
• Two crossover cables (Application Switch 1 and Application Switch 2 platforms only).
• A set of mounting brackets.

Notes:
i  If any of the above items are missing, please consult your Radware agent.
ii Power cables with the PSE mark must not be used with any other products.

Mounting the Device

Radware's devices can be either rack-mounted or mounted on a tabletop. The package includes brackets for rack-mounting the device. Rubber feet are attached to the bottom of the device for tabletop mounting.

Note: After mounting the device, ensure that there is sufficient airflow around the device.

To rack mount the device:
1. Attach one bracket to each side of the device, using the screws provided.
2. Attach the device to the rack with the mounting screws.

Note: For the Compact Application Switch a separate rack-mountable tray must be ordered from Radware.

Connecting the Device to Your Network

After you have mounted the device, connect the cables. The following connections must be completed in the following order:
1. AC power connection
2. ASCII terminal (serial) connection
3. LAN connections

To connect the AC power:
1. Connect the power cable to the mains socket, located on the rear panel of the device.
2. Connect the power cable to a grounded AC outlet.

To make the ASCII terminal connection:
1. Connect the serial cable to the device's RS-232C console port.
2. Connect the other end of the serial cable to your computer.
3. Open HyperTerminal.
4. In the HyperTerminal opening window, select File > Properties, or click the Properties icon on the toolbar. The New Connection Properties dialog box is displayed.
5. Click Configure. The Properties dialog box containing the Port Settings tab is displayed.
6. Verify that the parameters are set as follows:
   Bits per second: 19200
   Data bits: 8
   Parity: None
   Stop bits: 1
   Flow control: None
7. Turn on the power to the unit.
When the device is connected and operating properly, the PWR and SYS (System OK) indicators on the front panel are lit continuously.

LAN Connections

The cables used for LAN connections differ as follows:
• Fast Ethernet port: standard UTP or STP Ethernet cable, RJ45 connector.
• Gigabit Ethernet port: 1000BaseSX fiber optic cable, SC connector.
• 10 Gigabit Ethernet port: 10GBaseLR fiber optic cable.

Note: AS1 version 2 and AS2 can use both crossover and straight cables when auto-negotiation is enabled.

To connect a device port to a LAN:
1. Connect the cable to the port interface, located on the front panel.
2. Connect the other end of the cable to the LAN switch.

Device Interfaces

This section explains device interfaces and how to configure them.

Radware Application Switch platforms may have as few as 8 network interfaces and as many as 24. It is helpful to understand the interface-indexing conventions before you perform configuration tasks such as displaying interface status and setting physical parameters (speed, duplex mode or auto-negotiation) via the command line interface. In Web Based Management and APSolute Insite the interface description makes the index convention easier to follow.

Note: On the back of the device there is an Ethernet port. This port is for R&D debugging purposes only. It has no other use.

Interface Numbering Conventions

By convention, the numbering of the Ethernet interfaces on each platform starts with the copper ports. Within each port type, numbering runs from top to bottom.

Table 57: Physical Interface Numbering

  Port type                              AS1    AS2    AS3    AS4    AS5
  Fast Ethernet ports                    1-8    1-16   1-16   N/A    N/A
  Gigabit Ethernet RJ45 ports            N/A    N/A    N/A    1-12   1-8
  Gigabit Ethernet ports (GBIC and SFP)  9-10   17-21  17-23  13-20  9-17
  10G ports                              N/A    N/A    24     N/A    18-19

Logical Interface Numbering

There are two types of logical interfaces: trunks (for link aggregation) and VLANs. Trunks are the last 7 interface indexes of each device, immediately after the physical ports:

Table 58: Logical Interface Numbering

  Interface  AS1    AS2    AS3    AS4    AS5
  Trunk      11-17  22-28  25-31  21-27  20-26

VLAN Interface Numbering

Radware devices support up to 64 VLANs. Two VLANs are pre-defined: 100000 and 100001. VLANs are numbered from 100000 to 100063.

Displaying Interface Status and Properties

The status and settings of the interfaces can be viewed from all management tools.

To display the interfaces (operational status):
• From the CLI use the command: net l2-interface
• From Web Based Management click the Device menu and choose the L2 Interface option.
• From APSolute Insite right-click the device and select the Zoom In option. A graphic representation of the device front panel is displayed. The operational status of the interfaces is shown graphically (green for up, red for down). To view more information about an interface, right-click the interface and choose Interface Parameters.

To display the current settings of the interfaces:
• From the CLI use the command: net physical-interface
• From Web Based Management click the Device menu and choose the Physical Interface option.
• From APSolute Insite right-click the device and select the Zoom In option. A graphic representation of the device front panel is displayed. To view the settings of an interface, right-click the interface and choose Physical Settings.

Setting Interface Properties

Properties that are configurable on the interfaces include:
• Auto-negotiation mode.
• Port speed (available only when auto-negotiation is off).
• Duplex mode (available only when auto-negotiation is off).
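The index tables and the property rules above are easy to get wrong from a console, and the CLI accepts `net physical-interface set <port index> -a/-s/-d <value>` (auto-negotiation 1=On/2=Off, speed 1=10/2=100/3=1000 Mbps, duplex 1=Half/2=Full) without telling you that speed is not settable on Gigabit ports or that speed and duplex only apply with auto-negotiation off. The following is an added example, not Radware's code and not part of this guide: it encodes the index ranges from Tables 57 and 58 and the VLAN numbering, classifies an index, and builds the CLI line only when the guide's rules allow it. The platform table is copied from the tables above; all function and variable names are this example's own.

```python
"""Added example, not Radware's code: a checker for LinkProof interface indexes and
for the `net physical-interface set <port index> -<switch> <value>` command.
Index ranges come from Tables 57 and 58 and the VLAN numbering in the guide; the
switch semantics come from Setting Interface Properties. Names are this example's own."""

# Inclusive index ranges per platform (None: the platform has no such ports).
PLATFORMS = {
    "AS1": {"fe": (1, 8),  "gig_rj45": None,    "gig_sfp": (9, 10),  "tengig": None,     "trunk": (11, 17)},
    "AS2": {"fe": (1, 16), "gig_rj45": None,    "gig_sfp": (17, 21), "tengig": None,     "trunk": (22, 28)},
    "AS3": {"fe": (1, 16), "gig_rj45": None,    "gig_sfp": (17, 23), "tengig": (24, 24), "trunk": (25, 31)},
    "AS4": {"fe": None,    "gig_rj45": (1, 12), "gig_sfp": (13, 20), "tengig": None,     "trunk": (21, 27)},
    "AS5": {"fe": None,    "gig_rj45": (1, 8),  "gig_sfp": (9, 17),  "tengig": (18, 19), "trunk": (20, 26)},
}
VLAN_FIRST, VLAN_COUNT = 100000, 64                   # VLAN interfaces 100000-100063

AUTONEG = {1: "on", 2: "off"}                         # -a
SPEED = {1: "10Mbps", 2: "100Mbps", 3: "1000Mbps"}    # -s
DUPLEX = {1: "half", 2: "full"}                       # -d


def classify(platform, index):
    """Name the interface type for an index, or raise ValueError if it does not exist."""
    if VLAN_FIRST <= index < VLAN_FIRST + VLAN_COUNT:
        return "vlan"
    for kind, rng in PLATFORMS[platform].items():
        if rng is not None and rng[0] <= index <= rng[1]:
            return kind
    raise ValueError(f"{platform}: no interface with index {index}")


def build_set_command(platform, index, autoneg, speed=None, duplex=None):
    """Return the CLI line, or raise ValueError for a combination the guide does not allow.

    `autoneg` is the auto-negotiation mode in effect after the command (1=on, 2=off);
    speed and duplex may only be given when it is 2 (assumption: the caller passes the
    mode the port will be in, whether it is being changed or merely kept).
    """
    kind = classify(platform, index)
    if kind in ("trunk", "vlan"):
        raise ValueError(f"index {index} is a logical {kind} interface, not a physical port")
    if autoneg not in AUTONEG:
        raise ValueError("-a must be 1 (on) or 2 (off)")
    args = [f"-a {autoneg}"]
    if speed is not None:
        if autoneg != 2:
            raise ValueError("-s is only available with auto-negotiation off (-a 2)")
        if kind != "fe":
            raise ValueError("-s cannot be changed on Gigabit Ethernet ports")
        if speed not in SPEED:
            raise ValueError("-s must be 1 (10Mbps), 2 (100Mbps) or 3 (1000Mbps)")
        args.append(f"-s {speed}")
    if duplex is not None:
        if autoneg != 2:
            raise ValueError("-d is only available with auto-negotiation off (-a 2)")
        if duplex not in DUPLEX:
            raise ValueError("-d must be 1 (half) or 2 (full)")
        args.append(f"-d {duplex}")
    return f"net physical-interface set {index} " + " ".join(args)


def is_valid_setting(platform, index, autoneg, speed=None, duplex=None):
    """True if build_set_command accepts the combination, False otherwise."""
    try:
        build_set_command(platform, index, autoneg, speed, duplex)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Force Fast Ethernet port 3 of an AS2 to 100Mbps full duplex with auto-negotiation off.
    print(build_set_command("AS2", 3, autoneg=2, speed=2, duplex=2))
    print(classify("AS3", 24), classify("AS4", 21), classify("AS1", 100001))
```

The check is the one a practitioner wants before pasting a batch of port changes into the console: a trunk or VLAN index, or a speed on an SFP port, is rejected locally instead of producing a half-applied configuration on the device.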
To set interface properties:
• From the Command Line Interface use the command:
    net physical-interface set <port index> <-switch value>
  where the switches are:
  -a  auto-negotiation (1 = On, 2 = Off)
  -s  speed (1 = 10Mbps, 2 = 100Mbps, 3 = 1000Mbps); this parameter cannot be changed for Gigabit Ethernet ports
  -d  duplex mode (1 = Half, 2 = Full)
• From Web Based Management click the Device menu and select the Physical Interface option. Click the interface whose properties you wish to change, make the changes and click Set.
• From APSolute Insite right-click the device and select the Zoom In option. A graphic representation of the device front panel is displayed. To change the settings of an interface, right-click the interface and choose Physical Settings. Change the parameters and click OK.

Boot Version Update

As Radware's product line develops, it may become necessary to upgrade a device's boot code to support new firmware. Check the Boot PROM matrix at http://www.radware.com/content/support/software/bootprom/default.asp for boot code compatibility with older firmware versions and configurations.

Radware Application Switch units are supplied with two boot PROMs, only one of which is used for the active boot process. The second PROM can be flash-upgraded to a newer version, through the CLI only. Once the process is complete, you can configure the device to boot from the secondary PROM (the one with the new boot code) using a DIP switch. The information below provides the steps for upgrading and switching a device's boot code.

On Application Switch 1, whenever a new boot version is required you must update it manually before downloading the new software version. On Application Switch 2 and Application Switch 3 a new boot version is installed automatically during the software download process, if the new software version includes a new boot version.
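The manual procedure that follows, the boot-level 'u' and 'w' commands and the local recovery procedure (Option B) all move a boot image or software image into the device over the console with XMODEM. The following is an added example, not Radware's code and not part of this guide, with both ends of that exchange implemented so it can be run offline: classic checksum-mode XMODEM framing (SOH, block number, its complement, 128 data bytes padded with 0x1A, an 8-bit checksum), the receiver's NAK-to-start and NAK-on-corruption behaviour, and the caveat a practitioner wants before burning a boot PROM: the per-block checksum is only 8 bits and authenticates nothing, so the received image should be compared against a size and SHA-256 digest obtained out of band (assumed here to come with the file from Radware Technical Support). The boot image bytes, the flaky link and every name below are constructed for the example.

```python
"""Added example, not Radware's code: the XMODEM transfer that the boot-level 'u'
(burn inactive boot) and 'w' (download image/config.ini) commands expect, with
both ends implemented so the exchange can be run offline. Framing is classic
checksum-mode XMODEM (SOH, block number, its complement, 128 data bytes padded
with 0x1A, 8-bit checksum). The image, the flaky link, the SHA-256 check and
every name below are this example's own."""

import hashlib

SOH, EOT, ACK, NAK, PAD = 0x01, 0x04, 0x06, 0x15, 0x1A
BLOCK = 128


def make_packet(block_no, chunk):
    """Frame one block; a short final chunk is padded with 0x1A."""
    data = chunk.ljust(BLOCK, bytes([PAD]))
    return bytes([SOH, block_no & 0xFF, 0xFF - (block_no & 0xFF)]) + data + bytes([sum(data) & 0xFF])


class Sender:
    """PC side. Call respond() with each byte the device sends; it returns the next frame."""

    def __init__(self, image, max_retries=10):
        self.blocks = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]
        self.index, self.retries, self.max_retries = 0, 0, max_retries
        self.started = self.eot_sent = self.done = False

    def respond(self, byte):
        if self.done:
            return b""
        if byte == NAK and not self.started:        # the receiver opens the transfer with NAK
            self.started = True
        elif byte == NAK:                           # corrupted frame: retransmit the same block
            self.retries += 1
            if self.retries > self.max_retries:
                raise RuntimeError("transfer aborted: too many NAKs")
        elif byte == ACK:
            if self.eot_sent:
                self.done = True
                return b""
            self.index, self.retries = self.index + 1, 0
        else:
            raise RuntimeError(f"unexpected byte from receiver: {byte:#04x}")
        if self.index < len(self.blocks):
            return make_packet(self.index + 1, self.blocks[self.index])
        self.eot_sent = True
        return bytes([EOT])


def receive(sender, link=None):
    """Device side. Drives the sender, validates each frame and returns (data, log).
    `link` optionally mangles frames in flight, to exercise the NAK path."""
    data, log, expected, reply = bytearray(), [], 1, NAK
    while True:
        frame = sender.respond(reply)
        if link is not None:
            frame = link(frame)
        if frame == bytes([EOT]):
            sender.respond(ACK)
            log.append("EOT -> ACK")
            return bytes(data), log
        ok = (len(frame) == BLOCK + 4 and frame[0] == SOH
              and frame[1] == expected & 0xFF and frame[2] == 0xFF - (expected & 0xFF)
              and sum(frame[3:-1]) & 0xFF == frame[-1])
        if ok:
            data += frame[3:-1]
            log.append(f"block {expected} ok -> ACK")
            expected, reply = expected + 1, ACK
        else:
            log.append(f"block {expected} bad -> NAK")
            reply = NAK


class FlakyLink:
    """Flip one data byte in the first copy of `bad_block`, so the receiver NAKs it once."""

    def __init__(self, bad_block):
        self.bad_block, self.hit = bad_block, False

    def __call__(self, frame):
        if not self.hit and len(frame) > 3 and frame[1] == self.bad_block:
            self.hit = True
            mangled = bytearray(frame)
            mangled[10] ^= 0xFF
            return bytes(mangled)
        return frame


def run_transfer(image, link=None):
    return receive(Sender(image), link)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_image(received, length, sha256_hex_expected):
    """XMODEM carries no length and only an 8-bit checksum per block, so the expected
    size and digest must come from the vendor out of band (assumed here)."""
    return len(received) >= length and sha256_hex(received[:length]) == sha256_hex_expected


if __name__ == "__main__":
    # Constructed stand-in for a boot image: 516 bytes, i.e. 4 full blocks and one padded block.
    image = bytes(range(256)) * 2 + b"tail"
    received, log = run_transfer(image, FlakyLink(bad_block=2))
    print("\n".join(log))
    print("image verified:", verify_image(received, len(image), sha256_hex(image)))
```

The transcript the example prints is what a terminal program shows you only as a progress bar: one NAK and retransmit for the corrupted block, then EOT/ACK. The hash comparison is the step to keep: the device's "update done" message only says the checksummed blocks landed, not that the right image was burned.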
For Application Switch 2 you will be prompted to change the position of the DIP switch that defines which boot is used.

To upgrade the boot version manually:
1. Obtain the file with the new boot version from Radware Technical Support.
2. Reboot the device and press any key to stop the auto boot. Type "u" to download the new boot version. The following prompts appear:
     >u
     port ("com1", "com2" or Enter to choose the default ("com1")): com1
     baud rate (valid baudrate) or Enter to choose the current: 19200
     Please download program using XMODEM. For port use: "com1".
3. Send the new boot file to the device using the XMODEM protocol. The new boot version is written into the non-active boot.
4. To boot the device with the existing boot, type "@" when prompted with:
     Download completed boot flash address 0x1c000000 boot flash number 0 update done.
     >
5. To start using the non-active boot, change the position of the DIP switch (Application Switch 1 and 2 only). Turn the power off before changing the position of the DIP switch.
   Locating the active boot selection switch:
   • Devices with an external DIP switch at the rear of the device: looking at the rear panel, the boot selection switch is the first switch from the left, labeled "Act. Boot" and with the number "1".
   • Devices with an internal DIP switch: the device has to be powered off and opened to access the DIP switch. Looking at the rear of the open device, the boot selection switch is located above the right corner of the power supply. The active boot selection switch is the first from the left of the eight switches, labeled with the number "1".
   The Application Switch platform has two boot EPROMs, labeled "Boot1" and "Boot2". With the switch in the down position (the default), the device uses Boot1. Changing the switch to the up position sets the device to use Boot2.
6. After the DIP switch position is changed, turn the power on.

Note: On the Compact Application Switch, whenever a new boot version is required you must replace the boot EPROM before downloading the new software version; see the CAS Boot EPROM Replacement document (http://www.radware.com/content/document.asp?_v=about&document=3961).

Boot Level Commands

Radware Application Switches include a BSP (Board Support Package), the low-level operating system of the Application Switch. The following boot level commands are available:

Table 59: Boot Level Commands

  Command  Description
  a        Prints the installed application list: the device prints all available applications and their
           indexes. The application with index 0 is the recovery application on the internal flash.
  i        Sets the active application (the one used after the next reboot). Usage: press 'i' and Enter;
           the device prompts for the index of the required application.
  w        Downloads via XMODEM: downloads the software image and config.ini from the PC to the device
           using the XMODEM protocol. If there is a backup application on the device's internal flash it
           is recommended to download new software via Web Based Management, which is much faster than
           XMODEM.
  x        Extracts the downloaded TAR file image at the specified destination: cm:/ or fl:/
  q0       Erases the configuration file (including the networking parameters in config.ini) from the
           internal flash. This erases the configuration of the recovery application, so the device will
           not be accessible remotely unless a BOOTP server is configured to supply an IP address to the
           device.
  q1       Erases the configuration file from the compact flash. After the device reboots, the initial
           startup configuration window appears.
  q        Erases the configuration file. After the device reboots, the initial startup configuration
           window appears. Available only on Application Switch 1 and the Compact Application Switch.
  y0       Formats the internal flash. Obtain Radware Technical Support approval before executing this
           command. The device MUST be rebooted after executing 'y0'. Executing 'y0' erases the recovery
           application; if this command is used, you MUST then run
           "system file-system files copy-to-flash <index of active application>".
  y1       Formats the compact flash. Required when one of the following error messages appears on the
           console: "malformed boot sector" or "invalid partition entry encountered". The device MUST be
           rebooted after executing 'y1'.
  y        Formats the internal flash. Obtain Radware Technical Support approval before executing this
           command. Available only on Application Switch 1 and the Compact Application Switch. The device
           MUST be rebooted after executing 'y'.
  z        Performs a low-level format of the internal flash. DO NOT execute this command without explicit
           instructions from Radware Technical Support. 'z' must be followed by the y0 and y1 commands.
  u        Downloads to the secondary boot via XMODEM: burns the inactive boot of the device.
  v        Clears NVRAM, including the license and the real time clock. Useful when NVRAM corruption is
           suspected, e.g. when the device repeatedly requests a new license. Obtain Radware Technical
           Support approval before executing this command.
  @        Loads the active application.
  log      Reboots the device.

CLI Installation Wizard

The CLI Installation Wizard is for first-time installation and enables you to install and configure LinkProof easily without specific networking knowledge.

Note: This wizard is designed for OneIP (single IP) users.

To install and configure LinkProof using the CLI Installation Wizard:
1. Connect to the device's console using HyperTerminal. See Connecting the Device to Your Network.
2. At the prompt you are asked whether you want to use the CLI Installation Wizard.
   Note: If you select No, the CLI returns to the original LinkProof configuration wizard, where the device can be configured for an IP address and initial access only.
3. Press Enter. Default: Yes.
4. Enter the IP address of the device on the internal LAN and the subnet mask, and press Enter.
5. Select the port number, and press Enter. Default: 1. Port number ranges per platform: AS1: 1-16; AS2: 1-16; AS3: 1-16; AS4: 1-20; CAS: 1-8.
6. Enter the user name and password, and press Enter. Default: Radware / Radware.
7. You are prompted whether to enable SSH access and/or Web SSL access for device management. Options: y/n. Default: Yes. Press Enter.
8. Use the Ping option to enable a ping response on all router ports of the device.
9. Configure the Client Table Size with a value between 1000 and the maximum recommended value for the platform's memory. Default: the average of 1000 and the maximum allowed value, depending on the memory of the device, as described in Table 60.

Table 60: Memory Value Options

  Platform                    Memory   Recommended   Maximum
  Accelerated platforms:
    AS3                       512MB    333,000       500,000
    AS4                       512MB    350,000       524,000
    CAS                       64MB     20,000        28,000
  Non-accelerated platforms:
    AS1                       128MB    80,000        118,000
    AS2                       256MB    200,000       300,000

Notes:
i  It is not recommended to set the Client Table Size to the maximum, as it might leave the device without operational memory. If you configure higher values, perform a manual check using WBM or the CLI command 'system tune check-memory-capacity'.
ii The memory figures are the minimum default memory per platform. For a non-default memory configuration refer to SYN Table Tuning, page 309.

You are now required to perform the Routers and NAT configuration by defining the IP addresses of the routers as well as the IP addresses of the LinkProof interfaces.

Note: Steps 10-13 need to be repeated for the 2nd and 3rd routers. You can skip the 2nd and 3rd router configuration by entering no instead of an IP address.

10. Define the IP address of the 1st router and press Enter.
11. Define the subnet mask of the 1st router and press Enter.
12. Define the LinkProof IP interface of the 1st router and press Enter.
13. Define the LinkProof physical port number of the 1st router and press Enter.
14. Set the router operation mode: either Regular (LB) or Backup (HA). Default: LB.
15. You are prompted whether Dynamic NAT is used. If it is, define the NAT address for that interface. Default: Yes.
16. Select the dispatch method from the following options:
    • Least Amount of Traffic (the default)
    • Cyclic
    • Least Number of Bytes
    • Least Amount of Users
    • Hashing
    • Response Time
    For more information see Dispatch Methods, page 89.
17. Press Enter. You are asked whether the topology of the LinkProof installation should be changed. Default: No. If you select Yes:
    • All router ports become members of one VLAN bridge group.
    • LinkProof verifies that all IP addresses belong to the same subnet.
18. Press Enter. Static Port Address Translation (Static PAT) is optional and offers the following inbound services:
    Web (HTTP): TCP port 80
    Web SSL (HTTPS): TCP port 443
    FTP: TCP 21 and 20
    Mail (SMTP): TCP 25
    VPN (IPsec): UDP and TCP 500, plus AH and ESP at the IP layer
    Static PAT allows you to configure up to 3 servers, each with up to 5 services, with the following limitation: from 1 server with all 5 services to 5 servers (with different IPs) with 1 service each, or a combination of the above.
19. Press Enter. When using inbound services with Static PAT, the management ports must be disabled to prevent a conflict with the inbound services. The following alternative management ports were chosen by Radware using RFC 4340; you can alternatively use a port recommended by IANA (http://www.iana.org/assignments/port-numbers):
    Web SSL (HTTPS): TCP 9062
    FTP: TCP 9061

Notes:
i  A message is sent to the user, via both the terminal and the Web, to confirm that the configuration was successful.
ii An error message appears if the ports used were in conflict and the configuration was unsuccessful.

Examples: CLI Installation Wizard Configuration Examples

The following examples are possible configurations using the CLI Installation Wizard.
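Before the network diagrams, an added example (not Radware's code and not part of this guide) of checking a Static PAT plan from steps 18 and 19 before committing it in the wizard. It applies two rules stated above: at most five service mappings in total across the published servers, and no inbound service sharing a TCP/UDP port with a management service, which the guide resolves by disabling the management port or moving it to the alternatives listed (HTTPS to TCP 9062, FTP to TCP 9061). The service port table and those two alternative ports are taken from the guide; the assumption that plain-HTTP Web Based Management on TCP 80 also listens by default, the data layout, the sample plan and all names are this example's own.

```python
"""Added example, not Radware's code: validate a CLI-wizard Static PAT plan against
the rules in steps 18 and 19 and work out which management listeners must move or be
disabled. Ports for the inbound services and the alternative management ports
(HTTPS 9062, FTP 9061) are from the guide; everything else is this example's own."""

# Inbound services the wizard offers (step 18), as (protocol, port) pairs.
# ESP and AH are IP-layer protocols 50 and 51, not ports, so they are keyed as "ip".
INBOUND_SERVICES = {
    "HTTP":  {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "FTP":   {("tcp", 21), ("tcp", 20)},
    "SMTP":  {("tcp", 25)},
    "IPsec": {("udp", 500), ("tcp", 500), ("ip", 50), ("ip", 51)},
}
# Management listeners on their default ports. "web" on TCP 80 is an assumption of
# this example; "web-ssl" and "ftp" are the two services step 19 gives alternatives for.
MANAGEMENT_DEFAULT = {"web": ("tcp", 80), "web-ssl": ("tcp", 443), "ftp": ("tcp", 21)}
MANAGEMENT_ALTERNATIVE = {"web-ssl": ("tcp", 9062), "ftp": ("tcp", 9061)}
MAX_MAPPINGS = 5   # "1 server with all 5 services or 5 servers with 1 service each"


def check_plan(pat_plan, management=MANAGEMENT_DEFAULT):
    """pat_plan: {server_ip: [service, ...]}; management: {name: (proto, port)}.
    Returns a list of problems in plan order; an empty list means the plan is acceptable."""
    problems = []
    total = sum(len(dict.fromkeys(services)) for services in pat_plan.values())
    if total > MAX_MAPPINGS:
        problems.append(f"{total} service mappings exceed the Static PAT limit of {MAX_MAPPINGS}")
    for ip, services in pat_plan.items():
        for svc in dict.fromkeys(services):            # de-duplicate, keep order
            if svc not in INBOUND_SERVICES:
                problems.append(f"{ip}: unknown inbound service {svc!r}")
                continue
            for proto, port in sorted(INBOUND_SERVICES[svc]):
                for name, listener in management.items():
                    if listener == (proto, port):
                        problems.append(f"{ip}: {svc} on {proto}/{port} conflicts with management service {name}")
    return problems


def remediate(pat_plan, management=MANAGEMENT_DEFAULT):
    """Return (new_management, actions). A management listener that collides with an
    inbound service is moved to the guide's alternative port when one is listed and
    that port is free; otherwise it must be disabled."""
    used = {pp for services in pat_plan.values()
            for svc in services for pp in INBOUND_SERVICES.get(svc, ())}
    new_management, actions = {}, []
    for name, listener in management.items():
        if listener not in used:
            new_management[name] = listener
            continue
        alt = MANAGEMENT_ALTERNATIVE.get(name)
        if alt is not None and alt not in used:
            new_management[name] = alt
            actions.append(f"move {name} from {listener[0]}/{listener[1]} to {alt[0]}/{alt[1]}")
        else:
            actions.append(f"disable {name} on {listener[0]}/{listener[1]}")
    return new_management, actions


if __name__ == "__main__":
    # Constructed plan: three published servers, five mappings in total.
    plan = {"10.0.0.10": ["HTTP", "HTTPS"], "10.0.0.11": ["FTP"], "10.0.0.12": ["SMTP", "IPsec"]}
    for problem in check_plan(plan):
        print("conflict:", problem)
    management, actions = remediate(plan)
    print("actions:", actions)
    print("remaining problems:", check_plan(plan, management))
```

Run on the constructed plan, the checker reports the three collisions (HTTP/80, HTTPS/443, FTP/21), moves HTTPS and FTP management to 9062 and 9061 and disables plain-HTTP management, after which the plan is clean. Whatever the wizard accepts, a management service reachable on the public address through a NAT'd port is exactly what you do not want; the remediation list is also a review checklist for what must be confirmed closed afterwards.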
Figure 61 - 3 ISP Connected

A – 3 ISP Connected: CLI Wizard Supported Network Configuration
• 3 ISPs, one configured per router
• A different LinkProof interface for each ISP
• 4 different subnets (1 per interface)

Figure 62 - Regular VLAN (Bridge)

B – Regular VLAN (Bridge): CLI Wizard Supported Network Configuration
• 2 ISPs, one configured per router
• ISP 1 (LP Interface 2) and the internal LAN (Interface 1) are on the same subnet, 192.168.10.0/24
• ISP on LP Interface 3: subnet 192.168.30.0/24

Application Recovery Procedure

Application Switch 2 and above are equipped with internal flash and compact flash. When the devices are shipped from Radware, there are two applications on the device:
• Active application: stored on the compact flash.
• Recovery application: stored on the internal flash.

During normal operation the device loads the application from the compact flash. When the compact flash is corrupted, the image file is damaged, config.ini has been erased, or any other cause prevents the device from loading from the compact flash, the device loads the recovery application instead, and you can then perform a regular software upgrade to recover the device. You can also load the device from the internal flash manually in order to recover the defective application.

Recovering the Application Remotely

To recover the application remotely:
1. Telnet or SSH to the device (prefer SSH; Telnet carries the credentials in clear text).
2. From the CLI type the command: system file-system config act-appl set 0
   The device reboots.
3. Wait until the device has rebooted and connect to it using Web Based Management or APSolute Insite.
4. Perform the software upgrade to the desired software.
5. Reboot the device.

Note: After the reboot, the device loads the new application.

Recovering the Application Locally

To recover the application locally:

Option A:
1. Toggle DIP switch 1 to the upper position.
   Note: On Application Switch 2 this option is supported for hardware revision 4.45 and higher, with Boot 6.041 and 6.06 and higher.
2. Reboot the device. The device loads the recovery application.
3. Toggle DIP switch 1 back to the lower position.
   Note: If you need to configure the recovery application or enter its license, it is useful to keep DIP switch 1 in the upper position and set it down just before the upgrade.
4. Connect to the device and perform the software upgrade.

Option B:
1. Connect to the device using the serial console.
2. Reboot the device and stop it during the boot process.
3. At the boot prompt type 'i' followed by '0' and press Enter.
4. After the device reboots, do one of the following:
   a. Connect to the device using Web Based Management or APSolute Insite, perform the software upgrade to the desired software and reboot.
   b. Send the files using XMODEM:
      • At the boot prompt type y1 to format the compact flash.
      • Send the new software via XMODEM using the 'w' command. Ensure that the destination is the compact flash (cm:/<name of the tar file>). The file must be sent in binary mode.
      • Send config.ini via XMODEM using the 'w' command. Make sure that the destination is the compact flash (cm:/config.ini). The file must be sent in ASCII mode.
      • Extract the uploaded tar file using the 'x' command. Make sure that the destination is the compact flash (cm:/<name of the tar file>).
      • Type 'a' to print the list of installed applications.
      • Type 'i' followed by the index of the newly installed application.

Notes:
i  After the reboot the recovery application burns the new boots, and only then does the device load the new application.
ii During the software upgrade, only the application on the compact flash is upgraded.
iii OneIP: a single IP address is used as the IP interface towards the load-balanced router as well as for NATting traffic through that router.

Specifications

This section includes a specifications table for the Application Switch platforms, and includes the following topics:
• Specification Table
• Serial Cable Pin Assignment

Specification Table

  Feature                    AS1                     AS2                     AS3                     AS4                     CAS
  Architecture               Two-tier                Two-tier                Three-tier              Three-tier              Two-tier
  Backplane                  9.6Gbps                 19.2Gbps                44Gbps                  44Gbps                  2.4Gbps
  System memory - Flash      16MB internal           8MB internal +          8MB internal +          8MB internal +          16MB internal
                                                     16MB compact flash      32MB compact flash      32MB compact flash
  System memory - RAM        128-256MB               128-256MB               256-512MB + 512-1024MB  256-512MB + 512-1024MB  64MB
                                                                             (1024MB; 2048MB for     (1024MB; 2048MB for
                                                                             network processors)     network processors)
  Network interfaces
    Fast Ethernet            8 or none               16 or none              16                      16                      8
    (10/100BaseT)
    Gigabit Ethernet         2 or none (SFP, fiber   5 or 7 (GBIC, fiber     7 (SFP, fiber optic     7 (SFP, fiber optic     None
                             optic or copper)        optic or copper)        or copper)              or copper)
    10 Gigabit Ethernet      None                    None                    1 (optical module)      1 (optical module)      None
  Out-of-band management     9-pin female RS-232 connector on all platforms. DCE setup: 19200 bps, 8 bits, one stop bit, no parity.
  Power supply               Auto-range              Auto-range              Auto-range              Auto-range              External power supply.
                             90V-264V, 50-60Hz       90V-264V, 50-60Hz,      90V-264V, 50-60Hz,      90V-264V, 50-60Hz,      Input: auto-range
                                                     single or dual power    single or dual power    single or double        100-120/220-240VAC,
                                                     supply, or 38-72VDC     supply, or 38-72VDC     power supply            50-60Hz. Output: 3.3V/4A
  Power consumption          35W                     44W                     60W                     60W                     78W (with SME)
  Heat dissipation           157.08 BTU/h            150.27 BTU/h            204.86 BTU/h            204.86 BTU/h            266.33 BTU/h
  Dimensions - Width         432mm                   432mm                   432mm                   432mm                   240mm
  Dimensions - Depth         475mm                   455mm                   485mm                   485mm                   170mm
  Dimensions - Height        44mm (1U)               44mm (1U); 88mm (2U)    44mm (1U); 88mm (2U)    44mm (1U); 88mm (2U)    47mm (1U)
                                                     for dual power supply   for dual power supply   for dual power supply
  Weight                     3.85kg                  5.3kg                   7kg                     7kg                     0.5kg
  Operating temperature      0-40C                   0-40C                   0-40C                   0-40C                   0-40C
  Humidity (non-condensing)  20% to 80%              20% to 80%              20% to 80%              20% to 80%              20% to 80%
  Safety certifications      EN 60950, UL 1950, CSA 22.2 No. 950 on all platforms.
  Electromagnetic emission   EN 55022 class A,       EN 55022 class B,       EN 55022 class A,       EN 55022 class A,       EN 55022 class A,
                             EN 55024, FCC part      EN 55024, FCC part      EN 55024, FCC part      EN 55024, FCC part      EN 55024, FCC part
                             15B class A             15B class B             15B class A             15B class A             15B class A

Serial Cable Pin Assignment

Table 61: PC Serial Port to Radware Device Pinout

The cable is a straight DB9F-to-DB9M cable. Only pins 2, 3 and 5 are used; all other pins are not connected at the device end.

  PC signal (DTE)   PC DB9 pin   Cable (straight)   Device DB9 pin   Device signal (DCE)
  CD                1            1                  -                -
  RxD               2            2                  2                RxD
  TxD               3            3                  3                TxD
  DTR               4            4                  -                -
  GND               5            5                  5                GND
  DSR               6            6                  -                -
  RTS               7            7                  -                -
  CTS               8            8                  -                -
  RI                9            9                  -                -

Troubleshooting for AS1 and AS2

This section provides hardware troubleshooting for AS1 and AS2.
Note: Most cases of suspected hardware problems are incorrectly identified and may be software related.

Table 62: Troubleshooting for AS1 and AS2

Problem: After powering up the device the power LED remains unlit.
Possible solution: Check the following:
  • Verify that the power lead is correctly connected to the mains supply and to the device.
  • Ensure that the On/Off switch on the back panel of the device is in the On position.
Outcome: If these requirements are met and the power LED remains unlit, contact Radware Technical Support.

Problem: The power LED is lit, but there is no console response.
Possible solution:
  • Check that the serial cable is properly connected to the device.
  • Check that the serial port parameters, including speed, are correctly configured.
Outcome: If the problem persists, contact Radware Technical Support.

Problem: The device LEDs are lit, but the device does not communicate via the LAN ports.
Possible solution: Connect to the device serial port and open a terminal connection. If fatal error messages appear on the terminal and no product prompt appears, the boot process is incomplete. To eliminate possible causes:
  1. Stop the boot countdown and erase the configuration (q1 command).
  2. Reboot ("@") and fill in the connectivity data (IP address) in the Startup Configuration window.
  Should the problem persist, check in the release notes whether the product matches the running boot version. If not, update the boot.
Outcome: If the problem persists, contact Radware Technical Support.

Problem: AS2 flash management. During the boot process the following message appears on the console:
  FATAL ERROR: tRootTask: RSFLEG_write: is failed
Possible solution: This indicates a possible problem with flash management (AS2 only).
Outcome: Contact Radware Technical Support.

Problem: Boot upgrade failure.
  • After the boot upload (via XMODEM) is complete, a write protection error message appears on the ASCII terminal.
  • After a successful boot image upload, a change of DIP switch 1 and a reboot, the device still boots up with the older version.
Possible solution:
  • Write protection error: 1. change the position of DIP switch 1; 2. upload the boot image again.
  • Older version still boots: verify that DIP switch 1 was moved (not switch 8 by mistake).
Outcome: If a "Write Protection Error" appears again, contact Radware Technical Support. If the correct DIP switch was moved, this indicates a DIP switch failure; contact Radware Technical Support.

Problem: Device port communication failure. The device fails to communicate through one or more of its LAN ports.
Possible solution:
  1. Check that the correct cable was used.
  2. Verify that the correct speed and duplex mode are configured on both the Radware device and the device connected to its ports.
  3. Change the port configuration on the Radware device, on the connected device, or on both (see Setting Interface Properties).
Outcome: If the problem still occurs, contact Radware Technical Support.

Appendix A – Glossary

The glossary provides terms that are frequently used in this guide and a list of common abbreviations, and includes the following sections:
• Commonly Used Terms
• List of Abbreviations

Commonly Used Terms

Multiplexing
  To combine multiple signals (analog or digital) for transmission over a single line or medium; to combine data from several sources into a stream in such a way that it can be separated again later.

Protocol Port
  The abstraction that TCP/IP transport protocols use to distinguish among multiple destinations within a given host computer. TCP/IP protocols identify ports using small positive integers. Usually the operating system allows an application program to specify which port it wants to use.
Some ports are reserved for standard services (for example electronic mail).

Advanced Monitoring and Statistics
LinkProof provides various statistics, such as Current Server Load, Current Attached Clients per Server, and numerous URL-based statistics, which enable unique monitoring and utilization of the network. The Client Table and URL Table are dynamically learned, containing information regarding clients and URLs. Traps are initiated in case of special events.

Content Inspection Server Farm
Refers to a set of content inspection servers, which have a single IP address (Farm Address) defined on the LinkProof.

IP Interface
An IP interface on the LinkProof is comprised of two components: an IP address and an associated interface. The associated interface can be a physical interface or a virtual interface (VLAN). IP routing is performed between LinkProof IP interfaces, while bridging is performed within an IP interface that contains an IP address associated with a VLAN.

The LinkProof was designed to intercept HTTP requests and to redirect them to a content inspection server farm. The first assumption in designing a LinkProof network is that the LinkProof resides on the path between the clients and both the Internet and the content inspection servers. This is required since the LinkProof needs to intercept the clients' requests going to the Internet and to manipulate the packets returning from the content inspection servers to the clients. Except when using local triangulation or transparent proxy, all traffic must travel physically through the LinkProof. This includes traffic from the users to the Internet and from the content inspection server farm back to the users. If there are users that are statically configured to use a content inspection server, they should be configured to the LinkProof virtual address. This address is the access IP address for the content inspection servers.

Note: This address is used only for statically configured users.

Physical Interface
One of the actual Fast Ethernet or Application Switch ports of the LinkProof. In the Fast Ethernet platform, a LinkProof can have either 2 or 4 physical interfaces, depending on the hardware configuration. In the Application Switch platform, the LinkProof can have up to 10 physical interfaces.

Physical IP Address
An IP address assigned to a LinkProof interface. This address belongs to the LinkProof and is used for SNMP management and/or routing purposes.

RTSP, MMS (Streaming) Request Interception
In addition to HTTP ports, the LinkProof transparently intercepts common streaming protocol ports and redirects them to the cache farm.

Virtual Interface (VLAN)
A collection of physical interfaces. A VLAN is defined according to protocol. Bridging for the defined protocol is performed between the ports that belong to a VLAN. In the case of IP, bridging is performed within a VLAN depending on the IP address assigned to that VLAN. For example, if an IP VLAN contains physical interfaces 1, 2, and 4 and is given an IP address of 192.1.1.1 (with subnet mask 255.255.255.0), bridging is performed for IP network 192.1.1.0 between LinkProof ports 1, 2, and 4.

Virtual IP Address (Farm address)
An IP address assigned to the LinkProof that represents a content inspection server farm. Packets destined to this address are load balanced between the servers of the farm. The LinkProof can hold a single farm.

VLAN types
Two types of IP VLANs are commonly encountered when configuring a LinkProof. Either VLAN can be used depending on the LinkProof configuration requirements.

Regular: A Regular VLAN provides transparent bridging within the VLAN. This means that when two stations communicate within the VLAN, they are aware of each other's MAC addresses. For example, if stations A and B are on two different LinkProof ports that belong to the same VLAN, during communication A knows B's MAC address and B knows A's address. In addition, a Regular VLAN also supports the redundancy and transparent proxy features.

Broadcast And Unicast: This is a special VLAN which allows bridging using standard proxy ARP techniques. For example, stations on one VLAN port of the LinkProof believe that all stations on other LinkProof ports belonging to this VLAN have the same MAC address. This one MAC address is actually the MAC of the LinkProof. It may be necessary to use this VLAN type in LinkProof configurations to ensure that packets are destined to the MAC address of the LinkProof during end station to server communications.

List of Abbreviations

Acronym  Meaning
ARP  Address Resolution Protocol
AS  Autonomous System
AS  Application Switch
BGP  Border Gateway Protocol
CID  Content Inspection Director
CIDR  Classless Interdomain Routing
CSD  Cache Server Director
CW  ConfigWare
DGW  Default Gateway
DHCP  Dynamic Host Configuration Protocol
DMZ  Demilitarized Zone
DNS  Domain Name System
DSL  Digital Subscriber Loop
EGP  Exterior Gateway Protocol
EIGRP  Enhanced Interior Gateway Protocol
FDDI  Fiber Distributed Digital Interface
FE  Fast Ethernet
LinkProof  Fire Proof
FTP  File Transfer Protocol
FW  Firewall
GARP  Gracious Address Resolution Protocol
GTLD  Generic Top Level Domain
GUI  Graphic User Interface
HTTP  Hypertext Transfer Protocol
HTTPS  Hypertext Transfer Protocol Secure
HW  Hardware
ICMP  Internet Control Message Protocol
IDS  Intrusion Detection System
IGP  Interior Gateway Protocol
IGRP  Interior Gateway Routing Protocol
IP  Internet Protocol
ISDN  Integrated Services Digital Network
ISO  International Standards Organization
ISP  Internet Services Provider
ITM  Internet or Intelligent Traffic Management
LAN  Local Area Network
LB  Load Balancer/Balancing
LLC  Logical Link Control
LP  LinkProof
LRP  Load Reporting Protocol
MAC  Media Access Control
MAN  Metropolitan Area Network
MED  Multi-Exit Discriminator
MIME  Multi-Purpose Internet Mail Extension
NAP  Network Access Point
NAT  Network Address Translation
NetBEUI  NetBIOS Extended User Interface
NetBIOS  Network Basic Input/Output System
NHR  Next Hop Router
NIC  Network Interface Card
NP  Network Proximity
NTP  Network Time Protocol
OSI  Open Systems Interconnect
OSPF  Open Shortest Path First
OUI  Organizational Unique Identifier
PD  Peer Director
POP3  Post Office Protocol 3
PRP  Proximity Reporting Protocol
QoS  Quality of Service
RFC  Request for Comment
RIP  Route Information Protocol
RND  Rad Network Devices
SmartNat  Smart Network Address Translation
SMTP  Simple Message Transfer Protocol
SNMP  Simple Network Management Protocol
SONET  Synchronous Optical Network
SSH  Secure Shell
SSL  Secure Sockets Layer
SW  Software
TCP  Transmission Control Protocol
TFTP  Trivial File Transfer Protocol
TLD  Top Level Domain
UDP  User Datagram Protocol
URL  Uniform Resource Locator
VACM  View-based Access Control Model
VLAN  Virtual Local Area Network
VLSM  Variable Length Subnet Masking
VRRP  Virtual Router Redundancy Protocol
WAN  Wide Area Network
WBM  Web Based Management
WINS  Windows Internet Naming Service
LinkProof  Web Server Director
WWW  World Wide Web

Appendix B – Loopback Interfaces

This appendix describes the setup of loopback interfaces on the most commonly used operating systems and explains how to configure the alias IP addresses for each loopback interface. Loopback addresses are required on servers when using a LinkProof network configuration with local triangulation.
Definitions are provided for loopback configuration on these operating systems:
• AIX, page 408
• HP-UX, page 408
• Linux, page 409
• Solaris, page 410
• Windows NT, page 410

Figure 63 - Loopback Interface Example (LinkProof IP 10.1.1.10 with Farm IP 10.1.1.100; Server 1, Server 2 and Server 3 at 10.1.1.1, 10.1.1.2 and 10.1.1.3, each with loopback 10.1.1.100 and default router 10.1.1.20)

In this example, the LinkProof load balances among the servers:
• Server 1: 10.1.1.1
• Server 2: 10.1.1.2
• Server 3: 10.1.1.3

Each server has a loopback alias of 10.1.1.100, which is the same as the LinkProof Farm IP address (virtual IP address). Each server has the network router (10.1.1.20) configured as the default router, so traffic from the server to the client can go directly back to the client through the router, without passing through the LinkProof.

Servers are defined in the LinkProof, along with their IP addresses, and are configured as Local Triangulation participants. When Internet traffic from clients arrives at a LinkProof farm, LinkProof selects the least busy server as its destination and forwards the request to it, using the predefined loopback IP (farm IP). The server then sends the reply directly to the default gateway, saving the need to go through LinkProof.

AIX

For loopback on the AIX operating system, the command syntax is:

    ifconfig lo0 alias <LinkProof virtual IP> netmask <netmask>

This command sets the first alias of the loopback interface "lo0" to have the same IP address as the LinkProof Virtual IP (VIP). For the example network shown in Loopback Interface Example, page 407, the command is:

    ifconfig lo0 alias 10.1.1.100 netmask 255.0.0.0

This command should be executed on all servers.

Note: Resetting the server erases the configuration. Therefore, the command should be inserted in a boot-up script, so that each time the server is reset, the loopback alias is automatically configured.

HP-UX

For loopback on the HP-UX operating system, the command syntax is:

    ifconfig lo0 <LinkProof virtual IP>

This command sets the alias of the loopback interface "lo0" to have the same IP address as the LinkProof Virtual IP (VIP). For the example network shown in Loopback Interface Example, page 407, the command is:

    ifconfig lo0 10.1.1.100

This command should be executed on all servers.

Note: Resetting the server erases the configuration. Therefore, the command should be inserted in a boot-up script, so that each time the server is reset, the loopback alias is automatically configured.

Linux

For loopback on the Linux operating system, the command syntax is:

    ifconfig lo:1 <LinkProof virtual IP> netmask <netmask> up

This command sets the first alias of the loopback interface "lo" to have the same IP address as the LinkProof Virtual IP (VIP). Also included in the command is the proper network mask. See Figure: Loopback Interface Example, page 407, for an example network. Assuming standard class A masks, the command is:

    ifconfig lo:1 10.1.1.100 netmask 255.0.0.0 up

Various Linux operating systems, for example RedHat Linux Enterprise 3.0, may require that the netmask be 255.255.255.255. This command should be executed on all servers. The loopback configuration is activated by the server reset.

Note: Resetting the server erases the configuration. Therefore, the command should be inserted in a boot-up script, so that each time the server is reset, the loopback alias is automatically configured.

To configure loopback in RedHat Linux Enterprise 3.0 (kernel 2.1 and above):

1. To gain administrative access, su to root.
2. Edit /etc/rc.d/rc.local and add the following lines to the end of the file:

    /sbin/sysctl -w net.ipv4.conf.all.hidden=1

   This runs the kernel commands across reboots and enables the kernel configuration of all hidden network devices needed to configure the loopback interface properties.

    /sbin/sysctl -w net.ipv4.conf.lo.hidden=1

   This hides the loopback device, to stop the loopback from answering ARP queries.
3. To access the startup scripts, the command is:

    cd /etc/sysconfig/network-scripts

   This is where the network startup scripts are stored.
4. To copy the generic loopback interface configuration template to a loopback interface instance lo:1, the command is:

    cp ifcfg-lo ifcfg-lo:1

5. Edit the file ifcfg-lo:1 and make the necessary changes to the IP address, netmask, network and broadcast addresses.

   Note: The netmask must be set to /32 (255.255.255.255). The device must be set to lo:1 (lo:1 is used as an example; it could be lo:x, x=1...n).
6. To activate the changes to the kernel without rebooting, the command is:

    sysctl -p

A patch has to be installed on the Linux server to disable the loopback interface from replying to ARP requests. For more information, see http://www.ssi.bg/~ja/#hidden.

Solaris

For loopback on Sun's Solaris operating system, the command syntax is:

    ifconfig lo0:1 <LinkProof virtual IP> 127.0.0.1 up

This command sets the alias of the loopback interface "lo0" to have the same IP address as the LinkProof Virtual IP (VIP). For the example network shown in Loopback Interface Example, page 407, the command is:

    ifconfig lo0:1 10.1.1.100 127.0.0.1 up

This command should be executed on all servers.

Note: Resetting the server erases the configuration. Therefore, the command should be inserted in a boot-up script, so that each time the server is reset, the loopback alias is automatically configured.
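The following script is an added example, not part of the Radware guide: it renders the per-OS loopback alias command and the RedHat ifcfg-lo:1 file for a given farm VIP, and checks a saved sysctl listing for the two hidden flags from step 2 (the function names, the "key = value" sysctl output format and the sample listing are this example's own assumptions). It only prints text, so the result can be reviewed before being placed in a boot-up script.

```shell
#!/bin/sh
# Added example (not from the Radware guide): generate the loopback alias
# configuration the appendix describes for a LinkProof farm VIP. Nothing here
# touches the running system; the functions only emit text for review.

# lp_valid_ipv4 ADDR: 0 for a dotted quad with every octet in 0-255, else 1.
lp_valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# lp_loopback_cmd OS VIP [NETMASK]: the appendix's command line for aix, hpux,
# linux or solaris. The mask defaults to /32, which RedHat requires.
lp_loopback_cmd() {
    os=$1; vip=$2; mask=${3:-255.255.255.255}
    lp_valid_ipv4 "$vip" || { echo "invalid VIP: $vip" >&2; return 1; }
    case $os in
        aix)     echo "ifconfig lo0 alias $vip netmask $mask" ;;
        hpux)    echo "ifconfig lo0 $vip" ;;
        linux)   echo "ifconfig lo:1 $vip netmask $mask up" ;;
        solaris) echo "ifconfig lo0:1 $vip 127.0.0.1 up" ;;
        *)       echo "unsupported OS: $os" >&2; return 1 ;;
    esac
}

# lp_ifcfg_lo1 VIP: contents for /etc/sysconfig/network-scripts/ifcfg-lo:1.
# With the /32 mask the note requires, NETWORK and BROADCAST are the VIP itself.
lp_ifcfg_lo1() {
    lp_valid_ipv4 "$1" || return 1
    printf 'DEVICE=lo:1\nIPADDR=%s\nNETMASK=255.255.255.255\nNETWORK=%s\nBROADCAST=%s\nONBOOT=yes\n' \
        "$1" "$1" "$1"
}

# lp_hidden_flags_ok SYSCTL_OUTPUT: 0 only if both hidden flags from step 2 are
# set, i.e. the loopback alias will not answer ARP for the VIP and compete with
# the LinkProof for it. The "key = value" line format is assumed.
lp_hidden_flags_ok() {
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.conf\.all\.hidden = 1$' || return 1
    printf '%s\n' "$1" | grep -q '^net\.ipv4\.conf\.lo\.hidden = 1$'  || return 1
}

# Constructed sample of sysctl output for a self-check (not captured from a server).
SAMPLE_SYSCTL='net.ipv4.conf.all.hidden = 1
net.ipv4.conf.lo.hidden = 1
net.ipv4.ip_forward = 0'

if [ "${1:-}" = "demo" ]; then
    lp_loopback_cmd linux 10.1.1.100
    lp_ifcfg_lo1 10.1.1.100
    lp_hidden_flags_ok "$SAMPLE_SYSCTL" && echo "hidden flags set"
fi
```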
Windows NT

Setting up the loopback interface in Windows NT is not straightforward and can sometimes create unpredictable behavior.

1. Add a new loopback adapter.
2. Configure the loopback adapter with the appropriate IP address.
3. Reset the server.
4. Check the server's routing table and make adjustments if necessary.
5. Create a batch file or service to ensure that the necessary adjustments are made after every server reset.

These steps are detailed in the procedure below:

To add and configure a loopback adapter in Windows NT:

1. Right click Network Neighborhood and select Properties. Alternatively, you can get to network properties by choosing Network from the Control Panel.
2. From the Network window, click the Adapters tab.
3. From the Adapters tab, click Add. The list of available adapters appears.
4. From the Adapters list, select MS Loopback Adapter.
5. Click Ok. The MS Loopback Adapter Setup dialog box appears.
6. In the Frame Type field, select 802.3. You are prompted to provide the NT disk or the NT source files.
7. Choose the location and continue.

   Note: Your NT server may automatically know where the source files are and skip this section.
8. After the loopback adapter has been properly installed, click Close. The Network Properties window closes. NT prompts you to configure the loopback adapter with an IP address by displaying the Microsoft TCP/IP Properties dialog box.
9. In the Microsoft TCP/IP Properties dialog box, choose the loopback adapter.
10. Configure the Loopback IP. This should be the same as the LinkProof Farm IP. Configure an appropriate mask, but do NOT configure a default gateway.
11. Click Ok. NT completes the configuration, then prompts to be reset.

    Note: The loopback configuration is activated by the server reset.
12. Reset the server. Once it has rebooted, log in and go to a command prompt (DOS prompt).
13. Adjust the IP Routing Table, as described in the procedure To adjust the Routing Table following loopback configuration, page 411.

Deleting Unnecessary Routes

After you add and configure the loopback adapter, it is likely that the server's IP Routing Table contains one or more unnecessary routes which you must delete. These are the non-multicast/broadcast routes which have the same gateway address as the IP address of the loopback interface. You can identify extraneous routes in the server's IP Routing Table, which you can access using the route print command. These routes usually appear in pairs (for the same destination network, usually the server's local network). One route points to the server's physical IP address, while the other route points to the loopback IP address. These duplicate entries pointing to the loopback IP address as the gateway must be removed, otherwise the Local Triangulation mode may not function properly.

To adjust the Routing Table following loopback configuration:

To remove the table entry for an extraneous route, use this command:

    route delete <network address> mask <net mask> <gateway address>

where <gateway address> is the same as the loopback interface.

If the above command is unsuccessful, use this command:

    route delete <network address>

This removes both table entries. The appropriate entry must then be re-added using the following command:

    route add <network address> mask <net mask> <gateway address>

Note: Resetting the server erases the Routing Table changes. Therefore, a batch file or service should be installed to ensure these changes are re-applied after a reset. To operate the batch file as a service, use the NT resource kit.

For further assistance, please contact Radware Technical Support.
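The following script is an added example, not part of the Radware guide: it audits a saved route print listing for the extraneous routes described above and prints the route delete commands, flagging any route that has no sibling via the physical interface, where the appendix warns that the entry must be re-added after deletion. The column layout of route print and the sample table are this example's own constructed assumptions; run it on a copy of the output, as it changes nothing on the server.

```shell
#!/bin/sh
# Added example (not from the Radware guide): find the routes in a saved
# `route print` listing whose gateway is the loopback (farm) IP, excluding the
# multicast and limited-broadcast entries, and emit the matching `route delete`
# commands from the appendix. Nothing here modifies a routing table.

# Constructed sample of the "Active Routes" section (not from a real server).
# Columns assumed: Network Address, Netmask, Gateway Address, Interface, Metric.
SAMPLE_ROUTE_PRINT='Active Routes:
Network Address          Netmask  Gateway Address        Interface  Metric
        0.0.0.0          0.0.0.0        10.1.1.20         10.1.1.1       1
       10.1.1.0    255.255.255.0         10.1.1.1         10.1.1.1       1
       10.1.1.0    255.255.255.0       10.1.1.100       10.1.1.100       1
       10.1.1.1  255.255.255.255        127.0.0.1        127.0.0.1       1
     10.1.1.100  255.255.255.255        127.0.0.1        127.0.0.1       1
       10.2.2.0    255.255.255.0       10.1.1.100       10.1.1.100       1
      224.0.0.0        224.0.0.0         10.1.1.1         10.1.1.1       1
      224.0.0.0        224.0.0.0       10.1.1.100       10.1.1.100       1
255.255.255.255  255.255.255.255       10.1.1.100       10.1.1.100       1'

# lp_extraneous_routes TABLE LOOPBACK_IP
# Prints, sorted for stable output, one line per route to act on:
#   route delete <net> mask <mask> <loopback ip>  when a sibling route to the same
#       network via another gateway exists, so the physical path survives;
#   REM ...  when no sibling exists: deleting would strand the network, so the
#       entry has to be re-added via the physical gateway, as the appendix notes.
lp_extraneous_routes() {
    printf '%s\n' "$1" | awk -v lo="$2" '
        # Data rows only: five columns and a dotted-quad destination.
        NF == 5 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            key = $1 " " $2
            if ($3 == lo)
                cand[key] = 1
            else
                sib[key] = 1
        }
        END {
            for (k in cand) {
                # Multicast and limited-broadcast routes legitimately point at
                # the loopback IP as well; the appendix leaves those alone.
                if (k ~ /^224\.0\.0\.0 / || k ~ /^255\.255\.255\.255 /) continue
                split(k, p, " ")
                if (k in sib)
                    printf "route delete %s mask %s %s\n", p[1], p[2], lo
                else
                    printf "REM no sibling route for %s mask %s: re-add it via the physical gateway after deleting\n", p[1], p[2]
            }
        }' | sort
}

if [ "${1:-}" = "demo" ]; then
    lp_extraneous_routes "$SAMPLE_ROUTE_PRINT" 10.1.1.100
fi
```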
Appendix C – Regular Expressions

This appendix provides an overview of the basic syntax of regular expressions used in LinkProof modules, for example in the DNS Regexp Hostname table in the Health Monitoring Module.

'^' and '$'. These symbols indicate the beginning and end of a string, respectively, as follows:
• "^The": Matches any string that starts with "The"
• "of despair$": Matches a string that ends in the substring "of despair"
• "^abc$": A string that starts and ends with "abc" – this can only be "abc"
• "notice": A string that has the text "notice" within it.

If neither of the two characters is used (as in the last example), this means that the pattern may occur anywhere within the string – it is not "hooked" to any of the edges.

Symbols '*', '+', and '?' indicate the number of times a character or a sequence of characters may occur. These symbols mean "zero or more", "one or more", and "zero or one" respectively. For example:
• "ab*": Matches a string that has an "a" followed by zero or more "b"'s ("a", "ab", "abbb", etc.)
• "ab+": Same, but there is at least one "b" ("ab", "abbb", etc.)
• "ab?": There might be one or no "b"
• "a?b+$": A possible "a" followed by one or more "b"'s ending a string

Bounds can also be used. Bounds are defined inside brace brackets and indicate ranges in the number of occurrences:
• "ab{2}": Matches a string that has an "a" followed by exactly two "b"'s ("abb");
• "ab{2,}": Matches a string that has at least two "b"'s ("abb", "abbbb", etc.);
• "ab{3,5}": Matches a string that has from three to five "b"'s ("abbb", "abbbb", or "abbbbb").

The first number of a range must always be specified (for example "{0,2}", not "{,2}"). Symbols '*', '+', and '?' denote the same as bounds "{0,}", "{1,}" and "{0,1}", respectively.

To quantify a sequence of characters, they must be defined within parentheses:
• "a(bc)*": Matches a string that has an "a" followed by zero or more copies of the sequence "bc";
• "a(bc){1,5}": Matches a string that has one to five copies of "bc".

The '|' symbol is an OR operator:
• "hi|hello": Matches a string that includes either "hi" or "hello".
• "(b|cd)ef": A string that includes either "bef" or "cdef".
• "(a|b)*c": A string that has a sequence of alternating "a"'s and "b"'s ending with "c".

A period ('.') stands for any single character:
• "a.[0-9]": Matches a string that has an "a" followed by a single character and a digit.
• "^.{3}$": A string with exactly 3 characters.

Bracket expressions specify which characters are allowed in a single position of a string:
• "[ab]": Matches a string that has either an "a" or a "b" (identical to "a|b")
• "[a-d]": A string that has lowercase letters 'a' through 'd' (identical to "a|b|c|d" and "[abcd]");
• "^[a-zA-Z]": A string that starts with a letter
• "[0-9]%": A string that has a single digit before a percent sign
• ",[a-zA-Z0-9]$": A string that ends in a comma, followed by an alphanumeric character

You can also list the characters which you do not want to appear in the string. Use a '^' as the first symbol in a bracket expression. For example, "%[^a-zA-Z]%" matches a string with a character that is not a letter, between two percent signs.

To take the characters "^.[$()|*+?{\" literally, they must be preceded by a backslash ('\'), since otherwise they have a special meaning. This includes the backslash character itself. Remember that bracket expressions are an exception to the above rule. Within brackets, all special characters, including the backslash ('\'), lose their special meanings. For example, "[*\+?{}.]" matches precisely any of the characters within the brackets.
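The following script is an added example, not part of the Radware guide: it exercises the syntax above with grep -E and builds the anchored, escaped pattern for a literal hostname, which is what a DNS Regexp Hostname entry needs if it is to match one host and not every name that merely contains it. It assumes LinkProof's matcher behaves like POSIX ERE for the constructs described; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Radware guide): check the appendix's regex
# constructs with grep -E, assuming POSIX ERE behaves like LinkProof's matcher
# for anchors, bounds, alternation, bracket expressions and backslash escapes.

# lp_re_match PATTERN STRING: exit 0 if PATTERN matches anywhere in STRING.
# Without '^' and '$' the match is a substring match, as the "notice" example says.
lp_re_match() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# lp_re_count PATTERN STRING...: how many of the strings PATTERN matches.
lp_re_count() {
    pat=$1; shift; n=0
    for s in "$@"; do
        lp_re_match "$pat" "$s" && n=$((n + 1))
    done
    echo "$n"
}

# lp_literal_hostname_re HOSTNAME: the pattern that matches exactly HOSTNAME.
# Each character the appendix lists as special ("^.[$()|*+?{\") is escaped with
# a backslash and the result is hooked to both edges. An unescaped '.' is "any
# single character", and an unanchored pattern also matches longer names that
# contain the hostname, so a loose entry accepts far more than intended.
lp_literal_hostname_re() {
    esc=$(printf '%s\n' "$1" | sed 's/[][^.$()|*+?{\\]/\\&/g')
    printf '^%s$\n' "$esc"
}

if [ "${1:-}" = "demo" ]; then
    loose='www.example.com'
    strict=$(lp_literal_hostname_re www.example.com)
    echo "loose  matches: $(lp_re_count "$loose"  www.example.com wwwXexampleYcom www.example.com.example.net)"
    echo "strict matches: $(lp_re_count "$strict" www.example.com wwwXexampleYcom www.example.com.example.net)"
fi
```

With the loose form "www.example.com" all three demo names match; the strict form from lp_literal_hostname_re matches only the literal hostname.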
Appendix D – Index

A
Action 8-338
Active 7-259
Advanced Filters 7-253, 7-262, 7-272, 8-341
Application Classification 8-336
Application Security 7-231

B
Backup Device in VLAN 6-208
Backup Fake ARP 6-208
Backup Interface Grouping 2-43, 6-206
Bandwidth Management 1-23, 8-335
Basic Filters 7-271, 8-341

C
Classification 8-336, 8-349
Content 1-21, 8-341
Content Parameters 7-250, 7-272, 7-287, 7-296

D
Destination 8-337
Detecting 7-232
Device Management CLI 2-43
Device Notifications 2-65–2-66
Device Security 2-45–2-48
Device Tuning 2-56–2-65
Device Upgrading 2-48
Direct Connection 6-221
Direction 8-337
Dormant 7-259
DoS Shield 7-259, 7-260

E
E-mail Traps 7-312

F
Farm 1-20
Farm Health Check 9-363
Filter Groups 8-341

G
Groups 7-254, 7-288, 7-298

H
Hardware Licenses, Upgrading 2-54
Health Monitoring 1-23

I
Important Notice 1-3
Inbound Physical Port Group 8-338
Interface
  Loopback A-407–A-412
Interface Grouping 6-205
IP Addressing 3-79
IP fragmentation 7-284

L
Loopback Configuration A-407
Loopback Configuration
  AIX A-408
  HP-UX A-408
  Linux A-409
  Solaris A-410
  Windows NT A-410
Loopback Interfaces 10-400

M
Management 1-24
Management Interfaces 2-29
Mirroring 6-206

N
NAT 1-21

O
OMPC 7-248, 7-287, 7-296
Open Shortest Path First (OSPF) 3-82

P
Panic Mode 7-260
Ping Physical Port 2-43
Policies 8-336, 8-340, 8-349
Port Management 3-69–3-71
Port Mirroring 3-69
Port Trunking 3-70
Preventing 7-232
Proprietary ARP 6-207
Protocol Discovery 8-348

R
RADIUS Authentication 2-47
Redundancy 1-21, 6-203
Regular Expressions in WSD A-413–A-414
Reporting 7-232
Resetting Devices 2-56
Restoring Configuration Files 2-52
Routing 3-79
Routing Information Protocol (RIP) 3-80
Routing, Routing Table 3-79

S
Safety Instructions 1-5
Sampling 7-260
Scheduler Algorithm 8-335
Security 1-23
Server 1-21
Service 8-338
Signature File Update 7-299
Signatures Database 7-299
SNMP Configuration 2-29–2-41
Source 8-337
SuperFarm 1-21
Switched VLAN 3-73
SynApps Models 8-335

T
Tagging, VLAN 3-73
Telnet and SSH Configuration 2-41
Tracking 7-251, 7-272, 7-287, 7-296
Traffic Redirection 1-23
Tuning 7-305
Types of Attacks 7-232

U
Upgrading Boot Versions 2-55
Upgrading devices in WBM 2-54

V
Virtual LAN, general 3-72
VLAN
  Bridging 3-73
  Configuration 3-74
  Tagging Support 3-76
VLAN Tag Group 8-338
VLAN Tagging 3-78
VLAN Types
  Regular 3-73
  Switched 3-73
VRRP 6-213
VRRP nxn Redundancy 6-219

W
Warm-up Time 4-105