WANGUARD 5.2 User Manual & Administrator's Guide
○ Limit the attack patterns and accept local valid traffic – The Filter detects, reports and rate-limits the attack patterns to the threshold values. The Filter only accepts attack-pattern traffic that does not exceed the anomaly's traffic type packets/second threshold value for the attacked IP address.
○ Apply default INPUT policy – The Filter detects and reports the attack patterns, and the default Netfilter INPUT policy is applied. Netfilter is still being used, but all the rules have the “RETURN” target. This is used mainly when debugging Netfilter rules.
● HW Filtering Policy
The Hardware Filtering Policy lets you select which hardware filters will be applied when the Filter detects an attack pattern.
○ No hardware filtering – The Filter detects and reports attack patterns but no hardware-based filters are applied.
○ Intel X520 10 Gbps NIC - block only IPv4 sources – The Filter blocks the sources of the attacks, but only if the sources are non-spoofed IPv4 addresses. For protecting against attacks with random IP sources, also define a SW Filtering Policy.
○ Intel X520 10 Gbps NIC - block only IPv4 destinations – The Filter blocks the IPv4 destinations of the attacks, for any attack patterns it finds. Also known as black-holing.
○ Intel X520 10 Gbps NIC - PF_RING – The Filter uses the PF_RING framework to apply the following hardware-based filtering rules: Source IP, Destination IP, TCP/UDP Source Port, TCP/UDP Destination Port, IP Protocol. Other attack patterns cannot be filtered by the X520 NIC.
● Use PF_RING
Enable if you have PF_RING installed on the server. PF_RING provides high-speed packet analysis.
● Traffic Diversion
The Traffic Diversion field provides a selection of currently defined BGP Connections that may be used for traffic diversion. When a BGP Connection is selected, the Filter sends a BGP announcement through it, so that the Filter system becomes the next-hop for the attacked IP address. When the attack ends, the Filter automatically withdraws the BGP announcement and the traffic towards the IP address will be routed normally.
For more information about defining BGP Connections, please consult the BGP Connection Setup chapter on page 51. If the Filter system is deployed in-line, or you don't plan to use traffic diversion, you can leave the BGP Connection field set to “None”.
● Filters Timeout
This field contains the number of seconds of inactivity required for the deletion of an attack pattern. If set to 0, no detected attack pattern is deleted until the attack stops and the Filter becomes inactive. Usually, an attack pattern is associated with a filter (see Filtering Policy below).
● Whitelists
A Filter Whitelist is a collection of user-created rules that prevents the filtering of critical traffic types. If the filtering policy permits, the Filter could filter attack patterns that you really don't want to be filtered. The Filter filters destination ports and destination IP addresses only in worst-case scenarios, when no other attack pattern is detected. In some cases, it's better to let the malicious traffic enter the network than to filter some critical destination IPs and destination ports. For example, if your DNS server is being attacked by spoofed addresses on port 53 UDP, then the Filter might filter port 53 UDP traffic towards
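The Filters Timeout and Whitelists behaviour described above, modelled as an added Python example (not Wanguard's own code; the pattern kinds, rule fields and the sample DNS server address are constructed for illustration): a whitelist rule shields port 53 UDP, destination IP/port patterns are used only when no more specific pattern exists, and patterns expire after the configured inactivity period or, with timeout 0, only once the attack stops.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed model of the "Filters Timeout" and "Whitelists" settings.
# Not Wanguard's code; pattern kinds and field names are assumptions.
LAST_RESORT = {"dst_ip", "dst_port"}  # filtered only when no other pattern exists
@dataclass(frozen=True)
class Pattern:
    attacked_ip: str   # IP address under attack
    kind: str          # "src_ip", "dst_ip" or "dst_port"
    value: str         # e.g. "198.51.100.9" or "udp/53"
@dataclass(frozen=True)
class WhitelistRule:
    attacked_ip: str   # "*" matches any attacked IP
    kind: str
    value: str
    def protects(self, p: Pattern) -> bool:  # True if the rule shields p
        return (self.attacked_ip in ("*", p.attacked_ip)
                and self.kind == p.kind and self.value == p.value)

class FilterState:
    def __init__(self, filters_timeout: int, whitelist: list[WhitelistRule]):
        self.timeout = filters_timeout      # 0 = keep until the attack stops
        self.whitelist = whitelist
        self.last_seen: dict[Pattern, float] = {}
    def observe(self, p: Pattern, now: float) -> None:
        self.last_seen[p] = now             # pattern seen (again) at time `now`
    def expire(self, now: float, attack_active: bool) -> None:
        """Drop patterns idle for `timeout` s; timeout 0 keeps all until the attack stops."""
        if self.timeout == 0:
            if not attack_active:
                self.last_seen.clear()
            return
        self.last_seen = {p: t for p, t in self.last_seen.items()
                          if now - t < self.timeout}
    def filters_to_apply(self) -> set[Pattern]:
        """Patterns the Filter acts on: whitelisted ones are skipped, and
        destination IP/port patterns apply only when nothing better exists."""
        chosen = set()
        for p in self.last_seen:
            if any(r.protects(p) for r in self.whitelist):
                continue
            specific = [q for q in self.last_seen if q.attacked_ip == p.attacked_ip
                        and q.kind not in LAST_RESORT]
            if p.kind in LAST_RESORT and specific:
                continue
            chosen.add(p)
        return chosen
```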
- 55 -