Virus Throttling
General Operation of Connection-Rate Filtering
Sensitivity to Connection Rate Detection
The switch includes a global sensitivity setting that enables adjusting the ability of connection-rate filtering to detect relatively high instances of connection-rate attempts from a given source.
Application Options
For the most part, normal network traffic is distinct from the traffic exhibited by malicious agents. However, when a legitimate network host generates multiple connections in a short period of time, connection-rate filtering may generate a “false positive” and treat the host as an infected client. Lowering the sensitivity or changing the filter mode may reduce the number of false positives. At the same time, relaxing filtering and sensitivity provisions lowers the switch’s ability to detect worm-generated traffic in the early stages of an attack, and should be carefully investigated and planned to ensure that a risky vulnerability is not created. As an alternative, you can use connection-rate ACLs (access control lists) or selective enabling to allow legitimate traffic.
Selective Enable. This option involves applying connection-rate filtering only to ports posing a significant risk of attack. For ports that are reasonably secure from attack, there may be little benefit in configuring them with connection-rate filtering.
Connection-Rate ACLs. The basic connection-rate filtering policy is configured per-port as notify-only, throttle, and block. A connection-rate ACL creates exceptions to these per-port policies by creating special rules for individual hosts, groups of hosts, or entire subnets. Thus, you can adjust a connection-rate filtering policy to create and apply an exception to configured filters on the ports in a VLAN. Note that connection-rate ACLs are useful only if you need to exclude inbound traffic from your connection-rate filtering policy. For example, a server responding to network demand may send a relatively high number of legitimate connection requests. This can generate a false positive by exhibiting the same elevated connection-rate behavior as a worm. Using a connection-rate ACL to apply an exception for this server allows you to exclude the trusted server from connection-rate filtering and thereby keep the server running without interruption.
Note
Use connection-rate ACLs only when you need to exclude a routed traffic source (including traffic with specific UDP or TCP criteria) from a connection-rate filtering policy. Otherwise, the ACL is not necessary.
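As an added illustration (not from the ProCurve guide and not the switch's implementation), the following Python model shows how the sensitivity setting, the per-port policy and a connection-rate ACL exception interact on a constructed trace. The thresholds, time window, port names and addresses are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed thresholds: connection attempts from one source within WINDOW seconds
# before the per-port policy acts. Illustrative values only, not the switch's.
WINDOW = 1.0
SENSITIVITY = {"low": 50, "medium": 20, "high": 10, "aggressive": 5}


@dataclass
class ConnectionRateFilter:
    sensitivity: str = "medium"
    port_policy: dict = field(default_factory=dict)  # port -> notify-only | throttle | block
    acl_ignore: set = field(default_factory=set)     # hosts exempted by a connection-rate ACL
    events: list = field(default_factory=list)       # (ts, port, src_ip, action) for the log
    _attempts: dict = field(default_factory=lambda: defaultdict(deque))

    def observe(self, port, src_ip, ts):
        """Record one inbound connection attempt and return the action taken:
        'forward', 'notify-only', 'throttle' or 'block'."""
        policy = self.port_policy.get(port)
        if policy is None or src_ip in self.acl_ignore:
            return "forward"  # port not selectively enabled, or host exempted by ACL
        window = self._attempts[src_ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW:  # drop attempts older than WINDOW
            window.popleft()
        if len(window) > SENSITIVITY[self.sensitivity]:
            self.events.append((ts, port, src_ip, policy))
            return policy
        return "forward"


def simulate(sensitivity="medium", exempt_server=False):
    """Constructed trace: a busy but legitimate server (10.0.0.5) on a throttled port
    and a worm-like host (10.0.0.99) on a blocking port each open 30 connections
    in one second. Returns the final action applied to each host."""
    f = ConnectionRateFilter(sensitivity=sensitivity,
                             port_policy={"A1": "throttle", "A2": "block"})
    if exempt_server:
        f.acl_ignore.add("10.0.0.5")  # the connection-rate ACL exception for the server
    actions = {}
    for host, port in (("10.0.0.5", "A1"), ("10.0.0.99", "A2")):
        for i in range(30):
            actions[host] = f.observe(port, host, i / 30.0)
    return actions


if __name__ == "__main__":
    print("medium, no ACL:   ", simulate())
    print("medium, ACL:      ", simulate(exempt_server=True))
    print("low, no ACL:      ", simulate(sensitivity="low"))
```

At medium sensitivity the server is a false positive unless the ACL exempts it; lowering sensitivity to low removes the false positive but also lets the worm-like burst pass, which is the trade-off the text describes.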
3-6