0% found this document useful (0 votes)

1K views

300-101 DP Training 6-00 Level1 Manual v4

Uploaded by

Thomas Mpourtzalas

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

1K views

300-101 DP Training 6-00 Level1 Manual v4

Uploaded by

Thomas Mpourtzalas

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 135

Course Code: 300-101 D e f e ns e P r o L e v e l 1 T r a i ni n g M a n ua l

February, 2012

This document is protected by United States and International copyright laws. Neither this document nor any material contained within it may be duplicated, copied or reproduced, in whole or part, without the expressed written consent of Radware, Inc. The features and functions of Radware devices discussed in this document are based on the following firmware version. Product DefensePro APSolute Vision Version 6.00.x 1.12

If your Radware device is running an older version of firmware or if you are using an older version of APSolute Vision, some of the features and implementations discussed in this manual may not be available. To upgrade your existing Radware device, please contact your Radware sales person. Conventions The following font conventions are used in this manual: Bold indicates the series of menu items in APSolute Vision used to reach a particular screen or window Underline indicates an option or entry within a APSolute Vision screen or window Italics indicates the value or setting supplied in a window or screen Courier indicates CLI or telnet commands

300-101: DefensePro Level 1 Lab Manual

| Page 2

Table of Contents
Lab Configuration Information .......................................................................................... 5 Lab 1a Initial DefensePro Setup .................................................................................... 6 Lab 1b - Connecting to your DefensePro using APSolute Vision .................................... 12 Lab 2 Administering DefensePro ................................................................................. 19 Lab 3 Behavioral DoS Protection ................................................................................. 24 Lab 4 Worm Propagation Prevention & Anti-Scanning................................................. 36 Lab 5 SYN Flood Protection ........................................................................................ 40 Lab 6 Connection Limits .............................................................................................. 42 Lab 7 Server Cracking Protection ................................................................................ 45 Lab 8 HTTP Mitigator Protection.................................................................................. 49 Lab 9 Signature Protection .......................................................................................... 53 Lab 10 - Building a Custom Signature ............................................................................ 59 Lab 11 Policy Exceptions (Black & White lists) ............................................................ 63 Lab 12 Stateful Access List (ACL) ............................................................................... 67 Lab 13 Bandwidth Management .................................................................................. 71 Lab 14 APSolute Vision Reporter ................................................................................ 75 Lab 1b CLI Configuring the DefensePro using APSolute Vision for attack reporting .... 79 Lab 2 CLI Administering DefensePro in CLI ................................................................ 84 Lab 3 CLI Behavioral DoS Protection .......................................................................... 87 Lab 4 CLI Worm Propagation Prevention & Anti-Scanning ........................................ 100 Lab 5 CLI SYN Flood Protection ................................................................................ 104 Lab 6 CLI Connection Limits...................................................................................... 107 Lab 7 CLI Server Cracking Protection........................................................................ 110 Lab 8 CLI HTTP Mitigator Protection ......................................................................... 113 Lab 9 CLI Signature Protection .................................................................................. 117 Lab 10 CLI - Building a Custom Signature .................................................................... 123 Lab 11 CLI Policy Exceptions (Black & White lists) .................................................... 128 Lab 12 CLI Stateful Access List (ACL) ....................................................................... 132 Appendix-A Install APSolute Vision Client ................................................................. 135

300-101: DefensePro Level 1 Lab Manual

| Page 3

300-101: DefensePro Level 1 Lab Manual

| Page 4

Lab Configuration Information

During the training, students are divided into teams (Team 1, Team 2, etc) and each team will configure and manage a single Radware device. The steps and diagrams within the training material are based on this type of lab setup. In some situations, your instructor may have to deviate from the standard configuration to accommodate more students or to account for less available time. The labs in this manual are designed to demonstrate the more commonly used features and functions on Radwares DefensePro. There are a great number of features on all Radware devices, and it would be impossible to provide labs for all of them without increasing the training period to several weeks. Each lab contains step-by-step instructions on how to configure the device correctly using APSolute Vision. These steps are illustrative only and are usually based only on the configuration of one device in the training lab. Pay close attention to the tables and charts within the lab instructions. You will be expected to apply the appropriate settings for your device only. It will make for a particularly long day for you (and your instructor) if several students mistakenly use addresses and settings that belong to other students. If you have any questions about how to configure your Radware device during a particular lab, please ask your instructor for assistance.

Figure 1 Team # Lab Configuration

300-101: DefensePro Level 1 Lab Manual

| Page 5

Lab 1a Initial DefensePro Setup

Go back to Table of Content Lab Goals: Establish a serial connection to the device (In this lab the connection is already configured to the terminal server, you will telnet to the port given in class) Apply the required minimum settings through the Startup Menu to allow APSolute Vision connectivity Configure and test SSH access Configure and test Secured Web Based Management Review the various options and settings available through the initial command line menu

300-101: DefensePro Level 1 Lab Manual

| Page 6

Step-by-step: 1. Review your topology on page 4 (Note # = Team number) if you have any questions please ask your instructor 2. Connect to your device with the information your instructor provided at the start of the lab exercises. 3. Follow the steps below to reset the device to factor defaults:
a. b. c. d. e. f. g. h. Press the enter key a few times and make sure you get an DefensePro> prompt. Login in with default user name and password (radware). From the DefensePro# prompt type reboot and hit enter. When the device begins to boot up, you will see a message that says Press any key to pause autoboot Press any key on the keyboard (you have 3 seconds to do this) From the > prompt type q1 and press enter This action removes configuration file. Do you want to continue (y/n) ? press y When the erase configuration completes and the > comes back, type @ and press enter.

The device will be reset to factory defaults and the Startup Configuration screen will come up.
Startup Configuration 0. IP address 1. IP subnet mask 2. Default router IP address 3. User Name 4. User Password 5. Enable Web Access 7. Enable Telnet Access 8. Enable SSH Access 9. SNMP Configuration (y/n) [n] (y/n) [n] (y/n) [n] 6. Enable Secure Web Access (y/n) [n]

4. Assign the following values for management of the DefensePro: 0. IP address 1. IP subnet mask 2. Port number = 10.10.244.# = 255.255.248.0 = MNG-1

3. Default router IP address = 10.10.240.1 For ALL other values press <Enter> to use the default settings! Note: # = team number

300-101: DefensePro Level 1 Lab Manual

| Page 7

5. You cannot go back to a previous menu item if you made a mistake. You must enter all items and then at the end select Y then N to go back to the start 6. When you hit <Enter> at the SNMP Configuration option, a new window will appear with additional settings for SNMP:

SNMP Startup Configuration 0. 1. 2. 3. 4. 5. 6. 7. 8. Supported SNMP versions Community SNMP root user Privacy Protocol Privacy Password [1 2 3] [public] (NONE/DES) [DES]

Authentication Protocol (NONE/SHA/MD5) [MD5] Authentication Password NMS IP address Configuration file name

7. Please leave everything to default by hitting <Enter> for the each item to apply default settings, so that your instructor can access the device during training. Continue with the current configuration (y/n): y 8. If your configuration is correct, select y and hit enter. The device will reboot and you should be able to connect to it with APSolute Vision in the next lab. 9. If you have made a mistake, select n and then hit <Enter> to reach the desired line and make whatever changes are necessary. 10. When the device has finished restarting, you will have to log in to the unit by typing: login. Unless you changed the username and password during the initial configuration, you should be able to use radware for both the username and password. 11. When you have logged in, use the question mark (?) to display the commands.

300-101: DefensePro Level 1 Lab Manual

| Page 8

12. You should see a list of commands similar to the one below:

acl bwm classes device dp help login logout manage net ping reboot security services shutdown ssh statistics system telnet trace-route DefensePro#

Access control list Policy management and classification Configures traffic attributes used for classification Device Settings DefencePro Security settings Displays help for the specified command Login into the device Logout of the device Device management configuration Network configuration Pings a remote host. Reboot the device Device Security General networking services Shutdown Connect via SSH to a remote host. Device statistics configuration. Sets system parameters. Connects to a remote host via telnet. Measures hops and latency to a given destination.

13. Use the command net ip-interface to make sure the unit shows the appropriate interface address. 14. From the command line, ping the default gateway address 10.10.240.1. Then ping the IP address of the APSolute Vision server 10.10.240.10 to make sure you have basic network connectivity. Let your instructor know if you are unable to reach either of these hosts. 15. Take a look at some of the CLI commands available. Feel free to ask your instructor questions about these functions, but bear in mind that almost all of the commands available here will be accessible through APSolute Vision.

Note: As a general rule, you will find it helpful to leave your workstations connected to the Defense Pro through the CLI for the duration of the labs. There are a number of traps and error messages that the device will generate through the CLI and these can useful for trouble-shooting.

300-101: DefensePro Level 1 Lab Manual

| Page 9

16. Enable SSH from the Command Line Interface: manage ssh status set 1 (1=enable, 2=disable) 17. Create a username and password so that you can access the device through Telnet or you can use the default username and password of radware: manage user table create team# -pw team# Use your teams number (#) for the username and password. 18. Change the prompt of the CLI to show your Team# manage terminal prompt set DP-Team# 19. Open a SSH session to your device from the VNC station using putty and the management IP and supply the appropriate username and password. Type ? and then hit the <Enter> key. You should see a list of commands identical to those displayed through the CLI. 20. Enable Web Based Management. From the CLI or from your Telnet connection, enter the following command (Secure Web is also supported): manage web status set enable 21. You can now open a browser from your workstation (Not the VNC Station) http://<URL of LAB>:<Port> (9201 9212) For example, students of Team 1 using the NJ LAB use: http://njlab1.radware.net:9201 22. You should be prompted for a username and password. Use the username and password that you created. 23. Enable NTP time synchronization for accurate reporting services ntp server-name set 10.10.240.1 services ntp status set enable

300-101: DefensePro Level 1 Lab Manual

| Page 10

Enabled Features
By default all the needed features are enabled. To verify you type the commands below and the status for each feature should show as enable Application Security: dp signatures-protection application-security global status Packet Reporting: dp reporting packet-report status DOS Shield: dp signatures-protection dos-shield global status Session Table: device session-table status SYN Protection: dp syn-protection status Behavioral DoS: dp behavioral-DoS global status Anti Scanning: dp anti-scanning global status HTTP Mitigator: dp http-mitigator global status

300-101: DefensePro Level 1 Lab Manual

| Page 11

Lab 1b - Connecting to your DefensePro using APSolute Vision

Go back to Table of Content To manage a Radware device using APSolute Vision, please follow the steps below: 1. For your convenience, the classroom central APSolute Vision device is already setup. 2. You need to install APSolute Vision please refer to Appendix-A Installing the APSolute Vision Client.

3. Start APSolute Vision using the Icon (Desktop or Start-Menu) 4. login screen type in the following information: User Name DP-Team# (where # is your team number) Password radware Vision Server vision.radware.muc (in Munich) or 10.10.240.10 (in the USA) Authentication Local and click on Login to login.

300-101: DefensePro Level 1 Lab Manual

| Page 12

5. After few seconds, the main APSolute Vision window appears:

6. If you device is not visible (please do not delete your device if it IS visable) do a right click on Default in the System window and select New > DefensePro

7. In the Edit Device Connection Information window you only need to fill the Name of the device and the Management IP, the rest we use the defaults in our training. Name Management IP DefensePro Team # 10.10.244.# (where # is your team number)

Note: If youre facing problems connecting to your device, contact your instructor. 8. Click OK, APSolute Vision will now connect to the device.

300-101: DefensePro Level 1 Lab Manual

| Page 13

9. Right click on the DP and select Lock;

The DP logo should show a lock now:

NOTE: This feature will prevent anyone else from making configuration changes during your session.

300-101: DefensePro Level 1 Lab Manual

| Page 14

Enabling Security Reporting

1. You find the Security Reporting settings at the Configuration perspective > Advanced Parameters > Security Reporting Settings.

2. Click the Security Reporting Settings in the tab navigation pane. The setting appears on the right part of the content area. 3. In order to receive security traps in CLI place a check-mark in the box beside Enable Sending Terminal Echo (enable it). 4. In order to send security traps to a Syslog server place a check-mark in the box beside Enable Sending Syslog (enable it). 5. Make sure the Enable Sending Traps is checked. 6. Make sure at the Data Reporting Destination the IP of the Vision appliance is added (10.10.240.10). Use right mouse click or the 7. Make sure the following are sets: a. Minimal Risk for Sending Traps: b. Minimal Risk for Sending Syslog: c. Minimal Risk for Sending Terminal Echo: d. Minimal Risk for Sending Email: 300-101: DefensePro Level 1 Lab Manual Info Info Info Info | Page 15 button.

8. Make sure that in the Data Reporting Destinations section the Vision appliance is listed as the target:

9. Click the submit button to apply your changes. 10. Go to Configuration > Device Security > SNMP >Target Address and add an entry to send SNMP traps to the Vision server Press the a. Name: b. IP Address and L4 Port: c. Mask: d. Tag list: e. Target Parameters Name: button and make sure the following are sets: Vision 10.10.240.10-162 0.0.0.0 v3Traps public-v1

Modifying Classes
Port Groups: 1. Go to Configuration perspective > Classes > Modify Configuration > Physical Ports and click the button. 2. For the Physical Ports Group Name use G1-Inbound and select in the drop-down menu Inbound Port G-1. 3. Click OK to add the port group. 4. Click Activate Latest Changes

300-101: DefensePro Level 1 Lab Manual

| Page 16

Networks: 5. Select the Networks folder under Modify Configuration 6. Do a right click in the Network Name Table and select Add New Network

7. In the Edit Network Entry window enter the Network Name protected and do a right click in the table below to create a new Network Group. Fill in the following information: Entry Type IP Mask Network Type Network Address Mask IPv4 27.1.0.0 255.255.0.0

Click OK to add the new entry and click Close to close the Edit Network Entry window. 8. Click Activate Latest Changes in the Network window.

Creating a Network Protection Rule

9. Go to Configuration perspective > Network Protection and click the button. 10. The Add New Network Protection Rule window appears. 11. Name the policy in the Basic Parameters section. Rule Name: NWRule_Team#. 12. In the Classification section select for SRC Network the predefined network any from the dropdown list. 13. For the DST Network select protected from the dropdown list. 14. In the drop-down-button next to Port Group and select the port group we just created in the beginning of the lab and click OK. 15. In the New Network Protection Rule window change the Direction to Two Way and click OK to close this window.

300-101: DefensePro Level 1 Lab Manual

| Page 17

16. Click Activate Latest Changes below the Network Protection Rule 17. Your Network Protection Rule table should look like this:

300-101: DefensePro Level 1 Lab Manual

| Page 18

Lab 2 Administering DefensePro

Go back to Table of Content Lab Goals: Enable and configure various options related to managing the DefensePro itself: 1. Upgrade the devices software 2. Security Update Service Updating the Attack Database 3. Downloading device configuration file 4. Updating the Devices License 5. Enabling Syslog Reporting In Most classes no new Software or Attack Database are available, the next two sections are more for information reference. Most of this will be done in the Monitoring perspective if you do a right click on the device:

300-101: DefensePro Level 1 Lab Manual

| Page 19

Upgrade the devices software 1. Obtain the new firmware file from your instructor along with a password for your device.1 2. Right-click the device and select Manage Software Versions and the Software Upgrade window will open. 3. Click the Browse button, and locate the new firmware file. 4. In the Software Version section enter the new version number: for example 5.01.04 5. In the Password section, enter the password for your specific unit and verify it in the Verify Password section. 6. Click the Send button, this will perform the software update including a reboot.

7. You will get the following message:

8. If you want to see what happens during the upgrade open a connection to the serial console of your device.

This may not be possible to perform in all lab environments since your instructor will need access to the internet in order to generate a password for the unit.

300-101: DefensePro Level 1 Lab Manual

| Page 20

Security Update Service Updating the Attack Database 1. Right-click the device and select Update Security Signature and the Update Attack Signature File window will open.

2. Select the source of the update: - Radware.com will download the latest Vision version from the internet - Client: if you have downloaded the latest version already to your client 3. Click the Send button to start the update process via the internet. 4. You will get the following message:

5. Review the Alert pane to see if the update has successfully finished.

300-101: DefensePro Level 1 Lab Manual

| Page 21

Download Device Configuration File 1. Right-click the device and select Export Configuration File from Device and the Export Configuration File from Device window will open.

2. Here you can select if you want to save the configuration file at the APSolute Vision appliance or local at your client machine and the transport protocol. 3. Click Save to save the configuration file with the suggested name at the appliance. 4. The status of the process you can review again in the Alert pane

300-101: DefensePro Level 1 Lab Manual

| Page 22

Updating the Devices License 1. Select the Configuration perspective and select in the Setup tab the License Upgrade menu point. 2. Enter the new license in the New License Key or Throughput License Key field and Click the Submit button to apply your changes:

Note: If you add a new feature license you need to reboot the device to activate. Throughput licenses will be applied on the fly without reboot. 3. If you needed a reboot and after reboot is completed, close all opened window and repeat steps 1-2 to see the new license active.

Enabling Syslog Reporting 1. Select the Configuration perspective and select in the Setup tab the Syslog menu point. 2. Enable Syslog and use as the Server Address 192.168.150.253 (ask your instructor if you need to use a different syslog server and how to view the messages). 3. Click the Submit button to apply your changes

300-101: DefensePro Level 1 Lab Manual

| Page 23

Lab 3 Behavioral DoS Protection

Go back to Table of Content Lab Goals: Configure and monitor Behavioral DoS Protections

Step By Step: 1. The Behavioral DoS Module should already have been enabled on your teams device. However, you should verify this before proceeding. 2. Select the Configuration perspective and select in the Security Settings tab the BDos Protection menu point. 3. Make sure Enable BDos Protection and Enable Traffic Statistics Sampling are checked. 4. Set the Learning Response Period to Day. 5. Make sure the Footprint Strictness is set to Low. 6. Click the Submit button to apply your changes

7. Go to the Network Protection tab and select BDoS Profiles. 8. To create a new BDOS profile, click the Add Profile window appears. 9. For the Profile Name, enter BDoS. 10. Under Flood Protection Settings select all attacks to the profile by marking the check box in front of the attack name. 11. Under the section for Bandwidth Settings, change the values for Inbound and Outbound to 5000 300-101: DefensePro Level 1 Lab Manual | Page 24 button. The Add New BDoS

12. For testing purposes, we are going to modify the default Quota settings since the device hasnt had time to learn any network traffic patterns. 13. Make sure the Incoming and Outgoing TCP are set to 90. 14. Make sure the Incoming and Outgoing UDP are set to 70. 15. Change the Incoming and Outgoing ICMP values to 30. 16. Change the Incoming and Outgoing IGMP to 38. 17. Leave the Transparent Footprint Optimization unchecked. 18. Click OK to close this window.

19. In the menu tree of the Network Protection tab click on Network Protection Rules and double-click on the Rule we defined in Lab1 20. In the Action Section select the BDoS Profile we have just created and press OK Note: You can also add here a new BDoS Profile while pressing the button. 21. Press the button before you continue.

300-101: DefensePro Level 1 Lab Manual

| Page 25

Testing 1. Connect to a prepared Attacker PC via VNC <remote lab>:790# password = team# Note: please verify the URL of the Remote Lab you are using 2. In the New VNC session you might need to hit any key (for example the down arrow) to see the screen, since the PC will disable the display after some time. 3. Select Configure from the application main menu. 4. Select Manual (select it by hitting the space key) and then hit OK. 5. Enter IP address for the attacking PC: 27.1.#.10 ( # = Team-Number) 6. Enter Subnet mask for the attacking PC: 255.255.255.0 7. Enter Default Gateway: 27.1.#.100 8. Select Back. TCP Flood Scenario 1. On the Attacking PC, from the main Welcome Screen, select Network AttacksFloods Single Source TCP SYN Attack. 2. Make sure the destination address is set to 27.1.#.100 (# = Team-Number) and click OK. 3. Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:
20-08-2010 14:45:12 WARNING 73 Behavioral-DoS "network flood IPv4 TCP -SYN" TCP 0.0.0.0 0 0.0.0.0 0 0 Regular "lab" start 0 0 0 0 N/A high drop 20-08-2010 14:45:27 WARNING 73 Behavioral-DoS "network flood IPv4 TCP -SYN" TCP 27.1.1.10 31337 27.1.#.100 25 2 N/A "lab" sampled 1 0 0 0 N/A high drop 20-08-2010 14:45:42 WARNING 73 Behavioral-DoS "network flood IPv4 TCP -SYN" TCP 27.1.1.10 31337 27.1.#.100 25 2 N/A "lab" ongoing 0 0 0 0 N/A high drop 20-08-2010 14:45:52 WARNING 73 Behavioral-DoS "network flood IPv4 TCP -SYN" TCP 27.1.1.10 31337 27.1.#.100 25 2 N/A "lab" term 0 0 0 0 N/A high drop

4. In APSolute Vision, select the Security Monitoring perspective and select your device in the Security Dashboard tab.

300-101: DefensePro Level 1 Lab Manual

| Page 26

5. You will see the Security Dashboard. If you move the mouse over the attack you will see more informations.

Select Current Attacks in the content area to see the actual attacks. button

7. Keep the filter on default and click the

8. To see more details on the attack double-click on it. Explanation From the Current Attacks table it can be seen that this is a TCP-SYN attack. The source address indicates a single source attack. The attack footprint can be seen in the attack details. It reveals the ingredients of the footprint: source-port, source IP and packet size. The general attack characteristics can be viewed in the lower table. The attack statistics will show the attack statistics table. The Attack Statistics Graph will show the graphical representation of the attack over time.

300-101: DefensePro Level 1 Lab Manual

| Page 27

300-101: DefensePro Level 1 Lab Manual

| Page 28

If you like you can also view during the attack the Real-Time Behavioral-DOS statistics if you select the Protection Monitoring tab. Select Attack Traffic TCP(IPv4) in the tree menu and select the Protection Type TCP SYN. 1. No Attack

300-101: DefensePro Level 1 Lab Manual

| Page 29

2. Attack is starting Footprint lookup phase

3. Attack is ongoing Blocking phase

300-101: DefensePro Level 1 Lab Manual

| Page 30

4. Attack has finished

300-101: DefensePro Level 1 Lab Manual

| Page 31

UDP Flood Scenario 1. On the Attacking PC, from the main Welcome Screen, select Network AttacksFloods Single Source UDP Data Flood. 2. Make sure the destination address is set to 27.1.#.100 (#=Team-Number) and click OK. 3. Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:
20-08-2010 15:13:17 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 Regular "lab" start 0 0 0 0 N/A high drop 20-08-2010 15:10:57 WARNING 70 Behavioral-DoS "network flood IPv4 UDP" UDP 27.1.1.10 31337 27.1.#.100 135 2 N/A "lab" sampled 1 4 0 0 N/A high drop 20-08-2010 15:10:57 WARNING 70 Behavioral-DoS "network flood IPv4 UDP" UDP 27.1.1.10 31337 27.1.#.100 135 2 N/A "lab" ongoing 0 0 0 0 N/A high drop 20-08-2010 15:11:02 WARNING 71 Behavioral-DoS "network flood IPv4 UDP" UDP 27.1.1.10 31337 27.1.#.100 135 2 N/A "lab" term 0 0 0 0 N/A high drop

4. In APSolute Vision, select the Security Monitoring and Current Attacks tab. 5. Double click on the attack event.

300-101: DefensePro Level 1 Lab Manual

| Page 32

Explanation The attack type is UDP flood distributed source (you can notice the 0.0.0.0 IP in the source address column). Note: If you monitor the target computer with a sniffer software (like Ethereal), you could see some UDP packets reaching the target computer but then it stops as the DP is blocking the attack.

300-101: DefensePro Level 1 Lab Manual

| Page 33

ICMP Flood
1. On the Attacking PC, from the main Welcome Screen, select Network

AttacksFloods Single Source ICMP Echo Request Flood.

2. Make sure the destination address is set to 27.1.#.100 ( # = Team-Number) and

click OK. Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:
20-08-2010 16:57:07 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 Regular "lab" start 0 0 0 0 N/A high drop 20-08-2010 16:57:22 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 27.1.1.10 0 27.1.#.100 0 2 N/A "lab" sampled 1 4 0 0 N/A high drop 20-08-2010 16:57:37 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 N/A "lab" ongoing 0 0 0 0 N/A high drop 20-08-2010 16:57:47 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 N/A "lab" term 0 0 0 0 N/A high drop

3. In APSolute Vision, select the Current Attacks tab.

300-101: DefensePro Level 1 Lab Manual

| Page 34

4. Double click on the attack event to see Attack Information.

Explanation The attack type is ICMP flood from multiple sources. The attack footprint (the blocking rule created by the BDoS engine) is composed from Source IP.

300-101: DefensePro Level 1 Lab Manual

| Page 35

Lab 4 Worm Propagation Prevention & Anti-Scanning

Go back to Table of Content Lab Goals: Configure a worm propagation and Anti-Scanning Policy Monitor Anti Scanning using the Attack Tool.

Step By Step: 1. Select Configuration (perspective) > Security Settings (tab) > Anti-Scanning 2. In the Anti Scanning Parameters (right pane), mark the Enable Protection for Very Slow Scans. 3. Click the Submit button to apply the setting. 4. Select Configuration (perspective) > Network Protection (tab) > Network Protection Rules and double-click on the Rule we defined in Lab1 5. In the Action section click on the button next to Anti Scanning Profile and the Anti-Scanning Profiles window will open. 6. Right click inside the table and add a new entry. 7. For the new entry use the following entries: a. Rule Name b. Type c. Detection Sensitivity Level AntiScanning GW High

d. Accuracy Medium 8. Click OK to add the Profile and click OK to add the profile to rule. 9. Click OK to close the Edit Network Protection Rule window. 10. Click the Activate Latest Changes button to apply the changes.

300-101: DefensePro Level 1 Lab Manual

| Page 36

Testing Anti-Scanning Worm Propagation This attack demonstrates a worm propagation attack. 1. On the Attacking PC, from the main Welcome Screen, select Network Attacks. 2. Select Worm Propagation. 3. Select Slammer (UDP). 4. Enter the Destination Network Address: 27.1.20.x (really type x since the tool needs it!). 5. Review the CLI traps and monitor the security reports in Vision:
24-08-2010 11:23:17 WARNING 351 Anti-Scanning "UDP Scan (horizontal)" UDP 27.1.1.10 0 0.0.0.0 1434 2 Regular "lab" start 0 0 0 0 N/A medium drop 24-08-2010 11:23:27 WARNING 351 Anti-Scanning "UDP Scan (horizontal)" UDP 27.1.1.10 0 0.0.0.0 1434 2 Regular "lab" ongoing 46 0 0 0 N/A medium drop 24-08-2010 11:23:52 WARNING 351 Anti-Scanning "UDP Scan (horizontal)" UDP 27.1.1.10 0 0.0.0.0 1434 2 Regular "lab" term 0 0 0 0 N/A medium drop

6. Try to send legitimate traffic to the attacked host from the legitimate user station. 7. The DP will detect and block the attack while letting legitimate traffic to go through.

300-101: DefensePro Level 1 Lab Manual

| Page 37

Scanning This attack demonstrates a scan attempt: 1. On the Attacking PC, from the main Welcome Screen, select Network Attacks. 2. Select Scans. 3. Select TCP (L4). 4. Select Horizontal. 5. Select High (using space key). 6. Enter the Destination network address: 27.1.20.x (really type x since the tool needs it!): 7. Soon after the attack is initiated, the following traps are printed on the CLI:
24-08-2010 11:26:02 WARNING 350 Anti-Scanning "TCP Scan (horizontal)" TCP 27.1.1.10 0 0.0.0.0 80 2 Regular "lab" start 0 0 0 0 N/A medium drop 24-08-2010 11:26:02 WARNING 350 Anti-Scanning "TCP Scan (horizontal)" TCP 27.1.1.10 0 0.0.0.0 80 2 Regular "lab" ongoing 271064 127061 0 0 N/A medium drop 24-08-2010 11:26:32 WARNING 350 Anti-Scanning "TCP Scan (horizontal)" TCP 27.1.1.10 0 0.0.0.0 80 2 Regular "lab" term 0 0 0 0 N/A medium drop

8. Select Security Monitoring (perspective) > Current Attacks (tab) and doubleclick on the attack

9. If there are no monitoring data visible, mark the DP and press GO button.

300-101: DefensePro Level 1 Lab Manual

| Page 38

10.

300-101: DefensePro Level 1 Lab Manual

| Page 39

Lab 5 SYN Flood Protection

Go back to Table of Content Lab Goals: Configure a profile and policy to protect against SYN Floods Monitor the attack logs via Vision

Step By Step: 1. Select Configuration (perspective) > Network Protection (tab) > Network Protection Rules and double-click on the Rule we defined in Lab1 2. In the Action section click on the button next to SYN Flood Profile and the SYN Profiles window will open. 3. Right click inside the table and add a New SYN Profile. 4. For the Profile Name select SYNFlood 5. Right click inside the table and add a new SYN Flood Protection. 6. Select HTTP as the Protection Name 7. Click OK to add the protection to the profile 8. Click OK to close the Edit SYN Profiles window 9. Click OK to add the profile to rule. 10. Unselect the BDoS Profile from your Network Protection Rule. 11. Click OK to close the Edit Network Protection Rule window. 12. Click the Activate Latest Changes button to apply the changes.

300-101: DefensePro Level 1 Lab Manual

| Page 40

Testing SYN Protection 1. On the attacking computers, select Network Attacks Floods Single Source TCP SYN Attack. 2. Enter the destination address: 27.1.#.100 (# = Team-Number) and click OK. 3. Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:
09-07-2008 15:23:54 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "protected" start 0 0 0 0 N/A medium proxy DefensePro#09-07-2008 15:23:54 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "protected" ongoing 60364 28295 0 0 N/A medium proxy DefensePro#09-07-2008 15:24:09 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "protected" term 0 0 0 0 N/A medium proxy

4. In APSolute Vision, select the Security Monitoring perspective and select the Current Attack tab. Click the Go button:

5. Double-Click on the SYN Flood HTTP attack to see more details:

300-101: DefensePro Level 1 Lab Manual

| Page 41

Lab 6 Connection Limits

Go back to Table of Content Lab Goals: Create and test a Connection Limit policy.

Step By Step: 1. Go to Configuration > Network Protection > Connection Limit Profiles > Connection Limit Protections and add a new Protection. Click the Go To Protection Table button to add new parameters. 2. Use the following information: a. Protection Name b. Application Port Group Name c. Protection Name d. Number of Connections e. Tracking Type f. Action Mode g. Risk h. Suspend Action 3. Click OK to add the new protection. HTTPLimit http TCP 2 Source Count Drop Medium Source IP

4. Go to Configuration > Network Protection > Connection Limit Profiles and add a new Profile. 5. For the Profile Name use MyConLimit and click OK 6. Right click in the table to add a Connection Limit Protection to the Profile. 7. Select in the Protection Name the protection we just created and click OK 8. Click OK to add the profile 9. Go to Configuration > Network Protection Network > Protection Rules and double-click on your Network Protection Rule. 10. In the action section select the Connection Limit Profile we just created and click OK 11. Click on Activate Latest Changes

300-101: DefensePro Level 1 Lab Manual

| Page 42

Testing this lab 1. At the attacker go to Services Attacks > HTTP > Scanning and launch the attack against your target server 27.1.#.100. 2. You should see the following message at the DP serial console:
20-08-2010 12:33:36 WARNING 450001 DoS "HTTPLimit" TCP 27.1.1.10 36369 27.1.1.100 80 1 Regular "NWRule_Team1" start 1 0 0 0 N/A medium drop

3. Review the attack details in APSolute Vision > Security Monitoring > Security Dashboard.

300-101: DefensePro Level 1 Lab Manual

| Page 43

Review the attack details in APSolute Vision > Security Monitoring > Current Attacks.

300-101: DefensePro Level 1 Lab Manual

| Page 44

Lab 7 Server Cracking Protection

Go back to Table of Content Lab Goals: Configure a policy to protect against server cracking attacks. Monitor server cracking logs via Vision

Step By Step: 1. Make sure you removed the Connection Limit from Lab6 before you start. 2. Select Configuration (perspective) > Server Protection (tab) > Server Protection Policy 3. Press the button to add a New Server Protection WebserverTeam# 4. For the new entry use the following entries: a. Server Name b. IP Range just type: 27.1.#.100 5. On Server Cracking Profile, click on the button to create a new Server Cracking Profile. 6. Right click inside the table and add a New Server Cracking Profile. 7. For the Profile Name use ServerCracking and click OK 8. Select in the Edit Server Cracking Protection window the Action Block and Report 9. Right click inside the table and add a New Server Cracking Protection 10. For the new entry select the following entries: a. Server Cracking Protection Name b. Sensitivity c. Risk Brute Force Web Medium Medium

11. Click OK to add the new protection to the profile 12. Right click inside the table and add a New Server Cracking Protection 13. For the new entry select the following entries: a. Server Cracking Protection Name b. Sensitivity Web Scan Medium

c. Risk Medium 14. Click OK to add the new protection to the profile

300-101: DefensePro Level 1 Lab Manual

| Page 45

15. Your Server Cracking Profile should look like this:

16. Click OK close the new create Server Cracking Profile. 17. Click OK to select the new Server Cracking Profile in the Server ProtectionName the profile. 18. Your New Server Protection should look like this:

19. Click OK to add the New Server Protection. 20. Click the Activate Latest Changes button to activate the new settings.

300-101: DefensePro Level 1 Lab Manual

| Page 46

Testing Server Cracking Protection Brute Force: 1. On the attacking PC, select Services Attacks HTTP Cracking. 2. Enter IP address for the attacked PC: 27.1.#.100 (# = Team-Number) and click OK. 3. Enter destination URL /account.aspx
4.

Soon after the attack is initiated, the following CLI traps are printed:
DP-Team1#01-12-2011 21:03:27 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1 .1.10 35080 27.1.1.100 80 1 Regular "Webserver Team1" start 0 0 N/A 0 N/A medium drop

5. DP-Team1#01-12-2011 21:03:27 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1 .1.10 35080 27.1.1.100 80 1 Regular "Webserver Team1" ongoing 2 1 N/A 0 N/A medium drop

6. DP-Team1#01-12-2011 21:04:07 WARNING 401 Cracking-Protection "Web Scan"

TCP 27.1. 1.10 35080 27.1.1.100 80 1 Regular "Webserver Team1" term 0 0 N/A 0 N/A medium drop

7. In Vision, select the Security Monitoring > Current Attacks tab. 8. Double-Click on the Brute Force Web attack to see the attack details:

300-101: DefensePro Level 1 Lab Manual

| Page 47

Testing Server Cracking Protection Web Scan: 1. On the attacking PC, select Services Attacks HTTP Scanning. 2. Enter IP address for the attacked PC: 27.1.#.100 and click OK. 3. Enter destination URL (i.e. /accounts.aspx). 4. Soon after the attack is initiated, the following CLI traps are printed:
DP-Team1#01-12-2011 21:11:57 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 50496 27.1.1.100 80 1 Regular "Webserver Team1" start 0 0 N/A 0 N/A medium drop DP-Team1#01-12-2011 21:11:57 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 50496 27.1.1.100 80 1 Regular "Webserver Team1" ongoing 82 47 N/A 0 N/A medium drop DP-Team1#01-12-2011 21:12:02 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 50496 27.1.1.100 80 1 Regular "Webserver Team1" ongoing 84 48 N/A 0 N/A medium drop DP-Team1#01-12-2011 21:12:07 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 50496 27.1.1.100 80 1 Regular "Webserver Team1" ongoing 90 52 N/A 0 N/A medium drop

9. In Vision, select the Security Monitoring > Current Attacks tab. 5. Double-Click on the Web Scan attack to see the attack details:

300-101: DefensePro Level 1 Lab Manual

| Page 48

Lab 8 HTTP Mitigator Protection

Go back to Table of Content Lab Goals: Configure a security policy to protect against HTTP Mitigation attacks. Monitor HTTP Mitigator logs and web server behavioral parameters in Vision

Step By Step: 1. Select Configuration (perspective) > Security Settings (tab) > HTTP Flood Protections 2. Change the Learning Period Before Activation to 0 Days. Note: This is needed since we want the system to block immediate. 3. Click the (Submit) button to apply the setting. 4. Select Configuration (perspective) > Server Protection (tab) > Server Protection Policy 5. Double-Click on the Server Protection we created in the last lab. 6. Remove the Server Cracking Profile 7. Click on the button to create a new HTTP Flood Protection Profile. 8. Right click inside the table and add a HTTP Flood Protection Profile. 9. For the new entry use the following entries: a. Profile Name HTTPFlood b. Sensitivity c. Action Medium Block and Report

10. Since we dont have time to learn we will configure the thresholds manually. For this we need to check the Use the following thresholds to identify HTTP Flood attacks checkbox in the User-Defined Attack Triggers section. 11. In the Manual Configuration section add the following: a. Get and POST Request-Rate Trigger b. Other Request-Type-Request-Rate Trigger c. Outbound HTTP BW Trigger d. Request-per-Source Trigger e. Request-per-Connection Trigger 5 HTTP req./sec. 2 HTTP req./sec. 1 Kbps 5 HTTP req./sec. 5 HTTP req./sec.

300-101: DefensePro Level 1 Lab Manual

| Page 49

12. Your HTTP Flood Protection Profile should look like this:

13. Click OK and OK again to add the Profile. 14. Click OK to close the Server Protection window. 15. Click the Activate Latest Changes button to activate the new settings.

300-101: DefensePro Level 1 Lab Manual

| Page 50

Testing HTTP Mitigator: 1. On the attacking computer select Service Attacks HTTP Flooding. 2. Enter IP address for the attacked PC: 27.1.#.100. 3. Make sure the destination URL is set to /index.html. 4. Soon after the attack is initiated, the following traps will be initiated:
24-08-2010 10:13:58 WARNING 150 HttpFlood "HTTP Page Flood Attack" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "server" start 0 0 0 0 N/A medium drop 24-08-2010 10:14:13 WARNING 150 HttpFlood "HTTP Page Flood Attack" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "server" term 0 0 0 0 N/A medium drop

5. In Vision, select the Security Monitoring > Current Attacks tab. 6. Double-Click on the Web Scan attack to see the attack details:

300-101: DefensePro Level 1 Lab Manual

| Page 51

300-101: DefensePro Level 1 Lab Manual

| Page 52

Lab 9 Signature Protection

Go back to Table of Content Lab Goals: Configure Intrusion Prevention policy. View Dashboard display of simulated attack traffic View and Sort Attack Logs by risk level Create a user-defined view and user-defined report

Step-by-Step: 1. Select Configuration (perspective) > Security Settings (tab) > Signature Protection 2. Uncheck the checkbox for the Enable Session Drop Mechanism Note: We do this to be able to see the same attack generated by the attack tool again if we launch it a second time. For more details ask you instructor. 3. Click the (Submit) button to apply the setting. 4. Select Configuration (perspective) > Network Protection (tab) > Network Protection Rules and double-click on the Rule we defined in Lab1 5. In the Action section click on the button next to Signature Protection Profile and the Signature Profiles window will open. 6. Right click inside the table and add a New Signature Profile. 7. Set the Profile Name to All 8. Right click inside the table and add a New Signature Rule. 9. For the new entry use the following entries: a. Rule Name b. Attribute Type All_Info Risk

c. Attribute Value Info Note: This is not a recommended setting for production. We use it only in our training lab! 10. Click OK to add the Rule to the Profile 11. Click OK to create the Profile. 12. Select the new created Profile and click OK. 13. Click OK to close the Network Protection Rule 14. Click the Activate Latest Changes button to activate the new settings.

300-101: DefensePro Level 1 Lab Manual

| Page 53

Testing the Signature Protection 1. On the attacking computer select: Intrusion Attacks Batch Edit. 2. Select a couple of the attacks, but at least two of each of these attack groups: Apache Backdoors_Inbound FTP_AS IIS Worms Note: Based on signature updates its possible that not all of the attack captures used by the attack tool will be detected. 3. After you saved the attacks select Back run Launch the attacks 4. Enter the IP address of the attacked server: 27.1.#.100. 5. The attacking computer initiates attacks towards the DefensePro and you should receive CLI traps as the DefensePro detects and blocks each attack. For example:
17-08-2010 16:28:08 WARNING 5672 Intrusions "Apache-CMD-Command-Exec" TCP 27.1.1.10 2057 27.1.1.100 80 1 Regular "NWRule_Team1" occur 1 0 0 0 N/A medium dest-reset

6. In Vision, select the Security Monitoring > Security Dashboard. 7. You can move the mouse over the attack displayed and see more information.

300-101: DefensePro Level 1 Lab Manual

| Page 54

8. In Vision, select the Security Monitoring > Current Attacks

9. Double-Click one of the attacks to see the attack details:

300-101: DefensePro Level 1 Lab Manual

| Page 55

10. If you like you can go to Security Monitoring > GeoMap and press Go see where the attacks are coming from. If you click on the country in the map you see the list of attacks.

300-101: DefensePro Level 1 Lab Manual

| Page 56

Packet Reporting 1. Select Configuration (perspective) > Advanced Parameters (tab) > Security Reporting Settings and expand the Packet Reporting and Packet Trace section. 2. Check the Enable Packet Reporting box and enter the Vision IP address (10.10.240.10) in the Destination IP Address field.

3. Click the Commit Changes button. If prompted to do so, reboot the device. 4. Select Configuration (perspective) > Network Protection (tab) > Network Protection Rules and double-click on the Rule we defined in Lab1 5. In the Packet Reporting and Trace section check the first two checkboxes and press OK.

6. Click the Activate Latest Changes button to activate the new settings. 7. Use the Attack Tool and run the saved attacks again. 8. Go to Security Monitoring > Current Attacks and do a right-click on one of the attacks and select Export Packets To Ethereal Format.

9. Select the path and filename of the file and click OK.

300-101: DefensePro Level 1 Lab Manual

| Page 57

10. Open the file you saved for example with Wireshark and you can see the packet which triggered the alert:

300-101: DefensePro Level 1 Lab Manual

| Page 58

Lab 10 - Building a Custom Signature

Go back to Table of Content Lab Goals: Create a new user-defined attack signature using the Signature Protections feature to block a new workstation vulnerability 1. Create OMPC signature 2. Create Content Signature blocking a URL Test the new attack signature

Building the filter: 1. Select Configuration (perspective) > Network Protection (tab) > Signature Protection > Signatures 2. In the right window (content area) at the Signatures section press the 3. Set the Signature Name to UD_Port 4. Right-click in the Filter Table and add a new filter. 5. For the new entry use the following entries (keep the rest default): a. Signature Name b. Protocol c. Destination Application Port UD_Port1234 TCP 1234 button

6. Click OK to close the Edit Filter window. 7. Click OK to close the Edit Signature Profile Rule window. 11. Select Configuration > Network Protection > Network Protection Rules and Click the Activate Latest Changes button to activate the new settings.

300-101: DefensePro Level 1 Lab Manual

| Page 59

Testing the custom Filter 1. On the attacking computer press ALT-F3 to switch to a second shell. From here you will try to start TCP session to the blocked port: /usr/sbin/hping3 c 5 p 1234 S 27.1.#.100 (where # is your team number) To return to the attack tool press ALT-F2. 2. The following traps are printed in the DefensePros CLI:
17-08-2010 18:06:08 WARNING 300000 Intrusions "UD_Port" TCP 27.1.1.10 2400 27.1.1.100 1234 1 Regular "NWRule_Team1" occur 1 0 0 0 N/A low drop

3. In Vision, select the Security Monitoring > Security Dashboard and if you move the mouse over the attacks you can see the user defined attack with details (also visible in the Current Attacks tab).

300-101: DefensePro Level 1 Lab Manual

| Page 60

Creating a custom signature to block URL Step By Step: 1. Select Configuration (perspective) > Network Protection (tab) > Signature Protection > Signatures 2. In the right window (content area) at the Signatures section press the 3. Set the Signature Name to UD_URL 4. Right-click in the Filter Table and add a new filter. 5. For the new entry use the following entries (keep the rest default): a. Signature Name b. c. d. e. f. Protocol Destination Application Port Content Type Content Content Encoding UD_URL TCP http URL /testurl Case Insensitive button

6. Click OK to close the Edit Filter window. 7. Click OK to close the Edit Signature Profile Rule window. 12. Select Configuration > Network Protection > Network Protection Rules and Click the Activate Latest Changes button to activate the new settings.

300-101: DefensePro Level 1 Lab Manual

| Page 61

Testing the custom filter 1. On the attacking computer select Service Attacks HTTP Cracking and press <Enter> 2. Enter the server address and use 27.1.#.100 (# = your team number) and press <Enter> 3. As the destination URL you use /testurl (the url we used to filter) and press <Enter> to start the attack 4. Soon after, the following trap will be printed on the CLI:
17-08-2010 19:49:23 WARNING 300001 Intrusions "UD_URL" TCP 27.1.1.10 35208 27.1.1.100 80 1 Regular "NWRule_Team1" occur 1 1 0 0 N/A low drop

5. Review the SecurityReporting > Current Attacks tab in Vision.

300-101: DefensePro Level 1 Lab Manual

| Page 62

Lab 11 Policy Exceptions (Black & White lists)

Go back to Table of Content Lab Goals: Configure Exceptions in the test the Black & White Lists mechanism.

Configuring Black List: 1. Go to Configuration > Classes > Modify Configuration > Networks 2. Right-Click in the Network Name table to add a new Network 3. For the Network Name use BLHost. 4. Right-click in the table to add a new network group. 5. Use the following information: a. Entry Type IP Range b. Network Type c. From IP IPv4 27.1.#.10

d. To IP 27.1.#.10 6. Click OK to add this entry to the Network Group 7. Click Close to close the Network Entry window. 8. Click Activate Latest Changes button 9. Go to Configuration > ACL > Black List. 10. Right-click in the Black List Policy Table and add a new Black List Rule

300-101: DefensePro Level 1 Lab Manual

| Page 63

11. Select as Source Address the network we just created and as Destination Network Any and click OK

12. Click Activate Latest Changes button 13. Click the Submit button. Testing Black Lists: 1. On the attacker PC, initiate a protocol anomaly attack (Intrusion Attacks Single 27.1.#.100 Protocol Anomalies select one of the attacks). 2. The DP will print the following trap in CLI:
17-08-2010 20:21:33 WARNING 8 Access "Black List IP" TCP 27.1.1.10 6666 27.1.1.100 179 1 Regular "Black List" occur 1 0 0 0 N/A low drop

3. Click the Security Monitoring > Current Attacks tab in Vision. 4. You will see all the attacks that were blocked by the Black List module.

300-101: DefensePro Level 1 Lab Manual

| Page 64

Configuring White List 1. Remove the BLHost from the Black List before you continue. (Dont forget to activate latest changes) 2. Go to Configuration > ACL > White List. 3. Right-click in the White List Policy Table and add a new White List Rule 4. The New White List Rule window appears:

5. The white list contains IP addresses and network ranges and traffic from these addresses will be bypassing the different security modules in the device.

300-101: DefensePro Level 1 Lab Manual

| Page 65

6. The attacker PC address is already configured (previous step) so in the Source Network use BLHost. In the Destination Network use any. 7. You can define which security modules will be skipped while traffic from the attacker PC arrives to the DP. 8. In the Module Bypass select Bypass All Modules. This means that all the security modules will be skipped for traffic originating in the specified source network. 9. If you unselect the Bypass All Modules then you have to specify which security module will be scanning the traffic and which one will skip it. 10. Click OK to save changes. 11. Click the Activate Latest Changes button.

Testing White Lists: 1. On the attacker PC, initiate a protocol anomaly attack (Intrusion Attacks Single 27.1.#.100 Protocol Anomalies select one of the attacks). 2. The DP will not scan the traffic and therefore none of the initiated attacks will be detected by the DP. 3. On the CLI nothing will be printed. 4. This means that all the traffic is directly delivered to the target computer. 5. On Vision no attack will be detected. 6. Try removing the White List rule to see that the DP now detects the attacks.

300-101: DefensePro Level 1 Lab Manual

| Page 66

Lab 12 Stateful Access List (ACL)

Go back to Table of Content Lab Goals: Create an ACL policy to block Ping (ICMP Echo) traffic to the target server. Test the policy.

Step By Step: 1. Go to Configuration > ACL > ACL Policy > Global Settings and enable ACL 2. Click the Submit button to apply the settings. 3. The following window will appear:

4. Click Commit Changes and Reboot 5. The device will now reboot (see serial connection). Vision will notify you after the reboot has finished. 6. Go to Configuration > ACL > ACL Policy > Modify Policy and double-click on the default rule.

300-101: DefensePro Level 1 Lab Manual

| Page 67

7. Check Report and click OK

8. Click on Activate Latest Changes

Check on the Serial-Console until you see this messages:

ACL learning period is over All ACL policies have Drop actions. All IP traffic will be dropped.

10. Now try to open the web site of your target PC (27.1.#.100) from the good client or launch any attack from the attacker the target. You will see that by default everything is blocked by the ACL!

11. Check as well the Security Monitoring.

12. Go to Configuration > ACL > ACL Policy > Modify Policy and double-click on the Default policy. 13. Change the Action to Accept and click OK 14. Do a right-click in the Modify ACL Policy table to add a new policy. 14. Use the following information: a. Rule Name BlockICMP b. Rule Index c. Report d. Protocol e. Action 1 check this value ICMP Drop | Page 68

300-101: DefensePro Level 1 Lab Manual

ICMP-Flags

Echo (check this value)

15. Click OK to add this rule 16. Click Activate Latest Changes

300-101: DefensePro Level 1 Lab Manual

| Page 69

Testing ACL 1. From the attacking PC, send a flood attack to the target computer (Network Attacks Floods Single Source ICMP Echo Request Flood 27.1.#.100) or simply set up a continuous ping (-t) to the target server. You should not get a response from the target PC. 2. From the CLI, you should see traps indicating that the packet has been blocked:
17-08-2010 21:04:24 WARNING 744 Stateful ACL "ICMP session dropped" ICMP 27.1.1.10 0 27.1.1.100 0 1 Regular "Default" occur 1 0 0 0 N/A high drop

3. You can review this messages also in Security Monitoring > Current Attacks or Security Dashboard 4. Stop the ping from the attacking host. 5. Before you continue with the next lab disable ACL again (including reboot) and enable BWM Choosing Policies(including reboot)

300-101: DefensePro Level 1 Lab Manual

| Page 70

Lab 13 Bandwidth Management

Go back to Table of Content Lab Goals: Create and test a Bandwidth Management policy to guarantee minimum and maximum application service levels.

Note: It is difficult to generate enough traffic in a lab environment to saturate the bandwidth available. In order to illustrate the features detailed in this lab, the guaranteed minimum and borrowing bandwidth limits have been set artificially low

Step By Step: 1. Before beginning this lab, lets make a test: 2. On the legitimate user station, close all browser windows. If you use the virtual Lab this station can be reached via VNC to lab-ip:7910 (password: client). From the Firefox browser started automatic you can select your team attacked host (picture shows target for team1) from the link folder:

3. Now open a new browser and point it to: ftp://27.1.#.100/ [Maybe different name will be provided by your instructor]. 4. Your browser will begin the download of the file. Note the copy speed rate. 5. Now lets configure a bandwidth management rule which will limit the traffic. 300-101: DefensePro Level 1 Lab Manual | Page 71

6. Go to Configuration > BWM > Global Parameters and change the Classification Mode to Policies. 7. Click the Submit button to apply the settings. 8. If BWM was not activated before you need to reboot the DefensePro. 9. Go to Configuration > Classes > Modify Configuration > Networks and click Create to add a new network. 10. Use the following information: a. Name b. From IP c. To IP d. Entry Type DMZ 27.1.#.100 27.1.#.100 IP Range

11. Click OK to add the network 12. Click Activate Latest Changes 13. Go to Configuration > BWM > Modify Policies and press the 14. Use the following information: Policy Name Index Policy Description Source Network Destination Network Service Type Service Name Direction Priority Guaranteed Bandwidth Maximum Bandwidth 15. Click OK to add the Policy 16. Click Activate Latest Changes FTP 1 FTP-Traffic any DMZ Basic Service ftp-session Two Way 0 20 30 button

300-101: DefensePro Level 1 Lab Manual

| Page 72

17. Go to Configuration > BWM > Active Policies and you should see this new policy in the list.

18. To be able to see statistics make sure you activate the Policy statistics Monitoring at Configuration > BWM > Global Settings:

19. To see the statistics go to Monitoring select you DP and go to BWM Statistics > Policy Statistics (Last Period or Last Seconds)

300-101: DefensePro Level 1 Lab Manual

| Page 73

Testing this lab 1. On the legitimate user station, close all browser windows. 2. Now open a new browser and point it to: ftp://27.1.#.100/file [Maybe different name will be provided by your instructor]. 3. Your browser will begin the download of the file. Note the copy speed rate. 4. Go to Monitoring&Control select you DP and go to BWM Statistics > Policy Statistics (Last Seconds)

5. Stop the FTP session. 6. If time permits, repeat this lab using other guaranteed and maximal values to see the different behavior.

300-101: DefensePro Level 1 Lab Manual

| Page 74

Lab 14 APSolute Vision Reporter

Go back to Table of Content Lab Goals: Use the APSolute Vision Reporter to review the log we created during the labs. Your instructor will give you a short introduction demo before you start this lab.

Step By Step: 1. In APSolute Vision select the button to launch the Vision Reporter in a browser window.

2. The APSolute Vision Reporter will start with the default Dashboard

3. You can customize this dashboard or create your own.

4. Play with this to get familiar

300-101: DefensePro Level 1 Lab Manual

| Page 75

5. Click in the Menu on Reports to see the predefined reports.

6. Browse through the reports which are available

7. You can also export this reports

300-101: DefensePro Level 1 Lab Manual

| Page 76

300-101: DefensePro Level 1 Lab Manual

| Page 77

8. Try to export to PDF and review the report.

300-101: DefensePro Level 1 Lab Manual

| Page 78

Lab 1b CLI Configuring the DefensePro using APSolute Vision for attack reporting
Go back to Table of Content To manage a Radware device using APSolute Vision, please follow the steps below: 1. For your convenience, the classroom central APSolute Vision device is already setup. 2. If you need to install APSolute Vision client please refer to Appendix-A Installing the APSolute Vision Client.

3. Start APSolute Vision using the Icon (Desktop or Start-Menu) 4. login screen type in the following information: User Name DP-Team# (where # is your team number) Password radware Vision Server 10.10.240.10 (or the name according to your location) Authentication Local and click on Login to login.

300-101: DefensePro Level 1 Lab Manual

| Page 79

5. After few seconds, the main APSolute Vision window appears:

6. If you device is not visible let your instructor know he will then add a new device for you 7. Right click on the DP and select Lock;

The DP logo should show a lock now:

NOTE: This feature will prevent anyone else from making configuration changes during your session.

300-101: DefensePro Level 1 Lab Manual

| Page 80

Enabling Security Reporting

1. There are two different settings to send data to the Vision server a. Attack Traffic information (traffic statistics of B-Dos): dp reporting data-report address create 10.10.240.10 b. Packet capture reporting: dp reporting packet-report address set 10.10.240.10 2. In order to receive security traps in CLI dp reporting global send-terminal set 1 3. In order to send security traps to a Syslog: dp reporting global send-syslog set 1 4. Make sure all traps are set to info (1) a. dp reporting global terminal-risk set 1 b. dp reporting global traps-risk set 1 c. dp reporting global syslog-risk set 1 d. dp reporting global email-risk set 1 5. Enable the DefensePro to send SNMP traps to a device (Vision) Syntax: manage snmp target-address create <Name> -a <Server>-<Port> -tl <SNMP Tag> -p <Parameter> For this lab use the following: manage snmp target-address create Vision -a 10.10.240.10-162 -tl v3Traps -p public-v1

300-101: DefensePro Level 1 Lab Manual

| Page 81

Modifying and creating Classes

Creating Port Groups: 1. Create a physical port group: Syntax: classes modify physical-port-groups create <Name> <Physical Port> For Our Lab classes modify physical-port-groups create G1-Inbound 1 2. Activate Latest Changes classes update-policies set 1 Creating Networks: 3. Select the Networks folder under Modify Configuration Syntax classes modify network create <Name> <Index> <Falgs> -a <Network ID> -s <Subnet> -f <From IP> -t <To IP> -m <Mode = IP Mask or IP Range> For Our Lab Create the following 3 networks classes modify network create protected 0 -a 27.1.0.0 -s 255.255.0.0 m "IP Mask" classes modify network create protected 1 -a 28.1.0.0 -s 255.255.0.0 m "IP Mask" classes modify network create special 0 -f 27.1.250.10 -t 27.1.250.20 m "IP Range" 4. Activate Latest Changes classes update-policies set 1

300-101: DefensePro Level 1 Lab Manual

| Page 82

Network Protection Policy

1. Create a Network Policy that will be used in later labs for the different protections Syntax: dp policies create <Name> -<Flag1> <Value> -<Flag 2> <Value> Classification Flags:
-di : Direction <oneway> <twoway> -sn : Source Address Name as defined in classes, or specific IP -dn : Destination Name as defined in classes, or specific IP -pm : Inbound Physical Port Group Name as defined in classes -vln : Vlan Tag Group Name as defined in classes -st : State <1 = Active, 2 = Disable> -a : Action <0 = Report Only, 1 = Block and Report>

Attack Profiles Flags: (Will be added in later labs)

-sig : Signatures Profile -con : Connection Limit Profile -sca : Anti Scanning Profile -dos : Behavioral Dos Profile -syn : SYN Protection Profile -pps : PPS Profile -dns : DNS protection Profile

Advanced Options <1 = Enable, 2 = Disable Default>:

-pt : Packet Trace -pte : Packet Trace configuration on policy takes precedence -pr : Packet Report -pre : Packet Report configuration on policy takes precedence

For our Lab create the following Rules: (For # use your team number)
dp policies create NWRule_Team# -dn protected -di twoway -pm G1-Inbound dp policies create NWRule2-Team# -sn special

2. To View your rule table: dp policies

300-101: DefensePro Level 1 Lab Manual

| Page 83

Lab 2 CLI Administering DefensePro in CLI

Go back to Table of Content Lab Goals: Enable and configure various options related to managing the DefensePro itself: 1. Upgrade the devices software (Web) 2. Security Update Service Updating the Attack Database (Web) 3. Downloading device configuration file 4. Updating the Devices License 5. Enabling Syslog Reporting Note: Upgrading the software and Updating the signature file can only reliably be done via the Web based Management or Vision. Included below are the steps for Web Based Management In Most classes no new Software or Attack Database are available, the next two sections are more for information reference. Upgrade the devices software 1. Have the software and version password ready. 2. Open a browser to the device and select File Software Update 3. Fill in the field: a. Password = Password Provided b. Software Version = Version of Software c. File = Browse to the file and select it for upload d. Click Set to upload and enable the new version (Device will reboot)

4. If you want to see what happens during the upgrade open a connection to the serial console of your device.

300-101: DefensePro Level 1 Lab Manual

| Page 84

Security Update Service Updating the Attack Database 6. Click on DefensePro Attack Database Send to Device 7. Select the source of the update by clicking on browse: 8. Click the Set button to start the update process. Viewing Device Configuration File 9. From the CLI type: system config immediate

Hitting the space will display more of the configuration:

300-101: DefensePro Level 1 Lab Manual

| Page 85

Updating the Devices Throughput License 4. You can upgrade the throughput of the device:
system license throughput set <New Value>

Enabling Syslog Reporting 5. First enable syslog reporting feature: manage syslog global-status set 1 6. Next configure the IP of the syslog server (Up to 5 servers) manage syslog destinations create 192.168.150.253

End of Lab 2

300-101: DefensePro Level 1 Lab Manual

| Page 86

Lab 3 CLI Behavioral DoS Protection

Go back to Table of Content Lab Goals: Configure and monitor Behavioral DoS Protections

Step By Step: 1. Make sure BDos Protection and Traffic Statistics Sampling are enabled: dp behavioral-DoS global status dp behavioral-DoS global advanced sampling-status 2. Set the Learning Response Period to Day.
dp behavioral-DoS global advanced learning response_period set 1

<1 = Day, 2 = Week, 3 = Month> 3. Make sure the Footprint Strictness is set to Low.
dp behavioral-DoS global advanced footprint-strictness

To change the Strictness

dp behavioral-DoS global advanced footprint-strictness set <value> <0 = low, 1 = medium, 2 = high>

4. Create a new Behavioral DOS Profile to add to your protection policy: Syntax:
dp behavioral-DoS profile create <Name> -<Flags> <Value>

Flood Protection Flags: <1 = Enable, 2 = Disable Default> -tcpf : TCP FIN+ACK Flood -tcpr : TCP Reset Flood -tcps : TCP SYN+ACK Flood -tcpfrg : TCP Fragmented Flood -tcpsyn : SYN Flood -udp : UDP Flood -igmp : IGMP Flood -icmp : ICMP Flood

300-101: DefensePro Level 1 Lab Manual

| Page 87

Additional Settings Flags: -band_in : Quota setting of the inbound traffic in [Kbit/Sec] (Required) -band_out : Configuration of the outbound traffic in [Kbit/Sec] (Required) -pr : Packet Report <1 = Enabled Default, 2 = Disable> -pt : Packet Trace <1 = Enabled, 2 = Disable Default> For our lab create a Profile called BDOS with in and out Quota 5000 and all protections enabled:
dp behavioral-DoS profiles create BDOS -tcpf 1 -tcpr 1 -tcps 1 -tcpfrg 1 -tcpsyn 1 -udp 1 -igmp 1 -icmp 1 -band_in 5000 -band_out 5000

5. If you created the profile first before enabling anything you can change it use the set command: dp behavioral-DOS profile set BDOS tcpf 2 Now Re enabled dp behavioral-DOS profile set BDOS tcpf 1

300-101: DefensePro Level 1 Lab Manual

| Page 88

6. For testing purposes, we are going to modify the default Quota settings since the device hasnt had time to learn any network traffic patterns this is under the advanced configuration and can only be done after the profile is created. Syntax:

dp behavioral-DoS global advanced profile-configuration set <Name> -<Flag> <Value>

Flags: (Value = % of Traffic) -in_tcp_quota : TCP In quota -in_udp_quota : UDP In quota -in_icmp_quota : ICMP In quota -in_igmp_quota : IGMP In quota -out_tcp_quota : TCP Out quota -out_udp_quota : UDP Out quota -out_icmp_quota : ICMP Out quota -out_igmp_quota : IGMP Out quota Advanced Features: -transparent : Transparent Optimization process block will only take place after optimization is done (1 = Enable Option, 2 = Disable Default) -level : UDP packet rate detection sensitivity for UDP Floods (1 = Disabled, 2 = Low Default, 3 = Medium, 4 = High) For our lab set the following values: Incoming -in_tcp_quota 85 -in_udp_quota 70 -in_icmp_quota 20 -in_igmp_quota 38 Outgoing -out_tcp_quota 90 -out_udp_quota 70 -out_icmp_quota 15 -out_igmp_quota 38

This is the complete command: dp behavioral-DoS global advanced profile-configuration set BDOS -in_tcp_quota 85 -in_udp_quota 70 -in_icmp_quota 20 in_igmp_quota 38 -out_tcp_quota 90 -out_udp_quota 70 out_icmp_quota 15 -out_igmp_quota 38 7. Now add the new Profile to your protection policy: dp policies set NWRule_Team# -dos BDOS

300-101: DefensePro Level 1 Lab Manual

| Page 89

8. Activate the new policy: dp update-policies set 1

Testing
9. Connect to a prepared Attacker PC via VNC <remote lab>:790# password = team# Note: please verify the URL of the Remote Lab you are using 10. In the New VNC session you might need to hit any key (for example the down arrow) to see the screen, since the PC will disable the display after some time. 11. Select Configure from the application main menu. 12. Select Manual (select it by hitting the space key) and then hit OK. 13. Enter IP address for the attacking PC: 27.1.#.10 ( # = Team-Number) 14. Enter Subnet mask for the attacking PC: 255.255.255.0 15. Enter Default Gateway: 27.1.#.100 16. Select Back. TCP Flood Scenario 9. On the Attacking PC, from the main Welcome Screen, select Network AttacksFloods Single Source TCP SYN Attack. 10. Make sure the destination address is set to 27.1.#.100 (# = Team-Number) and click OK. 11. Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:
20-08-2010 14:45:12 WARNING 73 Behavioral-DoS "network flood IPv4 TCP -SYN" TCP 0.0.0.0 0 0.0.0.0 0 0 Regular "lab" start 0 0 0 0 N/A high drop 20-08-2010 14:45:27 WARNING 73 Behavioral-DoS "network flood IPv4 TCP -SYN" TCP 27.1.1.10 31337 27.1.#.100 25 2 N/A "lab" sampled 1 0 0 0 N/A high drop 20-08-2010 14:45:42 WARNING 73 Behavioral-DoS "network flood IPv4 TCP -SYN" TCP 27.1.1.10 31337 27.1.#.100 25 2 N/A "lab" ongoing 0 0 0 0 N/A high drop 20-08-2010 14:45:52 WARNING 73 Behavioral-DoS "network flood IPv4 TCP -SYN" TCP 27.1.1.10 31337 27.1.#.100 25 2 N/A "lab" term 0 0 0 0 N/A high drop

12. In APSolute Vision, select the Security Monitoring perspective and select your device in the Security Dashboard tab. 300-101: DefensePro Level 1 Lab Manual | Page 90

13. You will see the Security Dashboard. If you move the mouse over the attack you will see more informations.

14. Select Current Attacks in the content area to see the actual attacks. 15. Keep the filter on default and click the button

16. To see more details on the attack double-click on it. Explanation From the Current Attacks table it can be seen that this is a TCP-SYN attack. The source address indicates a single source attack. The attack footprint can be seen in the attack details. It reveals the ingredients of the footprint: source-port, source IP and packet size. 300-101: DefensePro Level 1 Lab Manual | Page 91

The general attack characteristics can be viewed in the lower table. The attack statistics will show the attack statistics table. The Attack Statistics Graph will show the graphical representation of the attack over time.

300-101: DefensePro Level 1 Lab Manual

| Page 92

300-101: DefensePro Level 1 Lab Manual

| Page 93

2. Attack is starting Footprint lookup phase

300-101: DefensePro Level 1 Lab Manual

| Page 94

3. Attack is ongoing Blocking phase

4. Attack has finished

300-101: DefensePro Level 1 Lab Manual

| Page 95

UDP Flood Scenario 6. On the Attacking PC, from the main Welcome Screen, select Network AttacksFloods Single Source UDP Data Flood. 7. Make sure the destination address is set to 27.1.#.100 (#=Team-Number) and click OK. 8. Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:
20-08-2010 15:13:17 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 Regular "lab" start 0 0 0 0 N/A high drop 20-08-2010 15:10:57 WARNING 70 Behavioral-DoS "network flood IPv4 UDP" UDP 27.1.1.10 31337 27.1.#.100 135 2 N/A "lab" sampled 1 4 0 0 N/A high drop 20-08-2010 15:10:57 WARNING 70 Behavioral-DoS "network flood IPv4 UDP" UDP 27.1.1.10 31337 27.1.#.100 135 2 N/A "lab" ongoing 0 0 0 0 N/A high drop 20-08-2010 15:11:02 WARNING 71 Behavioral-DoS "network flood IPv4 UDP" UDP 27.1.1.10 31337 27.1.#.100 135 2 N/A "lab" term 0 0 0 0 N/A high drop

9. In APSolute Vision, select the Security Monitoring and Current Attacks tab. 10. Double click on the attack event.

300-101: DefensePro Level 1 Lab Manual

| Page 96

300-101: DefensePro Level 1 Lab Manual

| Page 97

ICMP Flood
5. On the Attacking PC, from the main Welcome Screen, select Network

AttacksFloods Single Source ICMP Echo Request Flood.

6. Make sure the destination address is set to 27.1.#.100 ( # = Team-Number) and

7. In APSolute Vision, select the Current Attacks tab.

300-101: DefensePro Level 1 Lab Manual

| Page 98

8. Double click on the attack event to see Attack Information.

Explanation The attack type is ICMP flood from multiple sources. The attack footprint (the blocking rule created by the BDoS engine) is composed from Source IP.

300-101: DefensePro Level 1 Lab Manual

| Page 99

Lab 4 CLI Worm Propagation Prevention & Anti-Scanning

Go back to Table of Content Lab Goals: Configure a worm propagation and Anti-Scanning Policy Monitor Anti Scanning using Vision.

Step By Step: 1. Verify that Anti-Scanning is enabled: dp anti-scanning global status 2. Enable Protection for Very Slow Scans: dp anti-scanning global very-slow-scans set 1 3. Create a new Anti-Scanning Profile: Syntax dp anti-scanning profiles create <Name> -<Flag> <Value> Protocol Flag Enabled or Disable the protocol for scanning: 1 = Enabled Default 2 = Disabled -tcp : TCP State -udp : UDP State -icmp : ICMP State Configuration Flags: -t : Device Organization type <1 = Gateway, 2 = Internal, 3 = Carrier Default> -s : Number of events over time to trigger <1 = Very Few, 2 = Low Default, 3 = Medium, 4 = Many events> -a : Minimum number of characteristics required for dynamic signature <1 = One value, 2 = two values Default, 3 = three values> Advanced Options: -sp : Single TCP/UDP port to ignore scans too -pt : Packet Trace Status <1 = Enabled, 2 = Disabled>

300-101: DefensePro Level 1 Lab Manual

| Page 100

For our lab create the following: dp anti-scanning profiles create AntiScanning t 1 s 4 4. Add the new profile to your Policy: dp policies set NWRule_Team# -sca AntiScanning 5. Activate the new settings: dp update-policies set 1

Testing Anti-Scanning
Worm Propagation This attack demonstrates a worm propagation attack. 8. On the Attacking PC, from the main Welcome Screen, select Network Attacks. 9. Select Worm Propagation. 10. Select Slammer (UDP). 11. Enter the Destination Network Address: 27.1.20.x (really type x since the tool needs it!). 12. Review the CLI traps and monitor the security reports in Vision:
24-08-2010 11:23:17 WARNING 351 Anti-Scanning "UDP Scan (horizontal)" UDP 27.1.1.10 0 0.0.0.0 1434 2 Regular "lab" start 0 0 0 0 N/A medium drop 24-08-2010 11:23:27 WARNING 351 Anti-Scanning "UDP Scan (horizontal)" UDP 27.1.1.10 0 0.0.0.0 1434 2 Regular "lab" ongoing 46 0 0 0 N/A medium drop 24-08-2010 11:23:52 WARNING 351 Anti-Scanning "UDP Scan (horizontal)" UDP 27.1.1.10 0 0.0.0.0 1434 2 Regular "lab" term 0 0 0 0 N/A medium drop

13. Try to send legitimate traffic to the attacked host from the legitimate user station. 14. The DP will detect and block the attack while letting legitimate traffic to go through.

300-101: DefensePro Level 1 Lab Manual

| Page 101

Scanning This attack demonstrates a scan attempt: 11. On the Attacking PC, from the main Welcome Screen, select Network Attacks. 12. Select Scans. 13. Select TCP (L4). 14. Select Horizontal. 15. Select High (using space key). 16. Enter the Destination network address: 27.1.20.x (really type x since the tool needs it!): 17. Soon after the attack is initiated, the following traps are printed on the CLI:
24-08-2010 11:26:02 WARNING 350 Anti-Scanning "TCP Scan (horizontal)" TCP 27.1.1.10 0 0.0.0.0 80 2 Regular "lab" start 0 0 0 0 N/A medium drop 24-08-2010 11:26:02 WARNING 350 Anti-Scanning "TCP Scan (horizontal)" TCP 27.1.1.10 0 0.0.0.0 80 2 Regular "lab" ongoing 271064 127061 0 0 N/A medium drop 24-08-2010 11:26:32 WARNING 350 Anti-Scanning "TCP Scan (horizontal)" TCP 27.1.1.10 0 0.0.0.0 80 2 Regular "lab" term 0 0 0 0 N/A medium drop

18. Select Security Monitoring (perspective) > Current Attacks (tab) and doubleclick on the attack

19. If there are no monitoring data visible, mark the DP and press GO button.

300-101: DefensePro Level 1 Lab Manual

| Page 102

20.

300-101: DefensePro Level 1 Lab Manual

| Page 103

Lab 5 CLI SYN Flood Protection

Go back to Table of Content Lab Goals: Configure a profile and policy to protect against SYN Floods Monitor the attack logs via Vision

Step By Step: 1. View pre-created applications for SYN protection: dp syn-protection attacks static 2. Create a new SYN Flood Profile for HTTP traffic: Syntax:
dp syn-protection profiles create <Name> <Attack Name> -<Flag> <value>

Attack Name = can be one of the static attacks, or user created attacks under Dp syn-protection attacks Flags: -auth : TCP authentication method for all protocols (1) - Transparent-proxy validation is done ACK packet and delayed bind is used (2) - Safe-Reset validation is done on new syn and no delayed bind is used : HTTP authentication feature (required for httpauth) (1) - Enable (2) - Disable -httpauth : HTTP authentication method (1) Simple 302-redirect with header cookie (2) JavaScript inserts header cookie Our Lab use the following: dp syn-protection profiles create SYNFlood HTTP

-http

300-101: DefensePro Level 1 Lab Manual

| Page 104

3. To enabled the flags after creation of the profile use the update command:
dp syn-protection profiles update SYNFlood http 1 httpauth 1

4. To add additional protocols to the same profile use the add command dp syn-protection profiles add SYNFlood TELNET 5. Unselect the BDoS Profile from your Network Protection Rule. dp policies set NWRule_Team# -dos none 6. Add the SYN Protection Profile to the policy: dp policies set NWRule_Team# -syn SYNFlood 7. Activate the latest changes: dp update-policies set 1

Testing SYN Protection

6. On the attacking computers, select Network Attacks Floods Single Source TCP SYN Attack. 7. Enter the destination address: 27.1.#.100 (# = Team-Number) and click OK. 8. Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:
09-07-2008 15:23:54 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "protected" start 0 0 0 0 N/A medium proxy DefensePro#09-07-2008 15:23:54 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "protected" ongoing 60364 28295 0 0 N/A medium proxy DefensePro#09-07-2008 15:24:09 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "protected" term 0 0 0 0 N/A medium proxy

9. In APSolute Vision, select the Security Monitoring perspective and select the Current Attack tab. Click the Go button:

10. Double-Click on the SYN Flood HTTP attack to see more details:

300-101: DefensePro Level 1 Lab Manual

| Page 105

300-101: DefensePro Level 1 Lab Manual

| Page 106

Lab 6 CLI Connection Limits

Go back to Table of Content Lab Goals: Create and test a Connection Limit policy.

Step By Step: 1. To create a connection limit protection first an attack needs to be defined create the following attack: Syntax: dp connection-limit attack create <ID> -n <Name> -<Flag> <Value> <ID> = Value must start at 450000 and ascend, values can not be skipped Classification Flags: -dp : Destination Application port can be a vale or defined in classes -p : Protocol <2 = tcp, 3 = udp>

Tracking and Suspend Flags -ts : Maximum number of connections per tracking type -tty : Tracking Type <2 = By source IP, 3 = By destination IP, 4 = Source to Destination> -am : Action Mode <0 = Report only, 10 = Drop, 11 = Reset> -sa : Use the Suspend Table <0 = Disable, 1 = By Source IP, 2 = Source IP and Destination IP, 3 = Source IP to Destination Port, 4 = Source IP to Destination IP and Port, 5 = Source IP and Port to Destination IP and Port> Advanced Flags: -pr : Packet Report -rs : Risk <1 = info, 2 = low, 3 = medium, 4 = high> -pt : Packet Trace For the lab create the following: dp connection-limit attack create 450000 n HTTPLimit -dp http -p tcp -ts 2 -tty 2 -am 10 -rs 3 -sa 1

300-101: DefensePro Level 1 Lab Manual

| Page 107

2. Add the Attack to a Profile: dp connection-limit profiles create MyConLimit -at HTTPLimit 3. Add the connection limit profile to the attack policy: dp policies set NWRule_Team# -con MyConLimit 4. Activate Latest Changes dp update-policies set 1

Testing this lab

5. At the attacker go to Services Attacks > HTTP > Scanning and launch the attack against your target server 27.1.#.100. 6. You should see the following message at the DP serial console:
20-08-2010 12:33:36 WARNING 450001 DoS "HTTPLimit" TCP 27.1.1.10 36369 27.1.1.100 80 1 Regular "NWRule_Team1" start 1 0 0 0 N/A medium drop

7. Review the attack details in APSolute Vision > Security Monitoring > Security Dashboard.

300-101: DefensePro Level 1 Lab Manual

| Page 108

Review the attack details in APSolute Vision > Security Monitoring > Current Attacks.

300-101: DefensePro Level 1 Lab Manual

| Page 109

Lab 7 CLI Server Cracking Protection

Go back to Table of Content Lab Goals: Configure a policy to protect against server cracking attacks. Monitor server cracking logs via Vision

Step By Step: 1. Remove the Connection Limit from Lab6 before you start. dp policies set NWRule_Team# -con none dp update-policies set 1 2. View the attacks created for Server Cracking (additional attacks can be crated) dp cracking-protection attacks View information on just Brute Force Web: dp cracking-protection attacks get 400 3. Create the following server cracking profile using a pre-configured attacks: dp cracking-protection profiles create ServerCracking Brute Force Web dp cracking-protection profiles create ServerCracking Web Scan 4. Create a Protected Server in server protections and add the profile above: Syntax: dp server-protection protected-servers create <Name> -dst = Destination IP or Range of IPs -ips = Server Cracking Profile -http = Http Mitagator Profile (Next Lab) For Our Lab dp server-protection protected-servers create WebServerTeam# -dst 27.1.12.100 -ips ServerCracking 5. Activate Latest Changes

300-101: DefensePro Level 1 Lab Manual

| Page 110

dp update set 1

Testing Server Cracking Protection Brute Force:

10. On the attacking PC, select Services Attacks HTTP Cracking. 11. Enter IP address for the attacked PC: 27.1.#.100 (# = Team-Number) and click OK. 12. Enter destination URL /account.aspx
13. Soon

after the attack is initiated, the following CLI traps are printed:

DP-Team1#01-12-2011 21:03:27 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1 .1.10 35080 27.1.1.100 80 1 Regular "Webserver Team1" start 0 0 N/A 0 N/A medium drop 14. DP-Team1#01-12-2011 21:03:27 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1 .1.10 35080 27.1.1.100 80 1 Regular "Webserver Team1" ongoing 2 1 N/A 0 N/A medium drop

15. DP-Team1#01-12-2011 21:04:07 WARNING 401 Cracking-Protection "Web Scan"

TCP 27.1. 1.10 35080 27.1.1.100 80 1 Regular "Webserver Team1" term 0 0 N/A 0 N/A medium drop

16. In Vision, select the Security Monitoring > Current Attacks tab. 17. Double-Click on the Brute Force Web attack to see the attack details:

300-101: DefensePro Level 1 Lab Manual

| Page 111

Testing Server Cracking Protection Web Scan: 6. On the attacking PC, select Services Attacks HTTP Scanning. 7. Enter IP address for the attacked PC: 27.1.#.100 and click OK. 8. Enter destination URL (i.e. /accounts.aspx). 9. Soon after the attack is initiated, the following CLI traps are printed:
DP-Team1#01-12-2011 21:11:57 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 50496 27.1.1.100 80 1 Regular "Webserver Team1" start 0 0 N/A 0 N/A medium drop DP-Team1#01-12-2011 21:11:57 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 50496 27.1.1.100 80 1 Regular "Webserver Team1" ongoing 82 47 N/A 0 N/A medium drop DP-Team1#01-12-2011 21:12:02 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 50496 27.1.1.100 80 1 Regular "Webserver Team1" ongoing 84 48 N/A 0 N/A medium drop DP-Team1#01-12-2011 21:12:07 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 50496 27.1.1.100 80 1 Regular "Webserver Team1" ongoing 90 52 N/A 0 N/A medium drop

18. In Vision, select the Security Monitoring > Current Attacks tab. 10. Double-Click on the Web Scan attack to see the attack details:

300-101: DefensePro Level 1 Lab Manual

| Page 112

Lab 8 CLI HTTP Mitigator Protection

Go back to Table of Content Lab Goals: Configure a security policy to protect against HTTP Mitigation attacks. Monitor HTTP Mitigator logs and web server behavioral parameters in Vision

Step By Step: 1. Set the HTTP Mitigator to turn on immediately: dp http-mitigator global learning-pre-activation set 0 Note: This is needed since we want the system to block immediate. 2. Remove the Server Cracking Server Protection dp server-protection protected-servers del WebServerTeam# 3. Create a HTTP Mitigator Profile: Syntax: dp http-mitigator profiles create <Name> -<Flags> <Value> Flags: -sns : Sensitivity <1 = Many Events, 2 = Minor, 3 = Medium, 4 = High, very few events will trigger> -ac : Action <0 = Report only, 1 = Block and Report> -pr : Packet Report -pt : Packet Trace For Our Lab create the following: dp http-mitigator profiles create HTTPFlood sns 3 ac 1

300-101: DefensePro Level 1 Lab Manual

| Page 113

4. Since we dont have time to learn we will configure the thresholds manually. We need to enable manual triggers and then set them: Syntax: dp http-mitigator advanced profile-configuration set <Name> -<Flag> <Value> Manual user Flags (0 for any value means ignore): -mts : Enables manual triggers <1 = Enabled, 2 = Disabled> -gps : Get and POST Request-Rate Trigger (HTTP req/sec) -ots : Other Request-type Request-Rate Trigger (HTTP req/sec) -otb : Outbound HTTP BW Trigger (Kbps) -rps : Request-per-Source Trigger (HTTP req/sec) -rpc : Request-per-Connection Trigger (HTTP requests) Triggers that can be set even if Manual is disabled: -sst : Request-Rate Threshold (HTTP req/sec) -cst : Request-per-Connection Threshold (HTTP requests) Advanced Mitigator Settings -sc : Enabled Challenge Escalation <1 = Enabled, 2 = Disabled> -cc : Enabled everyone to be challenged in event of attack -cm : Sets the mode for challenge <1 = HTTP 302 redirect only, 2 = Javascript> -sb : Enable blocking source IPs For our Lab create an advance setting with the following: a. Get and POST Request-Rate Trigger b. Other Request-Type-Request-Rate Trigger c. Outbound HTTP BW Trigger d. Request-per-Source Trigger e. Request-per-Connection Trigger

5 HTTP req./sec. 2 HTTP req./sec. 1 Kbps 5 HTTP req./sec. 5 HTTP req./sec.

dp http-mitigator advanced profile-configuration set HTTPFlood mts 1 gps 5 ots 2 otb 1 rps 5 rpc 5 5. Now add the profile to the server protection: dp server-protection protected-servers create WebServerTeam# -dst 27.1.#.100 http HTTPFlood 6. Dont forgot to Activate Latest Changes dp update-policies set 1 300-101: DefensePro Level 1 Lab Manual | Page 114

Testing HTTP Mitigator:

7. On the attacking computer select Service Attacks HTTP Flooding. 8. Enter IP address for the attacked PC: 27.1.#.100. 9. Make sure the destination URL is set to /index.html. 10. Soon after the attack is initiated, the following traps will be initiated:
24-08-2010 10:13:58 WARNING 150 HttpFlood "HTTP Page Flood Attack" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "server" start 0 0 0 0 N/A medium drop 24-08-2010 10:14:13 WARNING 150 HttpFlood "HTTP Page Flood Attack" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "server" term 0 0 0 0 N/A medium drop

11. In Vision, select the Security Monitoring > Current Attacks tab.

300-101: DefensePro Level 1 Lab Manual

| Page 115

12. Double-Click on the Web Scan attack to see the attack details:

300-101: DefensePro Level 1 Lab Manual

| Page 116

Lab 9 CLI Signature Protection

Step-by-Step: 1. Disable Session Drop Mechanism (Default is Enabled) Note: We do this to be able to see the same attack generated by the attack tool again if we launch it a second time. For more details ask you instructor. dp signatures-protection application-security global session-drop set 2 2. We will now create a new profile and signature rule rather then use the pre created signature rules. To create a new signature profile and rule: dp signatures-protection profiles user create <Profile Name> <Rule Name> <Attribute Name> <Attribute Value> Attribute Name and Value dp signatures-protection attributes values Attribute Name = Attribute Type Attribute Value = Attribute Name Rules: Add multiple attributes to a single Rule creates an AND condition, adding multiple Rule names creates an OR condition For our lab create the following:
dp signatures-protection profiles user create ALL all-info Risk Info

Note: This is not a recommended setting for production. We use it only in our training lab! 3. Add the profile to your policy: dp policies set NWRule_Team# -sig ALL Activate Latest Changes: dp update-policies set 1

300-101: DefensePro Level 1 Lab Manual

| Page 117

Testing the Signature Protection

4. On the attacking computer select: Intrusion Attacks Batch Edit. 5. Select a couple of the attacks, but at least two of each of these attack groups: Apache Backdoors_Inbound FTP_AS IIS Worms Note: Based on signature updates its possible that not all of the attack captures used by the attack tool will be detected. 6. After you saved the attacks select Back run Launch the attacks 7. Enter the IP address of the attacked server: 27.1.#.100. 8. The attacking computer initiates attacks towards the DefensePro and you should receive CLI traps as the DefensePro detects and blocks each attack. For example:
17-08-2010 16:28:08 WARNING 5672 Intrusions "Apache-CMD-Command-Exec" TCP 27.1.1.10 2057 27.1.1.100 80 1 Regular "NWRule_Team1" occur 1 0 0 0 N/A medium dest-reset

9. In Vision, select the Security Monitoring > Security Dashboard. 10. You can move the mouse over the attack displayed and see more information.

300-101: DefensePro Level 1 Lab Manual

| Page 118

11. In Vision, select the Security Monitoring > Current Attacks

12. Double-Click one of the attacks to see the attack details:

300-101: DefensePro Level 1 Lab Manual

| Page 119

300-101: DefensePro Level 1 Lab Manual

| Page 120

13. If you like you can go to Security Monitoring > GeoMap and press Go see where the attacks are coming from. If you click on the country in the map you see the list of attacks.

300-101: DefensePro Level 1 Lab Manual

| Page 121

Packet Reporting
1. Enable Packet reporting on the Defensepro: dp reporting packet-report status set enable 2. Set the destination address the packets dp reporting packet-report address set 10.10.240.10 3. If prompted to do so, reboot the device 4. Enable Packet reporting on the Policy: dp policies set NWRule_Team# -pr 1 pre 1 5. Activate Latest Changes 6. Use the Attack Tool and run the saved attacks again. 7. Go to Security Monitoring > Current Attacks and do a right-click on one of the attacks and select Export Packets To Ethereal Format.

8. Select the path and filename of the file and click OK. 9. Open the file you saved for example with Wireshark and you can see the packet which triggered the alert:

300-101: DefensePro Level 1 Lab Manual

| Page 122

Lab 10 CLI - Building a Custom Signature

Go back to Table of Content Lab Goals: Create a new user-defined attack signature using the Signature Protections feature to block a new workstation vulnerability 1. Create a basic layer 4 signature 2. Create Content Signature blocking a URL Test the new attack signature

Building a basic filter:

1. Create the filter under signature protections: Syntax: dp signatures-protection filter basic-filters user create <Name> -<Flag> <Value> Relevant Flags for this section: (There are quite a few flags associated with signature creation it is a good idea to build the signature in a txt editor and then paste to the CLI rather then type it all out if many flags will be used) -p : Protocol = <1 = IP, 2 = tcp, 3 = udp, 4 = icmp, 5 = nonIP, 6 = icmpV6> -sp : Source App. Port as defined in classes or a single port -dp : Destination App. Port as defined in classes or a single port For Our lab configure the following: dp signatures-protection filter basic-filters user create UD-Port1234 p 2 dp 1234

300-101: DefensePro Level 1 Lab Manual

| Page 123

2. The next step is to add the filter to an attack policy Syntax: dp signatures-protection attacks user create <ID> -n <Name> -<Flag> <Value> Notes: <ID> = 0, if you use 0 it will automatically assign the next value in the 30000 range, for example if you have created 300000, 300001, 300002 and then removed 300001 an ID of 0 will create it as 300001 The only relevant flag for this lab is -f = Filter name as created above For our lab use the following:
dp signatures-protection attacks user create 0 -n UD-Port f UD-Port1234

3. Optionally you can define the attributes for this attack to view the attributes (These are added by default):

4. To change the attributes: dp signatures-protection attacks attributes set <ID> <Attribute Type> <Attribute Name> 5. Since we already created a profile that added all Risk levels this attack was automatically added to that profile. 6. Activate Latest Changes

300-101: DefensePro Level 1 Lab Manual

| Page 124

Testing the custom Filter

7. On the attacking computer press ALT-F3 to switch to a second shell. From here you will try to start TCP session to the blocked port: /usr/sbin/hping3 c 5 p 1234 S 27.1.#.100 (where # is your team number) To return to the attack tool press ALT-F2. 8. The following traps are printed in the DefensePros CLI:
17-08-2010 18:06:08 WARNING 300000 Intrusions "UD_Port" TCP 27.1.1.10 2400 27.1.1.100 1234 1 Regular "NWRule_Team1" occur 1 0 0 0 N/A low drop

9. In Vision, select the Security Monitoring > Security Dashboard and if you move the mouse over the attacks you can see the user defined attack with details (also visible in the Current Attacks tab).

300-101: DefensePro Level 1 Lab Manual

| Page 125

Creating a custom signature to block URL

Step By Step: 1. Create a new attack filter: New Relevant Flags: -ct : Content Type can be the following <1 = None Default, 2 = URL, 3 = Text, 4 = Host Name, 5 = Header Field 25 additional ones see CLI reference for full list these are the most common> -c : Content search string (Exact match) -cr : Content Regular Expression (Use instead of c if content is a regex) -ce : Content Encoding (1) None (2) Case Insensitive (3) Case Sensitive (4) HEX (5) International For our lab configure the following: dp signatures-protection filter basic-filters user create UD-URL p 2 dp http ct 2 c /testurl ce 2 2. Next add the filter to an attack policy
dp signatures-protection attacks user create 0 -n UD-URL f UD-URL

3. As before the Risk is set to low by default and since we have an all profile this will be added on the next update to the Attack Policy 4. Activate Latest Changes

300-101: DefensePro Level 1 Lab Manual

| Page 126

Testing the custom filter

5. On the attacking computer select Service Attacks HTTP Cracking and press <Enter> 6. Enter the server address and use 27.1.#.100 (# = your team number) and press <Enter> 7. As the destination URL you use /testurl (the url we used to filter) and press <Enter> to start the attack 8. Soon after, the following trap will be printed on the CLI:
17-08-2010 19:49:23 WARNING 300001 Intrusions "UD_URL" TCP 27.1.1.10 35208 27.1.1.100 80 1 Regular "NWRule_Team1" occur 1 1 0 0 N/A low drop

9. Review the SecurityReporting > Current Attacks tab in Vision.

300-101: DefensePro Level 1 Lab Manual

| Page 127

Lab 11 CLI Policy Exceptions (Black & White lists)

Go back to Table of Content Lab Goals: Configure Exceptions in the test the Black & White Lists mechanism.

Configuring Black List: 1. Create a new network under classes: classes modify network create BLHost 0 f 27.1.#.10 t 27.1.#.10 m IP Range 2. Activate the network: classes update-policies set 1 3. Create a Black List rule: Syntax: dp black-list table create <Name> -<Flag> <Value> Relevant Flags for the Lab: -sn : Source, can be an IP, any, or Value from the Network table -dn : Destination, can be an IP, any, or Value from the Network table -sp : Source TCP/UDP Port, can be a single value or from classes -dp : Destination TCP/UDP Port -p : Protocol = <1 = Any, 2 = TCP, 3 = UDP, 4 = ICMP, there are 6 more less used protocols defined in the CLI guide For our lab configure the following: dp black-list table create MyBlackList sn BLHost dn any 4. Activate Latest Changes

300-101: DefensePro Level 1 Lab Manual

| Page 128

Testing Black Lists:

5. On the attacker PC, initiate a protocol anomaly attack (Intrusion Attacks Single 27.1.#.100 Protocol Anomalies select one of the attacks). 6. The DP will print the following trap in CLI:
17-08-2010 20:21:33 WARNING 8 Access "Black List IP" TCP 27.1.1.10 6666 27.1.1.100 179 1 Regular "Black List" occur 1 0 0 0 N/A low drop

7. Click the Security Monitoring > Current Attacks tab in Vision. 8. You will see all the attacks that were blocked by the Black List module.

300-101: DefensePro Level 1 Lab Manual

| Page 129

Configuring White List

1. Remove the Black List created before: dp black-list table del MyBlackList 2. White lists can be configured to bypass everything or bypass specific modules Configure a new White List rule: Syntax: dp white-list create <Name> -<Flag> <Value> Classification Flags: (Same as Black List) -sn : Source Network -dn : Destination Network -sp : Source TCP/UDP Port Group -dp : Destination TCP/UDP Port Group -pg : PhysicalPortGroup -vt : VLANTag -p : Protocol Bypass Flags <1 = Enable, 2 = Disable>: -am : All Modules Bypass, enabling this rule ignores all others -syn : SYN Protection Bypass -sta : Stateful Inspection Bypass -sca : Anti-Scanning Bypass -sig : Signature Protection Bypass -htt : HTTP Mitigator Bypass -src : Server Cracking Bypass For our lab configure a rule to allow BLHost to bypass all filters: dp white-list create MyWhiteList -sn BLHost dn any am 1 3. Activate Latest Changes

300-101: DefensePro Level 1 Lab Manual

| Page 130

Testing White Lists:

4. On the attacker PC, initiate a protocol anomaly attack (Intrusion Attacks Single 27.1.#.100 Protocol Anomalies select one of the attacks). 5. The DP will not scan the traffic and therefore none of the initiated attacks will be detected by the DP. 6. On the CLI nothing will be printed. 7. This means that all the traffic is directly delivered to the target computer. 8. On Vision no attack will be detected. 9. Try removing the White List rule to see that the DP now detects the attacks.

300-101: DefensePro Level 1 Lab Manual

| Page 131

Lab 12 CLI Stateful Access List (ACL)

Go back to Table of Content Lab Goals: Create an ACL policy to block Ping (ICMP Echo) traffic to the target server. Test the policy.

Step By Step: 1. Enable the ACL Module on the DefensePro (Requires a reset) acl global-parameters status set 1 2. Reboot the device reboot 3. Once the device is up it will be in learning mode and then will block all traffic that it did not learn, to speed up the learning mode: acl global-parameters learning-period set <seconds> Set the learning period to 5 seconds Check on the Serial-Console until you see this messages:
ACL learning period is over All ACL policies have Drop actions. All IP traffic will be dropped.

4. Change the reporting status of the Default policy default is not to report dropped traffic acl modified-policies set Default -rs 1 5. Update ACL Policies: acl update-policies set 1

300-101: DefensePro Level 1 Lab Manual

| Page 132

6. Now try to open the web site of your target PC (27.1.#.100) from the good client or from the attacker the target. You will see that by default everything is blocked!

7. Check as well the Security Monitoring.

8. Change the Default policy to accept all traffic rather then block: acl modified-policies set Default ac 1 9. Update the ACL Policies: acl update-policies set 1 10. Create a new ACL Policy to block ICMP Syntax:
acl modified-policies create <Name> -i <Index> -<Flag> <value>

Flags: -pr : Protocol <1 = TCP, 2 = UDP, 3 = ICMP, 4 = All Others, 5 = ANY> -ac : Action <1 = Allow, 2 = Drop, 3 = Drop and Reset> -src : Source Network or IP -dst : Destination Network or IP -srv : Service = Defined in classes for advanced layer 4 7 matching -rs : Report Status <1 = Enabled, 2 = Disabled Default> -if : ICMP Flags For this lab configure the following:
acl modified-policies create BlockICMP -i 1 pr 3 ac 2 rs 1 if Echo

11. Activate Latest Changes acl update-policies set 1

300-101: DefensePro Level 1 Lab Manual

| Page 133

Testing ACL
12. From the attacking PC, send a flood attack to the target computer (Network Attacks Floods Single Source ICMP Echo Request Flood 27.1.#.100) or simply set up a continuous ping (-t) to the target server. You should not get a response from the target PC. 13. From the CLI, you should see traps indicating that the packet has been blocked:
17-08-2010 21:04:24 WARNING 744 Stateful ACL "ICMP session dropped" ICMP 27.1.1.10 0 27.1.1.100 0 1 Regular "Default" occur 1 0 0 0 N/A high drop

14. You can review this messages also in Security Monitoring > Current Attacks or Security Dashboard 15. Stop the ping from the attacking host. 16. Before you continue with the next lab disable ACL again and enable BWM (including reboot)

300-101: DefensePro Level 1 Lab Manual

| Page 134

Appendix-A Install APSolute Vision Client

Go back to Table of Content Lab Goals: Install the APSolute Vision client.

Step By Step: 1. Check the actual Installation and Maintenance Guide for the pre-requirements (Chapter 3 Installing the APSolute Vision Client). 2. Open your browser and enter the IP address of the APSolute Vision server. (10.10.240.10). 3. An Authentication Required dialog box is displayed. 4. Use the following information: a. Username b. Password visionweb radware

5. You will see the following web site:

6. Click the Download Client icon 7. Save the EXE file to a directory on your hard drive 8. Start the EXE file and follow the instructions, enter the appropriate information and accept the terms of the license agreement.

300-101: DefensePro Level 1 Lab Manual

| Page 135

Forcepoint NGFW 7.0 Administrator Lab Guide
No ratings yet
Forcepoint NGFW 7.0 Administrator Lab Guide
138 pages
Trend Vision One XDR Advanced - Lab Guide - V1 3
No ratings yet
Trend Vision One XDR Advanced - Lab Guide - V1 3
7 pages
Claroty Edge v1.4.15 Reference Guide 20230720
100% (1)
Claroty Edge v1.4.15 Reference Guide 20230720
10 pages
500-101 27.0 12 Alteon Level1 TrainingManual
0% (1)
500-101 27.0 12 Alteon Level1 TrainingManual
116 pages
Blockchain Unconfirmed Transaction Hack Script
No ratings yet
Blockchain Unconfirmed Transaction Hack Script
4 pages
A10 5.2.1-P3 Aflex
No ratings yet
A10 5.2.1-P3 Aflex
536 pages
156-215 80 PDF
100% (1)
156-215 80 PDF
77 pages
BCCPP Student v341 Us WMK PDF
No ratings yet
BCCPP Student v341 Us WMK PDF
334 pages
CP R80.20 GA CLI ReferenceGuide
No ratings yet
CP R80.20 GA CLI ReferenceGuide
1,146 pages
Intro Checkpoint Firewall PDF
No ratings yet
Intro Checkpoint Firewall PDF
79 pages
Sicap 300-101 Defense Pro Level 1
No ratings yet
Sicap 300-101 Defense Pro Level 1
3 pages
Kaspersky security center
From Everand
Kaspersky security center
Mohammed Haytham Khabbaz samkary
No ratings yet
156 915.80 Premium
100% (1)
156 915.80 Premium
108 pages
CCSA Class Slides
No ratings yet
CCSA Class Slides
285 pages
Ccsar80 Theory
No ratings yet
Ccsar80 Theory
271 pages
SEC201.2 Linux Fundamentals
No ratings yet
SEC201.2 Linux Fundamentals
213 pages
Check Point User Center - SMS - License
No ratings yet
Check Point User Center - SMS - License
2 pages
Palo Alto Networks Edu-210: Document Version
100% (1)
Palo Alto Networks Edu-210: Document Version
31 pages
Day1-01-CCSBA-Introduction and Overview-V7.3-169
No ratings yet
Day1-01-CCSBA-Introduction and Overview-V7.3-169
56 pages
ACE 2.1.1 - Lab Guide - HPE Trainers
No ratings yet
ACE 2.1.1 - Lab Guide - HPE Trainers
124 pages
Radware Certainty Support Guide
No ratings yet
Radware Certainty Support Guide
56 pages
CIS Azure Kubernetes Service (AKS) v1.4.0 PDF
100% (1)
CIS Azure Kubernetes Service (AKS) v1.4.0 PDF
160 pages
Reference Solution For Checkpoint - Certkiller.156-215.80.v2020-06-04.by - Venla.131q.vce
No ratings yet
Reference Solution For Checkpoint - Certkiller.156-215.80.v2020-06-04.by - Venla.131q.vce
4 pages
Low Latency Performance Tuning For Red Hat Enterprise Linux 7
No ratings yet
Low Latency Performance Tuning For Red Hat Enterprise Linux 7
31 pages
CP R81 LoggingAndMonitoring AdminGuide
No ratings yet
CP R81 LoggingAndMonitoring AdminGuide
214 pages
Palo Alto Networks VMware Workstation 10.0 Academy Lab Deployment Guide
No ratings yet
Palo Alto Networks VMware Workstation 10.0 Academy Lab Deployment Guide
36 pages
Low-Level Design Report
No ratings yet
Low-Level Design Report
4 pages
Documentation
No ratings yet
Documentation
408 pages
Alteon Application Switch Level 1 Course 500-101 PDF
No ratings yet
Alteon Application Switch Level 1 Course 500-101 PDF
116 pages
Deploying Highly Available AD FS 3.0 Solution in Windows Azure For Single Sign-On With Office365
No ratings yet
Deploying Highly Available AD FS 3.0 Solution in Windows Azure For Single Sign-On With Office365
199 pages
UTD-SASE-2.1 Workshop Guide-20231026
No ratings yet
UTD-SASE-2.1 Workshop Guide-20231026
109 pages
CCSA 156-215.80-512Q (2020feb06 Revised)
100% (1)
CCSA 156-215.80-512Q (2020feb06 Revised)
230 pages
AAC-008-1 v2 WMK PDF
100% (1)
AAC-008-1 v2 WMK PDF
225 pages
CNS 222 3I en StudentManual 1 3 Days v01
No ratings yet
CNS 222 3I en StudentManual 1 3 Days v01
611 pages
Pse Strata P Studyguide
No ratings yet
Pse Strata P Studyguide
124 pages
EDU 110 80a Lab Guide
No ratings yet
EDU 110 80a Lab Guide
153 pages
Datasheet Training DLP System Engineer en
100% (1)
Datasheet Training DLP System Engineer en
7 pages
R80 Student Manual + OCR
100% (1)
R80 Student Manual + OCR
256 pages
Radware Installation and Maintenance Guide-Feb-2011
No ratings yet
Radware Installation and Maintenance Guide-Feb-2011
115 pages
CIS Palo Alto Firewall 10 Benchmark v1.1.0
No ratings yet
CIS Palo Alto Firewall 10 Benchmark v1.1.0
210 pages
Pcnsa Study Guide PDF
No ratings yet
Pcnsa Study Guide PDF
181 pages
CCTA R80 Lab Setup Guide
No ratings yet
CCTA R80 Lab Setup Guide
27 pages
An Overview of Trend Micro Deep Security Solution Components
No ratings yet
An Overview of Trend Micro Deep Security Solution Components
7 pages
Trustwave TPP Palo Alto Next Generation Firewall Deployment Service
No ratings yet
Trustwave TPP Palo Alto Next Generation Firewall Deployment Service
9 pages
Panorama Admin
No ratings yet
Panorama Admin
684 pages
Mastering Netscaler VPX: Learn how to deploy and configure all the available Citrix NetScaler features with the best practices and techniques you need to know
From Everand
Mastering Netscaler VPX: Learn how to deploy and configure all the available Citrix NetScaler features with the best practices and techniques you need to know
Marius Sandbu
No ratings yet
85DSR2008 Lab G1
No ratings yet
85DSR2008 Lab G1
476 pages
PCCSE Study Guide
No ratings yet
PCCSE Study Guide
119 pages
Trend Micro TippingPoint NX-Platform Best Practices Guide
No ratings yet
Trend Micro TippingPoint NX-Platform Best Practices Guide
55 pages
Checkpoint (CCSA-NGX) Course Details
No ratings yet
Checkpoint (CCSA-NGX) Course Details
16 pages
AlteonOS 30.1.0 AppShape++ Ref
No ratings yet
AlteonOS 30.1.0 AppShape++ Ref
215 pages
Microsoft 70-744 203q
No ratings yet
Microsoft 70-744 203q
166 pages
SEC201.1 Computing Fundamentals
No ratings yet
SEC201.1 Computing Fundamentals
187 pages
TCSE Fundamentals R19-1 Exercise Book
100% (1)
TCSE Fundamentals R19-1 Exercise Book
76 pages
Cisco APIC Python API Documentation
100% (1)
Cisco APIC Python API Documentation
93 pages
Advanced Networking Best Practices With Azure ExpressRoute
No ratings yet
Advanced Networking Best Practices With Azure ExpressRoute
36 pages
Ccsa - 156-215.80 V18.75
No ratings yet
Ccsa - 156-215.80 V18.75
142 pages
ONTAP 90 Network Management Guide
No ratings yet
ONTAP 90 Network Management Guide
154 pages
Trend Micro TippingPoint Security Management System (SMS) High Availability Troubleshooting and Best Practices
No ratings yet
Trend Micro TippingPoint Security Management System (SMS) High Availability Troubleshooting and Best Practices
14 pages
Multivalue Fields - Lab Guide: Index Type Sourcetype Interesting Fields
No ratings yet
Multivalue Fields - Lab Guide: Index Type Sourcetype Interesting Fields
17 pages
Palo Alto Networks Cortex XDR Prevention and Deployment (Z-Library)
No ratings yet
Palo Alto Networks Cortex XDR Prevention and Deployment (Z-Library)
595 pages
JRE-12.b SG
No ratings yet
JRE-12.b SG
174 pages
VMware vSphere Troubleshooting
From Everand
VMware vSphere Troubleshooting
Munir Muhammad Zeeshan
No ratings yet
Horus h59 Reticle Technical Specs
No ratings yet
Horus h59 Reticle Technical Specs
5 pages
Welcome To The
No ratings yet
Welcome To The
49 pages
Delta
No ratings yet
Delta
99 pages
Perception of Music and Dimensional Complexity of Brain Activity
100% (1)
Perception of Music and Dimensional Complexity of Brain Activity
14 pages
Why I Am A Pagan
No ratings yet
Why I Am A Pagan
4 pages
Diamond Build Champion
No ratings yet
Diamond Build Champion
33 pages
Julius Evola Meditation On The Peaks Mountain Climbing As Metaphor For The Spiritual Quest PDF
No ratings yet
Julius Evola Meditation On The Peaks Mountain Climbing As Metaphor For The Spiritual Quest PDF
69 pages
Ts 10039401v020301p
No ratings yet
Ts 10039401v020301p
118 pages
Etsi TS 100 220-1
No ratings yet
Etsi TS 100 220-1
8 pages
Etsi TS 100 396-4
No ratings yet
Etsi TS 100 396-4
104 pages
2017 Blank Weekly Calendar: Sunday Monday Tuesday Wednesday Thursday Friday Saturday
No ratings yet
2017 Blank Weekly Calendar: Sunday Monday Tuesday Wednesday Thursday Friday Saturday
3 pages
ETSI EN 300 058-4: Final Draft V1.3.1
No ratings yet
ETSI EN 300 058-4: Final Draft V1.3.1
22 pages
ETSI EN 300 093-4: Final Draft V1.3.1
No ratings yet
ETSI EN 300 093-4: Final Draft V1.3.1
19 pages
ETSI EN 300 019-1-3: Final Draft V2.1.0
No ratings yet
ETSI EN 300 019-1-3: Final Draft V2.1.0
19 pages
ETSI EN 300 009-2: Final Draft V1.4.1
No ratings yet
ETSI EN 300 009-2: Final Draft V1.4.1
24 pages
ETSI EN 300 092-6: Final Draft V1.4.1
No ratings yet
ETSI EN 300 092-6: Final Draft V1.4.1
26 pages
ETSI EN 300 092-4: Final Draft V1.3.1
No ratings yet
ETSI EN 300 092-4: Final Draft V1.3.1
24 pages
ETSI EG 202 009-3: Final Draft V1.1.0
No ratings yet
ETSI EG 202 009-3: Final Draft V1.1.0
25 pages
ETSI EN 300 052-4: Final Draft V1.3.1
No ratings yet
ETSI EN 300 052-4: Final Draft V1.3.1
22 pages
ETSI EG 201 936: Final Draft V1.1.1
No ratings yet
ETSI EG 201 936: Final Draft V1.1.1
36 pages
TL-WA501G and TL-WA901N Settings For 2wire Modem Router
No ratings yet
TL-WA501G and TL-WA901N Settings For 2wire Modem Router
8 pages
V1 - 7750 SR Os Radius Attributes Reference Guide 12.0R1
No ratings yet
V1 - 7750 SR Os Radius Attributes Reference Guide 12.0R1
212 pages
DGS 1510 ME Series CLI Reference Guide R1!10!57f21656426c8
No ratings yet
DGS 1510 ME Series CLI Reference Guide R1!10!57f21656426c8
718 pages
Network Security v2.0.0
No ratings yet
Network Security v2.0.0
56 pages
BPS UserGuide 8.10
No ratings yet
BPS UserGuide 8.10
1,827 pages
TP 6 RESEAU ASA
No ratings yet
TP 6 RESEAU ASA
19 pages
A TC3844 5 Ethernet Over OC3 Datasheet
No ratings yet
A TC3844 5 Ethernet Over OC3 Datasheet
2 pages
Tp-Link: Jetstream 24-Port Gigabit Smart Poe+ Switch With 4 SFP Slots
No ratings yet
Tp-Link: Jetstream 24-Port Gigabit Smart Poe+ Switch With 4 SFP Slots
5 pages
Java Network Programming
100% (1)
Java Network Programming
17 pages
PTP 850 User Guide - PHN 4969 - 000v001
No ratings yet
PTP 850 User Guide - PHN 4969 - 000v001
560 pages
CN FINAL Practical - File
No ratings yet
CN FINAL Practical - File
45 pages
TCP VS Udp
No ratings yet
TCP VS Udp
3 pages
Hillstone E-2000 Series en
No ratings yet
Hillstone E-2000 Series en
4 pages
ZXA10 C220: Configuration Manual (CLI)
No ratings yet
ZXA10 C220: Configuration Manual (CLI)
190 pages
SNMP / Web Manager: Features
No ratings yet
SNMP / Web Manager: Features
4 pages
3HE09388AAAATQZZA - V1 - 7750 SR OS GX AVPs Reference Guide PDF
No ratings yet
3HE09388AAAATQZZA - V1 - 7750 SR OS GX AVPs Reference Guide PDF
66 pages
Mediant Software SBC Users Manual Ver 72
No ratings yet
Mediant Software SBC Users Manual Ver 72
1,394 pages
Cisco Examcollection 200-901 Vce Download 2022-Nov-04 by Rory 182q Vce
No ratings yet
Cisco Examcollection 200-901 Vce Download 2022-Nov-04 by Rory 182q Vce
11 pages
BRKUCC-2932
No ratings yet
BRKUCC-2932
155 pages
أمثلة على طريقة أسئلة اختبار النظم الموزعة
No ratings yet
أمثلة على طريقة أسئلة اختبار النظم الموزعة
2 pages
Essential Ports for DevOps Engineers
No ratings yet
Essential Ports for DevOps Engineers
4 pages
Bind9 - Debian Wiki
No ratings yet
Bind9 - Debian Wiki
3 pages
10 - Project Report - Merged
No ratings yet
10 - Project Report - Merged
25 pages
Product Sheet WAP 5836
No ratings yet
Product Sheet WAP 5836
2 pages
Lab - 07 - Cisco Packet Tracer
No ratings yet
Lab - 07 - Cisco Packet Tracer
3 pages
Sd9368-Ehldatasheet en
No ratings yet
Sd9368-Ehldatasheet en
3 pages
Unit 4 Network Security: C Tgs KC Tgs
No ratings yet
Unit 4 Network Security: C Tgs KC Tgs
30 pages