HP ProCurve 5372xl Supplementary Guide - Page 18

connections to new computers, but instead is more likely to connect regularly to the same set of
computers. This is in contrast to the fundamental behavior of a rapidly spreading worm, which
attempts many outgoing connections to new computers. For example, while computers
normally make approximately one connection per second, the SQL Slammer worm tries to infect
more than 800 computers per second.
Virus-throttling works by intercepting IP-routed connection requests, that is, connections that
cross VLAN boundaries, where the source subnet and the destination subnet differ. The
virus throttle tracks the number of connections each host has made recently. If a new, intercepted request
is to a destination to which that host recently connected, the request is processed as normal.
If the request is to a destination that has not had a recent connection, the request is processed
only if the number of recent connections is below a pre-set threshold. The threshold specifies
how many connections are allowed over a set amount of time, thereby enforcing a
connection rate limit. If the threshold is exceeded because requests are arriving at an
unusually high rate, this is taken as evidence of a virus: the throttle stops processing the
requests and instead notifies the system administrator.
This applies to most common layer 4-7 session and application protocols, including TCP
connections, UDP packets, SMTP, IMAP, Web Proxy, HTTP, SSL, and DNS, that is, virtually any protocol
whose normal traffic does not resemble a spreading virus. For virus-throttling to work, IP
routing and multiple VLANs with member ports must first be configured.
(Some protocols, such as NetBIOS and WINS, and some applications, such as network
management scanners, notification services, and p2p file sharing, are not appropriate for virus-
throttling, because they legitimately initiate a broad burst of connections to many hosts that the
virus-throttling technology could misinterpret as a threat.)
In the 5300xl Switch Series, virus throttling is implemented through connection-rate filtering. When
connection-rate filtering is enabled on a port, the inbound routed traffic is monitored for a
high rate of connection requests from any given host on the port. If a host appears to exhibit
the worm-like behavior of attempting to establish a large number of outbound IP connections
to distinct destination addresses (DAs) in a short period of time, the switch responds depending on how
connection-rate filtering is configured.
Response options
The response behavior of connection-rate filtering is adjusted with the filtering options.
When worm-like behavior is detected, the connection-rate filter can respond to the threat on
the port by:
Notify only of potential attack: While the apparent attack continues, the switch generates
an Event Log notice identifying the offending host source address (SA) and (if a trap receiver
is configured on the switch) a similar SNMP trap notice.
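The detection logic described above (intercept only routed, cross-VLAN requests; let a host reconnect freely to destinations it contacted recently; count only new destinations against a threshold within a time window; on exceeding it, raise an Event Log notice and, when a trap receiver is configured, an SNMP trap) as a small simulation. This is an added example, not HP's firmware or code: the VLAN subnets, the threshold and window values, the trap receiver address, the traffic, and the notice format are all constructed assumptions, and the "notify only" response is modelled by continuing to process the request while recording the notice.

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed VLAN subnets for the three VLANs of Figure 3 (assumed addressing).
VLANS = {
    "VLAN 1": ip_network("10.1.0.0/16"),
    "VLAN 2": ip_network("10.2.0.0/16"),
    "VLAN 3": ip_network("10.3.0.0/16"),
}


class ConnectionRateFilter:
    """Per-source tracker of recently made routed connection requests.

    threshold: how many distinct *new* destinations a host may reach within
               `window` seconds before its behaviour is treated as worm-like.
               Both values are illustrative assumptions, not HP defaults.
    trap_receiver: if set, a trap notice accompanies each Event Log notice
               (the page only says a trap is sent when a receiver is
               configured; the address used below is a constructed example).
    """

    def __init__(self, vlans, threshold, window, trap_receiver=None):
        self.vlans = vlans
        self.threshold = threshold
        self.window = window
        self.trap_receiver = trap_receiver
        self.recent = {}        # src -> deque of (time, dst) inside the window
        self.last_notice = {}   # src -> time of last notice (avoid flooding)
        self.event_log = []
        self.traps = []

    def vlan_of(self, addr):
        a = ip_address(addr)
        for name, net in self.vlans.items():
            if a in net:
                return name
        return None

    def is_routed(self, src, dst):
        """True when the request crosses a VLAN boundary (source and destination
        subnets differ); only such requests are intercepted by the throttle."""
        s, d = self.vlan_of(src), self.vlan_of(dst)
        return s is not None and d is not None and s != d

    def _notify(self, t, src):
        # One notice per source per window; notify-only keeps forwarding traffic.
        last = self.last_notice.get(src)
        if last is not None and t - last <= self.window:
            return
        self.last_notice[src] = t
        msg = (f"t={t:.2f}s possible worm-like behaviour from SA {src}: "
               f"more than {self.threshold} new destinations in {self.window}s")
        self.event_log.append(msg)
        if self.trap_receiver is not None:
            self.traps.append((self.trap_receiver, msg))

    def handle(self, t, src, dst):
        """Classify one connection request made at time t (seconds)."""
        if not self.is_routed(src, dst):
            return "switched"           # intra-VLAN traffic is not inspected
        q = self.recent.setdefault(src, deque())
        while q and t - q[0][0] > self.window:
            q.popleft()                 # forget connections outside the window
        recent_dsts = {d for _, d in q}
        if dst in recent_dsts:
            q.append((t, dst))
            return "allowed-recent"     # known destination: processed as normal
        if len(recent_dsts) < self.threshold:
            q.append((t, dst))
            return "allowed-new"        # new destination, still under the rate
        self._notify(t, src)
        return "notify"                 # over threshold: flagged, not recorded


def simulate():
    """Constructed traffic: a well-behaved client on VLAN 1 and a worm-like host
    on VLAN 3, both reaching servers on VLAN 2. Returns verdict counts and notices."""
    f = ConnectionRateFilter(VLANS, threshold=5, window=10.0,
                             trap_receiver="10.1.0.250")  # assumed trap receiver
    counts = {}
    servers = ["10.2.0.1", "10.2.0.2", "10.2.0.3"]
    # Normal client: about one connection per second to the same three servers.
    for t in range(12):
        v = f.handle(float(t), "10.1.0.10", servers[t % 3])
        counts[v] = counts.get(v, 0) + 1
    # Infected host: 20 new destinations within 0.2 s, then one intra-VLAN request.
    for k in range(1, 21):
        v = f.handle(5.0 + k * 0.01, "10.3.0.7", f"10.2.1.{k}")
        counts[v] = counts.get(v, 0) + 1
    v = f.handle(5.5, "10.3.0.7", "10.3.0.9")
    counts[v] = counts.get(v, 0) + 1
    return {"counts": counts, "event_log": f.event_log, "traps": f.traps}


if __name__ == "__main__":
    result = simulate()
    print(result["counts"])
    for line in result["event_log"]:
        print(line)
```

In the simulation the client that cycles between three servers is never flagged, because after its first three connections every request is to a recently contacted destination, while the host sweeping a neighbouring subnet is flagged on its sixth new destination and produces a single notice for the whole burst. The same structure explains the caveat about scanners and p2p clients: they open many new destinations legitimately and would be flagged by exactly this rule.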
Figure 3. Throttling virus movements across VLANs (figure: a 5300xl with routing configured connects VLAN 1, VLAN 2 and VLAN 3, with hosts A, B, C and D; devices on VLAN 3 are infected with worm-like malicious code; networked servers; intranet)