300-101 DP Training 6-00 Level1 Manual v4

Upload: thomas-mpourtzalas

Post on 19-Oct-2015

  • Course Code: 300-101

    DefensePro Level1

    Training Manual

    February, 2012

  • 300-101: DefensePro Level 1 Lab Manual | Page 2

    Radware 2011. All rights reserved. Distribution of this document needs approval from Radware Knowledge & Education Services.

    This document is protected by United States and International copyright laws. Neither this document nor any material contained within it may be duplicated, copied or reproduced, in whole or part, without the expressed written consent of Radware, Inc.

    The features and functions of Radware devices discussed in this document are based on the following firmware version.

    Product            Version
    DefensePro         6.00.x
    APSolute Vision    1.12

    If your Radware device is running an older version of firmware or if you are using an older version of APSolute Vision, some of the features and implementations discussed in this manual may not be available.

    To upgrade your existing Radware device, please contact your Radware sales person.

    Conventions

    The following font conventions are used in this manual:

    Bold indicates the series of menu items in APSolute Vision used to reach a particular screen or window

    Underline indicates an option or entry within an APSolute Vision screen or window

    Italics indicates the value or setting supplied in a window or screen

    Courier indicates CLI or telnet commands


    Table of Contents

    Lab Configuration Information ........................................ 5

    Lab 1a - Initial DefensePro Setup .................................... 6

    Lab 1b - Connecting to your DefensePro using APSolute Vision ......... 12

    Lab 2 - Administering DefensePro ..................................... 19

    Lab 3 - Behavioral DoS Protection .................................... 24

    Lab 4 - Worm Propagation Prevention & Anti-Scanning .................. 36

    Lab 5 - SYN Flood Protection ......................................... 40

    Lab 6 - Connection Limits ............................................ 42

    Lab 7 - Server Cracking Protection ................................... 45

    Lab 8 - HTTP Mitigator Protection .................................... 49

    Lab 9 - Signature Protection ......................................... 53

    Lab 10 - Building a Custom Signature ................................. 59

    Lab 11 - Policy Exceptions (Black & White lists) ..................... 63

    Lab 12 - Stateful Access List (ACL) .................................. 67

    Lab 13 - Bandwidth Management ........................................ 71

    Lab 14 - APSolute Vision Reporter .................................... 75

    Lab 1b CLI - Configuring the DefensePro using APSolute Vision for attack reporting ... 79

    Lab 2 CLI - Administering DefensePro in CLI .......................... 84

    Lab 3 CLI - Behavioral DoS Protection ................................ 87

    Lab 4 CLI - Worm Propagation Prevention & Anti-Scanning .............. 100

    Lab 5 CLI - SYN Flood Protection ..................................... 104

    Lab 6 CLI - Connection Limits ........................................ 107

    Lab 7 CLI - Server Cracking Protection ............................... 110

    Lab 8 CLI - HTTP Mitigator Protection ................................ 113

    Lab 9 CLI - Signature Protection ..................................... 117

    Lab 10 CLI - Building a Custom Signature ............................. 123

    Lab 11 CLI - Policy Exceptions (Black & White lists) ................. 128

    Lab 12 CLI - Stateful Access List (ACL) .............................. 132

    Appendix-A Install APSolute Vision Client ............................ 135


    Lab Configuration Information

    During the training, students are divided into teams (Team 1, Team 2, etc.) and each team will configure and manage a single Radware device. The steps and diagrams within the training material are based on this type of lab setup.

    In some situations, your instructor may have to deviate from the standard configuration to accommodate more students or to account for less available time.

    The labs in this manual are designed to demonstrate the more commonly used features and functions of Radware's DefensePro. There are a great number of features on all Radware devices, and it would be impossible to provide labs for all of them without increasing the training period to several weeks.

    Each lab contains step-by-step instructions on how to configure the device correctly using APSolute Vision. These steps are illustrative only and are usually based only on the configuration of one device in the training lab.

    Pay close attention to the tables and charts within the lab instructions. You will be expected to apply the appropriate settings for your device only. It will make for a particularly long day for you (and your instructor) if several students mistakenly use addresses and settings that belong to other students.

    If you have any questions about how to configure your Radware device during a particular lab, please ask your instructor for assistance.

    Figure 1 Team # Lab Configuration


    Lab 1a Initial DefensePro Setup


    Lab Goals:

    Establish a serial connection to the device (in this lab the connection is already configured on the terminal server; you will telnet to the port given in class)

    Apply the required minimum settings through the Startup Menu to allow APSolute Vision connectivity

    Configure and test SSH access

    Configure and test Secured Web Based Management

    Review the various options and settings available through the initial command line menu


    Step-by-step:

    1. Review your topology on page 4 (Note: # = Team number). If you have any questions, please ask your instructor.

    2. Connect to your device with the information your instructor provided at the start of the lab exercises.

    3. Follow the steps below to reset the device to factory defaults:

    a. Press the Enter key a few times and make sure you get a DefensePro> prompt.

    b. Log in with the default user name and password (radware).

    c. From the DefensePro# prompt type reboot and hit Enter.

    d. When the device begins to boot up, you will see a message that says "Press any key to pause autoboot".

    e. Press any key on the keyboard (you have 3 seconds to do this).

    f. From the > prompt type q1 and press Enter.

    g. At the prompt "This action removes configuration file. Do you want to continue (y/n) ?" press y.

    h. When the erase configuration completes and the > prompt comes back, type @ and press Enter.

    The device will be reset to factory defaults and the Startup Configuration screen will come up.

    Startup Configuration

    0. IP address

    1. IP subnet mask

    2. Default router IP address

    3. User Name

    4. User Password

    5. Enable Web Access (y/n) [n]

    6. Enable Secure Web Access (y/n) [n]

    7. Enable Telnet Access (y/n) [n]

    8. Enable SSH Access (y/n) [n]

    9. SNMP Configuration

    4. Assign the following values for management of the DefensePro:

    0. IP address = 10.10.244.#

    1. IP subnet mask = 255.255.248.0

    2. Port number = MNG-1

    3. Default router IP address = 10.10.240.1

    For ALL other values press Enter to use the default settings!

    Note: # = team number


    5. You cannot go back to a previous menu item if you made a mistake. You must enter all items and then, at the end, select Y then N to go back to the start.

    6. When you hit Enter at the SNMP Configuration option, a new window will appear with additional settings for SNMP:

    SNMP Startup Configuration

    0. Supported SNMP versions [1 2 3]

    1. Community [public]

    2. SNMP root user

    3. Privacy Protocol (NONE/DES) [DES]

    4. Privacy Password

    5. Authentication Protocol (NONE/SHA/MD5) [MD5]

    6. Authentication Password

    7. NMS IP address

    8. Configuration file name

    7. Please leave everything at the default by hitting Enter for each item to apply the default settings, so that your instructor can access the device during training.

    Continue with the current configuration (y/n): y

    8. If your configuration is correct, select y and hit Enter. The device will reboot and you should be able to connect to it with APSolute Vision in the next lab.

    9. If you have made a mistake, select n and then hit Enter to reach the desired line and make whatever changes are necessary.

    10. When the device has finished restarting, you will have to log in to the unit by typing: login.

    Unless you changed the username and password during the initial configuration, you should be able to use radware for both the username and password.

    11. When you have logged in, use the question mark (?) to display the commands.


    12. You should see a list of commands similar to the one below:

    acl Access control list

    bwm Policy management and classification

    classes Configures traffic attributes used for classification

    device Device Settings

    dp DefencePro Security settings

    help Displays help for the specified command

    login Login into the device

    logout Logout of the device

    manage Device management configuration

    net Network configuration

    ping Pings a remote host.

    reboot Reboot the device

    security Device Security

    services General networking services

    shutdown Shutdown

    ssh Connect via SSH to a remote host.

    statistics Device statistics configuration.

    system Sets system parameters.

    telnet Connects to a remote host via telnet.

    trace-route Measures hops and latency to a given destination.

    DefensePro#

    13. Use the command net ip-interface to make sure the unit shows the appropriate interface address.

    14. From the command line, ping the default gateway address 10.10.240.1. Then ping the IP address of the APSolute Vision server 10.10.240.10 to make sure you have basic network connectivity. Let your instructor know if you are unable to reach either of these hosts.

    15. Take a look at some of the CLI commands available. Feel free to ask your instructor questions about these functions, but bear in mind that almost all of the commands available here will be accessible through APSolute Vision.

    Note: As a general rule, you will find it helpful to leave your workstations connected to the DefensePro through the CLI for the duration of the labs. There are a number of traps and error messages that the device will generate through the CLI, and these can be useful for troubleshooting.


    16. Enable SSH from the Command Line Interface:

    manage ssh status set 1 (1=enable, 2=disable)

    17. Create a username and password so that you can access the device through Telnet, or use the default username and password of radware:

    manage user table create team# -pw team#

    Use your team's number (#) for the username and password.

    18. Change the prompt of the CLI to show your Team#

    manage terminal prompt set DP-Team#

    19. Open an SSH session to your device from the VNC station using PuTTY and the management IP, and supply the appropriate username and password. Type ? and then hit the Enter key. You should see a list of commands identical to those displayed through the CLI.

    20. Enable Web Based Management. From the CLI or from your Telnet connection, enter the following command (Secure Web is also supported):

    manage web status set enable

    21. You can now open a browser from your workstation (not the VNC Station) to http://<lab hostname>:<port> (ports 9201 to 9212).

    For example, students of Team 1 using the NJ LAB use: http://njlab1.radware.net:9201

    22. You should be prompted for a username and password. Use the username and password that you created.

    23. Enable NTP time synchronization for accurate reporting:

    services ntp server-name set 10.10.240.1

    services ntp status set enable


    Enabled Features

    By default all the needed features are enabled. To verify, type the commands below; the status for each feature should show as enable.

    Application Security:

    dp signatures-protection application-security global status

    Packet Reporting:

    dp reporting packet-report status

    DOS Shield:

    dp signatures-protection dos-shield global status

    Session Table:

    device session-table status

    SYN Protection:

    dp syn-protection status

    Behavioral DoS:

    dp behavioral-DoS global status

    Anti Scanning:

    dp anti-scanning global status

    HTTP Mitigator:

    dp http-mitigator global status


    Lab 1b - Connecting to your DefensePro using APSolute Vision


    To manage a Radware device using APSolute Vision, please follow the steps below:

    1. For your convenience, the classroom central APSolute Vision device is already setup.

    2. You need to install the APSolute Vision client; please refer to Appendix-A Installing the APSolute Vision Client.

    3. Start APSolute Vision using the icon (Desktop or Start Menu).

    4. In the login screen type in the following information and click on Login:

    User Name: DP-Team# (where # is your team number)

    Password: radware

    Vision Server: vision.radware.muc (in Munich) or 10.10.240.10 (in the USA)

    Authentication: Local


    5. After a few seconds, the main APSolute Vision window appears:

    6. If your device is not visible (please do not delete your device if it IS visible), right-click on Default in the System window and select New > DefensePro.

    7. In the Edit Device Connection Information window you only need to fill in the Name of the device and the Management IP; for the rest we use the defaults in our training.

    Name: DefensePro Team # (where # is your team number)

    Management IP: 10.10.244.#

    Note: If you're facing problems connecting to your device, contact your instructor.

    8. Click OK, APSolute Vision will now connect to the device.


    9. Right-click on the DP and select Lock.

    The DP logo should show a lock now:

    NOTE: This feature will prevent anyone else from making configuration changes during your session.


    Enabling Security Reporting

    1. You will find the Security Reporting settings at Configuration perspective > Advanced Parameters > Security Reporting Settings.

    2. Click the Security Reporting Settings in the tab navigation pane. The setting appears on the right part of the content area.

    3. In order to receive security traps in the CLI, place a check-mark in the box beside Enable Sending Terminal Echo (enable it).

    4. In order to send security traps to a Syslog server, place a check-mark in the box beside Enable Sending Syslog (enable it).

    5. Make sure the Enable Sending Traps is checked.

    6. Make sure that at the Data Reporting Destination the IP of the Vision appliance (10.10.240.10) is added. Use a right mouse click or the button.

    7. Make sure the following are set:

    a. Minimal Risk for Sending Traps: Info

    b. Minimal Risk for Sending Syslog: Info

    c. Minimal Risk for Sending Terminal Echo: Info

    d. Minimal Risk for Sending Email: Info


    8. Make sure that in the Data Reporting Destinations section the Vision appliance is listed as the target:

    9. Click the submit button to apply your changes.

    10. Go to Configuration > Device Security > SNMP > Target Address and add an entry to send SNMP traps to the Vision server.

    Press the button and make sure the following are set:

    a. Name: Vision

    b. IP Address and L4 Port: 10.10.240.10-162

    c. Mask: 0.0.0.0

    d. Tag list: v3Traps

    e. Target Parameters Name: public-v1

    Modifying Classes

    Port Groups:

    1. Go to Configuration perspective > Classes > Modify Configuration > Physical Ports and click the button.

    2. For the Physical Ports Group Name use G1-Inbound and select Inbound Port G-1 in the drop-down menu.

    3. Click OK to add the port group.

    4. Click Activate Latest Changes


    Networks:

    5. Select the Networks folder under Modify Configuration

    6. Do a right click in the Network Name Table and select Add New Network

    7. In the Edit Network Entry window enter the Network Name protected and right-click in the table below to create a new Network Group.

    Fill in the following information:

    Entry Type: IP Mask

    Network Type: IPv4

    Network Address: 27.1.0.0

    Mask: 255.255.0.0

    Click OK to add the new entry and click Close to close the Edit Network Entry window.

    8. Click Activate Latest Changes in the Network window.

    Creating a Network Protection Rule

    9. Go to Configuration perspective > Network Protection and click the button.

    10. The Add New Network Protection Rule window appears.

    11. Name the policy in the Basic Parameters section.

    Rule Name: NWRule_Team#.

    12. In the Classification section select for SRC Network the predefined network any from the dropdown list.

    13. For the DST Network select protected from the dropdown list.

    14. Use the drop-down button next to Port Group to select the port group we created at the beginning of the lab and click OK.

    15. In the New Network Protection Rule window change the Direction to Two Way and click OK to close this window.


    16. Click Activate Latest Changes below the Network Protection Rule.

    17. Your Network Protection Rule table should look like this:


    Lab 2 Administering DefensePro


    Lab Goals:

    Enable and configure various options related to managing the DefensePro itself:

    1. Upgrade the device's software

    2. Security Update Service - Updating the Attack Database

    3. Downloading the device configuration file

    4. Updating the device's license

    5. Enabling Syslog reporting

    In most classes no new software or attack database is available; the next two sections are provided for reference.

    Most of this will be done in the Monitoring perspective if you do a right click on the device:


    Upgrade the device's software

    1. Obtain the new firmware file from your instructor along with a password for your device. [1]

    2. Right-click the device and select Manage Software Versions and the Software Upgrade window will open.

    3. Click the Browse button, and locate the new firmware file.

    4. In the Software Version section enter the new version number: for example 5.01.04

    5. In the Password section, enter the password for your specific unit and verify it in the Verify Password section.

    6. Click the Send button; this will perform the software update, including a reboot.

    7. You will get the following message:

    8. If you want to see what happens during the upgrade open a connection to the serial console of your device.

    [1] This may not be possible to perform in all lab environments, since your instructor will need access to the internet in order to generate a password for the unit.


    Security Update Service - Updating the Attack Database

    1. Right-click the device and select Update Security Signature and the Update Attack Signature File window will open.

    2. Select the source of the update:

    - Radware.com: will download the latest Vision version from the internet

    - Client: if you have downloaded the latest version already to your client

    3. Click the Send button to start the update process via the internet.

    4. You will get the following message:

    5. Review the Alert pane to see if the update has successfully finished.


    Download Device Configuration File

    1. Right-click the device and select Export Configuration File from Device and the Export Configuration File from Device window will open.

    2. Here you can select whether to save the configuration file on the APSolute Vision appliance or locally on your client machine, and the transport protocol.

    3. Click Save to save the configuration file with the suggested name on the appliance.

    4. You can again review the status of the process in the Alert pane.


    Updating the device's license

    1. Select the Configuration perspective and, in the Setup tab, select the License Upgrade menu item.

    2. Enter the new license in the New License Key or Throughput License Key field and click the Submit button to apply your changes:

    Note: If you add a new feature license you need to reboot the device to activate it. Throughput licenses are applied on the fly without a reboot.

    3. If a reboot was needed, once it has completed close all open windows and repeat steps 1-2 to see the new license active.

    Enabling Syslog Reporting

    1. Select the Configuration perspective and, in the Setup tab, select the Syslog menu item.

    2. Enable Syslog and use as the Server Address 192.168.150.253 (ask your instructor if you need to use a different syslog server and how to view the messages).

    3. Click the Submit button to apply your changes.


    Lab 3 Behavioral DoS Protection


    Lab Goals:

    Configure and monitor Behavioral DoS Protections

    Step By Step:

    1. The Behavioral DoS module should already have been enabled on your team's device. However, you should verify this before proceeding.

    2. Select the Configuration perspective and, in the Security Settings tab, select the BDoS Protection menu item.

    3. Make sure Enable BDos Protection and Enable Traffic Statistics Sampling are checked.

    4. Set the Learning Response Period to Day.

    5. Make sure the Footprint Strictness is set to Low.

    6. Click the Submit button to apply your changes.

    7. Go to the Network Protection tab and select BDoS Profiles.

    8. To create a new BDOS profile, click the Add button. The Add New BDoS Profile window appears.

    9. For the Profile Name, enter BDoS.

    10. Under Flood Protection Settings select all attacks to the profile by marking the check box in front of the attack name.

    11. Under the section for Bandwidth Settings, change the values for Inbound and Outbound to 5000.


    12. For testing purposes, we are going to modify the default Quota settings, since the device hasn't had time to learn any network traffic patterns.

    13. Make sure the Incoming and Outgoing TCP are set to 90.

    14. Make sure the Incoming and Outgoing UDP are set to 70.

    15. Change the Incoming and Outgoing ICMP values to 30.

    16. Change the Incoming and Outgoing IGMP to 38.

    17. Leave the Transparent Footprint Optimization unchecked.

    18. Click OK to close this window.

    19. In the menu tree of the Network Protection tab click on Network Protection Rules and double-click on the rule we defined in Lab 1b.

    20. In the Action Section select the BDoS Profile we have just created and press OK

    Note: You can also add a new BDoS Profile here by pressing the button.

    21. Press the button before you continue.


    Testing

    1. Connect to a prepared Attacker PC via VNC at <Remote Lab URL>:790# (password = team#)

    Note: please verify the URL of the Remote Lab you are using

    2. In the New VNC session you might need to hit any key (for example the down arrow) to see the screen, since the PC will disable the display after some time.

    3. Select Configure from the application main menu.

    4. Select Manual (select it by hitting the space key) and then hit OK.

    5. Enter IP address for the attacking PC: 27.1.#.10 ( # = Team-Number)

    6. Enter Subnet mask for the attacking PC: 255.255.255.0

    7. Enter Default Gateway: 27.1.#.100

    8. Select Back.

    TCP Flood Scenario

    1. On the Attacking PC, from the main Welcome Screen, select Network Attacks > Floods > Single Source TCP SYN Attack.

    2. Make sure the destination address is set to 27.1.#.100 (# = Team-Number) and click OK.

    3. Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:

    20-08-2010 14:45:12 WARNING 73 Behavioral-DoS "network flood IPv4 TCP-SYN" TCP 0.0.0.0 0 0.0.0.0 0 0 Regular "lab" start 0 0 0 0 N/A high drop

    20-08-2010 14:45:27 WARNING 73 Behavioral-DoS "network flood IPv4 TCP-SYN" TCP 27.1.1.10 31337 27.1.#.100 25 2 N/A "lab" sampled 1 0 0 0 N/A high drop

    20-08-2010 14:45:42 WARNING 73 Behavioral-DoS "network flood IPv4 TCP-SYN" TCP 27.1.1.10 31337 27.1.#.100 25 2 N/A "lab" ongoing 0 0 0 0 N/A high drop

    20-08-2010 14:45:52 WARNING 73 Behavioral-DoS "network flood IPv4 TCP-SYN" TCP 27.1.1.10 31337 27.1.#.100 25 2 N/A "lab" term 0 0 0 0 N/A high drop

    4. In APSolute Vision, select the Security Monitoring perspective and select your device in the Security Dashboard tab.


    5. You will see the Security Dashboard. If you move the mouse over the attack you will see more information.

    6. Select Current Attacks in the content area to see the actual attacks.

    7. Keep the filter on default and click the button

    8. To see more details on the attack double-click on it.

    Explanation

    From the Current Attacks table it can be seen that this is a TCP-SYN attack. The source address indicates a single source attack.

    The attack footprint can be seen in the attack details. It reveals the ingredients of the footprint: source-port, source IP and packet size.

    The general attack characteristics can be viewed in the lower table.

    The attack statistics will show the attack statistics table.

    The Attack Statistics Graph will show the graphical representation of the attack over time.


    If you like, you can also view the real-time Behavioral-DoS statistics during the attack by selecting the Protection Monitoring tab. Select Attack Traffic TCP (IPv4) in the tree menu and select the Protection Type TCP SYN.

    1. No Attack


    2. Attack is starting: footprint lookup phase

    3. Attack is ongoing: blocking phase


    4. Attack has finished


    UDP Flood Scenario

    1. On the Attacking PC, from the main Welcome Screen, select Network Attacks > Floods > Single Source > UDP Data Flood.

    2. Make sure the destination address is set to 27.1.#.100 (#=Team-Number) and click OK.

    3. Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:

    20-08-2010 15:13:17 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 Regular "lab" start 0 0 0 0 N/A high drop

    20-08-2010 15:10:57 WARNING 70 Behavioral-DoS "network flood IPv4 UDP" UDP 27.1.1.10 31337 27.1.#.100 135 2 N/A "lab" sampled 1 4 0 0 N/A high drop

    20-08-2010 15:10:57 WARNING 70 Behavioral-DoS "network flood IPv4 UDP" UDP 27.1.1.10 31337 27.1.#.100 135 2 N/A "lab" ongoing 0 0 0 0 N/A high drop

    20-08-2010 15:11:02 WARNING 71 Behavioral-DoS "network flood IPv4 UDP" UDP 27.1.1.10 31337 27.1.#.100 135 2 N/A "lab" term 0 0 0 0 N/A high drop

    4. In APSolute Vision, select the Security Monitoring perspective and the Current Attacks tab.

    5. Double click on the attack event.


    Explanation

    The attack type is UDP flood. Where the source address column shows 0.0.0.0 the trap does not pin the attack to one source address: the BDoS engine reports 0.0.0.0 in the start trap, before a footprint has been characterised, and whenever the footprint does not include a single source IP. Once the footprint is found, the sampled and ongoing traps carry the learned source (27.1.1.10 above).

    Note:

    If you monitor the target computer with a sniffer (Ethereal, now Wireshark), you see some UDP packets reach the target at first and then stop once the DP blocks the attack. The gap is the footprint lookup phase: the BDoS engine needs a few seconds of samples to characterise the attack before it can drop matching traffic.


    ICMP Flood

    1. On the Attacking PC, from the main Welcome Screen, select Network Attacks > Floods > Single Source > ICMP Echo Request Flood.

    2. Make sure the destination address is set to 27.1.#.100 ( # = Team-Number) and click OK.

    Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:

    20-08-2010 16:57:07 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 Regular "lab" start 0 0 0 0 N/A high drop

    20-08-2010 16:57:22 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 27.1.1.10 0 27.1.#.100 0 2 N/A "lab" sampled 1 4 0 0 N/A high drop

    20-08-2010 16:57:37 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 N/A "lab" ongoing 0 0 0 0 N/A high drop

    20-08-2010 16:57:47 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 N/A "lab" term 0 0 0 0 N/A high drop

    3. In APSolute Vision, select the Current Attacks tab.


    4. Double click on the attack event to see Attack Information.

    Explanation

    The attack type is ICMP flood. The start, ongoing and term traps carry 0.0.0.0 as source, but the sampled trap shows that the attack footprint (the blocking rule created by the BDoS engine) is composed of the source IP, 27.1.1.10 in this run. Compare the footprint with the SYN flood earlier in this lab, where the engine needed source port and packet size as well: the footprint is whatever combination of header fields separates the attack from the learned baseline, and it decides how precisely the drop rule fits.
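The trap lines printed throughout these labs share one positional layout, and their status field (start, sampled, ongoing, term) is the lifecycle the Protection Monitoring screens show. The following Python is an added example written for this page, not Radware code and not part of the original manual: it parses trap lines of that shape and summarises the lifecycle per attack ID over constructed sample traps modelled on those in Lab 3 and Lab 7 (team number 1 substituted for #). Only the positions of date, time, severity, attack ID, module, attack name, protocol, addresses, ports, policy, status, risk and action are read off the traps on this page; the labels given here to the two tokens after the destination port and to the counters after the status are assumptions.

```python
"""Parse DefensePro CLI trap lines (the shape shown in this lab) and
summarize the Behavioral-DoS lifecycle per attack ID.  Added example, not
Radware code; field labels marked 'assumed' are not taken from the lab."""
import shlex

# Phase names as used in the lab's Protection Monitoring screens; the
# label for "sampled" is an assumption (footprint found, traffic sampled).
PHASES = {
    "start": "footprint lookup",
    "sampled": "footprint characterised (assumed)",
    "ongoing": "blocking",
    "term": "finished",
    "occur": "single event (signature or ACL hit)",
}

# Constructed sample traps, modelled on the lab's traps (team number 1).
SAMPLE_TRAPS = [
    '20-08-2010 14:45:22 WARNING 73 Behavioral-DoS "network flood IPv4 TCP-SYN" '
    'TCP 0.0.0.0 0 0.0.0.0 0 0 Regular "lab" start 0 0 0 0 N/A high drop',
    '20-08-2010 14:45:37 WARNING 73 Behavioral-DoS "network flood IPv4 TCP-SYN" '
    'TCP 27.1.1.10 31337 27.1.1.100 25 2 N/A "lab" sampled 1 4 0 0 N/A high drop',
    '20-08-2010 14:45:37 WARNING 73 Behavioral-DoS "network flood IPv4 TCP-SYN" '
    'TCP 27.1.1.10 31337 27.1.1.100 25 2 N/A "lab" ongoing 0 0 0 0 N/A high drop',
    '20-08-2010 14:45:52 WARNING 73 Behavioral-DoS "network flood IPv4 TCP-SYN" '
    'TCP 27.1.1.10 31337 27.1.1.100 25 2 N/A "lab" term 0 0 0 0 N/A high drop',
    '20-08-2010 15:10:57 WARNING 70 Behavioral-DoS "network flood IPv4 UDP" '
    'UDP 27.1.1.10 31337 27.1.1.100 135 2 N/A "lab" ongoing 0 0 0 0 N/A high drop',
    'DP-Team1#01-12-2011 21:03:27 WARNING 401 Cracking-Protection "Web Scan" '
    'TCP 27.1.1.10 35080 27.1.1.100 80 1 Regular "Webserver Team1" ongoing 2 1 N/A 0 N/A medium drop',
]


def parse_trap(line):
    """Split one trap line into a dict; raise ValueError if it is not one."""
    tokens = shlex.split(line.strip())   # quoted names stay single tokens
    # On the serial console the prompt (e.g. "DP-Team1#") is glued to the date.
    if tokens and "#" in tokens[0]:
        tokens[0] = tokens[0].split("#", 1)[1]
    if len(tokens) < 18 or not tokens[3].isdigit():
        raise ValueError("not a DefensePro trap line: %r" % line)
    return {
        "date": tokens[0], "time": tokens[1], "severity": tokens[2],
        "attack_id": int(tokens[3]), "module": tokens[4], "name": tokens[5],
        "protocol": tokens[6], "src_ip": tokens[7], "src_port": tokens[8],
        "dst_ip": tokens[9], "dst_port": tokens[10],
        "port": tokens[11], "vlan": tokens[12],       # labels assumed
        "policy": tokens[13], "status": tokens[14],
        "counters": tokens[15:-2],                    # packet/bandwidth counters (assumed)
        "risk": tokens[-2], "action": tokens[-1],
    }


def summarize(lines):
    """Group traps by attack ID: phase sequence, pinned sources, actions."""
    attacks = {}
    for line in lines:
        rec = parse_trap(line)
        entry = attacks.setdefault(rec["attack_id"], {
            "module": rec["module"], "name": rec["name"],
            "phases": [], "sources": set(), "actions": set()})
        entry["phases"].append(PHASES.get(rec["status"], rec["status"]))
        # 0.0.0.0 means the trap does not pin the attack to one source
        # (the start trap, before a footprint exists, looks like this).
        if rec["src_ip"] != "0.0.0.0":
            entry["sources"].add(rec["src_ip"])
        entry["actions"].add(rec["action"])
    return attacks


def is_single_source(entry):
    """True when every trap that names a source names the same one."""
    return len(entry["sources"]) == 1


if __name__ == "__main__":
    for attack_id, entry in sorted(summarize(SAMPLE_TRAPS).items()):
        print(attack_id, entry["module"], entry["name"], "->",
              " / ".join(entry["phases"]),
              "single-source" if is_single_source(entry) else "no single source")
```

Feeding the device's syslog export through parse_trap gives the same records as the Current Attacks table, which is useful when correlating DefensePro events in a SIEM; the 0.0.0.0 handling matters because a naive "group by source IP" would otherwise split one attack into two.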


    Lab 4 Worm Propagation Prevention & Anti-Scanning


    Lab Goals:

    Configure a worm propagation and Anti-Scanning Policy

    Monitor Anti Scanning using the Attack Tool.

    Step By Step:

    1. Select Configuration (perspective) > Security Settings (tab) > Anti-Scanning

    2. In the Anti Scanning Parameters (right pane), mark the Enable Protection for Very Slow Scans.

    3. Click the Submit button to apply the setting.

    4. Select Configuration (perspective) > Network Protection (tab) > Network Protection Rules and double-click on the Rule we defined in Lab 1.

    5. In the Action section click on the button next to Anti-Scanning Profile; the Anti-Scanning Profiles window opens.

    6. Right click inside the table and add a new entry.

    7. For the new entry use the following entries:

    a. Rule Name AntiScanning

    b. Type GW

    c. Detection Sensitivity Level High

    d. Accuracy Medium

    8. Click OK to add the Profile, then click OK again to attach the profile to the rule.

    9. Click OK to close the Edit Network Protection Rule window.

    10. Click the Activate Latest Changes button to apply the changes.


    Testing Anti-Scanning

    Worm Propagation

    This scenario simulates worm propagation: the Slammer (UDP) option sends UDP packets to port 1434 across the destination network, which the Anti-Scanning module sees as a horizontal UDP scan (one port, many hosts).

    1. On the Attacking PC, from the main Welcome Screen, select Network Attacks.

    2. Select Worm Propagation.

    3. Select Slammer (UDP).

    4. Enter the Destination Network Address: 27.1.20.x (type the x literally; the tool expands it to the host range).

    5. Review the CLI traps and monitor the security reports in Vision:

    24-08-2010 11:23:17 WARNING 351 Anti-Scanning "UDP Scan (horizontal)" UDP 27.1.1.10 0 0.0.0.0 1434 2 Regular "lab" start 0 0 0 0 N/A medium drop

    24-08-2010 11:23:27 WARNING 351 Anti-Scanning "UDP Scan (horizontal)" UDP 27.1.1.10 0 0.0.0.0 1434 2 Regular "lab" ongoing 46 0 0 0 N/A medium drop

    24-08-2010 11:23:52 WARNING 351 Anti-Scanning "UDP Scan (horizontal)" UDP 27.1.1.10 0 0.0.0.0 1434 2 Regular "lab" term 0 0 0 0 N/A medium drop

    Note the destination 0.0.0.0 with port 1434 in the traps: a horizontal scan targets one port on many hosts, so no single destination host is reported, while the scanning source 27.1.1.10 is.

    6. From the legitimate user station, send legitimate traffic to the attacked host.

    7. The DP detects and blocks the scan while letting the legitimate traffic through.


    Scanning

    This attack demonstrates a scan attempt:

    1. On the Attacking PC, from the main Welcome Screen, select Network Attacks.

    2. Select Scans.

    3. Select TCP (L4).

    4. Select Horizontal.

    5. Select High (toggle it with the space key).

    6. Enter the Destination network address: 27.1.20.x (type the x literally; the tool expands it to the host range):

    7. Soon after the attack is initiated, the following traps are printed on the CLI:

    24-08-2010 11:26:02 WARNING 350 Anti-Scanning "TCP Scan (horizontal)" TCP 27.1.1.10 0 0.0.0.0 80 2 Regular "lab" start 0 0 0 0 N/A medium drop

    24-08-2010 11:26:02 WARNING 350 Anti-Scanning "TCP Scan (horizontal)" TCP 27.1.1.10 0 0.0.0.0 80 2 Regular "lab" ongoing 271064 127061 0 0 N/A medium drop

    24-08-2010 11:26:32 WARNING 350 Anti-Scanning "TCP Scan (horizontal)" TCP 27.1.1.10 0 0.0.0.0 80 2 Regular "lab" term 0 0 0 0 N/A medium drop

    8. Select Security Monitoring (perspective) > Current Attacks (tab) and double-click on the attack

    9. If no monitoring data is visible, select the DP and press the Go button.
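Both scenarios in this lab are reported as horizontal scans: one source, one destination port, many destination hosts (the opposite shape, one host and many ports, is a vertical scan). The Python below is an added example, not Radware code and not part of the original manual: it classifies a constructed set of flow records by source into the two shapes, using the attack names the lab's traps use. The distinct-target thresholds per Detection Sensitivity level are assumptions for the example; the lab gives no figures for the device's own thresholds.

```python
"""Classify flows per source into horizontal (one port, many hosts) and
vertical (one host, many ports) scans.  Added example, not Radware code."""
from collections import defaultdict

# Number of distinct targets that flags a scan, per Detection Sensitivity
# level.  ASSUMED values for this example only.
THRESHOLDS = {"low": 50, "medium": 20, "high": 10}

# Constructed flow records: (src_ip, dst_ip, protocol, dst_port).
SAMPLE_FLOWS = (
    # Slammer-style propagation: one source probing UDP/1434 on 60 hosts.
    [("27.1.1.10", "27.1.20.%d" % h, "UDP", 1434) for h in range(1, 61)]
    # Vertical probe: the same source walking TCP ports 1-30 on one server.
    + [("27.1.1.10", "27.1.1.100", "TCP", p) for p in range(1, 31)]
    # Legitimate client: a handful of HTTP connections to the web server.
    + [("27.1.1.50", "27.1.1.100", "TCP", 80)] * 5
)


def trap_name(proto, kind):
    """Attack name in the form the lab's traps use, e.g. 'UDP Scan (horizontal)'."""
    return "%s Scan (%s)" % (proto, kind)


def classify_scans(flows, sensitivity="high"):
    """Return {src_ip: [(attack_name, port_or_host, distinct_target_count), ...]}."""
    limit = THRESHOLDS[sensitivity]
    hosts_per_port = defaultdict(set)   # (src, proto, dport) -> destination hosts
    ports_per_host = defaultdict(set)   # (src, proto, dst)   -> destination ports
    for src, dst, proto, dport in flows:
        hosts_per_port[(src, proto, dport)].add(dst)
        ports_per_host[(src, proto, dst)].add(dport)
    findings = defaultdict(list)
    for (src, proto, dport), hosts in hosts_per_port.items():
        if len(hosts) >= limit:      # many hosts on one port: horizontal
            findings[src].append((trap_name(proto, "horizontal"), dport, len(hosts)))
    for (src, proto, dst), ports in ports_per_host.items():
        if len(ports) >= limit:      # many ports on one host: vertical
            findings[src].append((trap_name(proto, "vertical"), dst, len(ports)))
    return dict(findings)


if __name__ == "__main__":
    for level in ("high", "medium", "low"):
        print(level, classify_scans(SAMPLE_FLOWS, level))
```

Lowering the sensitivity raises the target count needed before a source is flagged: at low the 30-port vertical probe goes unreported while the 60-host sweep is still caught, which is the trade-off the Detection Sensitivity Level in step 7c controls.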


    Lab 5 SYN Flood Protection


    Lab Goals:

    Configure a profile and policy to protect against SYN Floods

    Monitor the attack logs via Vision

    Step By Step:

    1. Select Configuration (perspective) > Network Protection (tab) > Network Protection Rules and double-click on the Rule we defined in Lab 1.

    2. In the Action section click on the button next to SYN Flood Profile; the SYN Profiles window opens.

    3. Right click inside the table and add a New SYN Profile.

    4. For the Profile Name select SYNFlood

    5. Right click inside the table and add a new SYN Flood Protection.

    6. Select HTTP as the Protection Name

    7. Click OK to add the protection to the profile

    8. Click OK to close the Edit SYN Profiles window

    9. Click OK to add the profile to rule.

    10. Unselect the BDoS Profile from your Network Protection Rule, so that this flood is handled and reported by the SYN protection module alone rather than by the Behavioral-DoS module from Lab 3.

    11. Click OK to close the Edit Network Protection Rule window.

    12. Click the Activate Latest Changes button to apply the changes.


    Testing SYN Protection

    1. On the attacking computer, select Network Attacks > Floods > Single Source > TCP SYN Attack.

    2. Enter the destination address: 27.1.#.100 (# = Team-Number) and click OK.

    3. Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:

    09-07-2008 15:23:54 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "protected" start 0 0 0 0 N/A medium proxy

    DefensePro#09-07-2008 15:23:54 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "protected" ongoing 60364 28295 0 0 N/A medium proxy

    DefensePro#09-07-2008 15:24:09 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "protected" term 0 0 0 0 N/A medium proxy

    Note that the action column reads proxy rather than drop: the SYN protection answers new SYNs on behalf of the server and only hands over connections whose handshake completes, so SYNs that are never acknowledged never reach the server while legitimate clients still connect.

    4. In APSolute Vision, select the Security Monitoring perspective and select the Current Attack tab. Click the Go button:

    5. Double-Click on the SYN Flood HTTP attack to see more details:


    Lab 6 Connection Limits


    Lab Goals:

    Create and test a Connection Limit policy.

    Step By Step:

    1. Go to Configuration > Network Protection > Connection Limit Profiles > Connection Limit Protections and add a new Protection. Click the Go To Protection Table button to add new parameters.

    2. Use the following information:

    a. Protection Name HTTPLimit

    b. Application Port Group Name http

    c. Protocol TCP

    d. Number of Connections 2

    e. Tracking Type Source Count

    f. Action Mode Drop

    g. Risk Medium

    h. Suspend Action Source IP

    3. Click OK to add the new protection.

    4. Go to Configuration > Network Protection > Connection Limit Profiles and add a new Profile.

    5. For the Profile Name use MyConLimit and click OK

    6. Right click in the table to add a Connection Limit Protection to the Profile.

    7. Select in the Protection Name the protection we just created and click OK

    8. Click OK to add the profile

    9. Go to Configuration > Network Protection > Network Protection Rules and double-click on your Network Protection Rule.

    10. In the action section select the Connection Limit Profile we just created and click OK

    11. Click on Activate Latest Changes


    Testing this lab

    1. At the attacker go to Services Attacks > HTTP > Scanning and launch the attack against your target server 27.1.#.100.

    2. You should see the following message at the DP serial console:

    20-08-2010 12:33:36 WARNING 450001 DoS "HTTPLimit" TCP 27.1.1.10 36369 27.1.1.100 80 1 Regular "NWRule_Team1" start 1 0 0 0 N/A medium drop

    3. Review the attack details in APSolute Vision > Security Monitoring > Security Dashboard.


    4. Review the attack details in APSolute Vision > Security Monitoring > Current Attacks.
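The protection configured in this lab is a stateful counter: at most 2 open connections per source to the http port group, excess connections dropped and the offending source IP suspended. The Python below is an added example, not Radware code and not part of the original manual; it simulates that policy over a constructed stream of connection open/close events so the effect of the Suspend Action can be seen. The suspend duration and the port set behind the "http" application port group are assumptions.

```python
"""Per-source connection limit with a suspend action, as configured in
Lab 6 (2 connections, Source Count, Drop, suspend source IP).  Added
example, not Radware code; SUSPEND_SECONDS and HTTP_PORTS are assumed."""
from collections import defaultdict

HTTP_PORTS = frozenset({80})   # the lab's "http" port group, assumed to be just 80
SUSPEND_SECONDS = 60           # assumed suspend duration


class SourceConnectionLimit:
    def __init__(self, max_connections=2, ports=HTTP_PORTS, suspend_seconds=SUSPEND_SECONDS):
        self.max_connections = max_connections
        self.ports = ports
        self.suspend_seconds = suspend_seconds
        self.open = defaultdict(set)   # src -> {(sport, dst, dport)} currently open
        self.suspended = {}            # src -> time at which the suspension expires
        self.traps = []                # (t, src, name): what the device would report

    def handle(self, t, kind, src, sport, dst, dport):
        """kind is 'open' (new connection) or 'close'.  Returns 'forward' or 'drop'."""
        if dport not in self.ports:
            return "forward"                 # not in the protected port group
        key = (sport, dst, dport)
        if kind == "close":
            self.open[src].discard(key)
            return "forward"
        expiry = self.suspended.get(src)
        if expiry is not None:
            if t < expiry:
                return "drop"                # suspended source: dropped regardless of count
            del self.suspended[src]          # suspension over, start counting again
        if len(self.open[src]) >= self.max_connections:
            self.suspended[src] = t + self.suspend_seconds
            self.traps.append((t, src, "HTTPLimit start"))
            return "drop"
        self.open[src].add(key)
        return "forward"


def run(events, limiter=None):
    """Apply the limiter to (t, kind, src, sport, dst, dport) events in order."""
    if limiter is None:
        limiter = SourceConnectionLimit()
    return [limiter.handle(*event) for event in events]


# Constructed events: (t, kind, src_ip, src_port, dst_ip, dst_port).
SAMPLE_EVENTS = [
    (0, "open", "27.1.1.10", 36369, "27.1.1.100", 80),    # 1st connection: forwarded
    (1, "open", "27.1.1.10", 36370, "27.1.1.100", 80),    # 2nd: forwarded, limit reached
    (2, "open", "27.1.1.10", 36371, "27.1.1.100", 80),    # 3rd: dropped, source suspended
    (3, "close", "27.1.1.10", 36369, "27.1.1.100", 80),   # one closes, count back to 1
    (4, "open", "27.1.1.10", 36372, "27.1.1.100", 80),    # still suspended: dropped anyway
    (5, "open", "27.1.1.10", 36373, "27.1.1.100", 22),    # port outside the group: untouched
    (6, "open", "27.1.1.50", 41000, "27.1.1.100", 80),    # another client has its own counter
    (70, "open", "27.1.1.10", 36374, "27.1.1.100", 80),   # suspension expired, 1 open: forwarded
]

if __name__ == "__main__":
    limiter = SourceConnectionLimit()
    for event, decision in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS, limiter)):
        print(event, "->", decision)
    print(limiter.traps)
```

The event at t=4 is the point of the Suspend Action: once the source has been suspended, closing a connection does not earn it a new one until the suspension expires, which is why a scanner that opens and closes connections quickly still stays blocked.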


    Lab 7 Server Cracking Protection


    Lab Goals:

    Configure a policy to protect against server cracking attacks.

    Monitor server cracking logs via Vision

    Step By Step:

    1. Make sure you removed the Connection Limit profile from Lab 6 from your Network Protection Rule (and activated the change) before you start; with a limit of 2 connections per source, the cracking tool's connections would be dropped and reported as HTTPLimit instead of by the Server Cracking protection.

    2. Select Configuration (perspective) > Server Protection (tab) > Server Protection Policy

    3. Press the button to add a New Server Protection

    4. For the new entry use the following entries:

    a. Server Name WebserverTeam#

    b. IP Range just type: 27.1.#.100

    5. On Server Cracking Profile, click on the button to create a new Server Cracking Profile.

    6. Right-click inside the table and add a New Server Cracking Profile.

    7. For the Profile Name use ServerCracking and click OK.

    8. In the Edit Server Cracking Protection window select the Action Block and Report.

    9. Right click inside the table and add a New Server Cracking Protection

    10. For the new entry select the following entries:

    a. Server Cracking Protection Name Brute Force Web

    b. Sensitivity Medium

    c. Risk Medium

    11. Click OK to add the new protection to the profile

    12. Right click inside the table and add a New Server Cracking Protection

    13. For the new entry select the following entries:

    a. Server Cracking Protection Name Web Scan

    b. Sensitivity Medium

    c. Risk Medium

    14. Click OK to add the new protection to the profile


    15. Your Server Cracking Profile should look like this:

    16. Click OK to close the newly created Server Cracking Profile.

    17. Click OK to select the new Server Cracking Profile for the Server Protection.

    18. Your New Server Protection should look like this:

    19. Click OK to add the New Server Protection.

    20. Click the Activate Latest Changes button to activate the new settings.


    Testing Server Cracking Protection Brute Force:

    1. On the attacking PC, select Services Attacks > HTTP > Cracking.

    2. Enter IP address for the attacked PC: 27.1.#.100 (# = Team-Number) and click OK.

    3. Enter destination URL /account.aspx

    4. Soon after the attack is initiated, the following CLI traps are printed:

    DP-Team1#01-12-2011 21:03:27 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 35080 27.1.1.100 80 1 Regular "Webserver Team1" start 0 0 N/A 0 N/A medium drop

    DP-Team1#01-12-2011 21:03:27 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 35080 27.1.1.100 80 1 Regular "Webserver Team1" ongoing 2 1 N/A 0 N/A medium drop

    DP-Team1#01-12-2011 21:04:07 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 35080 27.1.1.100 80 1 Regular "Webserver Team1" term 0 0 N/A 0 N/A medium drop

    Note: the traps above were reported under the Web Scan protection; check in your own run which of the two protections in the profile (Brute Force Web or Web Scan) fired.

    5. In Vision, select the Security Monitoring > Current Attacks tab.

    6. Double-click on the Brute Force Web attack to see the attack details:


    Testing Server Cracking Protection Web Scan:

    1. On the attacking PC, select Services Attacks > HTTP > Scanning.

    2. Enter the IP address of the attacked PC: 27.1.#.100 and click OK.

    3. Enter a destination URL (e.g. /accounts.aspx).

    4. Soon after the attack is initiated, the following CLI traps are printed:

    DP-Team1#01-12-2011 21:11:57 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 50496 27.1.1.100 80 1 Regular "Webserver Team1" start 0 0 N/A 0 N/A medium drop

    DP-Team1#01-12-2011 21:11:57 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 50496 27.1.1.100 80 1 Regular "Webserver Team1" ongoing 82 47 N/A 0 N/A medium drop

    DP-Team1#01-12-2011 21:12:02 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 50496 27.1.1.100 80 1 Regular "Webserver Team1" ongoing 84 48 N/A 0 N/A medium drop

    DP-Team1#01-12-2011 21:12:07 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 50496 27.1.1.100 80 1 Regular "Webserver Team1" ongoing 90 52 N/A 0 N/A medium drop

    5. In Vision, select the Security Monitoring > Current Attacks tab.

    6. Double-click on the Web Scan attack to see the attack details:


    Lab 8 HTTP Mitigator Protection


    Lab Goals:

    Configure a security policy to protect against HTTP flood attacks with the HTTP Mitigator.

    Monitor HTTP Mitigator logs and web server behavioral parameters in Vision

    Step By Step:

    1. Select Configuration (perspective) > Security Settings (tab) > HTTP Flood Protections

    2. Change the Learning Period Before Activation to 0 Days. Note: this is needed because we want the system to block immediately; in production the learning period lets the device build a baseline of normal web traffic before it starts acting on deviations.

    3. Click the Submit button to apply the setting.

    4. Select Configuration (perspective) > Server Protection (tab) > Server Protection Policy

    5. Double-Click on the Server Protection we created in the last lab.

    6. Remove the Server Cracking Profile

    7. Click on the button to create a new HTTP Flood Protection Profile.

    8. Right click inside the table and add a HTTP Flood Protection Profile.

    9. For the new entry use the following entries:

    a. Profile Name HTTPFlood

    b. Sensitivity Medium

    c. Action Block and Report

    10. Since there is no time in the lab for the device to learn the web server's normal request rates, we configure the thresholds manually. For this, check the Use the following thresholds to identify HTTP Flood attacks checkbox in the User-Defined Attack Triggers section.

    11. In the Manual Configuration section add the following:

    a. Get and POST Request-Rate Trigger 5 HTTP req./sec.

    b. Other Request-Type-Request-Rate Trigger 2 HTTP req./sec.

    c. Outbound HTTP BW Trigger 1 Kbps

    d. Request-per-Source Trigger 5 HTTP req./sec.

    e. Request-per-Connection Trigger 5 HTTP req./sec.


    12. Your HTTP Flood Protection Profile should look like this:

    13. Click OK and OK again to add the Profile.

    14. Click OK to close the Server Protection window.

    15. Click the Activate Latest Changes button to activate the new settings.


    Testing HTTP Mitigator:

    1. On the attacking computer select Service Attacks > HTTP > Flooding.

    2. Enter IP address for the attacked PC: 27.1.#.100.

    3. Make sure the destination URL is set to /index.html.

    4. Soon after the attack is initiated, the following traps are printed on the CLI:

    24-08-2010 10:13:58 WARNING 150 HttpFlood "HTTP Page Flood Attack" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "server" start 0 0 0 0 N/A medium drop

    24-08-2010 10:14:13 WARNING 150 HttpFlood "HTTP Page Flood Attack" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "server" term 0 0 0 0 N/A medium drop

    5. In Vision, select the Security Monitoring > Current Attacks tab.

    6. Double-click on the HTTP Page Flood Attack to see the attack details:


    Lab 9 Signature Protection


    Lab Goals:

    Configure Intrusion Prevention policy.

    View Dashboard display of simulated attack traffic

    View and Sort Attack Logs by risk level

    Create a user-defined view and user-defined report

    Step-by-Step:

    1. Select Configuration (perspective) > Security Settings (tab) > Signature Protection

    2. Uncheck the Enable Session Drop Mechanism checkbox. Note: we do this so that the same attack generated by the attack tool is seen again if we launch it a second time; with the mechanism enabled, the rest of a session is dropped once a signature matches in it. For more details ask your instructor.

    3. Click the (Submit) button to apply the setting.

    4. Select Configuration (perspective) > Network Protection (tab) > Network Protection Rules and double-click on the Rule we defined in Lab1

    5. In the Action section click on the button next to Signature Protection Profile and the Signature Profiles window will open.

    6. Right click inside the table and add a New Signature Profile.

    7. Set the Profile Name to All

    8. Right click inside the table and add a New Signature Rule.

    9. For the new entry use the following entries:

    a. Rule Name All_Info

    b. Attribute Type Risk

    c. Attribute Value Info

    Note: This is not a recommended setting for production. A rule on risk Info pulls in every signature down to the lowest risk level and generates a large volume of low-value events; we use it only in our training lab so that every attack the tool sends is visible.

    10. Click OK to add the Rule to the Profile

    11. Click OK to create the Profile.

    12. Select the new created Profile and click OK.

    13. Click OK to close the Network Protection Rule

    14. Click the Activate Latest Changes button to activate the new settings.


    Testing the Signature Protection

    1. On the attacking computer select Intrusion Attacks > Batch Edit.

    2. Select a couple of the attacks, but at least two of each of these attack groups:

    Apache

    Backdoors_Inbound

    FTP_AS

    IIS

    Worms

    Note: Depending on the signature updates installed, it is possible that not all of the attack captures used by the attack tool will be detected.

    3. After you have saved the attacks, select Back > Run > Launch the attacks.

    4. Enter the IP address of the attacked server: 27.1.#.100.

    5. The attacking computer initiates attacks towards the DefensePro and you should receive CLI traps as the DefensePro detects and blocks each attack. For example:

    17-08-2010 16:28:08 WARNING 5672 Intrusions "Apache-CMD-Command-Exec" TCP 27.1.1.10 2057 27.1.1.100 80 1 Regular "NWRule_Team1" occur 1 0 0 0 N/A medium dest-reset

    6. In Vision, select the Security Monitoring > Security Dashboard.

    7. You can move the mouse over the attack displayed and see more information.


    8. In Vision, select the Security Monitoring > Current Attacks

    9. Double-Click one of the attacks to see the attack details:


    10. If you like you can go to Security Monitoring > GeoMap and press Go to see where the attacks are coming from. If you click on a country in the map you see the list of attacks.


    Packet Reporting

    1. Select Configuration (perspective) > Advanced Parameters (tab) > Security Reporting Settings and expand the Packet Reporting and Packet Trace section.

    2. Check the Enable Packet Reporting box and enter the Vision IP address (10.10.240.10) in the Destination IP Address field.

    3. Click the Commit Changes button. If prompted, reboot the device.

    4. Select Configuration (perspective) > Network Protection (tab) > Network Protection Rules and double-click on the Rule we defined in Lab1

    5. In the Packet Reporting and Trace section check the first two checkboxes and press OK.

    6. Click the Activate Latest Changes button to activate the new settings.

    7. Use the Attack Tool and run the saved attacks again.

    8. Go to Security Monitoring > Current Attacks and do a right-click on one of the attacks and select Export Packets To Ethereal Format.

    9. Select the path and filename of the file and click OK.


    10. Open the saved file, for example with Wireshark, to see the packet that triggered the alert:


    Lab 10 - Building a Custom Signature


    Lab Goals:

    Create new user-defined attack signatures with the Signature Protections feature to block a new workstation vulnerability:

    1. Create an OMPC signature (matching on protocol and destination port)

    2. Create a content signature blocking a URL

    Test the new attack signatures

    Building the filter:

    1. Select Configuration (perspective) > Network Protection (tab) > Signature Protection > Signatures

    2. In the right window (content area) at the Signatures section press the button

    3. Set the Signature Name to UD_Port

    4. Right-click in the Filter Table and add a new filter.

    5. For the new entry use the following entries (keep the rest default):

    a. Filter Name UD_Port1234

    b. Protocol TCP

    c. Destination Application Port 1234

    6. Click OK to close the Edit Filter window.

    7. Click OK to close the Edit Signature Profile Rule window.

    8. Select Configuration > Network Protection > Network Protection Rules and click the Activate Latest Changes button to activate the new settings.


    Testing the custom Filter

    1. On the attacking computer press ALT-F3 to switch to a second shell. From there, try to open TCP sessions to the blocked port:

    /usr/sbin/hping3 -c 5 -p 1234 -S 27.1.#.100

    (where # is your team number; -S sends SYN segments, -p sets the destination port and -c the number of packets). To return to the attack tool press ALT-F2.

    2. The following traps are printed in the DefensePro's CLI:

    17-08-2010 18:06:08 WARNING 300000 Intrusions "UD_Port" TCP 27.1.1.10 2400 27.1.1.100 1234 1 Regular "NWRule_Team1" occur 1 0 0 0 N/A low drop

    3. In Vision, select the Security Monitoring > Security Dashboard and if you move the mouse over the attacks you can see the user defined attack with details (also visible in the Current Attacks tab).


    Creating a custom signature to block URL

    Step By Step:

    1. Select Configuration (perspective) > Network Protection (tab) > Signature Protection > Signatures

    2. In the right window (content area) at the Signatures section press the button

    3. Set the Signature Name to UD_URL

    4. Right-click in the Filter Table and add a new filter.

    5. For the new entry use the following entries (keep the rest default):

    a. Filter Name UD_URL

    b. Protocol TCP

    c. Destination Application Port http

    d. Content Type URL

    e. Content /testurl

    f. Content Encoding Case Insensitive

    6. Click OK to close the Edit Filter window.

    7. Click OK to close the Edit Signature Profile Rule window.

    8. Select Configuration > Network Protection > Network Protection Rules and click the Activate Latest Changes button to activate the new settings.


    Testing the custom filter

    1. On the attacking computer select Service Attacks > HTTP > Cracking.

    2. Enter the server address 27.1.#.100 (# = your team number).

    3. As the destination URL use /testurl (the URL the filter matches) and start the attack.

    4. Soon after, the following trap is printed on the CLI:

    17-08-2010 19:49:23 WARNING 300001 Intrusions "UD_URL" TCP 27.1.1.10 35208 27.1.1.100 80 1 Regular "NWRule_Team1" occur 1 1 0 0 N/A low drop

    5. Review the Security Monitoring > Current Attacks tab in Vision.


    Lab 11 Policy Exceptions (Black & White lists)


    Lab Goals:

    Configure exceptions and test the Black & White List mechanism.

    Configuring Black List:

    1. Go to Configuration > Classes > Modify Configuration > Networks

    2. Right-Click in the Network Name table to add a new Network

    3. For the Network Name use BLHost.

    4. Right-click in the table to add a new network group.

    5. Use the following information:

    a. Entry Type IP Range

    b. Network Type IPv4

    c. From IP 27.1.#.10

    d. To IP 27.1.#.10

    6. Click OK to add this entry to the Network Group

    7. Click Close to close the Network Entry window.

    8. Click Activate Latest Changes button

    9. Go to Configuration > ACL > Black List.

    10. Right-click in the Black List Policy Table and add a new Black List Rule


    11. Select as Source Address the network we just created and as Destination Network Any and click OK

    12. Click Activate Latest Changes button

    13. Click the Submit button.

    Testing Black Lists:

    1. On the attacker PC, initiate a protocol anomaly attack (Intrusion Attacks > Single > 27.1.#.100 > Protocol Anomalies, then select one of the attacks).

    2. The DP prints the following trap in the CLI:

    17-08-2010 20:21:33 WARNING 8 Access "Black List IP" TCP 27.1.1.10 6666 27.1.1.100 179 1 Regular "Black List" occur 1 0 0 0 N/A low drop

    3. Click the Security Monitoring > Current Attacks tab in Vision.

    4. You will see all the attacks that were blocked by the Black List module.

    Configuring White List

    1. Remove the BLHost from the Black List before you continue. (Don't forget to activate the latest changes.)

    2. Go to Configuration > ACL > White List.

    3. Right-click in the White List Policy Table and add a new White List Rule.

    4. The New White List Rule window appears:

    5. The white list contains IP addresses and network ranges; traffic from these addresses bypasses the different security modules in the device.

    6. The attacker PC address is already configured as the BLHost network (previous step), so use BLHost as the Source Network and any as the Destination Network.

    7. You can define which security modules will be skipped when traffic from the attacker PC arrives at the DP.

    8. In the Module Bypass select Bypass All Modules. This means that all the security modules will be skipped for traffic originating in the specified source network.

    9. If you deselect Bypass All Modules, you have to specify which security modules will scan the traffic and which will skip it.

    10. Click OK to save changes.

    11. Click the Activate Latest Changes button.

    Testing White Lists:

    1. On the attacker PC, initiate a protocol anomaly attack (Intrusion Attacks > Single > 27.1.#.100 > Protocol Anomalies > select one of the attacks).

    2. The DP will not scan the traffic and therefore none of the initiated attacks will be detected by the DP.

    3. On the CLI nothing will be printed.

    4. This means that all the traffic is directly delivered to the target computer.

    5. On Vision no attack will be detected.

    6. Try removing the White List rule to see that the DP now detects the attacks.

    Lab 12 Stateful Access List (ACL)

    Go back to Table of Content

    Lab Goals:

    Create an ACL policy to block Ping (ICMP Echo) traffic to the target server.

    Test the policy.

    Step By Step:

    1. Go to Configuration > ACL > ACL Policy > Global Settings and enable ACL

    2. Click the Submit button to apply the settings.

    3. The following window will appear:

    4. Click Commit Changes and Reboot

    5. The device will now reboot (see serial connection). Vision will notify you after the reboot has finished.

    6. Go to Configuration > ACL > ACL Policy > Modify Policy and double-click on the default rule.

    7. Check Report and click OK

    8. Click on Activate Latest Changes

    9. Watch the serial console until you see these messages:

    ACL learning period is over

    All ACL policies have Drop actions. All IP traffic will be dropped.

    10. Now try to open the web site of your target PC (27.1.#.100) from the good client, or launch any attack from the attacker against the target. You will see that by default everything is blocked by the ACL!

    11. Check the Security Monitoring as well.

    12. Go to Configuration > ACL > ACL Policy > Modify Policy and double-click on the Default policy.

    13. Change the Action to Accept and click OK

    14. Right-click in the Modify ACL Policy table to add a new policy.

    15. Use the following information:

    a. Rule Name BlockICMP

    b. Rule Index 1

    c. Report check this value

    d. Protocol ICMP

    e. Action Drop

    f. ICMP-Flags Echo (check this value)

    16. Click OK to add this rule.

    17. Click Activate Latest Changes.

    Testing ACL

    1. From the attacking PC, send a flood attack to the target computer (Network Attacks > Floods > Single Source > ICMP Echo Request Flood > 27.1.#.100) or simply set up a continuous ping (-t) to the target server. You should not get a response from the target PC.

    2. From the CLI, you should see traps indicating that the packets have been blocked:

    17-08-2010 21:04:24 WARNING 744 Stateful ACL "ICMP session dropped" ICMP 27.1.1.10 0 27.1.1.100 0 1 Regular "Default" occur 1 0 0 0 N/A high drop

    3. You can also review these messages in Security Monitoring > Current Attacks or in the Security Dashboard.

    4. Stop the ping from the attacking host.

    5. Before you continue with the next lab, disable ACL again (including the reboot) and enable BWM by setting the Classification Mode to Policies (including the reboot).
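    The trap lines quoted in the URL-filter, Black List and ACL tests share one layout. The Python below is an added example (not from the Radware manual or product) that parses such lines and runs the checks a defender makes after these tests: counting drops per policy, and confirming that a source a White List rule should bypass produced no traps. The field layout is inferred from the three sample traps; the fields after the policy name ("occur", four counters, "N/A") are skipped rather than interpreted.

```python
"""DefensePro security traps as printed on the CLI: parser and post-lab checks.
Added example, not Radware code. The field layout is inferred from the three sample
traps in this manual; the fields after the policy name ("occur", counters, "N/A") are skipped."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set

TRAP_RE = re.compile(r"""
    ^(?P<date>\d{2}-\d{2}-\d{4})\s(?P<time>\d{2}:\d{2}:\d{2})\s\S+\s(?P<attack_id>\d+)\s
    (?P<category>[^"]+?)\s"(?P<attack_name>[^"]*)"\s    # category may be two words ("Stateful ACL")
    (?P<protocol>\S+)\s(?P<src_ip>\S+)\s(?P<src_port>\d+)\s(?P<dst_ip>\S+)\s(?P<dst_port>\d+)\s
    \d+\s\S+\s"(?P<policy_name>[^"]*)"\s                 # port, policy type, policy name
    \S+\s(?:\d+\s){4}\S+\s                               # "occur", four counters, "N/A"
    (?P<risk>\S+)\s(?P<action>\S+)$
""", re.VERBOSE)


@dataclass(frozen=True)
class Trap:
    timestamp: datetime
    attack_id: int
    category: str
    attack_name: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    policy_name: str
    risk: str
    action: str


def parse_trap(line: str) -> Optional[Trap]:
    """Return a Trap for a security trap line, None for any other console output."""
    m = TRAP_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    stamp = datetime.strptime(f"{fields.pop('date')} {fields.pop('time')}", "%d-%m-%Y %H:%M:%S")
    for key in ("attack_id", "src_port", "dst_port"):
        fields[key] = int(fields[key])
    return Trap(timestamp=stamp, **fields)


def parse_console(text: str) -> List[Trap]:
    """Keep only the trap lines from a captured CLI or serial session."""
    return [t for t in map(parse_trap, text.splitlines()) if t is not None]


def drops_by_policy(traps: Iterable[Trap]) -> Dict[str, int]:
    """Dropped events per policy, the same view as Security Monitoring > Current Attacks."""
    counts: Dict[str, int] = {}
    for t in traps:
        if t.action == "drop":
            counts[t.policy_name] = counts.get(t.policy_name, 0) + 1
    return counts


def unexpected_traps(traps: Iterable[Trap], bypassed_sources: Set[str]) -> List[Trap]:
    """Traps from sources a White List rule should bypass; the White List test expects none."""
    return [t for t in traps if t.src_ip in bypassed_sources]


# Constructed sample: the three traps quoted in the labs plus one non-trap console message.
SAMPLE_CONSOLE = "\n".join([
    '17-08-2010 19:49:23 WARNING 300001 Intrusions "UD_URL" TCP 27.1.1.10 35208 27.1.1.100 80 1 Regular "NWRule_Team1" occur 1 1 0 0 N/A low drop',
    "ACL learning period is over",
    '17-08-2010 20:21:33 WARNING 8 Access "Black List IP" TCP 27.1.1.10 6666 27.1.1.100 179 1 Regular "Black List" occur 1 0 0 0 N/A low drop',
    '17-08-2010 21:04:24 WARNING 744 Stateful ACL "ICMP session dropped" ICMP 27.1.1.10 0 27.1.1.100 0 1 Regular "Default" occur 1 0 0 0 N/A high drop',
])
```

    Feed the output of the serial console or the syslog destination configured in the CLI lab to parse_console; an empty result from unexpected_traps for the BLHost address is the expected outcome of the White List test.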

    Lab 13 Bandwidth Management

    Go back to Table of Content

    Lab Goals:

    Create and test a Bandwidth Management policy to guarantee minimum and maximum application service levels.

    Note:

    It is difficult to generate enough traffic in a lab environment to saturate the available bandwidth. In order to illustrate the features detailed in this lab, the guaranteed minimum and borrowing bandwidth limits have been set artificially low.

    Step By Step:

    1. Before beginning this lab, let's run a test:

    2. On the legitimate user station, close all browser windows.

    If you use the virtual lab, this station can be reached via VNC at lab-ip:7910 (password: client). From the Firefox browser that starts automatically you can select your team's attacked host (the picture shows the target for team 1) from the link folder:

    3. Now open a new browser and point it to: ftp://27.1.#.100/ [A different name may be provided by your instructor].

    4. Your browser will begin the download of the file. Note the copy speed rate.

    5. Now let's configure a bandwidth management rule which will limit the traffic.

    6. Go to Configuration > BWM > Global Parameters and change the Classification Mode to Policies.

    7. Click the Submit button to apply the settings.

    8. If BWM was not activated before, you need to reboot the DefensePro.

    9. Go to Configuration > Classes > Modify Configuration > Networks and click Create to add a new network.

    10. Use the following information:

    a. Name DMZ

    b. From IP 27.1.#.100

    c. To IP 27.1.#.100

    d. Entry Type IP Range

    11. Click OK to add the network

    12. Click Activate Latest Changes

    13. Go to Configuration > BWM > Modify Policies and press the button

    14. Use the following information:

    a. Policy Name FTP

    b. Index 1

    c. Policy Description FTP-Traffic

    d. Source Network any

    e. Destination Network DMZ

    f. Service Type Basic Service

    g. Service Name ftp-session

    h. Direction Two Way

    i. Priority 0

    j. Guaranteed Bandwidth 20

    k. Maximum Bandwidth 30

    15. Click OK to add the Policy

    16. Click Activate Latest Changes

    17. Go to Configuration > BWM > Active Policies and you should see this new policy in the list.

    18. To be able to see statistics, make sure you activate Policy Statistics Monitoring at Configuration > BWM > Global Settings:

    19. To see the statistics, go to Monitoring, select your DP and go to BWM Statistics > Policy Statistics (Last Period or Last Seconds).

    Testing this lab

    1. On the legitimate user station, close all browser windows.

    2. Now open a new browser and point it to: ftp://27.1.#.100/file [A different name may be provided by your instructor].

    3. Your browser will begin the download of the file. Note the copy speed rate.

    4. Go to Monitoring & Control, select your DP and go to BWM Statistics > Policy Statistics (Last Seconds).

    5. Stop the FTP session.

    6. If time permits, repeat this lab using other guaranteed and maximum values to see the different behavior.

    Lab 14 APSolute Vision Reporter

    Go back to Table of Content

    Lab Goals:

    Use the APSolute Vision Reporter to review the log we created during the labs.

    Your instructor will give you a short introduction demo before you start this lab.

    Step By Step:

    1. In APSolute Vision select the button to launch the Vision Reporter in a browser window.

    2. The APSolute Vision Reporter will start with the default Dashboard.

    3. You can customize this dashboard or create your own.

    4. Experiment with it to get familiar.

    5. Click in the Menu on Reports to see the predefined reports.

    6. Browse through the available reports.

    7. You can also export these reports.

    8. Try to export to PDF and review the report.

    Lab 1b CLI Configuring the DefensePro using APSolute Vision for attack reporting

    Go back to Table of Content

    To manage a Radware device using APSolute Vision, please follow the steps below:

    1. For your convenience, the classroom central APSolute Vision device is already set up.

    2. If you need to install the APSolute Vision client, please refer to Appendix-A Installing the APSolute Vision Client.

    3. Start APSolute Vision using the icon (Desktop or Start-Menu).

    4. In the login screen type in the following information and click Login:

    a. User Name DP-Team# (where # is your team number)

    b. Password radware

    c. Vision Server 10.10.240.10 (or the name according to your location)

    d. Authentication Local

    5. After a few seconds, the main APSolute Vision window appears:

    6. If your device is not visible, let your instructor know; a new device will then be added for you.

    7. Right-click on the DP and select Lock.

    The DP logo should show a lock now:

    NOTE: This feature will prevent anyone else from making configuration changes during your session.

    Enabling Security Reporting

    1. There are two different settings to send data to the Vision server:

    a. Attack traffic information (traffic statistics of B-DoS):

    dp reporting data-report address create 10.10.240.10

    b. Packet capture reporting:

    dp reporting packet-report address set 10.10.240.10

    2. In order to receive security traps in the CLI:

    dp reporting global send-terminal set 1

    3. In order to send security traps to a Syslog server:

    dp reporting global send-syslog set 1

    4. Make sure all traps are set to info (1):

    a. dp reporting global terminal-risk set 1

    b. dp reporting global traps-risk set 1

    c. dp reporting global syslog-risk set 1

    d. dp reporting global email-risk set 1

    5. Enable the DefensePro to send SNMP traps to a device (Vision):

    Syntax:

    manage snmp target-address create -a -

    -tl -p

    For this lab use the following:

    manage snmp target-address create Vision -a 10.10.240.10-162 -tl v3Traps -p public-v1

    Modifying and creating Classes

    Creating Port Groups:

    1. Create a physical port group:

    Syntax:

    classes modify physical-port-groups create

    For our lab:

    classes modify physical-port-groups create G1-Inbound 1

    2. Activate the latest changes:

    classes update-policies set 1

    Creating Networks:

    3. Select the Networks folder under Modify Configuration

    Syntax:

    classes modify network create

    -a

    -s

    -f

    -t

    -m

    For our lab, create the following 3 networks:

    classes modify network create protected 0 -a 27.1.0.0 -s 255.255.0.0 -m "IP Mask"

    classes modify network create protected 1 -a 28.1.0.0 -s 255.255.0.0 -m "IP Mask"

    classes modify network create special 0 -f 27.1.250.10 -t 27.1.250.20 -m "IP Range"

    4. Activate the latest changes:

    classes update-policies set 1

    Network Protection Policy

    1. Create a Network Policy that will be used in later labs for the different protections.

    Syntax:

    dp policies create - -

    Classification Flags:

    -di : Direction

    -sn : Source Address Name as defined in classes, or specific IP

    -dn : Destination Name as defined in classes, or specific IP

    -pm : Inbound Physical Port Group Name as defined in classes

    -vln : Vlan Tag Group Name as defined in classes

    -st : State

    -a : Action

    Attack Profiles Flags: (Will be added in later labs)

    -sig : Signatures Profile

    -con : Connection Limit Profile

    -sca : Anti Scanning Profile

    -dos : Behavioral Dos Profile

    -syn : SYN Protection Profile

    -pps : PPS Profile

    -dns : DNS protection Profile

    Advanced Options :

    -pt : Packet Trace

    -pte : Packet Trace configuration on policy takes precedence

    -pr : Packet Report

    -pre : Packet Report configuration on policy takes precedence

    For our lab, create the following rules (for # use your team number):

    dp policies create NWRule_Team# -dn protected -di twoway -pm G1-Inbound

    dp policies create NWRule2-Team# -sn special

    2. To View your rule table:

    dp policies

    Lab 2 CLI Administering DefensePro in CLI

    Go back to Table of Content

    Lab Goals:

    Enable and configure various options related to managing the DefensePro itself:

    1. Upgrade the device's software (Web)

    2. Security Update Service: updating the Attack Database (Web)

    3. Downloading the device configuration file

    4. Updating the device's license

    5. Enabling Syslog reporting

    Note: Upgrading the software and updating the signature file can only reliably be done via the Web Based Management or Vision. Included below are the steps for Web Based Management.

    In most classes no new software or attack database is available; the next two sections are for information and reference only.

    Upgrade the device's software

    1. Have the software and version password ready.

    2. Open a browser to the device and select File > Software Update.

    3. Fill in the field:

    a. Password = Password Provided

    b. Software Version = Version of Software

    c. File = Browse to the file and select it for upload

    d. Click Set to upload and enable the new version (Device will reboot)

    4. If you want to see what happens during the upgrade open a connection to the serial console of your device.

    Security Update Service: Updating the Attack Database

    6. Click on DefensePro > Attack Database > Send to Device.

    7. Select the source of the update by clicking on browse:

    8. Click the Set button to start the update process.

    Viewing Device Configuration File

    9. From the CLI type:

    system config immediate

    Pressing the space bar displays more of the configuration:

    Updating the Device's Throughput License

    4. You can upgrade the throughput of the device:

    system license throughput set

    Enabling Syslog Reporting

    5. First enable syslog reporting feature:

    manage syslog global-status set 1

    6. Next configure the IP of the syslog server (up to 5 servers):

    manage syslog destinations create 192.168.150.253

    End of Lab 2

    Lab 3 CLI Behavioral DoS Protection

    Go back to Table of Content

    Lab Goals:

    Configure and monitor Behavioral DoS Protections

    Step By Step:

    1. Make sure BDoS Protection and Traffic Statistics Sampling are enabled:

    dp behavioral-DoS global status

    dp behavioral-DoS global advanced sampling-status

    2. Set the Learning Response Period to Day.

    dp behavioral-DoS global advanced learning response_period set 1

    3. Make sure the Footprint Strictness is set to Low.

    dp behavioral-DoS global advanced footprint-strictness

    To change the strictness:

    dp behavioral-DoS global advanced footprint-strictness set

    4. Create a new Behavioral DOS Profile to add to your protection policy:

    Syntax:

    dp behavioral-DoS profile create -

    Flood Protection Flags:

    -tcpf : TCP FIN+ACK Flood

    -tcpr : TCP Reset Flood

    -tcps : TCP SYN+ACK Flood

    -tcpfrg : TCP Fragmented Flood

    -tcpsyn : SYN Flood

    -udp : UDP Flood

    -igmp : IGMP Flood

    -icmp : ICMP Flood

    Additional Settings Flags:

    -band_in : Quota setting of the inbound traffic in [Kbit/Sec] (Required)

    -band_out : Configuration of the outbound traffic in [Kbit/Sec] (Required)

    -pr : Packet Report

    -pt : Packet Trace

    For our lab, create a profile called BDOS with an inbound and outbound quota of 5000 and all protections enabled:

    dp behavioral-DoS profiles create BDOS -tcpf 1 -tcpr 1 -tcps 1 -tcpfrg 1 -tcpsyn 1 -udp 1 -igmp 1 -icmp 1 -band_in 5000 -band_out 5000

    5. If you created the pro