
Radware Alteon - Chapter 3 - Securing Alteon; Protecting Alteon-Owned Addresses from Attacks; How Different Protocols Attack Alteon

Radware Alteon
842 pages
Document ID: RDWR-ALOS-V2900_AG1302
Chapter 3 – Securing Alteon
Secure management is necessary for environments in which significant management functions are
performed across the Internet.
The following topics are addressed in this chapter:
Protecting Alteon-Owned Addresses from Attacks, page 59
How Different Protocols Attack Alteon, page 59
RADIUS Authentication and Authorization, page 62
TACACS+ Authentication, page 67
Secure Shell and Secure Copy, page 70
Deny Routes, page 79
Protecting Alteon-Owned Addresses from Attacks
Denial of Service (DoS) attacks can be targeted not only at real servers, but at any IP address that
is owned by an Alteon. A DoS attack can potentially overwhelm Alteon resources. You can use the
system-wide rlimit (rate limiting) command to prevent DoS attacks over Address Resolution Protocol
(ARP), ICMP, TCP, and UDP traffic by setting the maximum rate at which packets can enter Alteon.
After the configured limit has been reached, packets are dropped. The maximum rate (packets per
second) can be configured differently for each of the supported protocols.
How Different Protocols Attack Alteon
Without the system-wide rate limiting commands enabled, the following protocol packets destined
for an Alteon-owned management interface could potentially overwhelm its management
processor's CPU capacity:
ARP requests to the management interface IP address.
ICMP pings to the management interface IP address.
TCP SYN packets sent to the management interface IP address, including Telnet sessions, HTTP requests via the Browser-Based Interface, and BGP peer connections to Alteon. TCP Rate Limiting should also be configured to limit TCP packets destined to an Alteon virtual server IP (VIP) address. For more information, see TCP Rate Limiting, page 613.
UDP packets sent to an Alteon interface address, including Routing Information Protocol (RIP) and Simple Network Management Protocol (SNMP) packets.
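
The per-protocol drop behaviour described above can be modelled offline to size the limits against a traffic baseline. This is an added example, not code or configuration from the Alteon manual. The limit values, the function names, the constructed sample traffic and the one-second fixed window are all assumptions; the manual states only that the rate is in packets per second and that packets over the limit are dropped.

```python
from collections import defaultdict

# Hypothetical per-protocol ceilings in packets per second. Tune these to
# your own baseline; they are not Alteon defaults.
LIMITS_PPS = {"arp": 5, "icmp": 3, "tcp": 4, "udp": 6}


def apply_rate_limits(packets, limits=LIMITS_PPS):
    """Model per-protocol rate limiting over one-second windows.

    packets: iterable of (timestamp_seconds, protocol) for traffic destined
    to a device-owned address.
    Returns {protocol: {"passed", "dropped", "peak_pps"}}.
    Assumption: the counter resets on each whole second (fixed window).
    """
    in_window = defaultdict(int)  # (protocol, second) -> packets seen so far
    stats = defaultdict(lambda: {"passed": 0, "dropped": 0, "peak_pps": 0})
    for ts, proto in sorted(packets):
        proto = proto.lower()
        if proto not in limits:
            continue  # only protocols that have a configured limit are modelled
        key = (proto, int(ts))
        in_window[key] += 1
        s = stats[proto]
        s["peak_pps"] = max(s["peak_pps"], in_window[key])
        if in_window[key] > limits[proto]:
            s["dropped"] += 1  # limit reached for this second: packet dropped
        else:
            s["passed"] += 1
    return {p: dict(v) for p, v in stats.items()}


def constructed_sample():
    """Constructed traffic: ICMP flood in second 0, light ARP, TCP SYN burst."""
    pkts = [(0.01 * i, "icmp") for i in range(10)]       # 10 pings in second 0
    pkts += [(1.0 + 0.1 * i, "icmp") for i in range(2)]  # 2 pings in second 1
    pkts += [(0.5, "arp"), (1.5, "arp")]                 # ordinary ARP requests
    pkts += [(2.0 + 0.05 * i, "tcp") for i in range(6)]  # 6 SYNs in second 2
    return pkts


if __name__ == "__main__":
    for proto, s in sorted(apply_rate_limits(constructed_sample()).items()):
        print(f"{proto:5} passed={s['passed']:3} dropped={s['dropped']:3} "
              f"peak={s['peak_pps']}/s")
```

Feeding the function timestamps from a capture of normal management traffic gives the peak packets-per-second figure per protocol, which is the number to stay above when choosing each limit so that legitimate ARP, SNMP or BGP traffic is not dropped.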
