Binding a dns dpi policy to a virtual port – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual
Brocade Virtual ADX Security Guide
53-1003250-01
DNS-DPI Attack Protection
NOTE
A maximum of 255 DNS policies can be configured on a Brocade Virtual ADX. Also, the total number
of rules that can be bound to a single policy is 512 and the global limit for binding rules to a policy
is 2500. For example, if you bind 500 rules to each of 5 policies you will reach 2500 which is the
global limit for binding rules to a policy.
Once a packet matches a configured filter, the following actions can be specified:
• Drop the packet that matches the filter
• Redirect to a server or server group
• Rate limit the packets
• Log the times that the rule has been matched (log is a secondary action and cannot be specified by itself)
The actions are configured within the DNS DPI policy as shown in the following.
Virtual ADX(config)#csw-policy DNSpolicy1 type dns-filter
Virtual ADX(config-csw-dns-policy-P1)#match rule1 redirect 1 log
Virtual ADX(config-csw-dns-policy-P1)#match rule2 drop log
Virtual ADX(config-csw-dns-policy-P1)#match rule3 rate-limit monitor-interval 2 conn-rate 20 hold-down-time 2 log
Virtual ADX(config-csw-dns-policy-P1)#default drop
Syntax: { match rule-name | default } { drop | redirect group | rate-limit monitor-interval mon-value conn-rate conn-value hold-down-time hold-down-value } { log | no-log }
If the default option is configured under a policy, DNS query packets that do not match any of the
rules bound to that policy are acted on by the configured default option. In the example above, a
DNS query that does not match rules rule1, rule2, and rule3 will be dropped.
The drop parameter directs the Brocade Virtual ADX to drop any packets that match the filter.
The redirect parameter directs the Brocade Virtual ADX to redirect any packets that match the filter to the server or server group specified by server-id or server-grp-id.
The rate-limit parameter directs the Brocade Virtual ADX to rate limit packets that match the filter
at the monitor-interval specified by the mon-value variable, the conn-rate specified by the
conn-value and the hold-down-time specified by the hold-down-value variable.
The log parameter directs the Brocade Virtual ADX to report the number of times that a rule has
been matched within a 5 second interval. The log parameter is a secondary action and cannot be
specified by itself.
Binding a DNS DPI policy to a virtual port
To take effect, a DNS DPI policy must be bound to a virtual port. The following applies to this binding:
• A CSW DNS policy can only be applied to port DNS.
• You can bind only one policy per virtual port.
• You cannot bind a DNS policy to a virtual port if another CSW policy is already bound to port DNS.
• Once a DNS policy is bound to a port, any DNS query that comes to the virtual server will be matched against the rules bound to that policy and any associated action will be taken on the match.
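The following is an added example (not Brocade code) that models the policy and binding semantics described in the two sections above: the 255/512/2500 limits from the note, log as a secondary-only action, the default option for unmatched queries, and the port-DNS and one-policy-per-port binding rules. Rule match predicates are an assumption (the guide defines rule contents elsewhere), as is first-match-wins ordering and pass-through when no default is configured.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Limits stated in the guide's note
MAX_POLICIES = 255           # DNS policies per Virtual ADX
MAX_RULES_PER_POLICY = 512   # rules bound to a single policy
MAX_BOUND_RULES = 2500       # global limit for rules bound to policies
PRIMARY_ACTIONS = {"drop", "redirect", "rate-limit"}   # log is secondary only

@dataclass
class Rule:
    name: str
    matches: Callable[[str], bool]   # assumed: predicate over the queried name
    action: str                      # drop | redirect | rate-limit
    log: bool = False                # secondary action

@dataclass
class DnsPolicy:
    name: str
    rules: list = field(default_factory=list)
    default: Optional[str] = None    # action for queries matching no rule

class VirtualAdx:
    def __init__(self):
        self.policies = {}           # name -> DnsPolicy
        self.bindings = {}           # (virtual server, port) -> policy name

    def bound_rules(self):
        return sum(len(p.rules) for p in self.policies.values())

    def add_policy(self, name):
        if len(self.policies) >= MAX_POLICIES:
            raise ValueError("maximum of 255 DNS policies reached")
        self.policies[name] = DnsPolicy(name)
        return self.policies[name]

    def match(self, policy, rule):
        if rule.action not in PRIMARY_ACTIONS:
            raise ValueError("log cannot be specified by itself; a primary action is required")
        if len(policy.rules) >= MAX_RULES_PER_POLICY:
            raise ValueError("maximum of 512 rules per policy reached")
        if self.bound_rules() >= MAX_BOUND_RULES:
            raise ValueError("global limit of 2500 bound rules reached")
        policy.rules.append(rule)

    def bind(self, vserver, port, policy):
        if port != "dns":
            raise ValueError("a CSW DNS policy can only be applied to port DNS")
        if (vserver, port) in self.bindings:
            raise ValueError("a CSW policy is already bound to port DNS on this virtual port")
        self.bindings[(vserver, port)] = policy.name

    def evaluate(self, vserver, qname):
        policy = self.policies[self.bindings[(vserver, "dns")]]
        for r in policy.rules:           # assumed: first matching rule wins
            if r.matches(qname):
                return r.action, r.log
        return policy.default, False     # no match: default option (None = assumed pass-through)
```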