Course Code: 300-101 DefensePro Level1 Training Manual November, 2010

300-101 DP Training 5-10 Level1 Manual v1


300-101: DefensePro Level 1 Lab Manual | Page 2 © Radware 2010. All rights reserved. Distribution of this document needs approval from Radware Knowledge & Education Services.

This document is protected by United States and International copyright laws. Neither this document nor any material contained within it may be duplicated, copied or reproduced, in whole or part, without the expressed written consent of Radware, Inc.

The features and functions of Radware devices discussed in this document are based on the following firmware version.

Product            Version
DefensePro         5.10.x
APSolute Vision    1.0.5

If your Radware device is running an older version of firmware or if you are using an older version of APSolute Vision, some of the features and implementations discussed in this manual may not be available.

To upgrade your existing Radware device, please contact your Radware sales person.

Conventions

The following font conventions are used in this manual:

• Bold – indicates the series of menu items in APSolute Vision used to reach a particular screen or window

• Underline – indicates an option or entry within an APSolute Vision screen or window

• Italics – indicates the value or setting supplied in a window or screen

• Courier – indicates CLI or telnet commands


Table of Contents

Course Code: 300-101 (page 1)
Lab Configuration Information (page 4)
Lab 1a – Initial DefensePro Setup (page 5)
Lab 1b – Connecting to your DefensePro using APSolute Vision (page 12)
Lab 2 – Administering DefensePro (page 18)
Lab 3 – Behavioral DoS Protection (page 23)
Lab 4 – Worm Propagation Prevention & Anti-Scanning (page 34)
Lab 5 – SYN Flood Protection (page 38)
Lab 6 – Server Cracking Protection (page 40)
Lab 7 – HTTP Mitigator Protection (page 44)
Lab 8 – Signature Protection (page 47)
Lab 9 – Building a Custom Signature (page 52)
Lab 10 – Stateful Inspection (page 56)
Lab 11 – Policy Exceptions (Black & White lists) (page 59)
Lab 12 – Connection Limits (page 62)
Lab 13 – Stateful Access List (ACL) (page 65)
Lab 14 – Bandwidth Management (page 68)
Lab 15 – APSolute Vision Reporter (page 72)
Appendix-A – Install APSolute Vision Client (page 76)


Lab Configuration Information

During the training, students are divided into teams (Team 1, Team 2, etc.) and each team will configure and manage a single Radware device. The steps and diagrams within the training material are based on this type of lab setup. In some situations, your instructor may have to deviate from the standard configuration to accommodate more students or to account for less available time.

The labs in this manual are designed to demonstrate the more commonly used features and functions on Radware’s DefensePro. There are a great number of features on all Radware devices, and it would be impossible to provide labs for all of them without increasing the training period to several weeks.

Each lab contains step-by-step instructions on how to configure the device correctly using APSolute Vision. These steps are illustrative only and are usually based only on the configuration of one device in the training lab. Pay close attention to the tables and charts within the lab instructions. You will be expected to apply the appropriate settings for your device only. It will make for a particularly long day for you (and your instructor) if several students mistakenly use addresses and settings that belong to other students.

If you have any questions about how to configure your Radware device during a particular lab, please ask your instructor for assistance.

Figure 1 – Team # Lab Configuration


Lab 1a – Initial DefensePro Setup

Lab Goals:

• Establish a serial connection to the device (directly with cable or via terminal server)

• Apply the required minimum settings through the Startup Menu to allow APSolute Vision connectivity

• Configure and test SSH access

• Configure and test Secured Web Based Management

• Review the various options and settings available through the initial command line menu

Connection Note:

You have three different options to connect to your device:

• Direct via Serial (described below)

• Terminal Server to the serial console (putty/telnet to 192.168.150.252 on port 7008 + #, where # is your team number) => in Lab 1, skip to step 6 (page 7)

• VNC to a workstation: x.x.x.590# with password team# (where # is your team number) and use the preconfigured Putty connection => in Lab 1, skip to step 6 (page 7)

Please ask your instructor which is used in your class.


Step-by-step:

Note: The DefensePro will apply a default configuration if you do not intervene at the Startup Menu within 30 seconds. Please make certain you pay attention when you initially start the device to avoid delaying the class while the instructor has to erase the default configuration. You can simply hit enter when the Startup Menu appears and the device will not apply a default configuration. The default configuration will apply the following:

Interface 1 = 192.168.1.1
Mask = 255.255.255.0
Username and Password = radware/radware

1. Attach the enclosed serial cable to the port on the DefensePro and attach the other end to a communication port on the management PC.

2. Open HyperTerminal and create a new connection.

3. Select the communication port that the Radware device is connected to.

4. Set the following values:

Figure 1 - Communication Port Settings

5. Power on the device and note the various messages during the boot process.


6. Follow the steps below to reset the device:

a. Press the enter key a few times and make sure you get a DefensePro> prompt.

b. Log in with the default user name and password (radware).

c. From the DefensePro# prompt type reboot and hit enter.

d. When the device begins to boot up, you will see a message that says “Press any key to pause autoboot…”

e. Press any key on the keyboard (you have 3 seconds to do this).

f. From the > prompt type q1 and press enter.

g. At the prompt “This action removes configuration file. Do you want to continue (y/n) ?” press y.

h. When the erase configuration completes and the > prompt comes back, type @ and press enter. The device will be reset to factory defaults and the Startup Configuration screen will come up.

Startup Configuration

0. IP address
1. IP subnet mask
2. Default router IP address
3. User Name
4. User Password
5. Enable Web Access (y/n) [n]
6. Enable Secure Web Access (y/n) [n]
7. Enable Telnet Access (y/n) [n]
8. Enable SSH Access (y/n) [n]
9. SNMP Configuration

7. Assign the values that your instructor has provided for your device unit using the following table (# = team number):

0. IP address = 10.10.244.#
1. IP subnet mask = 255.255.248.0
2. Port number = MNG-1
3. Default router IP address = 10.10.240.1

For ALL other values press <Enter> to use the default settings!

8. You cannot go back to a previous menu item if you made a mistake. You must enter all items and then at the end select Y then N to go back to the start.


9. When you hit <Enter> at the SNMP Configuration option, a new window will appear with additional settings for SNMP:

SNMP Startup Configuration

0. Supported SNMP versions [1 2 3]

1. Community [public]

2. SNMP root user

3. Privacy Protocol (NONE/DES) [DES]

4. Privacy Password

5. Authentication Protocol (NONE/SHA/MD5) [MD5]

6. Authentication Password

7. NMS IP address

8. Configuration file name

10. Please leave everything at the default by hitting <Enter> for each item to apply the default settings, so that your instructor can access the device during training.

Continue with the current configuration (y/n):

11. If your configuration is correct, select y and hit enter. The device will reboot and you should be able to connect to it with APSolute Vision in the next lab.

12. If you have made a mistake, select n and then hit <Enter> to reach the desired line and make whatever changes are necessary.

13. When the device has finished restarting, you will have to log in to the unit by typing: login. Unless you changed the username and password during the initial configuration, you should be able to use “radware” for both the username and password.

14. When you have logged in, use the question mark (“?”) to display the commands.


15. You should see a list of commands similar to the one below:

acl          Access control list
bwm          Policy management and classification
classes      Configures traffic attributes used for classification
device       Device Settings
dp           DefencePro Security settings
help         Displays help for the specified command
login        Login into the device
logout       Logout of the device
manage       Device management configuration
net          Network configuration
ping         Pings a remote host.
reboot       Reboot the device
security     Device Security
services     General networking services
shutdown     Shutdown
ssh          Connect via SSH to a remote host.
statistics   Device statistics configuration.
system       Sets system parameters.
telnet       Connects to a remote host via telnet.
trace-route  Measures hops and latency to a given destination.

DefensePro#

16. Use the command net ip-interface to make sure the unit shows the appropriate interface address.

17. From the command line, ping the default gateway address 10.10.240.1. Then ping the IP address of the APSolute Vision server 10.10.240.10 to make sure you have basic network connectivity. Let your instructor know if you are unable to reach either of these hosts.

18. Take a look at some of the CLI commands available. Feel free to ask your instructor questions about these functions, but bear in mind that almost all of the commands available here will be accessible through APSolute Vision.

Note: As a general rule, you will find it helpful to leave your workstations connected to the DefensePro through the CLI for the duration of the labs. There are a number of traps and error messages that the device will generate through the CLI, and these can be useful for troubleshooting.


19. Enable SSH from the Command Line Interface:

manage ssh status set 1 (1=enable, 2=disable)

20. Create a username and password so that you can access the device through Telnet, or you can use the default username and password of “radware”:

manage user table create team# -pw team#

Use your team’s number (#) for the username and password.

21. Change the prompt of the CLI to show your Team#:

manage terminal prompt set DP-Team#

22. Open an SSH session to your device and supply the appropriate username and password. Type ? and then hit the <Enter> key. You should see a list of commands identical to those displayed through the CLI.

23. Enable Secure Web Based Management. From the CLI or from your Telnet connection, enter the following command:

manage secure-web status set enable

24. You can now open a browser from your workstation and use https://<ip_address of your DefensePro>. For example, students of Team 1 use: https://10.10.244.1

25. You should be prompted for a username and password. Use the username and password that you created. It may take a few moments for the browser to load the applets that will give you access to various functions on the device, so be patient.


Enabled Features

By default all the needed features are enabled. To verify, type the commands below; the status for each feature should show as “enable”.

Application Security:
dp signatures-protection application-security global status

Packet Reporting:
dp reporting packet-report status get

DOS Shield:
dp signatures-protection dos-shield global status

Session Table:
device session-table status get

SYN Protection:
dp syn-protection status get

Behavioral DoS:
dp behavioral-DoS global status get

Anti Scanning:
dp anti-scanning global status

HTTP Mitigator:
dp http-mitigator global status


Lab 1b – Connecting to your DefensePro using APSolute Vision

To manage a Radware device using APSolute Vision, please follow the steps below:

1. For your convenience, the classroom central APSolute Vision device is already set up.

2. If you don’t have the APSolute Vision icon on your desktop or you don’t find it in the start menu (Start -> Programs -> APSolute Vision -> APSolute Vision), go to Appendix-A “Installing the APSolute Vision Client”.

3. Start APSolute Vision using the icon (Desktop or Start-Menu).

4. In the login screen type in the following information, then click “Login” to log in:

User Name: DP-Team# (where # is your team number)
Password: radware
Vision Server: vision.radware.muc (or the IP/name according to your location)
Authentication: Local


5. After a few seconds, the main APSolute Vision window appears.

6. If your device is not visible, right click on Default in the System window and select New > DefensePro.

7. In the “Edit Device Connection Information” window you only need to fill in the Name of the device and the Management IP; for the rest we use the defaults in our training.

Name: DefensePro Team # (where # is your team number)
Management IP: 10.10.244.#

Note: If you’re facing problems connecting to your device, contact your instructor.

8. Click OK; APSolute Vision will now connect to the device.


9. Right click on the DP and select Lock;

The DP logo should show a lock now:

NOTE: This feature will prevent anyone else from making configuration changes during your session.


• Enabling Security Reporting

1. You find the Security Reporting settings at the Configuration perspective > Advanced Parameters > Security Reporting Settings.

2. Click the Security Reporting Settings in the tab navigation pane. The setting appears on the right part of the content area.

3. In order to receive security traps in the CLI, place a check-mark in the box beside Enable Sending Terminal Echo (enable it).

4. In order to send security traps to a Syslog server, place a check-mark in the box beside Enable Sending Syslog (enable it).

5. Make sure Traps Sending is checked.

6. Make sure the IP of the Vision appliance (10.10.240.10) is added at the Data Reporting Destination. Use the right mouse click or the button.

7. Make sure the following are set:

a. Minimal Risk for Sending Traps: Info
b. Minimal Risk for Sending Syslog: Info
c. Minimal Risk for Sending Terminal Echo: Info
d. Minimal Risk for Sending Email: Info


8. Make sure that in the Packet Reporting section the Vision appliance is listed as the target.

9. Click the commit button to apply your changes.

10. Go to Configuration > Device Security > SNMP > Target Address and add an entry to send SNMP traps to the Vision server. Press the button and make sure the following are set:

a. Name: Vision
b. IP Address and L4 Port: 10.10.240.10-162
c. Mask: 0.0.0.0
d. Tag list: v3Traps
e. Target Parameters Name: public-v1

• Creating a Network Protection Rule

1. Go to Configuration perspective > Classes > Modify Configuration > Physical Ports and click the button.

2. For the Physical Ports Group Name use G1-Inbound and select Inbound Port G-1 in the drop-down menu.

3. Click OK to add the port group.

4. Click Activate Latest Changes.

5. Go to Configuration perspective > Network Protection and click the button.

6. The Add New Network Protection Rule window appears.

7. Name the policy in the Basic Parameters section. Rule Name: NWRule_Team#.

8. In the Classification section, select the predefined network any for SRC Network from the dropdown list.

9. For the DST Network click on the button to create a new network; the Networks window will appear.

10. Right click in the Network Name Table and select Add New Network.


11. In the Edit Network Entry window enter the Network Name protected and right click in the table below to create a new Network Group. Fill in the following information:

Entry Type: IP Mask
Network Type: IPv4
Network Address: 27.1.0.0
Mask: 255.255.0.0

Click OK to add the new entry and click Close to close the Edit Network Entry window.

12. Click Activate Latest Changes in the Network window.

13. Highlight the new network and click OK.

14. In the drop-down button next to Port Group, select the port group we created at the beginning of the lab and click OK.

15. In the New Network Protection Rule window change the Direction to Two Way and click OK to close this window.

16. Click Activate Latest Changes below the Network Protection Rule.

17. Your Network Protection Rule table should look like this:


Lab 2 – Administering DefensePro

Lab Goals:

• Enable and configure various options related to managing the DefensePro itself:

1. Upgrade the device’s software
2. Security Update Service – Updating the Attack Database
3. Downloading device configuration file
4. Updating the Device’s License
5. Enabling Syslog Reporting

Most of this will be done in the Monitoring & Control perspective if you right click on the device:


Upgrade the device’s software

1. Obtain the new firmware file from your instructor along with a password for your device.[1]

2. Right-click the device and select Manage Software Versions; the Software Upgrade window will open.

3. Click the Browse button and locate the new firmware file.

4. In the Software Version section enter the new version number, for example 5.01.04.

5. In the Password section, enter the password for your specific unit and verify it in the Verify Password section.

6. Click the Send button; this will perform the software update including a reboot.

7. You will get the following message:

8. If you want to see what happens during the upgrade, open a connection to the serial console of your device.

[1] This may not be possible to perform in all lab environments, since your instructor will need access to the internet in order to generate a password for the unit.


Security Update Service – Updating the Attack Database

1. Right-click the device and select Update Attack Signature File and the Update Attack Signature File window will open.

2. Select the source of the update:

- Radware.com: will download the latest Vision version from the internet
- Client: if you have downloaded the latest version already to your client

3. Click the Send button to start the update process via the internet.

4. You will get the following message:

5. Review the Alert pane to see if the update has successfully finished.


Download Device Configuration File

1. Right-click the device and select Get Device Configuration File; the Get Device Configuration File window will open.

2. Here you can select whether you want to save the configuration file at the APSolute Vision appliance or locally at your client machine, and the transport protocol.

3. Click Save to save the configuration file with the suggested name at the appliance.

4. You can again review the status of the process in the Alert pane.


Updating the Device’s License

1. Select the Configuration perspective and select the License Upgrade menu point in the Setup tab.

2. Enter the new license in the New License Key or Throughput License Key field and click the commit button to apply your changes:

Note: If you add a new feature license you need to reboot the device to activate it. Throughput licenses will be applied on the fly without a reboot.

3. If a reboot was needed, wait until it has completed, close all open windows and repeat steps 1-2 to see the new license active.

Enabling Syslog Reporting

1. Select the Configuration perspective and select in the Setup tab the Syslog menu point.

2. Enable Syslog and use as the Server Address 192.168.150.253 (ask your instructor if you need to use a different syslog server and how to view the messages).

3. Click the commit button to apply your changes


Lab 3 – Behavioral DoS Protection

Lab Goals:

• Configure and monitor Behavioral DoS Protections

Step By Step:

1. The Behavioral DoS Module should already have been enabled on your team’s device. However, you should verify this before proceeding.

2. Select the Configuration perspective and select the BDoS Protection menu point in the Security Settings tab.

3. Make sure BDoS Protection and Traffic Statistics Sampling are enabled.

4. Set the Learning Response Period to Day.

5. Make sure the Footprint Strictness is set to Low.

6. Click the commit button to apply your changes.

7. Go to the Network Protection tab and select BDoS Profiles.

8. To create a new BDoS profile, click the Add button. The Add New BDoS Profile window appears.

9. For the Profile Name, enter BDoS.

10. Under Flood Protection Settings add all attacks to the profile by marking the check box in front of the attack name.

11. Under the section for Bandwidth Settings, change the values for Inbound and Outbound to 5000.

12. For testing purposes, we are going to modify the default Quota settings since the device hasn’t had time to learn any network traffic patterns.


13. Make sure the Incoming and Outgoing TCP are set to 90.
14. Make sure the Incoming and Outgoing UDP are set to 70.
15. Change the Incoming and Outgoing ICMP values to 30.
16. Change the Incoming and Outgoing IGMP to 38.
17. Leave the Transparent Footprint Optimization unchecked.
18. Click OK to close this window.

19. In the menu tree of the Network Protection tab click on Network Protection Rules and double-click on the Rule we defined in Lab 1.

20. In the Action section select the BDoS Profile we have just created and press OK.

Note: You can also add a new BDoS Profile here by pressing the button.

21. Press the button before you continue.


Testing

1. Connect to a prepared Attacker PC via VNC: <remote lab>:790#, password = team#. Note: please verify the URL of the Remote Lab you are using.

2. In the new VNC session you might need to hit any key (for example the down arrow) to see the screen, since the PC will disable the display after some time.

3. Select Configure from the application main menu.
4. Select Manual (select it by hitting the space key) and then hit OK.
5. Enter the IP address for the attacking PC: 27.1.#.10 (# = Team-Number)
6. Enter the Subnet mask for the attacking PC: 255.255.255.0
7. Enter the Default Gateway: 27.1.#.100
8. Select Back.
9. Select Network Attacks.

TCP Flood Scenario

1. On the Attacking PC, from the main Welcome Screen, select Network Attacks > Floods > Single Source TCP SYN Attack.

2. Make sure the destination address is set to 27.1.#.100 (# = Team-Number) and click OK.

3. Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:

20-08-2010 14:45:12 WARNING 73 Behavioral-DoS "network flood IPv4 TCP -SYN" TCP 0.0.0.0 0 0.0.0.0 0 0 Regular "lab" start 0 0 0 0 N/A high drop
20-08-2010 14:45:27 WARNING 73 Behavioral-DoS "network flood IPv4 TCP -SYN" TCP 27.1.1.10 31337 27.1.#.100 25 2 N/A "lab" sampled 1 0 0 0 N/A high drop
20-08-2010 14:45:42 WARNING 73 Behavioral-DoS "network flood IPv4 TCP -SYN" TCP 27.1.1.10 31337 27.1.#.100 25 2 N/A "lab" ongoing 0 0 0 0 N/A high drop
20-08-2010 14:45:52 WARNING 73 Behavioral-DoS "network flood IPv4 TCP -SYN" TCP 27.1.1.10 31337 27.1.#.100 25 2 N/A "lab" term 0 0 0 0 N/A high drop

4. In APSolute Vision, select the Real-Time Monitoring perspective and select your device in the Security Dashboard tab.


5. You will see the Security Dashboard. If you move the mouse over the attack you will see more information.

6. Select Current Attacks in the content area to see the actual attacks.

7. Keep the filter on default and click the button.

8. To see more details on the attack, double-click on it.

Explanation

From the Current Attacks table it can be seen that this is a TCP-SYN attack. The source address indicates a single source attack. The attack footprint can be seen in the attack details. It reveals the ingredients of the footprint: source port, source IP and packet size. The general attack characteristics can be viewed in the lower table. The attack statistics will show the attack statistics table. The Attack Statistics Graph will show the graphical representation of the attack over time.


If you like, you can also view the real-time Behavioral-DoS statistics during the attack by selecting the BDoS Monitoring tab. Select Attack Traffic – TCP(IPv4) in the tree menu and select the Protection Type TCP SYN.

1. No Attack

2. Attack is starting – Footprint lookup phase

3. Attack is ongoing – Blocking phase

4. Attack has finished


UDP Flood Scenario

1. On the Attacking PC, from the main Welcome Screen, select Network Attacks > Floods > Single Source > UDP Data Flood.

2. Make sure the destination address is set to 27.1.#.100 (#=Team-Number) and click OK.

3. Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:

20-08-2010 15:13:17 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 Regular "lab" start 0 0 0 0 N/A high drop

20-08-2010 15:10:57 WARNING 70 Behavioral-DoS "network flood IPv4 UDP" UDP 27.1.1.10 31337 27.1.#.100 135 2 N/A "lab" sampled 1 4 0 0 N/A high drop

20-08-2010 15:10:57 WARNING 70 Behavioral-DoS "network flood IPv4 UDP" UDP 27.1.1.10 31337 27.1.#.100 135 2 N/A "lab" ongoing 0 0 0 0 N/A high drop

20-08-2010 15:11:02 WARNING 71 Behavioral-DoS "network flood IPv4 UDP" UDP 27.1.1.10 31337 27.1.#.100 135 2 N/A "lab" term 0 0 0 0 N/A high drop

4. In APSolute Vision, select the Real-Time Monitoring perspective and the Current Attacks tab.

5. Double click on the attack event.


Explanation
The attack type is UDP flood from a distributed source (notice the 0.0.0.0 IP in the source address column). Note: If you monitor the target computer with a sniffer (such as Ethereal), you can see some UDP packets reaching the target computer, but they then stop as the DP blocks the attack.


ICMP Flood

1. On the Attacking PC, from the main Welcome Screen, select Network Attacks > Floods > Single Source > ICMP Echo Request Flood.

2. Make sure the destination address is set to 27.1.#.100 (# = Team-Number) and click OK. Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:

20-08-2010 16:57:07 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 Regular "lab" start 0 0 0 0 N/A high drop

20-08-2010 16:57:22 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 27.1.1.10 0 27.1.#.100 0 2 N/A "lab" sampled 1 4 0 0 N/A high drop

20-08-2010 16:57:37 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 N/A "lab" ongoing 0 0 0 0 N/A high drop

20-08-2010 16:57:47 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 N/A "lab" term 0 0 0 0 N/A high drop

3. In APSolute Vision, select the Current Attacks tab.


4. Double click on the attack event to see Attack Information.

Explanation
The attack type is ICMP flood from multiple sources. The attack footprint (the blocking rule created by the BDoS engine) is composed of the Source IP.
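The CLI traps quoted in the TCP SYN, UDP and ICMP flood labs above (and in the later labs) all share one field layout. The following parser is an added example, not Radware code: it reads those trap lines, tells single-source from distributed (0.0.0.0) traps as the explanations above do, and reconstructs the start/sampled/ongoing/term sequence per attack. The field positions are inferred from the sample traps on this page; the unnamed numeric fields are kept raw because the page does not document them.

```python
"""Parser for the DefensePro CLI trap lines shown in the labs on this page.

Added example, not Radware code. Field positions are inferred from the sample
traps on this page: date, time, severity, attack ID, module, quoted attack
name, protocol, source IP, source port, destination IP, destination port,
two undocumented fields, quoted policy name, status, four counters, one
undocumented field, risk, action (22 fields in every trap on the page).
"""
import shlex

CLI_PROMPT = "DefensePro#"   # prompt that is sometimes fused onto the next trap

# Constructed sample: trap lines copied from the ICMP, UDP and SYN flood labs
# on this page, plus one Intrusions trap from the signature lab.
SAMPLE_TRAPS = [
    '20-08-2010 16:57:07 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 Regular "lab" start 0 0 0 0 N/A high drop',
    '20-08-2010 16:57:22 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 27.1.1.10 0 27.1.#.100 0 2 N/A "lab" sampled 1 4 0 0 N/A high drop',
    '20-08-2010 16:57:37 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 N/A "lab" ongoing 0 0 0 0 N/A high drop',
    '20-08-2010 16:57:47 WARNING 71 Behavioral-DoS "network flood IPv4 ICMP" ICMP 0.0.0.0 0 0.0.0.0 0 0 N/A "lab" term 0 0 0 0 N/A high drop',
    '20-08-2010 15:10:57 WARNING 70 Behavioral-DoS "network flood IPv4 UDP" UDP 27.1.1.10 31337 27.1.#.100 135 2 N/A "lab" sampled 1 4 0 0 N/A high drop',
    'DefensePro#09-07-2008 15:23:54 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "protected" ongoing 60364 28295 0 0 N/A medium proxy',
    '17-08-2010 16:28:08 WARNING 5672 Intrusions "Apache-CMD-Command-Exec" TCP 27.1.1.10 2057 27.1.1.100 80 1 Regular "NWRule_Team1" occur 1 0 0 0 N/A medium dest-reset',
]

FIELDS = ("date", "time", "severity", "attack_id", "module", "attack_name",
          "protocol", "src_ip", "src_port", "dst_ip", "dst_port")


def parse_trap(line):
    """Split one trap line into a dict.

    Raises ValueError for lines that do not carry the 22 fields seen in every
    trap on this page (for example a CLI echo or a truncated line).
    """
    line = line.strip()
    if line.startswith(CLI_PROMPT):          # strip a fused CLI prompt
        line = line[len(CLI_PROMPT):]
    tokens = shlex.split(line)               # keeps the quoted names together
    if len(tokens) != 22:
        raise ValueError("unexpected field count %d: %r" % (len(tokens), line))
    rec = dict(zip(FIELDS, tokens))
    rec["policy"] = tokens[13]               # network/server protection rule name
    rec["status"] = tokens[14]               # start / sampled / ongoing / term / occur
    rec["counters"] = tuple(int(t) for t in tokens[15:19])
    rec["risk"] = tokens[20]                 # low / medium / high
    rec["action"] = tokens[21]               # drop / proxy / dest-reset ...
    return rec


def parse_traps(lines):
    """Parse many lines; malformed ones are collected instead of raised."""
    records, rejected = [], []
    for line in lines:
        try:
            records.append(parse_trap(line))
        except ValueError:
            rejected.append(line)
    return records, rejected


def source_kind(rec):
    """BDoS traps carry 0.0.0.0 as source address when the attack is not
    attributed to a single source, as the UDP and ICMP explanations note."""
    return "distributed" if rec["src_ip"] == "0.0.0.0" else "single-source"


def lifecycle(lines):
    """Group traps by attack ID and name and return the ordered status
    sequence of each attack, e.g. start -> sampled -> ongoing -> term."""
    sequence = {}
    for rec in parse_traps(lines)[0]:
        key = (rec["attack_id"], rec["attack_name"])
        sequence.setdefault(key, []).append(rec["status"])
    return sequence


if __name__ == "__main__":
    for (attack_id, name), statuses in lifecycle(SAMPLE_TRAPS).items():
        print("%-8s %-28s %s" % (attack_id, name, " -> ".join(statuses)))
    for rec in parse_traps(SAMPLE_TRAPS)[0]:
        print(rec["time"], rec["attack_name"], source_kind(rec), rec["action"])
```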


Lab 4 – Worm Propagation Prevention & Anti-Scanning

Lab Goals:

• Configure a worm propagation and Anti-Scanning Policy
• Monitor Anti-Scanning using the Attack Tool.

Step By Step:

1. Select Configuration (perspective) > Security Settings (tab) > Anti-Scanning
2. In the Anti Scanning Parameters (right pane), mark the Enable Protection for Very Slow Scans checkbox.
3. Click the commit button to apply the setting.
4. Select Configuration (perspective) > Network Protection (tab) > Network Protection Rules and double-click on the Rule we defined in Lab 1.
5. In the Action section click on the button next to Anti Scanning Profile and the Anti-Scanning Profiles window will open.
6. Right-click inside the table and add a new entry.
7. For the new entry use the following entries:

a. Rule Name: AntiScanning
b. Type: GW
c. Detection Sensitivity Level: High
d. Accuracy: Medium

8. Click OK to add the Profile and click OK to add the profile to the rule.
9. Click OK to close the Edit Network Protection Rule window.
10. Click the Activate Latest Changes button to apply the changes.


Testing Anti-Scanning

Worm Propagation
This attack demonstrates a worm propagation attack.

1. On the Attacking PC, from the main Welcome Screen, select Network Attacks.
2. Select Worm Propagation.
3. Select Slammer (UDP).
4. Enter the Destination Network Address: 27.1.20.x (really type x, since the tool needs it!).
5. Review the CLI traps and monitor the security reports in Vision:

24-08-2010 11:23:17 WARNING 351 Anti-Scanning "UDP Scan (horizontal)" UDP 27.1.1.10 0 0.0.0.0 1434 2 Regular "lab" start 0 0 0 0 N/A medium drop

24-08-2010 11:23:27 WARNING 351 Anti-Scanning "UDP Scan (horizontal)" UDP 27.1.1.10 0 0.0.0.0 1434 2 Regular "lab" ongoing 46 0 0 0 N/A medium drop

24-08-2010 11:23:52 WARNING 351 Anti-Scanning "UDP Scan (horizontal)" UDP 27.1.1.10 0 0.0.0.0 1434 2 Regular "lab" term 0 0 0 0 N/A medium drop

6. Try to send legitimate traffic to the attacked host from the legitimate user station.
7. The DP will detect and block the attack while letting legitimate traffic go through.


Scanning
This attack demonstrates a scan attempt:

1. On the Attacking PC, from the main Welcome Screen, select Network Attacks.
2. Select Scans.
3. Select TCP (L4).
4. Select Horizontal.
5. Select High (using the space key).
6. Enter the Destination network address: 27.1.20.x (really type x, since the tool needs it!).
7. Soon after the attack is initiated, the following traps are printed on the CLI:

24-08-2010 11:26:02 WARNING 350 Anti-Scanning "TCP Scan (horizontal)" TCP 27.1.1.10 0 0.0.0.0 80 2 Regular "lab" start 0 0 0 0 N/A medium drop

24-08-2010 11:26:02 WARNING 350 Anti-Scanning "TCP Scan (horizontal)" TCP 27.1.1.10 0 0.0.0.0 80 2 Regular "lab" ongoing 271064 127061 0 0 N/A medium drop

24-08-2010 11:26:32 WARNING 350 Anti-Scanning "TCP Scan (horizontal)" TCP 27.1.1.10 0 0.0.0.0 80 2 Regular "lab" term 0 0 0 0 N/A medium drop

8. Select Real-Time Monitoring (perspective) > Current Attacks (tab) and double-click on the attack.

9. If no monitoring data is visible, select the DP and press the Go button.


Lab 5 – SYN Flood Protection

Lab Goals:

• Configure a profile and policy to protect against SYN Floods
• Monitor the attack logs via Vision

Step By Step:

1. Select Configuration (perspective) > Network Protection (tab) > Network Protection Rules and double-click on the Rule we defined in Lab 1.

2. In the Action section click on the button next to SYN Flood Profile and the SYN Profiles window will open.

3. Right-click inside the table and add a New SYN Profile.
4. For the Profile Name select SYNFlood.
5. Right-click inside the table and add a new SYN Flood Protection.
6. Select HTTP as the Protection Name.
7. Click OK to add the protection to the profile.
8. Click OK to close the Edit SYN Profiles window.
9. Click OK to add the profile to the rule.
10. Unselect the BDoS Profile from your Network Protection Rule.
11. Click OK to close the Edit Network Protection Rule window.
12. Click the Activate Latest Changes button to apply the changes.


Testing SYN Protection

1. On the attacking computers, select Network Attacks > Floods > Single Source > TCP SYN Attack.

2. Enter the destination address: 27.1.#.100 (# = Team-Number) and click OK.
3. Soon after the attack is initiated from the attacking computer you should receive traps on the CLI. Wait for 1 minute and then click the Stop button:

09-07-2008 15:23:54 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "protected" start 0 0 0 0 N/A medium proxy

DefensePro#09-07-2008 15:23:54 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "protected" ongoing 60364 28295 0 0 N/A medium proxy

DefensePro#09-07-2008 15:24:09 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "protected" term 0 0 0 0 N/A medium proxy

4. In APSolute Vision, select the Real-Time Monitoring perspective and select the Current Attacks tab. Click the Go button:

5. Double-Click on the SYN Flood HTTP attack to see more details:


Lab 6 – Server Cracking Protection

Lab Goals:

• Configure a policy to protect against server cracking attacks.
• Monitor server cracking logs via Vision

Step By Step:

1. Select Configuration (perspective) > Server Protection (tab) > Server Protection Policy

2. Press the button to add a New Server Protection.
3. For the new entry use the following entries:

a. Server Protection Name: WebserverTeam#
b. Server IP Address: 27.1.#.100

4. Click on the button to create a new Server Cracking Profile.
5. Right-click inside the table and add a New Server Cracking Profile.
6. For the Profile Name select ServerCracking and click OK.
7. In the Edit Server Cracking Protection window select the Action Block and Report.
8. Right-click inside the table and add a New Server Cracking Protection.
9. For the new entry select the following entries:

a. Server Cracking Protection Name: Brute Force Web
b. Sensitivity: Medium
c. Risk: Medium

10. Click OK to add the new protection to the profile.
11. Right-click inside the table and add a New Server Cracking Protection.
12. For the new entry select the following entries:

a. Server Cracking Protection Name: Web Scan
b. Sensitivity: Medium
c. Risk: Medium

13. Click OK to add the new protection to the profile.


14. Your Server Cracking Profile should look like this:

15. Click OK to close the newly created Server Cracking Profile.
16. Click OK to select the new Server Cracking Profile for the Server Protection.
17. Your New Server Protection should look like this:

18. Click OK to add the New Server Protection.
19. Click the Activate Latest Changes button to activate the new settings.


Testing Server Cracking Protection – Brute Force:

1. On the attacking PC, select Services Attacks > HTTP Cracking.
2. Enter the IP address of the attacked PC: 27.1.#.100 (# = Team-Number) and click OK.
3. Enter the destination URL /account.aspx.
4. Soon after the attack is initiated, the following CLI traps are printed:

24-08-2010 10:15:33 WARNING 400 Cracking-Protection "Brute Force Web" TCP 27.1.1.10 48056 27.1.#.100 80 3 Regular "lab" start 0 0 0 0 N/A medium drop

24-08-2010 10:15:33 WARNING 400 Cracking-Protection "Brute Force Web" TCP 27.1.1.10 48056 27.1.#.100 80 3 Regular "lab" ongoing 1 0 0 0 N/A medium drop

24-08-2010 10:15:53 WARNING 400 Cracking-Protection "Brute Force Web" TCP 27.1.1.10 48056 27.1.#.100 80 3 Regular "lab" term 0 0 0 0 N/A medium drop

5. In Vision, select the Real-Time Monitoring > Current Attacks tab.
6. Double-click on the Brute Force Web attack to see the attack details:


Testing Server Cracking Protection – Web Scan:

1. On the attacking PC, select Services Attacks > HTTP Scanning.
2. Enter the IP address of the attacked PC: 27.1.#.100 and click OK.
3. Enter a destination URL (e.g. /accounts.aspx).
4. Soon after the attack is initiated, the following CLI traps are printed:

24-08-2010 10:10:28 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 42158 27.1.#.100 80 3 Regular "lab" start 0 0 0 0 N/A medium drop

24-08-2010 10:10:28 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 42158 27.1.#.100 80 3 Regular "lab" ongoing 2 1 0 0 N/A medium drop

24-08-2010 10:10:43 WARNING 401 Cracking-Protection "Web Scan" TCP 27.1.1.10 42158 27.1.#.100 80 3 Regular "lab" term 2 1 0 0 N/A medium drop

5. In Vision, select the Real-Time Monitoring > Current Attacks tab.
6. Double-click on the Web Scan attack to see the attack details:


Lab 7 – HTTP Mitigator Protection

Lab Goals:

• Configure a security policy to protect against HTTP flood attacks with the HTTP Mitigator.
• Monitor HTTP Mitigator logs and web server behavioral parameters in Vision

Step By Step:

1. Select Configuration (perspective) > Security Settings (tab) > HTTP Flood Protections

2. Change the Learning Period Before Activation to 0 Days. Note: This is needed since we want the system to block immediately.

3. Click the (commit) button to apply the setting.
4. Select Configuration (perspective) > Server Protection (tab) > Server Protection Policy
5. Double-click on the Server Protection we created in the last lab.
6. Click on the button to create a new HTTP Flood Protection Profile.
7. Right-click inside the table and add a HTTP Flood Protection Profile.
8. For the new entry use the following entries:

a. Profile Name: HTTPFlood
b. Sensitivity: Medium
c. Action: Block and Report

9. Since we don't have time for the learning period, we configure the thresholds manually. For this, check the Use the following thresholds to identify HTTP Flood attacks checkbox in the User-Defined Attack Triggers section.

10. In the Manual Configuration section add the following:
a. Get and POST Request-Rate Trigger: 5 HTTP req./sec.
b. Other Request-Type Request-Rate Trigger: 2 HTTP req./sec.
c. Outbound HTTP BW Trigger: 1 Kbps
d. Request-per-Source Trigger: 5 HTTP req./sec.
e. Request-per-Connection Trigger: 5 HTTP req./sec.


11. Your HTTP Flood Protection Profile should look like this:

12. Click OK and OK again to add the Profile.
13. Click OK to close the Server Protection window.
14. Click the Activate Latest Changes button to activate the new settings.
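To see what the five user-defined triggers entered in step 10 mean in practice, the following added example (not Radware's code) evaluates them against one second of constructed web-server request records. How DefensePro actually measures the triggers is not described on this page, so modelling each one as a plain per-second count, with a trigger firing when its threshold is exceeded, is an assumption of this example.

```python
"""Evaluate the user-defined HTTP flood triggers entered in Lab 7 against one
second of web-server request records.

Added example, not Radware code. The page gives the five thresholds but not
how DefensePro computes them; each trigger is modelled here as a per-second
count that fires when the configured value is exceeded (assumption).
"""
from collections import Counter, namedtuple

# Thresholds exactly as entered in step 10 of Lab 7.
TRIGGERS = {
    "get_post_req_rate": 5,     # Get and POST Request-Rate Trigger, HTTP req./sec
    "other_req_rate": 2,        # Other Request-Type Request-Rate Trigger, HTTP req./sec
    "outbound_http_bw": 1,      # Outbound HTTP BW Trigger, Kbps
    "req_per_source": 5,        # Request-per-Source Trigger, HTTP req./sec
    "req_per_connection": 5,    # Request-per-Connection Trigger, HTTP req./sec
}

# One request as seen at the protected server: client IP, TCP connection id,
# HTTP method, and bytes sent back to the client in the response.
Request = namedtuple("Request", "src_ip conn_id method resp_bytes")


def evaluate_second(requests, triggers=TRIGGERS):
    """Return the set of trigger names whose threshold is exceeded by the
    requests observed within one second."""
    fired = set()
    get_post = sum(1 for r in requests if r.method in ("GET", "POST"))
    other = len(requests) - get_post
    if get_post > triggers["get_post_req_rate"]:
        fired.add("get_post_req_rate")
    if other > triggers["other_req_rate"]:
        fired.add("other_req_rate")
    # Outbound bandwidth: response bytes per second converted to kilobits/sec.
    kbps = sum(r.resp_bytes for r in requests) * 8 / 1000.0
    if kbps > triggers["outbound_http_bw"]:
        fired.add("outbound_http_bw")
    per_source = Counter(r.src_ip for r in requests)
    if per_source and max(per_source.values()) > triggers["req_per_source"]:
        fired.add("req_per_source")
    per_conn = Counter(r.conn_id for r in requests)
    if per_conn and max(per_conn.values()) > triggers["req_per_connection"]:
        fired.add("req_per_connection")
    return fired


# Constructed samples. FLOOD_SECOND mimics the HTTP Flooding tool used in the
# test below: one attacker IP requesting /index.html over two connections.
FLOOD_SECOND = [Request("27.1.1.10", i % 2, "GET", 200) for i in range(8)]
# A quiet second: a single GET from a legitimate user with a 100-byte response.
QUIET_SECOND = [Request("27.1.1.20", 7, "GET", 100)]


def main():
    for name, second in (("flood second", FLOOD_SECOND), ("quiet second", QUIET_SECOND)):
        fired = evaluate_second(second)
        print("%s: %s" % (name, ", ".join(sorted(fired)) or "no trigger fired"))


if __name__ == "__main__":
    main()
```

Note how low the 1 Kbps outbound trigger from the lab is: it fires on the flood second but also on anything beyond roughly one small page per second, which is why the lab values suit a training setup rather than production.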


Testing HTTP Mitigator:

1. On the attacking computer select Service Attacks > HTTP Flooding.
2. Enter the IP address of the attacked PC: 27.1.#.100.
3. Make sure the destination URL is set to /index.html.
4. Soon after the attack is initiated, the following traps are printed:

24-08-2010 10:13:58 WARNING 150 HttpFlood "HTTP Page Flood Attack" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "server" start 0 0 0 0 N/A medium drop

24-08-2010 10:14:13 WARNING 150 HttpFlood "HTTP Page Flood Attack" TCP 0.0.0.0 0 27.1.#.100 80 0 Regular "server" term 0 0 0 0 N/A medium drop

5. In Vision, select the Real-Time Monitoring > Current Attacks tab.
6. Double-click on the Web Scan attack to see the attack details:


Lab 8 – Signature Protection

Lab Goals:

• Configure Intrusion Prevention policy.
• View Dashboard display of simulated attack traffic
• View and Sort Attack Logs by risk level
• Create a user-defined view and user-defined report

Step-by-Step:

1. Select Configuration (perspective) > Security Settings (tab) > Signature Protection

2. Uncheck the Enable Session Drop Mechanism checkbox. Note: We do this to be able to see the same attack generated by the attack tool again if we launch it a second time. For more details ask your instructor.

3. Click the (commit) button to apply the setting.
4. Select Configuration (perspective) > Network Protection (tab) > Network Protection Rules and double-click on the Rule we defined in Lab 1.
5. In the Action section click on the button next to Signature Protection Profile and the Signature Profiles window will open.
6. Right-click inside the table and add a New Signature Profile.
7. Set the Profile Name to All.
8. Right-click inside the table and add a New Signature Rule.
9. For the new entry use the following entries:

a. Rule Name: All_Info
b. Attribute Type: Risk
c. Attribute Value: Info

Note: This is not a recommended setting for production. We use it only in our training lab!

10. Click OK to add the Rule to the Profile.
11. Click OK to create the Profile.
12. Select the newly created Profile and click OK.
13. Click OK to close the Network Protection Rule.
14. Click the Activate Latest Changes button to activate the new settings.
15. Click the Update Policies button in the right corner and click OK to confirm the update.


Testing the Signature Protection

1. On the attacking computer select: Intrusion Attacks > Batch Edit.
2. Select a couple of the attacks, but at least two from each of these attack groups: Worms, IIS, Apache, Backdoors_Inbound, FTP_AS.

Note: Based on signature updates it is possible that not all of the attack captures used by the attack tool will be detected.

3. After you have saved the attacks select Back and run Launch the attacks.
4. Enter the IP address of the attacked server: 27.1.#.100.
5. The attacking computer initiates attacks towards the DefensePro and you should receive CLI traps as the DefensePro detects and blocks each attack. For example:

17-08-2010 16:28:08 WARNING 5672 Intrusions "Apache-CMD-Command-Exec" TCP 27.1.1.10 2057 27.1.1.100 80 1 Regular "NWRule_Team1" occur 1 0 0 0 N/A medium dest-reset

6. In Vision, select the Real-Time Monitoring > Security Dashboard.
7. You can move the mouse over the attack displayed and see more information.


8. In Vision, select the Real-Time Monitoring > Current Attacks

9. Double-Click one of the attacks to see the attack details:


10. If you like, you can go to Real-Time Monitoring > GeoMap and see where the attacks are coming from. If you click on a country in the map you see the list of attacks.


Packet Reporting

1. Select Configuration (perspective) > Network Protection (tab) > Network Protection Rules and double-click on the Rule we defined in Lab 1.

2. In the Action section check the checkbox called Packet Reporting and press OK.
3. Click the Activate Latest Changes button to activate the new settings.
4. Use the Attack Tool and run the saved attacks again.
5. Go to Real-Time Monitoring > Current Attacks, right-click on one of the attacks and select Export Packets To Ethereal Format.

6. Select the path and filename of the file and click OK.
7. Open the saved file, for example with Wireshark, and you can see the packet which triggered the alert:


Lab 9 - Building a Custom Signature

Lab Goals:

• Create a new user-defined attack signature using the Signature Protections feature to block a new workstation vulnerability
  1. Create OMPC signature
  2. Create Content Signature – blocking a URL
• Test the new attack signature

Building the filter:

1. Select Configuration (perspective) > Network Protection (tab) > Signature Protection > Signatures

2. In the right window (content area) at the Signatures section press the button.
3. Set the Signature Name to UD_OMPC.
4. Right-click in the Filter Table and add a new filter.
5. For the new entry use the following entries (keep the rest default):

a. Signature Name: UD_OMPC
b. Protocol: TCP
c. Destination Application Port: 1234

6. Click OK to close the Edit Filter window.
7. Click OK to close the Edit Signature Profile Rule window.
8. Select Configuration > Network Protection > Network Protection Rules and click the Activate Latest Changes button to activate the new settings.


Testing the custom Filter

1. On the attacking computer press ALT-F2 to switch to a second shell. From here you will try to start a TCP session to the blocked port:

sudo /usr/sbin/hping3 -c 5 -p 1234 27.1.#.100 (where # is your team number)

To return to the attack tool press ALT-F1.

2. The following traps are printed in the DefensePro's CLI:

17-08-2010 18:06:08 WARNING 300000 Intrusions "UD_OMPC" TCP 27.1.1.10 2400 27.1.1.100 1234 1 Regular "NWRule_Team1" occur 1 0 0 0 N/A low drop

3. In Vision, select the Real-Time Monitoring > Security Dashboard and if you move the mouse over the attacks you can see the user defined attack with details (also visible in the Current Attacks tab).


Creating a custom signature to block a URL

Step By Step:

1. Select Configuration (perspective) > Network Protection (tab) > Signature Protection > Signatures

2. In the right window (content area) at the Signatures section press the button.
3. Set the Signature Name to UD_URL.
4. Right-click in the Filter Table and add a new filter.
5. For the new entry use the following entries (keep the rest default):

a. Signature Name: UD_URL
b. Protocol: TCP
c. Destination Application Port: http
d. Content Type: URL
e. Content: /testurl
f. Content Encoding: Case Insensitive

6. Click OK to close the Edit Filter window.
7. Click OK to close the Edit Signature Profile Rule window.
8. Select Configuration > Network Protection > Network Protection Rules and click the Activate Latest Changes button to activate the new settings.


Testing the custom filter

1. On the attacking computer select Service Attacks > HTTP Cracking and press <Enter>

2. Enter the server address and use 27.1.#.100 (# = your team number) and press <Enter>

3. As the destination URL use “/testurl” (the URL we used in the filter) and press <Enter> to start the attack

4. Soon after, the following trap will be printed on the CLI:

17-08-2010 19:49:23 WARNING 300001 Intrusions "UD_URL" TCP 27.1.1.10 35208 27.1.1.100 80 1 Regular "NWRule_Team1" occur 1 1 0 0 N/A low drop

5. Review the Real-Time Reporting > Current Attacks tab in Vision.


Lab 10 – Stateful Inspection

Lab Goals:

• Create and test a Stateful Protection policy.

Step By Step:

1. First we need to enable the Stateful Inspection module, which needs a reboot.
2. Go to Configuration > Security Settings > Stateful Inspection and check the checkbox next to Enable Stateful Inspection Protection.
3. Click the commit button and accept to reboot the device.
4. After the device has rebooted, go to the same screen again and change the following:

a. Check the checkbox next to Activate
b. Change the Startup Mode to On

5. Go to Configuration > Network Protection > Network Protection Rules and edit your rule.

6. In the Action section click on the … button next to Stateful Inspection Profile to create a new profile.

7. Right-click in the table to add a new profile.
8. For the Profile Name use MyStateful and check every box for every inspection method.


9. Your protection profile should look like this:

10. Click OK to add the profile and click OK to use the newly created profile in your network protection rule. Close the rule with OK.
11. Click on Activate Latest Changes.

Testing this lab

1. At the attacker go to Intrusion Attacks > Single > FTP_AS and launch the first attack.

2. You should see the following line on the DP serial console:

20-08-2010 10:06:55 WARNING 240 Anomalies "TCP handshake violation, first packet not syn" TCP 27.1.1.10 41006 27.1.1.100 21 1 Regular "NWRule_Team1" occur 1 0 0 0 N/A low drop

3. Go to Real-Time Monitoring in APSolute Vision; on the Security Dashboard you see the attack:


4. Go to Current Attacks and double-click on the attack to see the details:

5. Before you continue to the next lab, remove the Stateful Inspection Profile from your Network Protection Rule!


Lab 11 – Policy Exceptions (Black & White lists)

Lab Goals:

• Configure exceptions and test the Black & White Lists mechanism.

Configuring Black List:

1. Go to Configuration > Classes > Modify Configuration > Networks
2. Right-click in the Network Name table to add a new Network.
3. For the Network Name use BLHost.
4. Right-click in the table to add a new network group.
5. Use the following information:

a. Entry Type: IP Range
b. Network Type: IPv4
c. From IP: 27.1.#.10
d. To IP: 27.1.#.10

6. Click OK to add this entry to the Network Group.
7. Click Close to close the Network Entry window.
8. Click the Activate Latest Changes button.
9. Go to Configuration > ACL > Black List.
10. Right-click in the Black List Policy Table and add a new Black List Rule.
11. Select as Source Network the network we just created and as Destination Network Any, and click OK.
12. Click the Activate Latest Changes button.

Testing Black Lists:

1. On the attacker PC, initiate a protocol anomaly attack (Intrusion Attacks > Single > 27.1.#.100 > Protocol Anomalies and select one of the attacks).

2. The DP will print the following trap in the CLI:

17-08-2010 20:21:33 WARNING 8 Access "Black List IP" TCP 27.1.1.10 6666 27.1.1.100 179 1 Regular "Black List" occur 1 0 0 0 N/A low drop

3. Click the Real-Time Monitoring > Current Attacks tab in Vision.
4. You will see all the attacks that were blocked by the Black List module.


Configuring White List

1. Remove the BLHost from the Black List before you continue. (Don’t forget to activate latest changes)

2. Go to Configuration > ACL > White List.
3. Right-click in the White List Policy Table and add a new White List Rule.
4. The New White List Rule window appears:


5. The white list contains IP addresses and network ranges; traffic from these addresses bypasses the different security modules in the device.

6. The attacker PC address is already configured (previous step) so in the Source Network use BLHost. In the Destination Network use any.

7. You can define which security modules will be skipped when traffic from the attacker PC arrives at the DP.

8. In the Module Bypass select Bypass All Modules. This means that all the security modules will be skipped for traffic originating in the specified source network.

9. If you unselect “Bypass All Modules” then you have to specify which security modules will scan the traffic and which will skip it.

10. Click OK to save changes.
11. Click the Activate Latest Changes button.

Testing White Lists:

1. On the attacker PC, initiate a protocol anomaly attack (Intrusion Attacks > Single > 27.1.#.100 > Protocol Anomalies and select one of the attacks).

2. The DP does not scan this traffic, so none of the initiated attacks is detected by the DP.

3. Nothing is printed on the CLI.

4. This means that all the traffic is delivered directly to the target computer.

5. No attack is detected in Vision.

6. Try removing the White List rule to see that the DP now detects the attacks.


Lab 12 – Connection Limits

Lab Goals:

• Create and test a Connection Limit policy.

Step By Step:

1. Go to Configuration > Network Protection > Connection Limit Profiles > Connection Limit Protections and add a new Protection.

2. Use the following information:

a. Protection Name: HTTPLimit
b. Application Port Group Name: http
c. Protocol: TCP
d. Number of Connections: 2
e. Tracking Type: Source Count
f. Action Mode: Drop
g. Risk: Medium
h. Suspend Action: Source IP

3. Click OK to add the new protection.

4. Go to Configuration > Network Protection > Connection Limit Profiles and add a new Profile.

5. For the Profile Name use MyConLimit and click OK.

6. Right-click in the table to add a Connection Limit Protection to the Profile.

7. In Protection Name, select the protection we just created and click OK.

8. Click OK to add the profile.

9. Go to Configuration > Network Protection > Network Protection Rules and double-click on your Network Protection Rule.

10. In the Action section, select the Connection Limit Profile we just created and click OK.

11. Click Activate Latest Changes.


Testing this lab

1. On the attacker PC, go to Services Attacks > HTTP > Scanning and launch the attack against your target server 27.1.#.100.

2. You should see the following message at the DP serial console:

20-08-2010 12:33:36 WARNING 450001 DoS "HTTPLimit" TCP 27.1.1.10 36369 27.1.1.100 80 1 Regular "NWRule_Team1" start 1 0 0 0 N/A medium drop

3. Review the attack details in APSolute Vision > Real-Time Monitoring > Security Dashboard.


Review the attack details in APSolute Vision > Real-Time Monitoring > Current Attacks.


Lab 13 – Stateful Access List (ACL)

Lab Goals:

• Create an ACL policy to block Ping (ICMP Echo) traffic to the target server.
• Test the policy.

Step By Step:

1. Go to Configuration > ACL > ACL Policy > Global Settings and enable ACL.

2. Click the commit button to apply the settings.

3. The following window will appear:

4. Click Commit Changes and Reboot.

5. The device will now reboot (see the serial connection). Vision will notify you after the reboot has finished.

6. Go to Configuration > ACL > ACL Policy > Modify Policy and double-click on the default rule.

7. Check Report and click OK.

8. Click on Activate Latest Changes


9. Watch the serial console until you see these messages:

ACL learning period is over

All ACL policies have Drop actions. All IP traffic will be dropped.

10. Now try to open the web site of your target PC (27.1.#.100) from the legitimate client or from the attacker. You will see that by default everything is blocked!

11. Check the Real-Time Monitoring as well.

12. Go to Configuration > ACL > ACL Policy > Modify Policy and double-click on the Default policy.

13. Change the Action to Accept and click OK.

14. Right-click in the Modify ACL Policy table to add a new policy.

15. Use the following information:

a. Rule Name: BlockICMP
b. Rule Index: 1
c. Report: check this value
d. Protocol: ICMP
e. Action: Drop
f. ICMP-Flags: Echo (check this value)

16. Click OK to add this rule.

17. Click Activate Latest Changes.


Testing ACL

1. From the attacking PC, send a flood attack to the target computer (Network Attacks Floods Single Source ICMP Echo Request Flood 27.1.#.100) or simply set up a continuous ping (-t) to the target server. You should not get a response from the target PC.

2. From the CLI, you should see traps indicating that the packets have been blocked:

17-08-2010 21:04:24 WARNING 744 Stateful ACL "ICMP session dropped" ICMP 27.1.1.10 0 27.1.1.100 0 1 Regular "Default" occur 1 0 0 0 N/A high drop

3. You can also review these messages in Real-Time Monitoring > Current Attacks or the Security Dashboard.

4. Stop the ping from the attacking host.

5. Before you continue with the next lab, disable ACL again (including the reboot).
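The CLI traps quoted in the Black List, Connection Limit and ACL tests share one line format. The following Python example is added here and is not part of the manual or of Radware's software; it parses those three sample lines and counts dropped events per source host, which is a quick way to confirm a lab policy is enforcing. The field names are my reading of the sample lines, not Radware's documented trap schema.

```python
import re
from collections import Counter

# Constructed sample input: the three CLI trap lines quoted in this manual
# (Black List, Connection Limit and Stateful ACL labs).
SAMPLE_TRAPS = """\
17-08-2010 20:21:33 WARNING 8 Access "Black List IP" TCP 27.1.1.10 6666 27.1.1.100 179 1 Regular "Black List" occur 1 0 0 0 N/A low drop
20-08-2010 12:33:36 WARNING 450001 DoS "HTTPLimit" TCP 27.1.1.10 36369 27.1.1.100 80 1 Regular "NWRule_Team1" start 1 0 0 0 N/A medium drop
17-08-2010 21:04:24 WARNING 744 Stateful ACL "ICMP session dropped" ICMP 27.1.1.10 0 27.1.1.100 0 1 Regular "Default" occur 1 0 0 0 N/A high drop
"""

# Field names are my reading of the sample lines (an assumption, not Radware's
# documented schema). The module field may contain a space ("Stateful ACL")
# and names are quoted, so str.split() would misalign columns; the regex
# anchors on the quoted fields instead.
TRAP_RE = re.compile(
    r'^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<severity>\S+) (?P<attack_id>\d+) (?P<module>.+?) "(?P<attack>[^"]*)" '
    r'(?P<proto>\S+) (?P<src_ip>\S+) (?P<src_port>\d+) '
    r'(?P<dst_ip>\S+) (?P<dst_port>\d+) (?P<phys_port>\d+) '
    r'(?P<traffic>\S+) "(?P<policy>[^"]*)" (?P<status>\S+) '
    r'(?P<counters>\d+ \d+ \d+ \d+) (?P<extra>\S+) (?P<risk>\S+) (?P<action>\S+)$'
)
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

def parse_trap(line):
    """Return a dict of named fields, or None if the line is not a trap."""
    m = TRAP_RE.match(line.strip())
    if m is None:
        return None
    t = m.groupdict()
    for key in ("attack_id", "src_port", "dst_port", "phys_port"):
        t[key] = int(t[key])
    t["counters"] = [int(c) for c in t["counters"].split()]
    return t

def parse_traps(text):
    """Parse every well-formed trap line in a block of console output."""
    return [t for t in map(parse_trap, text.splitlines()) if t is not None]

def drops_by_source(traps, min_risk="medium"):
    """Count dropped events per source IP at or above min_risk: a quick
    check of which hosts a lab policy (ACL, Connection Limit, Black List)
    is actually acting on."""
    floor = RISK_ORDER[min_risk]
    hits = Counter(t["src_ip"] for t in traps
                   if t["action"] == "drop" and RISK_ORDER.get(t["risk"], -1) >= floor)
    return dict(hits)
```

Lines that do not match the format (banner text such as "ACL learning period is over") are skipped rather than raising an error.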


Lab 14 – Bandwidth Management

Lab Goals:

• Create and test a Bandwidth Management policy to guarantee minimum and maximum application service levels.

Note: It is difficult to generate enough traffic in a lab environment to saturate the available bandwidth. In order to illustrate the features detailed in this lab, the guaranteed minimum and borrowing bandwidth limits have been set artificially low.

Step By Step:

1. Before beginning this lab, let’s make a test:

2. On the legitimate user station, close all browser windows.

If you use the virtual lab, this station can be reached via VNC at lab-ip:7910 (password: client). From the Firefox browser that starts automatically you can select your team's attacked host from the link folder (the picture shows the target for team 1):

3. Now open a new browser and point it to: ftp://27.1.#.100/ [Your instructor may provide a different name].

4. Your browser will begin the download of the file. Note the download speed.

5. Now let’s configure a bandwidth management rule which will limit the traffic.


6. Go to Configuration > BWM > Global Parameters and change the Classification Mode to Policies.

7. Click the commit button to apply the settings.

8. If BWM was not activated before, you need to reboot the DefensePro.

9. Go to Configuration > Classes > Modify > Networks and click Create to add a new network.

10. Use the following information:

a. Name: DMZ
b. Sub Index: 1
c. From IP: 27.1.#.100
d. To IP: 27.1.#.100
e. Entry Type: IP Range

11. Click OK to add the network.

12. Click Activate Latest Changes.

13. Go to Configuration > BWM > Modify > Policies and press the button.

14. Use the following information:

Policy Name: FTP
Index: 1
Policy Description: FTP Traffic
Source: any
Destination: DMZ
Service Type: Basic Service
Service Name: ftp-session
Direction: Two Way
Priority: 0
Guaranteed Bandwidth: 20
Maximum Bandwidth: 30

15. Click OK to add the Policy.

16. Click Activate Latest Changes.


17. Go to Configuration > BWM > Active Policies and you should see this new policy in the list.

18. To be able to see statistics, make sure you activate Policy Statistics Monitoring at Configuration > BWM > Global Settings:

19. To see the statistics, go to Monitoring&Control, select your DP and go to BWM Statistics > Policy Statistics (Last Period or Last Seconds).


Testing this lab

1. On the legitimate user station, close all browser windows.

2. Now open a new browser and point it to: ftp://27.1.#.100/file [Your instructor may provide a different name].

3. Your browser will begin the download of the file. Note the download speed.

4. Go to Monitoring&Control, select your DP and go to BWM Statistics > Policy Statistics (Last Seconds).

5. Stop the FTP session.

6. If time permits, repeat this lab using other guaranteed and maximum values to see the different behavior.


Lab 15 – APSolute Vision Reporter

Lab Goals:

• Use the APSolute Vision Reporter to review the log we created during the labs.
• Your instructor will give you a short introduction demo before you start this lab.

Step By Step:

1. In APSolute Vision select the button to launch the Vision Reporter in a browser window.

2. The APSolute Vision Reporter will start with the default Dashboard.

3. You can customize this dashboard or create your own.

4. Experiment with the dashboard to get familiar with it.


5. Click in the Menu on Reports to see the predefined reports.

6. Browse through the available reports.

7. You can also export these reports.


8. Try to export to PDF and review the report.


Appendix-A – Install APSolute Vision Client

Lab Goals:

• Install the APSolute Vision client.

Step By Step:

1. Check the current “Installation and Maintenance Guide” for the prerequisites (Chapter 3 – Installing the APSolute Vision Client).

2. Open your browser and enter the IP address of the APSolute Vision server (10.10.240.10).

3. An “Authentication Required” dialog box is displayed.

4. Use the following information:

a. Username: visionweb
b. Password: radware

5. You will see the following web site:

6. Click the Download Client icon.

7. Save the EXE file to a directory on your hard drive.

8. Start the EXE file and follow the instructions; enter the appropriate information and accept the terms of the license agreement.