McAfee M-1250 IPS Configuration Guide - Page 208
Considerations in rate limiting, Rate limiting of application protocols using SSL
McAfee® Network Security Platform 5.1 The IPS Sensor_Name node

3 If the Sensor is not able to identify a packet in terms of the application protocols or TCP/UDP ports defined for rate limiting, the rate limiting queues configured for IP Protocol Number are searched. If a match is found, the packet is rate limited according to the rate limiting queue configured for that IP Protocol Number.

To illustrate the above: if a rate limiting rule is configured for the HTTP protocol as well as for TCP port 80 on a Sensor monitoring port, the Sensor first searches for a matching HTTP rate limiting rule (and not the TCP port rule). All incoming HTTP traffic is matched against the configured HTTP protocol rule and rate limited accordingly. Note that in this case the protocol rule takes precedence over the port rule; the TCP port 80 rule is consulted only for traffic that no protocol rule matches.

Note 1: The terms rate limiting rule and rate limiting queue are used synonymously.
Note 2: The examples above apply to DiffServ and VLAN tagging as well.

Considerations in rate limiting

The following sections explain two important considerations with respect to rate limiting in the Network Security Sensor:
• Rate limiting of application protocols using SSL (on page 200)
• Port-level limitations (on page 201)

Rate limiting of application protocols using SSL

Whether the Sensor can rate limit an application protocol carried over SSL depends on whether the Sensor is configured to decrypt that traffic.

SSL keys are present in the Sensor

When the Sensor is configured with SSL keys to decrypt the traffic, HTTPS traffic reaching the Sensor is decrypted, and the decrypted application protocol is HTTP (not SSL). Several scenarios are possible depending on the traffic and the rate limiting rule configured. In all the scenarios, the application protocol HTTP over SSL (HTTPS) is used as the example.

Case 1: Assume that an SSL rate limiting rule is configured, and HTTPS traffic is processed by the Sensor. In this case, the Sensor decrypts the HTTPS traffic into HTTP.

When the HTTPS traffic rate exceeds the configured SSL rate limiting rule, the Sensor does not rate limit the traffic. This is because the traffic the rate limiter sees is the decrypted HTTP, while the rate limiting rule is configured for SSL, so the SSL rule never matches. To rate limit such traffic, you have to configure a rate limiting rule for HTTP, as explained in the next case.

Case 2: Suppose an HTTP rate limiting rule is configured, and HTTPS traffic is processed by the Sensor. In this case, the Sensor decrypts the HTTPS traffic into HTTP and rate limits the decrypted traffic, because the decrypted traffic is HTTP and the rate limiting rule is also configured for HTTP.

200
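The following Python model is an added illustration, not McAfee code, of the two behaviours described on this page: the lookup order of rate limiting queues (application protocol first, then TCP/UDP port, then IP protocol number, as in step 3 and the HTTP versus TCP port 80 example) and the two HTTPS cases under "SSL keys are present in the Sensor". The Queue and Packet structures, the queue names and the port numbers are assumptions made for the example; the branch in which the Sensor has no SSL keys and the traffic stays classified as SSL is likewise an assumption drawn from the sentence that rate limiting depends on whether the Sensor decrypts.

```python
# Added worked example (not McAfee code): models the Sensor's rate limiting
# queue lookup order and the HTTPS decryption cases described on this page.
# Rule structure, queue names and sample packets are assumptions for illustration.
from dataclasses import dataclass
from typing import List, Optional

TCP = 6    # IP protocol numbers used by the constructed packets below
UDP = 17


@dataclass(frozen=True)
class Packet:
    """A packet as the Sensor sees it after classification (constructed sample input)."""
    ip_protocol: int                     # IP protocol number, e.g. 6 for TCP
    dst_port: Optional[int] = None       # TCP/UDP destination port, None if neither
    app_protocol: Optional[str] = None   # application protocol the Sensor identified


@dataclass(frozen=True)
class Queue:
    """A rate limiting queue (rule). Exactly one of the three match fields is set."""
    name: str
    app_protocol: Optional[str] = None   # application protocol rule, e.g. "HTTP"
    port: Optional[int] = None           # TCP/UDP port rule, e.g. 80
    ip_protocol: Optional[int] = None    # IP protocol number rule, e.g. 6


def classify(wire_protocol: str, ssl_keys_present: bool) -> str:
    """Application protocol the rate limiter sees for SSL-carried traffic.

    With SSL keys configured the Sensor decrypts HTTPS, and the decrypted
    application protocol is HTTP (page text). Without keys the traffic is
    assumed here to remain classified as SSL (assumption, not stated on this page).
    """
    if wire_protocol == "HTTPS":
        return "HTTP" if ssl_keys_present else "SSL"
    return wire_protocol


def select_queue(queues: List[Queue], pkt: Packet) -> Optional[Queue]:
    """Return the queue that rate limits pkt, following the page's precedence:
    1. application protocol queues, 2. TCP/UDP port queues, 3. IP protocol number.
    None means no queue matches and the packet is not rate limited."""
    # 1. A protocol rule takes precedence over a port rule, whatever the list order.
    for q in queues:
        if q.app_protocol is not None and q.app_protocol == pkt.app_protocol:
            return q
    # 2. Port queues are consulted only when no protocol queue matched.
    if pkt.ip_protocol in (TCP, UDP) and pkt.dst_port is not None:
        for q in queues:
            if q.port is not None and q.port == pkt.dst_port:
                return q
    # 3. Last resort: the IP protocol number queues.
    for q in queues:
        if q.ip_protocol is not None and q.ip_protocol == pkt.ip_protocol:
            return q
    return None


def https_case(queues: List[Queue], ssl_keys_present: bool = True) -> Optional[str]:
    """HTTPS on TCP/443 through the Sensor; returns the name of the matching queue."""
    pkt = Packet(ip_protocol=TCP, dst_port=443,
                 app_protocol=classify("HTTPS", ssl_keys_present))
    q = select_queue(queues, pkt)
    return q.name if q else None


if __name__ == "__main__":
    # Precedence example from the page: HTTP protocol rule and TCP port 80 rule both exist.
    both = [Queue("tcp80", port=80), Queue("http", app_protocol="HTTP")]
    print(select_queue(both, Packet(TCP, 80, "HTTP")).name)    # http, not tcp80

    # Case 1: only an SSL rule; HTTPS is decrypted to HTTP, so nothing matches.
    print(https_case([Queue("ssl", app_protocol="SSL")]))      # None
    # Case 2: an HTTP rule; the decrypted traffic is HTTP and is rate limited by it.
    print(https_case([Queue("http", app_protocol="HTTP")]))    # http
```

The point to check in a real deployment is the one Case 1 makes: once decryption is enabled, an SSL queue stops matching the decrypted flows, so the rule set must be written against the decrypted application protocol (HTTP), not against SSL.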