WS-SW-FIREWALL-MIB
File:
WS-SW-FIREWALL-MIB.mib (33804 bytes)
Imported modules
Imported symbols
Defined Types
WsSwFirewallDosChecksEntry |
|
SEQUENCE |
|
|
|
|
wsSwFirewallDosCheckType |
INTEGER |
|
|
wsSwFirewallDosCheckEnable |
TruthValue |
|
|
wsSwFirewallDosCheckLogLevel |
INTEGER |
|
WsSwFirewallDosStatsEntry |
|
SEQUENCE |
|
|
|
|
wsSwFirewallDosStatsAttackType |
INTEGER |
|
|
wsSwFirewallDosStatsAttackCount |
Counter32 |
|
|
wsSwFirewallDosStatsLastOccurrence |
TimeTicks |
|
WsSwFirewallL2Entry |
|
SEQUENCE |
|
|
|
|
wsSwFirewallIfName |
OCTET STRING |
|
|
wsSwFirewallARPRate |
Unsigned32 |
|
|
wsSwFirewallDHCPTrustEnable |
TruthValue |
|
|
wsSwFirewallARPTrustEnable |
TruthValue |
|
|
wsSwFirewallBcastStormCtrlInRate |
Unsigned32 |
|
|
wsSwFirewallMcastStormCtrlInRate |
Unsigned32 |
|
|
wsSwFirewallUcastStormCtrlInRate |
Unsigned32 |
|
|
wsSwFirewallL2RowStatus |
AbbrevRowStatus |
|
WsSwFirewallWlanEntry |
|
SEQUENCE |
|
|
|
|
wsSwFirewallWlanIndex |
INTEGER |
|
|
wsSwFirewallWlanBcastStormCtrlInRate |
Unsigned32 |
|
|
wsSwFirewallWlanMcastStormCtrlInRate |
Unsigned32 |
|
|
wsSwFirewallWlanUcastStormCtrlInRate |
Unsigned32 |
|
|
wsSwFirewallWlanAllowedMUDeniesPerSecond |
Unsigned32 |
|
|
wsSwFirewallWlanMUDeauthenticate |
TruthValue |
|
|
wsSwFirewallWlanDHCPTrustEnable |
TruthValue |
|
|
wsSwFirewallWlanARPTrustEnable |
TruthValue |
|
|
wsSwFirewallWlanARPRate |
Unsigned32 |
|
|
wsSwFirewallWlanRowStatus |
AbbrevRowStatus |
|
WsSwFirewallDhcpSnoopEntry |
|
SEQUENCE |
|
|
|
|
wsSwFirewallDhcpSnoopIndex |
Integer32 |
|
|
wsSwFirewallDhcpSnoopIpAddr |
IpAddress |
|
|
wsSwFirewallDhcpSnoopVlanId |
INTEGER |
|
|
wsSwFirewallDhcpSnoopMACAddr |
PhysAddress |
|
|
wsSwFirewallDhcpSnoopType |
BITS |
|
|
wsSwFirewallDhcpSnoopLeaseTime |
Integer32 |
|
|
wsSwFirewallDhcpSnoopIngressPort |
OCTET STRING |
|
Defined Values
wsSwFirewallMibModule |
1.3.6.1.4.1.388.14.2.16.1 |
MIB for DoS Attacks configuration and L2/L3 firewall configurations
and firewall config for WLAN implemented for bridge level attack
detection/mitigation feature and statistics related to it. |
MODULE-IDENTITY |
|
|
|
wsSwFirewallDosTcpMaxIncompleteCnHigh |
1.3.6.1.4.1.388.14.2.16.1.1.1.1.1 |
Maximum number of half-open TCP connections in the
system after which firewall will start
intercepting TCP connections.
The configured value will be used by TCP Intercept
DoS Attack check to handle SYN Flood Attack. |
Status: current |
Access: read-write |
OBJECT-TYPE |
|
|
|
|
Integer32 |
1..1000 |
|
wsSwFirewallDosTcpMaxIncompleteCnLow |
1.3.6.1.4.1.388.14.2.16.1.1.1.1.2 |
Maximum number of half-open TCP connections in the
system after which firewall will stop
intercepting TCP connections.
The configured value will be used by TCP Intercept
DoS Attack check to handle SYN Flood Attack.
|
Status: current |
Access: read-write |
OBJECT-TYPE |
|
|
|
|
Integer32 |
1..1000 |
|
wsSwFirewallDosChecksTable |
1.3.6.1.4.1.388.14.2.16.1.1.1.2 |
Currently wsSwFirewallDoSChecksTable is handling the following configurable
DoS Attacks:
1. Smurf DoS Attack:
Enable this check in the firewall to drop ICMP
echo packets destined to a broadcast IP address.
Attackers use this type of packet to bring down a
target host by spoofing its IP address and flooding
it with ICMP echo responses.
2. Twinge DoS Attack:
Enable this check in the firewall to drop false ICMP
control packets going through the wirless switch.
3. Invalid IP Protocol DoS Attack:
Enable this check in firewall to deny packets with
invalid IP protocol value in the IP header. Some
applications can use non-assigned IP protocol
numbers to send malicious packets.
4. Ascend DoS Attack:
Protocol is UDP, destination port is 9, UDP packet is
mal-formed.
5. Chargen DoS Attack:
The attack consists of a flood of UDP datagram's sent to the
subnet broadcast address with the destination port set to
19 (chargen) and a spoofed source IP address.
6. Fraggle DoS Attack:
When a perpetrator sends a large number of UDP echo (ping)
traffic at IP broadcast addresses, all of it having a fake
source address
7. ICMP Router Solicit DoS Attack:
If the packet received from the network is an ICMP packet
type 10 then it's an ICMP router discovery messages called
Router Solicitations.
8. ICMP Router Advertisement DoS Attack:
Enable this check in firewall to drop route
advertisement packets. Route advertisements are
used by neighboring hosts to configure their route
table. These messages can be used by attackers to
configure routes on hosts to re-direct traffic.
9. IP Source Route Option DoS Attack:
Enable this check in firewall to drop packets with
source route option set in IP header.
10. Snork DoS Attack:
Enable this check in firewall to deny UDP or TCP
packets with destination port set to 135 and source
port set to either 7,19 or 135. This can cause
packets to be exchanged indefinitely between the
two hosts causing them to slow down.
11. FTP Bounce DoS Attack:
Enable this check in firewall to drop FTP packets
if the IP address encoded in the PORT command does
not match the IP address of the FTP client.
12.TCP Intercept DoS Attack:
Enable / disable TCP packet interception. This
should be enabled for protection against TCP SYN
flood attacks.
13. Bcast/Mcast Icmp DoS:
By default we consider bcast-mcast ICMP as DoS and drop
the packets. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
SEQUENCE OF |
|
|
|
|
WsSwFirewallDosChecksEntry |
|
wsSwFirewallDosChecksEntry |
1.3.6.1.4.1.388.14.2.16.1.1.1.2.1 |
An entry in the wsSwFirewallDoSChecksTable. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
WsSwFirewallDosChecksEntry |
|
|
wsSwFirewallDosCheckType |
1.3.6.1.4.1.388.14.2.16.1.1.1.2.1.1 |
The Check type for handling the respective DoS Attack. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
INTEGER |
smurf(1), twinge(2), invalidIPProtocol(3), ascend(4), chargen(5), fraggle(6), icmpRouterSolicit(7), icmpRouterAdvt(8), ipSourceRoute(9), snork(10), ftpBounce(11), tcpIntercept(12), bcastMcastIcmp(13) |
|
wsSwFirewallDosCheckEnable |
1.3.6.1.4.1.388.14.2.16.1.1.1.2.1.2 |
Status of respective DoS Attack check,
True for being enabled and False for being disabled. |
Status: current |
Access: read-write |
OBJECT-TYPE |
|
|
|
|
TruthValue |
|
|
wsSwFirewallDosCheckLogLevel |
1.3.6.1.4.1.388.14.2.16.1.1.1.2.1.3 |
The Current log level for the respective DoS Attack check.
The Default is warning(5) and user can modify as per
his requirement.
Changing the log level will allow the user to enable
logging for the respective DoS check to happen at desried
level of system logging.
Note: setting log level to none(9) will disable the logging even though
the check is enabled. |
Status: current |
Access: read-write |
OBJECT-TYPE |
|
|
|
|
INTEGER |
emerg(1), alert(2), crit(3), err(4), warning(5), notice(6), info(7), debug(8), none(9) |
|
wsSwFirewallDosStatsTable |
1.3.6.1.4.1.388.14.2.16.1.1.1.3 |
This Table shows the stats related to each kind of DoS attacks
supported by the switch, few of them can be configured in the
wsSwFirewallDoSChecksTable.
1. Smurf DoS Attack:
ICMP echo packets destined to a broadcast IP address.
Attackers use this type of packet to bring down a
target host by spoofing its IP address and flooding
it with ICMP echo responses.
2. Twinge DoS Attack:
False ICMP control packets going through the wireless
switch.
3. Invalid IP Protocol DoS Attack:
Packets with invalid IP protocol value in the IP header.
Some applications can use non-assigned IP protocol
numbers to send malicious packets.
4. Ascend DoS Attack:
Protocol is UDP, destination port is 9, UDP packet is
mal-formed.
5. Chargen DoS Attack:
The attack consists of a flood of UDP datagram's sent to the
subnet broadcast address with the destination port set to
19 (chargen) and a spoofed source IP address.
6. Fraggle DoS Attack:
When a perpetrator sends a large number of UDP echo (ping)
traffic at IP broadcast addresses, all of it having a fake
source address
7. ICMP Router Solicit DoS Attack:
If the packet received from the network is an ICMP packet
type 10 then it's an ICMP router discovery messages called
Router Solicitations.
8. ICMP Router Advertisement DoS Attack:
Route advertisements are used by neighboring hosts
to configure their route table. These messages can
be used by attackers to configure routes on hosts
to re-direct traffic.
9. IP Source Route Option DoS Attack:
Packets with source route option set in IP header.
10. Snork DoS Attack:
UDP or TCP packets with destination port set to 135
and source port set to either 7,19 or 135. This can
cause packets to be exchanged indefinitely between the
two hosts causing them to slow down.
11. FTP Bounce DoS Attack:
FTP packets if the IP address encoded in the PORT command does
not match the IP address of the FTP client.
12. TCP Intercept DoS Attack:
TCP SYN flood attacks.
13. Bcast/Mcast Icmp DoS:
By default we consider bcast-mcast ICMP as DoS and drop
the packets.
14. TCP Header Fragmented DoS Attack:
TCP packets if the TCP header spans across IP fragments.
15. WINNUKE DoS Attack:
Out of band data to the target computer on TCP port 139
(NetBIOS),
16. LAND DoS Attack:
The attack involves sending a spoofed TCP SYN packet
(connection initiation) with the target host's IP address
and an open port as both source and destination.
17. UDP Short Header DoS Attack:
A UDP header is a minimum of 8-bytes long. However, some
systems (like BeOS) will crash when they receive UDP traffic
with header length less than eight
18. TCP Bad Sequence DoS Attack:
These types of attack are usually man-in-the-middle attacks
where the attacker injects a packet with invalid sequence
number to terminate the connection.
19. TCP FIN Scan DoS Attack:
It attempts to close a non-existent connection on the server.
Either way, it is an error, but systems sometimes give back
different error results depending upon whether the desired
service is available or not. As a result, the attacker doesn't
trigger the normal logging of the system. However, this type of
scan does result in weird network traffic.
20. TCP NULL Scan DoS Attack:
A TCP frame with a sequence number of zero and all control bits
are set to zero.
21. TCP XMAS Scan DoS Attack:
A TCP frame with a sequence number of zero and the FIN, URG, and
PUSH bits are all set.
22. TCP Post SYN Scan DoS Attack:
This attack is caused when an attacker tries to send TCP packet
with SYN flag set after the connection is established.
23. IP TTL zero DoS Attack:
An IP packet set with ttl zero leading the packet to
be dropped before reaching it's destination.
24. IP Spoof DoS Attack:
IP datagram is treated as spoofed if the source
IP address does not belong to the subnet from where
the packet arrived. Most of the DoS attacks use
spoofed IP addresses so that it is difficult to
trace the origin of the attack. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
SEQUENCE OF |
|
|
|
|
WsSwFirewallDosStatsEntry |
|
wsSwFirewallDosStatsEntry |
1.3.6.1.4.1.388.14.2.16.1.1.1.3.1 |
An entry in the wsSwFirewallDoSStatsTable. |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
WsSwFirewallDosStatsEntry |
|
|
wsSwFirewallDosStatsAttackType |
1.3.6.1.4.1.388.14.2.16.1.1.1.3.1.1 |
The Check type for handling the respective DoS Attack. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
INTEGER |
smurf(1), twinge(2), invalidIPProtocol(3), ascend(4), chargen(5), fraggle(6), icmpRouterSolicit(7), icmpRouterAdvt(8), ipSourceRoute(9), snork(10), ftpBounce(11), tcpIntercept(12), bcastMcastIcmp(13), tcpHeaderFragment(14), winnuke(15), land(16), udpShortHdr(17), tcpBadSequence(18), tcpFinScan(19), tcpNullScan(20), tcpXmasScan(21), tcpPostSynScan(22), ipTtlZero(23), ipSpoof(24) |
|
wsSwFirewallL2Table |
1.3.6.1.4.1.388.14.2.16.1.1.2.1 |
Physical/aggregate port interface configuration for
ARP rate-limiting/ARP Spoof Detection and bcast/mcast/ucast
storm suppression. Maximum permissible rate of ARP packets per
interface is configured in terms of ARP packets/s.
When the configured threshold is crossed, a warning
is posted to the console through syslog.
Interfaces are configured to be DHCP trusted or ARP trusted.
DHCP responses coming from DHCP trusted interfaces
are used for building the trusted IP-MAC binding table.
ARP messages coming through ARP trusted interfaces
are not subjected to ARP spoof checking.
|
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
SEQUENCE OF |
|
|
|
|
WsSwFirewallL2Entry |
|
wsSwFirewallL2Entry |
1.3.6.1.4.1.388.14.2.16.1.1.2.1.1 |
L2 Fw interface level configuration table for
ARP spoof detection and ARP rate limiting |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
WsSwFirewallL2Entry |
|
|
wsSwFirewallIfName |
1.3.6.1.4.1.388.14.2.16.1.1.2.1.1.1 |
layer2 interface name on which ARP Limit/DHCP trust/ARP trust is configured.
For eg names like ge1-ge4 and sa1-sa4 |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
OCTET STRING |
|
|
wsSwFirewallARPRate |
1.3.6.1.4.1.388.14.2.16.1.1.2.1.1.2 |
ARP Rate Limit set in packets/second through this interface. Interface refers to
physical/aggregate port interfaces. |
Status: current |
Access: read-create |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
0..1000000 |
|
wsSwFirewallBcastStormCtrlInRate |
1.3.6.1.4.1.388.14.2.16.1.1.2.1.1.5 |
High threshold for broadcast packets coming in from this physical/aggregate interface |
Status: current |
Access: read-create |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
0..1000000 |
|
wsSwFirewallMcastStormCtrlInRate |
1.3.6.1.4.1.388.14.2.16.1.1.2.1.1.6 |
High threshold for multicast packets coming in from this physical/aggregate interface |
Status: current |
Access: read-create |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
0..1000000 |
|
wsSwFirewallUcastStormCtrlInRate |
1.3.6.1.4.1.388.14.2.16.1.1.2.1.1.7 |
High threshold for unicast packets coming in from this physical/aggregate interface |
Status: current |
Access: read-create |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
0..1000000 |
|
wsSwFirewallWlanTable |
1.3.6.1.4.1.388.14.2.16.1.1.3.1 |
Per wlan configuration table for b/m/u cast storm suppression,ARP spoof detection
and rogue MU detection
Bcast/Mcast/Ucast Storm Suppression.
A high threshold and a low threshold is configured per wlan,
in IN direction.When the rate of b/m/u cast packets
exceeds the high threshold configured for a wlan, all
packets are throttled till the rate falls below the configured
rate. When the rate of b/m/u cast packets exceeds the configured threshold,
a warning is posted to the console if logging is enabled.
Thresholds are configured in terms of packets/second.
ARP spoof Detection
Marking DHCP and ARP trust on wlan indices for ARP spoof detection
Rogue MU Detection
MUs pumping denied traffic are either de-authentiacted or a warning posted
through syslog based on a user configurable per wlan threshold of
allowed MU denies per second. It's not necessary that the MU hit the same deny
rule for triggering the action. It's the cumulative number of denials within the
specified period that leads to the action. Logging of the event is a must, though
deauthentication is optional.
|
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
SEQUENCE OF |
|
|
|
|
WsSwFirewallWlanEntry |
|
wsSwFirewallWlanEntry |
1.3.6.1.4.1.388.14.2.16.1.1.3.1.1 |
Wlan level configuration table for
ARP spoof detection,ARP rate limiting
Bcast storm suppression and Rogue MU traffic
detection |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
WsSwFirewallWlanEntry |
|
|
wsSwFirewallWlanIndex |
1.3.6.1.4.1.388.14.2.16.1.1.3.1.1.1 |
Wlan index on which to set l2fw configurations. |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
INTEGER |
1..256 |
|
wsSwFirewallWlanUcastStormCtrlInRate |
1.3.6.1.4.1.388.14.2.16.1.1.3.1.1.4 |
High Level threshold for packets having unknown unicast address as destination coming from a WLAN |
Status: current |
Access: read-create |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
0..1000000 |
|
wsSwFirewallWlanAllowedMUDeniesPerSecond |
1.3.6.1.4.1.388.14.2.16.1.1.3.1.1.5 |
Permissble rate of denies for a mobile-unit in the wlan
This is counted in terms of denied/packets/second from that MU |
Status: current |
Access: read-create |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
0..1000000 |
|
wsSwFirewallWlanARPRate |
1.3.6.1.4.1.388.14.2.16.1.1.3.1.1.9 |
ARP rate-limit threshold specified in ARPpackets/second unit. |
Status: current |
Access: read-create |
OBJECT-TYPE |
|
|
|
|
Unsigned32 |
0..1000000 |
|
wsSwFirewallDhcpSnoopEntry |
1.3.6.1.4.1.388.14.2.16.1.1.4.1.1 |
IP-MAC Binding Table Entry |
Status: current |
Access: not-accessible |
OBJECT-TYPE |
|
|
|
|
WsSwFirewallDhcpSnoopEntry |
|
|
wsSwFirewallDhcpSnoopVlanId |
1.3.6.1.4.1.388.14.2.16.1.1.4.1.1.3 |
Vlan id of the client |
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
INTEGER |
1..4096 |
|
wsSwFirewallDhcpSnoopType |
1.3.6.1.4.1.388.14.2.16.1.1.4.1.1.5 |
The snoop entry can be a combination of the following bits.Valid combinations are
client-router, server-router, client-router-vrrp, client-router-hsrp, server-router-vrrp,
server-router-hsrp, client, router, server, vrrp-router, hsrp-router. If none of the bits
are set, it's the switch svi
|
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
BITS |
router(0), dhcpclient(1), dhcpserver(2), vrrp(3), hsrp(4) |
|
wsSwFirewallDhcpSnoopIngressPort |
1.3.6.1.4.1.388.14.2.16.1.1.4.1.1.7 |
Name of Port/Wlan through which packet from this entity ingresses.(eg: ge1, wlan1)
|
Status: current |
Access: read-only |
OBJECT-TYPE |
|
|
|
|
OCTET STRING |
Size(1..10) |
|
wsSwFirewallArpLogLvl |
1.3.6.1.4.1.388.14.2.16.1.1.5.1 |
Enable Logging when ARP ratelimit is exceeded |
Status: current |
Access: read-write |
OBJECT-TYPE |
|
|
|
|
INTEGER |
0..8 |
|
wsSwFirewallBcastLogLvl |
1.3.6.1.4.1.388.14.2.16.1.1.5.2 |
Enable logging when broadcast rate-limit is exceeded |
Status: current |
Access: read-write |
OBJECT-TYPE |
|
|
|
|
INTEGER |
0..8 |
|
wsSwFirewallMcastLogLvl |
1.3.6.1.4.1.388.14.2.16.1.1.5.3 |
Enable logging when multicast ratelimit is exceeded |
Status: current |
Access: read-write |
OBJECT-TYPE |
|
|
|
|
INTEGER |
0..8 |
|
wsSwFirewallUcastLogLvl |
1.3.6.1.4.1.388.14.2.16.1.1.5.4 |
Enable logging when unicast ratelimit is exceeded |
Status: current |
Access: read-write |
OBJECT-TYPE |
|
|
|
|
INTEGER |
0..8 |
|
wsSwFirewallCompliance |
1.3.6.1.4.1.388.14.2.16.1.1.100.1.1 |
Description. |
Status: current |
Access: read-write |
MODULE-COMPLIANCE |
|
|
|
wsSwFirewallObjectGroup |
1.3.6.1.4.1.388.14.2.16.1.1.100.2.1 |
Description. |
Status: current |
Access: read-write |
OBJECT-GROUP |
|
|
|