HP TMS zl Module Security Administrator's Guide
2-45
Managing TMS zl Firewalls
Configuring Firewalls
10. If you selected Connection Allocation - Zone Limits Timeout, configure the maximum number of connections per zone and reserve a minimum number of connections for certain addresses.
SYN Flooding
When a new connection request is received, the server allocates resources for it. A SYN flood exploits the process of establishing a TCP/IP session by repeatedly sending SYN packets and not replying to the responder's SYN/ACK packets. The attacker can forge a large number of requests over a very short period, so your server runs out of resources.

Source Routing
With strict and loose source routing (RFC 791), an intruder can direct datagrams to take a predefined path. In this way, an attacker can access corporate networks and capture information. When you enable this check, the firewall filters all datagrams with strict or loose source-routing options.

WinNuke
WinNuke attacks are out-of-band (OOB) data sent to TCP port 139 on the target PC, causing the PC to freeze up.

Misaligned Timestamp
A packet with a timestamp that is not aligned on a 32-bit boundary can significantly decrease performance and crash some systems due to unaligned memory access.

Sequence Number Protection
An attacker might guess the ISN and complete the three-way handshake with a spoofed IP address. When this setting is enabled, the security device generates pseudo-random Initial Sequence Numbers (ISNs) used in the handshake exchange. Enabling IP Sequence Prediction makes it more difficult for an offender to guess the ISN, which reduces the risk of an offender possibly accessing your entire network.

Out-of-Sequence Packets
Some out-of-sequence packets are a part of normal network behavior, which can increase the number of retransmitted packets, thereby using more bandwidth and decreasing network efficiency. However, offenders can use out-of-sequence packets to hijack an established session or to deplete the memory buffers of the receiving host.

Sequence Number Out of Range
Packets are received with a sequence number outside the expected range. Sequence number ranges are connection-specific, making them hard to apply universally. Therefore, adjusting the range is only suggested when users have similar characteristics and endpoints can be identically configured. When you enable (check) this block, the firewall drops packets whose sequence number exceeds the Maximum Sequence Number or Maximum RST (reset) Sequence Number, which must be entered in these fields.

Pre-Connection ACK
An intruder attempts to penetrate packet-filtering firewalls that block only SYN packets by sending an ACK packet without having first sent a SYN packet. When you enable (check) this block, the firewall sends an RST (reset) packet in response to all ACK packets that are not preceded by a SYN packet, thereby giving the impression that all ports are filtered.
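As an added illustration that is not part of the HP guide or the TMS zl firmware, the following Python models how the Source Routing, WinNuke and Pre-Connection ACK checks described above could be applied in a stateful filter. The `Packet` and `AttackChecks` names, the packet fields and the sample traffic are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal view of the fields the checks look at (constructed example)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset                      # subset of {"SYN", "ACK", "RST", "URG"}
    ip_options: frozenset = frozenset()   # e.g. {"LSRR"} (loose) or {"SSRR"} (strict)


class AttackChecks:
    """Stateful inspection implementing three of the checks from the table."""

    def __init__(self, source_routing=True, winnuke=True, pre_connection_ack=True):
        self.source_routing = source_routing
        self.winnuke = winnuke
        self.pre_connection_ack = pre_connection_ack
        self.half_open = set()     # flows that have seen a SYN but no final ACK
        self.established = set()   # flows that completed the three-way handshake

    @staticmethod
    def conn_key(pkt):
        # Direction-independent key so SYN, SYN/ACK and ACK map to one flow.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def inspect(self, pkt):
        """Return 'allow', 'drop', or 'rst' (drop and answer with a RST)."""
        # Source Routing: drop datagrams carrying strict/loose source-route options.
        if self.source_routing and pkt.ip_options & {"LSRR", "SSRR"}:
            return "drop"
        # WinNuke: out-of-band (URG) data aimed at TCP port 139.
        if self.winnuke and pkt.dport == 139 and "URG" in pkt.flags:
            return "drop"
        key = self.conn_key(pkt)
        if "RST" in pkt.flags:                       # reset tears the flow down
            self.half_open.discard(key)
            self.established.discard(key)
            return "allow"
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.half_open.add(key)                  # handshake step 1
            return "allow"
        if "ACK" in pkt.flags:
            if key in self.established:
                return "allow"
            if key in self.half_open:                # SYN/ACK or final ACK
                if "SYN" not in pkt.flags:
                    self.half_open.discard(key)
                    self.established.add(key)
                return "allow"
            # Pre-Connection ACK: an ACK with no preceding SYN gets a RST back.
            return "rst" if self.pre_connection_ack else "allow"
        return "allow"
```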