TMS zl Management and Configuration Guide ST.1.1.100430
4-111
Firewall
Attack Checking
The optimal sequence range is the product of these two elements. A correctly
sized range allows data to be sent continuously (without the sender stopping
to wait for acknowledgment) while enabling fast recovery times for lost data.
After you select the Sequence Number Out of Range check box, configure the
following:
■ In the Range field, type a number between 1 and 65535. The larger the TCP
window size, the larger the range of sequence numbers that will be
accepted. As a result, a large TCP window size is more susceptible to
sequence number prediction and session hijack.
■ In the RST Range field, type a number between 1 and 65535. This value
controls how far outside of the TCP window the packets are allowed to be.
Select or clear the Drop packets outside the range check box as desired.
Pre-Connection ACK
By default, the firewall on the TMS zl Module blocks ACK packets that are not
preceded by a valid SYN and SYN+ACK. However, there are some cases in
which you would want to require the module to send an RST message in
response to such an ACK packet.
For example, some servers send an ACK packet rather than a SYN+ACK
packet when they receive a SYN packet. Consider a client that reboots in the
middle of an active connection with the server: the server keeps the active
connection open for the connection’s five-tuple (Layer 4 protocol, client IP
address, client port, server IP address, server port). When the client reboots,
it sends a SYN packet with the same source port as before, and the server
sends an ACK packet instead of SYN+ACK. If the Pre-Connection ACK check
box is not selected on the TMS zl Module, the packet is simply dropped. If the
check box is selected, the module firewall responds to this ACK packet by
sending an RST packet. The server will then reset the connection.
In both cases, a log entry is generated.
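The following is an added illustration, not code from the TMS zl Module or this guide: a small model of the Sequence Number Out of Range check and the Pre-Connection ACK behavior described above, replayed against constructed segments for the client-reboot exchange. The class and field names, the verdict strings and the 65535 defaults are assumptions made for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed model of the Pre-Connection ACK and Sequence Number Out of Range
# checks described above, not the TMS zl Module's own code; names are assumed.
Segment = namedtuple("Segment", "src sport dst dport flags seq")  # flags: "SYN", "SYN+ACK", "ACK", "RST"

@dataclass
class AttackChecker:
    pre_connection_ack: bool = False  # check box: answer stray ACKs with RST
    seq_range: int = 65535            # "Range" field
    rst_range: int = 65535            # "RST Range" field
    drop_outside_range: bool = True   # "Drop packets outside the range"
    conns: dict = field(default_factory=dict)  # five-tuple -> [state, next_seq]
    log: list = field(default_factory=list)

    def handle(self, s: Segment) -> str:
        fwd = ("tcp", s.src, s.sport, s.dst, s.dport)  # this segment's direction
        rev = ("tcp", s.dst, s.dport, s.src, s.sport)  # the reply direction
        if s.flags == "SYN":
            # A fresh SYN (e.g. a rebooted client) restarts the handshake and
            # invalidates any state the reply direction still had.
            self.conns[fwd] = ["SYN_SENT", s.seq + 1]
            self.conns.pop(rev, None)
            return "FORWARD"
        if s.flags == "SYN+ACK" and self.conns.get(rev, [""])[0] == "SYN_SENT":
            self.conns[rev][0] = "ESTABLISHED"
            self.conns[fwd] = ["ESTABLISHED", s.seq + 1]
            return "FORWARD"
        if self.conns.get(fwd, [""])[0] != "ESTABLISHED":
            # Not preceded by a valid SYN and SYN+ACK: logged; RST only if the box is selected
            self.log.append(("pre-connection ACK", fwd))
            return "RST" if self.pre_connection_ack else "DROP"
        state = self.conns[fwd]
        limit = self.rst_range if s.flags == "RST" else self.seq_range
        if (s.seq - state[1]) % 2**32 < limit:  # inside the accepted window
            state[1] = s.seq
            return "FORWARD"
        self.log.append(("sequence number out of range", fwd, s.seq))
        return "DROP" if self.drop_outside_range else "FORWARD"

def reboot_scenario(pre_connection_ack: bool) -> list:
    # Replays the client-reboot exchange from the text; returns the verdicts.
    fw = AttackChecker(pre_connection_ack=pre_connection_ack)
    c = ("192.0.2.10", 40000, "192.0.2.80", 80)   # client -> server
    s = ("192.0.2.80", 80, "192.0.2.10", 40000)   # server -> client
    return [fw.handle(Segment(*ep, f, q)) for ep, f, q in (
        (c, "SYN", 1000), (s, "SYN+ACK", 5000), (c, "ACK", 1001),
        (c, "ACK", 71001), (c, "SYN", 1000), (s, "ACK", 5001))]
```

The fourth segment sits 70000 sequence numbers past the last accepted one and is dropped as out of range; the server's bare ACK after the client's new SYN is the pre-connection ACK, answered with RST only when the check box is selected, and logged in both cases.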
Enable and Disable Optional Attack Checks
To select the attack checks that you want the TMS zl Module to perform,
complete the following steps:
1. Click Firewall > Settings > Attacks.