TCP-UDP
TCP controls data during transfer. Its role is to check that the IP packets sent are received in the correct order, without loss and with their integrity unchanged.
UDP may replace TCP where minor transmission problems are acceptable, as it provides a more fluid transfer because it does not check each stage of the transmission. For example, it is suitable for streaming applications (audio/video broadcast), for which packet loss is not critical: during these transmissions, lost packets are simply ignored.
Profiles screen
“IPS-Connection”
Inspection
Impose MSS limit | This option allows you to set an MSS (Maximum Segment Size) limit for the inspection of the profile. NOTE: If this option is selected, the following field is enabled, in which you set the limit. |
MSS limit (in bytes) | Define your MSS limit, between 100 and 65535 bytes. |
Rewrite TCP sequences with strong random values (arc4) | If this option is selected, the TCP sequence numbers generated by the client and server will be overwritten and replaced by the Stormshield Network intrusion prevention engine, which generates random sequence numbers. |
Enable protection from repeated sending of ACK packets | If this option is selected, you are protecting yourself from session hijacking or “ACK” attacks. |
Enable automatic adjustment of memory allocated to data tracking | If this option is selected, you will be allowing the firewall to dynamically adjust the memory allocated to data tracking. The maximum value of dynamically allocated memory is equal to the size of the TCP window divided by the MSS limit. When this checkbox is unselected, the maximum value becomes 256. |
Enable application tracking | This option allows you to log application identifiers in alarm and connection logs in order to generate a report based on these application identifiers. |
Protection against denial of service attacks
Maximum number of simultaneous connections for a source host (0 disables protection) | This option allows restricting the number of simultaneous connections for a single source host. When the selected value is 0, no restrictions will be applied. IMPORTANT |
Maximum number of new connections for a source host in the interval defined (0 disables protection) | This option allows restricting the number of new connections initiated by a source host within a defined interval. When the selected value is 0, no restrictions will be applied. IMPORTANT |
Interval during which new connections are limited | Define the reference interval to calculate the number of new connections allowed for each source host. This value has to be between 1 and 3600 seconds. |
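The two limits above (simultaneous connections per source host, and new connections per source host within the reference interval) are easiest to reason about as two independent counters. The following Python model is an added example, not Stormshield's code: the class name `SourceHostLimiter`, the host addresses and the event list are all constructed for illustration. It keeps a per-host count of open connections and a sliding window of recent connection attempts, applies the 0-disables convention from the profile screen, and enforces the 1 to 3600 second bound on the interval.

```python
from collections import defaultdict, deque


class SourceHostLimiter:
    """Per-source-host limits in the spirit of the two DoS protection settings:
    a cap on simultaneous connections and a cap on new connections within a
    reference interval. A value of 0 disables the corresponding check, exactly
    as on the profile screen. Illustrative model only, not the firewall's code."""

    def __init__(self, max_simultaneous=0, max_new=0, interval=60):
        if not 1 <= interval <= 3600:
            raise ValueError("interval must be between 1 and 3600 seconds")
        self.max_simultaneous = max_simultaneous
        self.max_new = max_new
        self.interval = interval
        self.open = defaultdict(int)       # source host -> connections currently open
        self.recent = defaultdict(deque)   # source host -> timestamps of recent new connections

    def _prune(self, src, now):
        # Forget connection attempts older than the reference interval.
        q = self.recent[src]
        while q and now - q[0] >= self.interval:
            q.popleft()

    def on_new_connection(self, src, now):
        """Decide whether a new connection from src at time now is allowed.
        Returns (allowed, reason)."""
        if self.max_simultaneous and self.open[src] >= self.max_simultaneous:
            return False, "too many simultaneous connections"
        self._prune(src, now)
        if self.max_new and len(self.recent[src]) >= self.max_new:
            return False, "new-connection rate exceeded"
        self.open[src] += 1
        self.recent[src].append(now)
        return True, "accepted"

    def on_close(self, src):
        # Closing frees a simultaneous-connection slot but not a rate slot:
        # the attempt still counts against the interval until it ages out.
        if self.open[src] > 0:
            self.open[src] -= 1


# Constructed sample: (time in seconds, source host, event)
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "open"),
    (0.5, "10.0.0.5", "open"),
    (1.0, "10.0.0.5", "open"),    # third simultaneous connection: over the cap of 2
    (2.0, "10.0.0.5", "close"),
    (2.5, "10.0.0.5", "open"),    # slot freed, third new connection in the interval
    (3.0, "10.0.0.5", "close"),
    (3.5, "10.0.0.5", "open"),    # slot free, but 3 new connections in the last 10 s
    (12.5, "10.0.0.5", "open"),   # the earlier attempts have aged out
    (13.0, "10.0.0.9", "open"),   # another host has its own counters
]


def run_sample(events=SAMPLE_EVENTS, limiter=None):
    """Replay the events and return (time, source, decision) for every open."""
    if limiter is None:
        limiter = SourceHostLimiter(max_simultaneous=2, max_new=3, interval=10)
    decisions = []
    for t, src, kind in events:
        if kind == "open":
            _, reason = limiter.on_new_connection(src, t)
            decisions.append((t, src, reason))
        else:
            limiter.on_close(src)
    return decisions


if __name__ == "__main__":
    for t, src, reason in run_sample():
        print(f"t={t:5.1f}s {src:10s} {reason}")
```

Note the difference between the two checks in the replay: closing a connection immediately frees a simultaneous-connection slot, but the attempt keeps counting against the new-connection limit until it falls outside the interval, which is what makes the second limit useful against hosts that open and drop connections in quick succession.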
Timeout (in seconds)
Connection opening timeout (SYN) | Maximum time, in seconds, allowed to fully establish the TCP connection (SYN / SYN+ACK / ACK). It has to be between 10 and 60 (default value: 20 seconds). |
TCP connection | Maximum time, in seconds, the state of an idle connection is kept. It has to be between 30 and 604800 (default value: 3600 seconds). |
UDP connection | Maximum time, in seconds, the state of an idle UDP pseudo-connection is kept. It has to be between 30 and 604800 (default value: 120 seconds). |
Connection closing timeout (FIN) | Maximum time, in seconds, allowed for the TCP connection closing phase (FIN+ACK / ACK / FIN+ACK / ACK). This value has to be between 10 and 3600 seconds (default value: 480 seconds). |
Closed connections | Number of seconds a closed connection (closed state) is kept in the connection table. It has to be between 2 and 60 seconds (default value: 2 seconds). |
Small TCP window | To avoid denial of service attacks, this counter determines the lifetime of a connection with a small TCP window (lower than 100 bytes). The counter is reset when the first small window announcement is received. If no new message increasing the window size is received before this counter expires, the TCP connection will be closed. |
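The timeouts in this section all act on a connection table: each entry has a state, and an entry is dropped once it has been idle longer than the timeout for that state, or, for an established connection, once the small-window counter runs out. The following Python model is an added example, not Stormshield's implementation: the class names `ConnTable` and `Entry`, the flow keys and addresses are constructed, and since the page gives no default for the small TCP window counter, the value `SMALL_WINDOW_TIMEOUT = 30` is an assumption. The default timeouts and their permitted ranges are the ones listed above.

```python
from dataclasses import dataclass
from typing import Optional

# Default idle timeouts in seconds, as listed on the profile screen.
DEFAULT_TIMEOUTS = {
    "SYN": 20,            # connection opening (SYN / SYN+ACK / ACK)
    "ESTABLISHED": 3600,  # idle TCP connection
    "UDP": 120,           # idle UDP pseudo-connection
    "FIN": 480,           # connection closing phase
    "CLOSED": 2,          # closed connection kept in the table
}
# Permitted ranges (min, max) for each timeout, also from the profile screen.
VALID_RANGES = {
    "SYN": (10, 60),
    "ESTABLISHED": (30, 604800),
    "UDP": (30, 604800),
    "FIN": (10, 3600),
    "CLOSED": (2, 60),
}
SMALL_WINDOW_BYTES = 100        # a window below this is "small"
SMALL_WINDOW_TIMEOUT = 30       # ASSUMPTION: the page gives no default for this counter


@dataclass
class Entry:
    state: str
    last_seen: float
    small_window_since: Optional[float] = None   # when the first small window was seen


class ConnTable:
    """Minimal connection table that ages entries out by state. Illustrative
    model only, not the firewall's implementation."""

    def __init__(self, timeouts=None, small_window_timeout=SMALL_WINDOW_TIMEOUT):
        self.timeouts = dict(DEFAULT_TIMEOUTS)
        for state, value in (timeouts or {}).items():
            lo, hi = VALID_RANGES[state]
            if not lo <= value <= hi:
                raise ValueError(f"{state} timeout must be between {lo} and {hi} seconds")
            self.timeouts[state] = value
        self.small_window_timeout = small_window_timeout
        self.entries = {}

    def update(self, key, state, now, window=None):
        """Record a packet for flow key at time now; window is the announced TCP window."""
        e = self.entries.get(key)
        if e is None:
            e = self.entries[key] = Entry(state, now)
        e.state, e.last_seen = state, now
        if window is not None:
            if window < SMALL_WINDOW_BYTES:
                if e.small_window_since is None:
                    e.small_window_since = now   # counter starts at the first small announcement
            else:
                e.small_window_since = None      # window grew again: counter cleared
        return e

    def expire(self, now):
        """Remove entries whose timeout has elapsed; return {key: reason}."""
        dropped = {}
        for key, e in self.entries.items():
            if now - e.last_seen >= self.timeouts[e.state]:
                dropped[key] = f"{e.state} timeout"
            elif (e.small_window_since is not None
                  and now - e.small_window_since >= self.small_window_timeout):
                dropped[key] = "small TCP window"
        for key in dropped:
            del self.entries[key]
        return dropped


def run_sample():
    """Four constructed flows, each hitting a different timeout."""
    t = ConnTable()
    half_open = ("tcp", "10.0.0.5", 40000, "192.0.2.10", 443)
    idle_tcp = ("tcp", "10.0.0.6", 40001, "192.0.2.10", 443)
    idle_udp = ("udp", "10.0.0.7", 5000, "192.0.2.20", 53)
    tiny_win = ("tcp", "10.0.0.8", 40002, "192.0.2.10", 80)
    t.update(half_open, "SYN", 0)
    t.update(idle_tcp, "ESTABLISHED", 0)
    t.update(idle_udp, "UDP", 0)
    t.update(tiny_win, "ESTABLISHED", 0, window=50)
    # Sweep the table at four later instants and collect what was dropped.
    return [t.expire(now) for now in (25, 40, 130, 4000)]


if __name__ == "__main__":
    for sweep in run_sample():
        print(sweep)
```

The half-open flow goes first (20 s SYN timeout), then the small-window flow, whose counter started at its first sub-100-byte announcement and was never cleared by a larger window, then the idle UDP pseudo-connection at 120 s, and the idle established TCP connection only at 3600 s. Raising the window again before the counter expires clears it, which is the behaviour the Small TCP window setting describes.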
Support
Disable the SYN proxy | If this option is selected, you will no longer be protected from “SYN” attacks, as the proxy will no longer filter packets. We advise disabling the SYN proxy for debug purposes only. |