TCP-UDP
TCP controls data during its transfer: it checks that the IP packets sent are received in the right order, with nothing lost and nothing altered (integrity).
UDP can be used instead of TCP where occasional transmission problems are acceptable, as it gives a more fluid transfer: it does not control each stage of the transmission. It is suitable, for example, for streaming applications (audio/video broadcast), for which packet loss is not critical; during these transmissions, lost packets are simply ignored.
Profiles screen
IPS-Connection tab
Inspection
| Option | Description |
|---|---|
| Impose MSS limit | This option allows you to set an MSS (Maximum Segment Size) limit for the inspection of the profile. NOTE: if this option is selected, the following field is enabled so that you can set the limit. |
| MSS limit (in bytes) | Define your MSS limit, between 100 and 65535 bytes. |
| Rewrite TCP sequences with strong random values (arc4) | If this option is selected, the TCP sequence numbers generated by the client and server are overwritten and replaced by the Stormshield Network intrusion prevention engine, which produces random sequence numbers. |
| Enable protection from repeated sending of ACK packets | If this option is selected, you are protected against session hijacking or “ACK” attacks. |
| Enable automatic adjustment of memory allocated to data tracking | If this option is selected, the firewall is allowed to dynamically adjust the memory allocated to data tracking. The maximum value of dynamically allocated memory is equal to the size of the TCP window divided by the MSS limit. When this checkbox is selected, the maximum value becomes 256. |
| Enable application tracking | This option makes it possible to log application IDs in alarm and connection logs, in order to generate reports based on these application IDs. |
Protection against denial of service attacks
Connection restrictions
| Option | Description |
|---|---|
| Maximum number of TCP connections per source IP address (0 disables this protection) | This option makes it possible to restrict the number of TCP connections for a single source IP address. When the selected value is 0, no restriction is applied. IMPORTANT |
| Maximum number of UDP sessions per source IP address (0 disables this protection) | This option makes it possible to restrict the number of UDP sessions for a single source IP address. When the selected value is 0, no restriction is applied. IMPORTANT |
Maximum frequency with which initial TCP/UDP packets are received
| Option | Description |
|---|---|
| Maximum number of SYN packets received within the reference interval for a source IP address (0 disables this protection) | This option makes it possible to set the maximum number of TCP connection requests (SYN packets) received from the same source IP address during the reference period set in the Reference interval for maximum frequency with which initial TCP/UDP packets are received section. This option makes it possible to protect the firewall from SYN flooding (DDoS) attacks. |
| Maximum number of new UDP sessions within the reference interval for a source IP address (0 disables this protection) | This option makes it possible to set the maximum number of UDP session requests received from the same source IP address during the reference period set in the Reference interval for maximum frequency with which initial TCP/UDP packets are received section. This option makes it possible to protect the firewall from UDP flooding (DoS) attacks. |
Reference interval for maximum frequency with which initial TCP/UDP packets are received
| Option | Description |
|---|---|
| Interval during which new TCP connections from the same source address are counted until reaching the threshold set in the calculation of the frequency with which initial TCP packets are received | This option makes it possible to set the reference time used to calculate the maximum frequency of new TCP connections (SYN packets) for the same source IP address. IMPORTANT |
| Interval during which new UDP sessions from the same source address are counted until reaching the threshold set in the calculation of the frequency with which initial UDP packets are received | This option makes it possible to set the reference time used to calculate the maximum frequency of new UDP sessions (SYN packets) for the same source IP address. IMPORTANT |
NOTE
To track the values of the simultaneous connection counters, use the command: `sfctl -s host -v`.
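Added example, not part of the Stormshield documentation or product code: the counting logic behind the per-source limits above, as a defender would model it when tuning thresholds. One function applies the "maximum number of SYN packets / new UDP sessions within the reference interval" rule with a sliding window per source IP, the other the "maximum number of TCP connections per source IP" rule as a running count; both treat 0 as "protection disabled", as the profile does. The event tuples, IP addresses and function names are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample log: (timestamp in seconds, source IP, event kind).
# "syn" = TCP connection request, "udp" = new UDP session.
RATE_EVENTS = [
    (0.0, "10.0.0.5", "syn"), (0.2, "10.0.0.5", "syn"), (0.4, "10.0.0.5", "syn"),
    (0.6, "10.0.0.5", "syn"), (0.8, "10.0.0.5", "syn"), (1.0, "10.0.0.5", "syn"),
    (0.1, "10.0.0.9", "syn"), (2.5, "10.0.0.9", "syn"), (5.0, "10.0.0.9", "syn"),
    (0.3, "10.0.0.7", "udp"), (0.5, "10.0.0.7", "udp"), (0.7, "10.0.0.7", "udp"),
]

def exceeding_sources(events, kind, max_per_interval, interval):
    """Return {source_ip: timestamp} for each source whose number of `kind`
    requests inside a sliding window of `interval` seconds exceeds
    max_per_interval (timestamp = first moment the threshold is crossed)."""
    if max_per_interval == 0:  # 0 disables the protection, as on the profile
        return {}
    windows = defaultdict(deque)
    flagged = {}
    for ts, src, k in sorted(events):
        if k != kind or src in flagged:
            continue
        q = windows[src]
        q.append(ts)
        while ts - q[0] > interval:  # drop requests older than the reference interval
            q.popleft()
        if len(q) > max_per_interval:
            flagged[src] = ts
    return flagged

# Constructed sample: "open"/"close" = a TCP connection established / torn down.
CONN_EVENTS = [
    (0, "10.0.0.5", "open"), (1, "10.0.0.5", "open"), (2, "10.0.0.5", "close"),
    (3, "10.0.0.5", "open"), (4, "10.0.0.5", "open"),
    (0, "10.0.0.9", "open"), (1, "10.0.0.9", "close"), (2, "10.0.0.9", "open"),
]

def over_connection_limit(events, max_connections):
    """Return {source_ip: timestamp} the first time a source holds more than
    max_connections simultaneous TCP connections (0 disables the check)."""
    if max_connections == 0:
        return {}
    open_count = defaultdict(int)
    flagged = {}
    for ts, src, k in sorted(events):
        if k == "open":
            open_count[src] += 1
            if open_count[src] > max_connections and src not in flagged:
                flagged[src] = ts
        elif k == "close":
            open_count[src] = max(0, open_count[src] - 1)
    return flagged
```

With a limit of 5 SYN packets per 1-second interval, only 10.0.0.5 is flagged (six requests within one second); 10.0.0.9 sends the same kind of requests but spread over five seconds and stays under the threshold.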
Timeout (seconds)
| Option | Description |
|---|---|
| Connection opening timeout (SYN) | Maximum time, in seconds, allowed to fully establish the TCP connection (SYN / SYN+ACK / ACK). It has to be between 10 and 60 (default value: 20 seconds). |
| TCP connection | Maximum duration, in seconds, for which the state of an idle connection is kept. It has to be between 30 and 604800 (default value: 3600 seconds). |
| UDP session | Maximum time, in seconds, for which the state of an idle UDP pseudo-connection is kept. It has to be between 30 and 604800 (default value: 120 seconds). |
| Connection closing timeout (FIN) | Maximum time, in seconds, allowed for the TCP connection closing phase (FIN+ACK / ACK / FIN+ACK / ACK). This value has to be between 10 and 3600 seconds (default value: 480 seconds). |
| Closed connections | Number of seconds a closed connection (closed state) is kept in the connection table. It has to be between 2 and 60 seconds (default value: 2 seconds). |
| Small TCP window | To prevent denial of service attacks, this counter determines the lifetime of a connection with a small TCP window (smaller than 100 bytes). The counter is reset when the first small-window announcement is received. If no new message that increases the window size is received before the counter expires, the TCP connection is closed. |
Support
| Option | Description |
|---|---|
| Disable the SYN proxy | If this option is selected, you are no longer protected from “SYN” attacks, as the proxy no longer filters packets. We advise you to disable the SYN proxy for debugging purposes only. |