Internet Security Router User
’s Manual
Chapter 9. Configuring Firewall/NAT Settings
65
Field
Description
to get into a "stuck state" where they cannot accept connections from
legitimate users. ("SYN" is short for "SYNchronize"; this is the first step in
opening an Internet connection). You can select this box if you wish to
protect the network from TCP SYN flooding. By default, SYN Flood
protection is enabled.
Winnuke
Check or un-check this option to enable or disable protection against
Winnuke attacks. Some older versions of the Microsoft Windows OS are
vulnerable to this attack. If the computers in the LAN are not updated with
recent versions/patches, you are advised to enable this protection by
checking this check box.
MIME Flood
Check or un-check this option to enable or disable protection against MIME
attacks. You can select this box to protect the mail server in your network
against MIME flooding.
FTP Bounce
Check or un-check this option to enable or disable protection against FTP
bounce attack. In its simplest terms, the attack is based on the misuse of the
PORT command in the FTP protocol. An attacker can establish a
connection between the FTP server machine and an arbitrary port on
another system. This connection may be used to bypass access controls
that would otherwise apply.
IP Unaligned Time
Stamp
Check or un-check this option to enable or disable protection against
unaligned IP time stamp attack. Certain operating systems will crash if they
receive a frame with the IP timestamp option that isn't aligned on a 32-bit
boundary.
Sequence Number
Prediction Check
Check or un-check this option to enable or disable protection against TCP
sequence number prediction attacks. For TCP packets, sequence number is
used to guard against accidental receipt of unintended data and malicious
use by the attackers if the ISN (Initial Sequence Number) is generated
randomly. Forged packets w/ valid sequence numbers can be used to gain
trust from the receiving host. Attackers can then gain access to the
compromised system. Note that this attack affects only the TCP packets
originated or terminated at the Internet Security Router.
Sequence Number
Out of Range Check
Check or un-check this option to enable or disable protection against TCP
out of range sequence number attacks. An attacker can send a TCP packet
to cause an intrusion detection system (IDS) to become unsynchronized
with the data in a connection. Subsequent frames sent in that connection
may then be ignored by the IDS. This may indicate an unsuccessful attempt
to hijack a TCP session.
ICMP Verbose
Check or un-check this option to enable or disable protection against ICMP
error message attacks. ICMP messages can be used to flood your network
w/ undesired traffic. By default, this option is enabled.
Maximum IP
Fragment Count
Enter the maximum number of fragments the Firewall should allow for every
IP packet. This option is required if your connection to the ISP is through
PPPoE. This data is used during transmission or reception of IP fragments.
When large sized packets are sent via the Internet Security Router, the
packets are chopped into fragments as large as MTU (Maximum
Transmission Unit). By default, this number is set to 45. If MTU of the
interface is 1500 (default for Ethernet), then there can be a maximum of 45
fragments per IP packet. If the MTU is less, then there can be more number
of fragments and this number should be increased.