Intrusion Defense Firewall 1.2 User's Guide - Trend Micro? Online ...
TCP
The Firewall Rule engine, by default, performs a series of checks on fragmented packets. This is default behavior and cannot be reconfigured. Packets with the following characteristics are dropped:
o Invalid fragmentation flags/offset: A packet is dropped when either both the DF and MF flags in the IP header are set to 1, or the header has the DF flag set to 1 and an Offset value different from 0.
o First fragment too small: A packet is dropped if its MF flag is set to 1, its Offset value is 0, and its total length is less than 120 bytes (the maximum combined header length).
o IP fragment out of boundary: A packet is dropped if its Offset field value combined with the total packet length exceeds the maximum datagram length of 65535 bytes.
o IP fragment offset too small: A packet is dropped if it has a non-zero Offset field value that is smaller than 60 bytes.
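The four fragment checks above, written out as a small IPv4 header parser, as an added example (it is not code from the guide or from Trend Micro's product). It assumes that "Offset" means the 13-bit fragment offset field of the IPv4 header expressed in bytes (the field counts 8-byte units), that "total length" is the IPv4 Total Length field, and that the rules are evaluated in the order the guide lists them; the header builder and the sample packets are constructed for illustration.

```python
import struct

# Thresholds taken from the guide's description of the checks.
MAX_DATAGRAM_LEN = 65535          # maximum IPv4 datagram length
MIN_FIRST_FRAGMENT_LEN = 120      # "maximum combined header length" per the guide
MIN_FRAGMENT_OFFSET_BYTES = 60    # non-zero offsets below this are dropped

IPV4_HDR = "!BBHHHBBH4s4s"        # fixed 20-byte IPv4 header layout


def parse_ipv4_header(packet: bytes) -> dict:
    """Extract the fields the fragment checks need from a raw IPv4 header.

    Assumption: the 13-bit offset field is converted to bytes (units of 8).
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    (_, _, total_len, _, flags_frag, _, _, _, _, _) = struct.unpack(IPV4_HDR, packet[:20])
    flags = flags_frag >> 13              # reserved, DF, MF
    return {
        "total_length": total_len,
        "df": bool(flags & 0b010),
        "mf": bool(flags & 0b001),
        "offset_bytes": (flags_frag & 0x1FFF) * 8,
    }


def fragment_check(packet: bytes):
    """Return None if the packet passes, otherwise the name of the rule that drops it."""
    h = parse_ipv4_header(packet)
    # Rule 1: DF and MF both set, or DF set with a non-zero offset.
    if (h["df"] and h["mf"]) or (h["df"] and h["offset_bytes"] != 0):
        return "invalid fragmentation flags/offset"
    # Rule 2: first fragment (MF set, offset 0) shorter than 120 bytes.
    if h["mf"] and h["offset_bytes"] == 0 and h["total_length"] < MIN_FIRST_FRAGMENT_LEN:
        return "first fragment too small"
    # Rule 3: offset plus total length would exceed the maximum datagram size.
    if h["offset_bytes"] + h["total_length"] > MAX_DATAGRAM_LEN:
        return "IP fragment out of boundary"
    # Rule 4: a non-first fragment whose offset is below 60 bytes.
    if h["offset_bytes"] != 0 and h["offset_bytes"] < MIN_FRAGMENT_OFFSET_BYTES:
        return "IP fragment offset too small"
    return None


def build_ipv4_header(total_length: int, df: bool = False, mf: bool = False,
                      offset_units: int = 0) -> bytes:
    """Constructed helper: build a 20-byte IPv4 header with the given fragment fields.

    The checksum is left at zero and the addresses are documentation addresses;
    only the fields the checks read matter here.
    """
    flags = (0b010 if df else 0) | (0b001 if mf else 0)
    flags_frag = (flags << 13) | (offset_units & 0x1FFF)
    return struct.pack(IPV4_HDR, 0x45, 0, total_length, 1, flags_frag, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


def run_samples() -> dict:
    """Apply the checks to a set of constructed packets and report the verdicts."""
    samples = {
        "unfragmented DF":        build_ipv4_header(100, df=True),
        "DF and MF both set":     build_ipv4_header(1500, df=True, mf=True),
        "DF with offset":         build_ipv4_header(1500, df=True, offset_units=8),
        "short first fragment":   build_ipv4_header(100, mf=True),
        "normal first fragment":  build_ipv4_header(1500, mf=True),
        "offset beyond 65535":    build_ipv4_header(100, offset_units=8191),
        "offset 32 bytes":        build_ipv4_header(100, mf=True, offset_units=4),
        "offset 64 bytes":        build_ipv4_header(100, mf=True, offset_units=8),
    }
    return {name: fragment_check(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} -> {verdict or 'pass'}")
```

The last two samples show why the offset unit matters: an offset field of 4 (32 bytes) is dropped by the fourth rule while an offset of 8 (64 bytes) passes, so a defender reading the engine's log should map the 60-byte threshold to offset values below 8.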
TCP Packet Inspection
Deny TCP packets containing CWR, ECE flags: These flags are set when there is network congestion.
RFC 3168 defines two of the six bits from the Reserved field to be used for ECN (Explicit Congestion Notification), as follows:
Bits 8 to 15: CWR-ECE-URG-ACK-PSH-RST-SYN-FIN
TCP Header Flags Bit Name Reference:
Bit 8: CWR (Congestion Window Reduced) [RFC3168]
Bit 9: ECE (ECN-Echo) [RFC3168]
Automated packet transmission (such as that generated by a denial of service attack, among other things) will often produce packets in which these flags are set.
Enable TCP stateful inspection: Enable stateful inspection at the TCP level. If you enable stateful TCP inspection, the following options become available:
o Enable TCP stateful logging: TCP stateful inspection events will be logged.
o Limit the number of incoming connections from a single Computer to: Limiting the number of connections from a single Computer can lessen the effect of a denial of service attack.
o Limit the number of outgoing connections to a single Computer to: Limiting the number of outgoing connections to a single Computer can significantly reduce the effects of Nimda-like worms.
o Limit the number of half-open connections from a single Computer to: Setting a limit here can protect you from DoS attacks like SYN Flood. Although most servers have timeout settings for closing half-open connections, setting a value here can prevent half-open connections from becoming a significant problem. If the specified limit for SYN-SENT(remote) entries is reached, subsequent TCP packets from that specific Computer will be dropped.
© Copyright 2010 Trend Micro Inc. www.trendmicro.com
All rights reserved. - 35 -