Symantec™ Security Gateways Reference Guide - Sawmill

118 Preventing attacks

Logical network interfaces

Logical network interfaces are an abstraction of the system's network interfaces. Logical network interfaces let an administrator apply the same general configuration to multiple security gateways, even if those security gateways have different physical hardware adapters installed. The benefit of logical network interfaces becomes clear when you understand that you can create rules that apply to a logical network interface instead of to a specific interface with a static IP address.

When you run the System Setup Wizard on each security gateway, the name defined for each network interface creates a corresponding logical network interface. If you configure each security gateway to use the same logical network interface naming convention when you configure the network adapters in the System Setup Wizard, you can apply the same rules that use those logical network interface names to each security gateway.

The Logical Network Interfaces window lets you turn on and off several of the security features associated with the logical network interface.

Allow multicast (UDP-based) traffic

Multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to many receivers. Multicast, which uses the Internet Group Management Protocol (IGMP), is based on the concept of a group, which is defined as an arbitrary number of receivers that have expressed an interest in receiving a particular data stream. Using a multicast router, packets sent from a single source are reviewed, replicated, and then sent only to the members of the multicast group. Systems that are not part of the multicast group do not receive unnecessary traffic.

Multicast packets can also traverse networks, assuming that the router between the two networks is multicast enabled. This is another distinct advantage over using the broadcast address on a network, as routers do not forward broadcast packets.

Enabling this option configures the security gateway to allow multicast traffic.

Note: You cannot configure the security gateway to act like a multicast router and rebroadcast multicast packets to protected hosts. Allowing multicast traffic only instructs the security gateway not to filter and drop multicast packets it receives.

SYN flood protection

A standard TCP connection consists of three phases. In the first phase, the client sends a TCP request to the server with the SYN bit turned on. When the server receives the packet, it responds with its own packet that has both the SYN and ACK bits enabled. Finally, the client acknowledges the receipt of the server's packet by sending a response with the ACK bit enabled. At this point, a socket is created, and both systems can communicate with one another.

Attackers may try to overwhelm a server by initiating a SYN flood attack. In a SYN flood attack, the first and second phases of the three-way handshake take place. However, the client never responds to the server's SYN-ACK packet. Often, the original client address is spoofed, so the response goes to an invalid IP address. This leaves an open, pending connection on the server, and consumes some of the server's resources. In normal situations, the server is capable of handling these pending connections. However, when the server is repeatedly flooded with requests, and the requests are never completed, the server can be quickly overburdened.

The security gateway offers three methods of SYN flood protection. One method, the adaptive SYN flood handling algorithm, is active all of the time and offers continuous, low-overhead protection. The other two methods, algorithm 1 and algorithm 2, employ different methods to handle large numbers of SYN packets. Each has its own purpose.
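
The handshake state machine described above, as an added example that is not part of the Symantec guide: it replays a constructed packet trace, tracks each connection through the SYN, SYN-ACK and ACK phases, and reports servers left holding an excess of half-open (SYN-received) connections. The trace, the addresses and the detection threshold are all constructed for illustration.

```python
"""Track TCP three-way handshake state from a constructed packet trace and
flag servers holding too many half-open (SYN-received) connections."""
from collections import defaultdict

# Constructed sample trace: (src, dst, flags). Not taken from the guide.
# The first three packets complete one handshake. The remaining SYNs come
# from (assumed spoofed) clients that never send the final ACK, so the
# server's SYN-ACK replies leave twelve half-open connections behind.
TRACE = [
    ("10.0.0.5", "192.0.2.10", "SYN"),
    ("192.0.2.10", "10.0.0.5", "SYN-ACK"),
    ("10.0.0.5", "192.0.2.10", "ACK"),
] + [(f"203.0.113.{i}", "192.0.2.10", "SYN") for i in range(1, 13)] \
  + [("192.0.2.10", f"203.0.113.{i}", "SYN-ACK") for i in range(1, 13)]


def handshake_states(trace):
    """Return {(client, server): state}, where state is 'syn_sent',
    'syn_received' or 'established', following the three phases."""
    states = {}
    for src, dst, flags in trace:
        if flags == "SYN":                            # phase 1: client -> server
            states[(src, dst)] = "syn_sent"
        elif flags == "SYN-ACK":                      # phase 2: server -> client
            key = (dst, src)
            if states.get(key) == "syn_sent":
                states[key] = "syn_received"          # pending on the server
        elif flags == "ACK":                          # phase 3: client -> server
            if states.get((src, dst)) == "syn_received":
                states[(src, dst)] = "established"    # socket created
    return states


def half_open_per_server(states):
    """Count connections stuck in 'syn_received', keyed by server address."""
    counts = defaultdict(int)
    for (_client, server), state in states.items():
        if state == "syn_received":
            counts[server] += 1
    return dict(counts)


def flooded_servers(trace, threshold=10):
    """Servers whose half-open count exceeds `threshold` (a constructed
    value for this example, not the gateway's adaptive algorithm)."""
    counts = half_open_per_server(handshake_states(trace))
    return sorted(server for server, n in counts.items() if n > threshold)
```

Running `flooded_servers(TRACE)` on the constructed trace reports only 192.0.2.10, while the completed handshake from 10.0.0.5 is correctly counted as established rather than pending.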
