User guide

Chapter 11: Protecting Your Network From Attacks
144 WatchGuard Firebox System
which services are running on the hosts inside that network. From Policy Manager:
1 On the toolbar, click the Default Packet Handling icon.
You can also, from Policy Manager, select Setup => Default.
The Default Packet Handling dialog box appears.
2 Enable the checkbox marked Block Port Space Probes.
3 Enable the checkbox marked Block Address Space Probes.
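The two checkboxes above block probing from the Firebox itself; the same behaviour is visible in deny logs, and the following is an added example (not WatchGuard code) of how an analyst could recognise it after the fact. The log format, the thresholds and every address are constructed for illustration and are not the Firebox's own log format.

```python
"""Flag port-space and address-space probes in firewall deny logs.

Added example, not WatchGuard code. The log format below is constructed:
"<time> DENY src=<ip> dst=<ip> dport=<port>".
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<time>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample log lines (not real Firebox output):
# 203.0.113.7 walks six ports on one host (port-space probe),
# 198.51.100.9 tries one port on five hosts (address-space probe),
# 192.0.2.77 is a single ordinary denied connection.
SAMPLE_LOG = """\
10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=21
10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=23
10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=25
10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=80
10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=110
10:00:05 DENY src=198.51.100.9 dst=192.0.2.1 dport=80
10:00:05 DENY src=198.51.100.9 dst=192.0.2.2 dport=80
10:00:06 DENY src=198.51.100.9 dst=192.0.2.3 dport=80
10:00:06 DENY src=198.51.100.9 dst=192.0.2.4 dport=80
10:00:07 DENY src=198.51.100.9 dst=192.0.2.5 dport=80
10:00:09 DENY src=192.0.2.77 dst=192.0.2.10 dport=443
this line is malformed and must be skipped
"""


def parse_log(text):
    """Yield (src, dst, dport) for each well-formed deny line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def find_probes(text, port_threshold=5, host_threshold=5):
    """Return {src: set of kinds} for sources that touched at least
    port_threshold distinct ports on one host (port-space probe) or at least
    host_threshold distinct hosts (address-space probe). Thresholds are
    illustrative, not Firebox defaults."""
    ports_by_src_dst = defaultdict(set)
    hosts_by_src = defaultdict(set)
    for src, dst, dport in parse_log(text):
        ports_by_src_dst[(src, dst)].add(dport)
        hosts_by_src[src].add(dst)

    probes = defaultdict(set)
    for (src, _dst), ports in ports_by_src_dst.items():
        if len(ports) >= port_threshold:
            probes[src].add("port-space probe")
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= host_threshold:
            probes[src].add("address-space probe")
    return dict(probes)


if __name__ == "__main__":
    for src, kinds in find_probes(SAMPLE_LOG).items():
        print(src, ", ".join(sorted(kinds)))
```

The two counters are kept separately because the signals differ: a port-space probe is many ports against one host, an address-space probe is one port across many hosts, and a source may do both.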
Stopping IP options attacks
Another type of attack that can be used to disrupt your network involves IP options in the packet header. IP options are extensions of the Internet Protocol that are usually used for debugging or for special applications. For example, if you allow IP options, the attacker can use the options to specify a route that helps him or her gain access to your network. Although there is some gain to leaving IP options enabled, the risk generally outweighs the benefit.
From Policy Manager:
1 On the toolbar, click the Default Packet Handling icon.
You can also, from Policy Manager, select Setup => Default.
The Default Packet Handling dialog box appears.
2 Enable the checkbox marked Block IP Options.
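To make the option-header mechanism concrete, here is an added example (not WatchGuard code) that parses the options area of an IPv4 header and reports whether a packet carries the source-routing options the text refers to. The option type values are those registered for IPv4 (record route 7, timestamp 68, loose source route 131, strict source route 137, router alert 148); the packet bytes, the helper that builds them, and the classification labels are constructed for this example.

```python
"""Inspect an IPv4 header for IP options and report source-routing options.

Added example, not WatchGuard code. Packets below are constructed inline.
"""
import struct

# IPv4 option types (registered values); names are only used for reporting.
OPTION_NAMES = {
    0x07: "record route",
    0x44: "timestamp",
    0x83: "loose source route",
    0x89: "strict source route",
    0x94: "router alert",
}
SOURCE_ROUTE_TYPES = {0x83, 0x89}


def parse_ipv4_options(packet):
    """Return a list of (type, value_bytes) for each option in the header.

    Raises ValueError on a malformed header or option length, so a truncated
    or corrupt options field is rejected rather than silently accepted.
    """
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4          # header length in bytes
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    options = []
    i = 20                                   # options start after the fixed header
    while i < ihl:
        opt_type = packet[i]
        if opt_type == 0:                    # end of option list
            break
        if opt_type == 1:                    # no-operation (padding)
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option missing length byte")
        opt_len = packet[i + 1]              # length covers type and length bytes
        if opt_len < 2 or i + opt_len > ihl:
            raise ValueError("bad option length")
        options.append((opt_type, bytes(packet[i + 2:i + opt_len])))
        i += opt_len
    return options


def classify(packet):
    """Return 'no options', 'source routed' or 'options present'."""
    opts = parse_ipv4_options(packet)
    if not opts:
        return "no options"
    if any(t in SOURCE_ROUTE_TYPES for t, _ in opts):
        return "source routed"
    return "options present"


def is_malformed(packet):
    """True when the header or its options do not parse cleanly."""
    try:
        parse_ipv4_options(packet)
        return False
    except ValueError:
        return True


def build_ipv4_header(src, dst, options=b""):
    """Constructed helper: minimal IPv4 header (checksum left 0) plus options."""
    options += b"\x00" * (-len(options) % 4)  # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return header + options


# Constructed samples: a plain header, one carrying a loose source route option
# (type 0x83, length 7, pointer 4, one hop address), and one with a bogus length.
PLAIN = build_ipv4_header("198.51.100.5", "192.0.2.10")
LSRR = build_ipv4_header("198.51.100.5", "192.0.2.10",
                         b"\x83\x07\x04" + bytes([192, 0, 2, 1]))
BROKEN = build_ipv4_header("198.51.100.5", "192.0.2.10", b"\x83\x20")

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("lsrr", LSRR)):
        print(name, classify(pkt),
              [OPTION_NAMES.get(t, hex(t)) for t, _ in parse_ipv4_options(pkt)])
```

A filter that blocks IP options only has to check that the header length exceeds 20 bytes; the parser above goes further so that an analyst can see which option a blocked packet carried, and it fails closed on any option whose length field runs past the header.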
Stopping SYN Flood attacks
A SYN Flood attack is a type of Denial of Service (DoS) attack that seeks to prevent your public services (such as email and Web servers) from being accessible to users on the Internet.
To understand how SYN Flood works, consider a normal TCP connection. A user tries to connect by way of a Web browser to your server by sending what is called a SYN segment. Your Web server acknowledges the browser by sending what is called a SYN+ACK segment. When the browser sees the SYN+ACK, it sends an ACK segment. The server is ready to accept the URL request from the browser when it sees the ACK segment. However, until the ACK segment has been received, the server is “stuck”; it knows the browser wants to communicate, but the connection is not yet established. Many servers in use today can handle only a finite number of these half-way completed connections at a time.
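The handshake and the finite table of half-completed connections described above can be modelled directly. The following is an added example (not WatchGuard code): a small listener object that walks each connection through SYN, SYN+ACK and ACK with a fixed backlog, so that a trace of SYNs that are never acknowledged visibly exhausts the table and a later legitimate SYN is turned away. The backlog size, the segment traces and all addresses are constructed for the example.

```python
"""Model of a server's half-open connection table during a SYN flood.

Added example, not WatchGuard code. Backlog size and traces are constructed.
"""
from collections import OrderedDict


class Listener:
    """Tracks connections through SYN -> SYN+ACK -> ACK with a finite backlog."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = OrderedDict()   # (src, sport) -> True while awaiting ACK
        self.established = set()
        self.dropped_syns = 0

    def on_syn(self, src, sport):
        """Client SYN: answer SYN+ACK and park the connection as half-open."""
        key = (src, sport)
        if key in self.half_open or key in self.established:
            return "retransmit"          # already known; nothing new to allocate
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return "dropped"             # table full: the server cannot remember it
        self.half_open[key] = True
        return "syn+ack"

    def on_ack(self, src, sport):
        """Client ACK completing the handshake; frees a half-open slot."""
        key = (src, sport)
        if key not in self.half_open:
            return "ignored"             # no matching half-open entry
        del self.half_open[key]
        self.established.add(key)
        return "established"


def run_trace(segments, backlog):
    """Feed (kind, src, sport) segments to a fresh Listener.

    Returns the listener and the server's response to each segment."""
    listener = Listener(backlog)
    outcomes = []
    for kind, src, sport in segments:
        if kind == "SYN":
            outcomes.append(listener.on_syn(src, sport))
        elif kind == "ACK":
            outcomes.append(listener.on_ack(src, sport))
        else:
            raise ValueError("unknown segment kind: %r" % kind)
    return listener, outcomes


# Constructed traces. NORMAL is one browser completing the handshake.
# FLOOD is four SYNs (constructed source addresses) that are never followed by
# an ACK, then the same legitimate browser trying to connect.
NORMAL = [("SYN", "192.0.2.50", 40000), ("ACK", "192.0.2.50", 40000)]
FLOOD = [("SYN", "203.0.113.%d" % i, 1000 + i) for i in range(4)]
FLOOD.append(("SYN", "192.0.2.50", 40000))


if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("flood", FLOOD)):
        listener, outcomes = run_trace(trace, backlog=4)
        print(name, outcomes, "half-open:", len(listener.half_open),
              "dropped:", listener.dropped_syns)
```

The model shows why the half-open table is the resource at stake: every slot is taken by a peer that has not yet sent its ACK, and the legitimate SYN at the end of the flood trace gets no SYN+ACK at all, which is exactly the inaccessibility the text describes.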