User guide
Chapter 11: Protecting Your Network From Attacks
146 WatchGuard Firebox System
recorded. If these messages occur frequently when your server is not
under attack, the Maximum Incomplete Connections setting may be too
low. If the SYN Flood protection feature is not preventing attacks from
affecting your server, the setting may be too high. Consult your server’s
documentation for help choosing a new value, or experiment by adjusting
the setting until the problems disappear.
The validation timeout controls how long the Firebox “remembers”
clients that pass the validation test. The default setting of 120 seconds
means that a client that drops a legitimate connection has a two-minute
window to reconnect without being challenged. Setting the validation
timeout to zero seconds means that legitimate connections are “forgotten”
when dropped, so every connection attempt is challenged.
From Policy Manager:
1. On the toolbar, click the Default Packet Handling icon.
   You can also, from Policy Manager, select Setup => Default.
   The Default Packet Handling dialog box appears.
2. Use the SYN Validation Timeout box to set how long the Firebox "remembers" a validated connection after that connection is dropped.
3. Use the Maximum Incomplete Connections box to set the number of connections awaiting validation that are allowed to queue before the Firebox automatically activates SYN flood defense.
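The interaction between the two settings is easier to see in a small model than in prose. The following Python is an added illustration, not WatchGuard code: it tracks half-open connections, switches the defense on when the queue reaches the Maximum Incomplete Connections limit, challenges new clients while the defense is active, and remembers clients that passed validation for the SYN Validation Timeout after their connection drops. The validation test itself is abstracted (a client either completes it or does not), and the rule that the defense stays on while the half-open queue is at the limit is an assumption of the model. All addresses are constructed sample values.

```python
"""Toy model of the SYN flood settings in Default Packet Handling.

Added illustration, not WatchGuard code. Assumptions: the defense is on
whenever the half-open queue is at or above the limit, and the validation
test is reduced to "the client completed it or it did not"."""


class SynFloodGuard:
    def __init__(self, max_incomplete=100, validation_timeout=120.0):
        self.max_incomplete = max_incomplete          # Maximum Incomplete Connections
        self.validation_timeout = validation_timeout  # SYN Validation Timeout (seconds)
        self.incomplete = {}   # src -> time of its unanswered SYN (half-open)
        self.validated = {}    # src -> time it was validated or last dropped

    @property
    def defense_active(self):
        # Defense engages once the half-open queue reaches the limit (assumed rule).
        return len(self.incomplete) >= self.max_incomplete

    def remembered(self, src, now):
        """True while the client is still inside its validation window."""
        t = self.validated.get(src)
        if t is None:
            return False
        if now - t < self.validation_timeout:
            return True
        del self.validated[src]   # window expired: the client is forgotten
        return False

    def syn(self, src, now):
        """Handle an incoming SYN: 'accepted' (queued normally) or 'challenged'."""
        if self.defense_active and not self.remembered(src, now):
            return "challenged"   # must pass the validation test first
        self.incomplete[src] = now
        return "accepted"

    def complete(self, src, now):
        """The client finished the handshake or answered the challenge."""
        self.incomplete.pop(src, None)
        self.validated[src] = now

    def drop(self, src, now):
        """The connection ended; the reconnect-without-challenge window starts now."""
        self.incomplete.pop(src, None)
        if src in self.validated:
            self.validated[src] = now


def scenario(validation_timeout):
    """Constructed timeline: three sources that never finish their handshake,
    then one legitimate client that reconnects inside and outside the window."""
    g = SynFloodGuard(max_incomplete=3, validation_timeout=validation_timeout)
    out = []
    for src in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):   # constructed flood
        out.append(g.syn(src, now=0.0))
    client = "203.0.113.7"                        # constructed legitimate client
    out.append(g.syn(client, now=1.0))            # queue is full: challenged
    g.complete(client, now=1.0)                   # answers the validation test
    g.drop(client, now=10.0)                      # connection dropped at t=10
    out.append(g.syn(client, now=100.0))          # 90 s later: inside the window?
    out.append(g.syn(client, now=200.0))          # 190 s later: outside the window?
    return out


if __name__ == "__main__":
    print("timeout 120 s:", scenario(120.0))
    print("timeout   0 s:", scenario(0.0))
```

With the default 120-second timeout the client is challenged once, reconnects unchallenged at t=100 and is challenged again at t=200; with the timeout set to zero it is challenged on every attempt, which is the behaviour the guide describes for that setting.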
Integrating Intrusion Detection
Intrusion detection is an important component of a defense-in-depth
security policy. A good intrusion detection system (IDS) examines over
time the source, destination, and type of traffic directed at your network
and compares it against known patterns of attack. When a match occurs, it
tells you the nature of the attack and recommends possible courses of
action.
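To make the "compare traffic against known patterns" idea concrete, here is an added Python sketch of a signature-style check in that spirit; it is not Firebox code. It parses constructed connection records (time, interface, source, destination, port) and flags the two patterns this chapter names: IP address spoofing (a packet arriving on the external interface that claims an internal source address) and a linear port space probe (one source walking consecutive ports on one destination). The log format, the trusted address ranges and the minimum run length are assumptions for the illustration.

```python
"""Signature-style checks over connection records: spoofed internal source
addresses and linear port probes. Added illustration, not Firebox code.
Record format, trusted networks and thresholds are assumed."""

import ipaddress
from collections import defaultdict

# Assumed trusted (internal) ranges; a packet on the external interface
# claiming one of these as its source is treated as spoofed.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def parse(line):
    """Constructed format: '<seconds> <iface> <src>:<sport> -> <dst>:<dport>'."""
    t, iface, src, _, dst = line.split()
    s_ip, _ = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return {"time": float(t), "iface": iface, "src": s_ip,
            "dst": d_ip, "dport": int(d_port)}


def is_spoofed(rec):
    ip = ipaddress.ip_address(rec["src"])
    return rec["iface"] == "external" and any(ip in net for net in INTERNAL_NETS)


def longest_consecutive_run(sorted_ports):
    """Length of the longest run of consecutive port numbers."""
    if not sorted_ports:
        return 0
    best = cur = 1
    for a, b in zip(sorted_ports, sorted_ports[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best


def linear_probes(records, min_ports=5):
    """(src, dst, run) for each pair that touched >= min_ports consecutive ports."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["src"], r["dst"])].add(r["dport"])
    hits = []
    for (src, dst), ps in sorted(ports.items()):
        run = longest_consecutive_run(sorted(ps))
        if run >= min_ports:
            hits.append((src, dst, run))
    return hits


def analyze(lines):
    recs = [parse(line) for line in lines]
    return {"spoofed": [r["src"] for r in recs if is_spoofed(r)],
            "probes": linear_probes(recs)}


# Constructed sample records: one source sweeping ports 21-26, one packet
# with a forged internal source address, and one ordinary connection.
SAMPLE = [
    "0.0 external 203.0.113.9:40000 -> 198.51.100.5:21",
    "0.1 external 203.0.113.9:40001 -> 198.51.100.5:22",
    "0.2 external 203.0.113.9:40002 -> 198.51.100.5:23",
    "0.3 external 203.0.113.9:40003 -> 198.51.100.5:24",
    "0.4 external 203.0.113.9:40004 -> 198.51.100.5:25",
    "0.5 external 203.0.113.9:40005 -> 198.51.100.5:26",
    "1.0 external 10.1.2.3:1234 -> 198.51.100.5:80",
    "1.5 external 198.51.100.80:5555 -> 198.51.100.5:443",
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Running it on the sample reports the forged 10.1.2.3 source and a six-port sweep from 203.0.113.9; the ordinary connection to port 443 produces nothing. A real IDS adds many more signatures and, as the next paragraph notes, the firewall's built-in checks cover only the most readily recognizable of them.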
The WatchGuard Firebox System default packet handling options provide
a basic intrusion detection system by blocking common and readily
recognizable attacks such as IP address spoofing and linear port space
probes. The intrusion detection capabilities of the Firebox, however, are
necessarily limited. The primary function of your firewall is to examine