8  Setting Up the Nokia IP45 Security Platform Security Policy
Nokia IP45 Security Platform User’s Guide v4.0, page 166
Note: For handling Denial of Service attacks like Ping of Death, LAND and DDoS attacks, follow the procedure “To handle teardrop attack” on page 164.
To protect against non TCP Floodings

1. Select Non TCP Floodings from the Denial of Service tree view.
   The Non TCP Flooding configuration information appears.
2. Select the field values by using Table 32.
3. Click Apply.
IP and ICMP

This option allows you to enable various IP and ICMP protocol tests and configure protection against IP- and ICMP-related attacks. It includes:

• Packet Sanity — performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags.
Note: To select values for Packet Sanity, expand the IP and ICMP tree, click Packet Sanity and select the values from the drop-down list by using the information provided in Table 33.
Table 32   Fields for Non TCP Flooding

Field: Action
    Choose the action to be taken when the percentage of state table capacity used for
    non-TCP connections reaches the Max. Percent Non-TCP Traffic threshold.
    Options:
        Block: blocks any additional non-TCP connections
        None: no action is required
    Default value: None

Field: Track
    Specify whether to log the non-TCP connections that exceed the Max. Percent Non-TCP
    Traffic threshold.
    Options:
        Log: logs the connections
        None: does not log the connections
    Default value: None

Field: Max. Percent Non-TCP Traffic
    Type the maximum percentage of state table capacity allowed for non-TCP connections.
    Default value: 0%
• Max Ping Size — ping uses the ICMP protocol to check whether a remote machine is active. A request is sent by the client, and the server responds with a reply echoing the client’s data. An attacker can echo the client with a large amount of data, causing a buffer overflow. You can protect against such attacks by limiting the allowed size for ICMP echo requests.
Note: To select values for Max. Ping Size, expand the IP and ICMP tree, click Max Ping Size and select the values from the drop-down list by using the information provided in Table 34.
Table 33   Fields for Packet Sanity

Field: Action
    Choose the action to be taken when a packet fails a sanity test.
    Options:
        Block: blocks the failed packets
        None: no action is required
    Default value: Block

Field: Track
    Specify whether to issue logs for packets that fail the sanity tests.
    Options:
        Log: logs the failed packets
        None: does not log the failed packets
    Default value: Log

Field: Disable relaxed UDP length verification
    The UDP length verification sanity check compares the UDP header length of the packet
    with the UDP length given in the UDP header field of the packet. The packet is
    considered corrupted if the values are not equal.
    IP45v4.0 does not discard the offending packets though the sanity check is performed.
    Options:
        True: disables relaxed UDP length verification. The packets that fail the UDP length
        verification check are not discarded.
        False: does not disable relaxed UDP length verification. The packets that fail the
        UDP length verification check are discarded.
    Default value: False
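The UDP length verification check and the Action, Track and Disable settings of Table 33, worked through in Python as an added example; this is not code from the Nokia guide or the IP45 firmware, the packet builder and the verdict logic are assumptions that follow the table's Options text, and the sample datagrams are constructed.

```python
import struct

def build_ipv4_udp(payload, udp_len_field=None):
    """Constructed sample datagram: 20-byte IPv4 header + 8-byte UDP header + payload.
    udp_len_field, when given, overrides the UDP length field to forge a corrupted packet."""
    udp_len = 8 + len(payload) if udp_len_field is None else udp_len_field
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0)          # sport, dport, length, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # protocol 17 = UDP
    return ip + udp + payload

def udp_length_check(packet):
    """UDP length verification: the length field in the UDP header must equal the bytes
    actually carried after the IP header (IP total length minus the IP header length)."""
    if len(packet) < 20:
        return False, "truncated IP header"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or total_len < ihl + 8:
        return False, "bad IP length fields"
    if packet[9] != 17:                                        # not UDP: check does not apply
        return True, "not UDP"
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    carried = total_len - ihl
    if udp_len != carried:
        return False, f"UDP length field {udp_len} != {carried} bytes carried"
    return True, "ok"

def packet_sanity_verdict(packet, action="Block", track="Log",
                          disable_relaxed_udp_length_verification=False):
    """Apply the Table 33 settings to the check result (assumed semantics): Action decides
    whether a failed packet is discarded, Track whether it is logged, and the Disable flag
    set to True lets packets that fail only the UDP length check through."""
    passed, reason = udp_length_check(packet)
    if passed:
        return {"drop": False, "log": False, "reason": reason}
    udp_len_failure = reason.startswith("UDP length")
    drop = action == "Block" and not (udp_len_failure and disable_relaxed_udp_length_verification)
    return {"drop": drop, "log": track == "Log", "reason": reason}

if __name__ == "__main__":
    good = build_ipv4_udp(b"\x12\x34")
    forged = build_ipv4_udp(b"\x12\x34", udp_len_field=200)    # length field exceeds the datagram
    print(packet_sanity_verdict(good))
    print(packet_sanity_verdict(forged))
    print(packet_sanity_verdict(forged, disable_relaxed_udp_length_verification=True))
```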
• IP Fragments — when an IP packet is too big to be transported by a network link, it is split into several smaller IP packets and transmitted in fragments. To conceal a known attack or exploit, an attacker might imitate this common behaviour and break the data section of a single packet into several fragmented packets. Without reassembling the fragments, it is not always possible to detect such an attack. Therefore the IP45v4.0 always reassembles all the fragments of a given IP packet before inspecting it, to make sure there are no attacks or exploits in the packet.
Note: To select values for IP Fragments, expand the IP and ICMP tree, click IP Fragments and select the values from the drop-down list by using the information provided in Table 35.
Table 34   Fields for Max. Ping Size

Field: Action
    Choose the action to be taken when an ICMP echo response exceeds the Max Ping Size
    threshold.
    Options:
        Block: blocks the request
        None: no action is required
    Default value: Block

Field: Track
    Specify whether to log ICMP echo responses that exceed the Max Ping Size threshold.
    Options:
        Log: logs the responses
        None: does not log the responses
    Default value: Log

Field: Max Ping Size
    Specify the maximum data size for ICMP echo response.
    Default value: 1500
• Network Quota — an attacker may try to overload a server in your network by establishing a very large number of connections per second. To protect against Denial of Service (DoS) attacks, Network Quota enforces a limit upon the number of connections per second that are allowed from the same source IP address.
Note: To select values for Network Quota, expand the IP and ICMP tree, click Network Quota and select the values from the drop-down list by using the information provided in Table 36.
Table 35   Fields for IP Fragments

Field: Forbid IP Fragments
    Specify whether all fragmented packets should be dropped.
    Options:
        True: drops all fragmented packets.
        False: no action is required.
    Default value: False
    In general, it is recommended to leave the field set to False. Setting this field to
    True may disrupt Internet connectivity because it does not allow any fragmented packets.

Field: Max Number of Incomplete Packets
    Type the maximum number of fragmented packets allowed. Packets exceeding this threshold
    will be dropped.
    Default value: 300

Field: Timeout for Discarding Incomplete Packets
    When the IP45 receives packet fragments, it waits for additional fragments to arrive so
    that it can reassemble the packet. Type the number of seconds to wait before discarding
    incomplete packets.
    Default value: 10 seconds

Field: Track
    Specify whether to log the fragmented packets.
    Options:
        Log: logs all the fragmented packets.
        None: does not log the fragmented packets
    Default value: None
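The reassemble-before-inspect behaviour described under IP Fragments, with the Table 35 limits applied, as an added Python example that is not code from the Nokia guide or the IP45 firmware; the class, its method names and the way each field is modelled are assumptions for illustration, and the fragments fed to it are constructed.

```python
import time

class FragmentReassembler:
    """Hypothetical model of the Table 35 settings (not the IP45 implementation): Forbid IP
    Fragments drops every fragment, Max Number of Incomplete Packets caps the datagrams held
    for reassembly, Timeout discards a datagram whose fragments stop arriving, Track logs."""

    def __init__(self, forbid_fragments=False, max_incomplete=300, timeout=10,
                 track="None", clock=time.monotonic):
        self.forbid, self.max_incomplete, self.timeout = forbid_fragments, max_incomplete, timeout
        self.track, self.clock = track, clock
        self.pending, self.log = {}, []  # pending: (src, dst, ident) -> {"first", "frags", "total"}

    def _log(self, msg):
        if self.track == "Log":
            self.log.append(msg)

    def _expire(self):
        now = self.clock()
        for key in [k for k, v in self.pending.items() if now - v["first"] > self.timeout]:
            del self.pending[key]
            self._log(f"discarded incomplete datagram {key} after {self.timeout}s")

    def feed(self, src, dst, ident, offset, more_fragments, data):
        """Returns ("drop", reason), ("hold", None) or ("pass", reassembled datagram)."""
        self._expire()
        key = (src, dst, ident)
        if self.forbid:
            self._log(f"dropped fragment {key}: fragments forbidden")
            return "drop", "fragments forbidden"
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_incomplete:
                self._log(f"dropped fragment {key}: too many incomplete packets")
                return "drop", "max incomplete packets exceeded"
            entry = self.pending[key] = {"first": self.clock(), "frags": {}, "total": None}
        frags = entry["frags"]
        frags[offset] = data                    # offset is the byte offset within the datagram
        if not more_fragments:                  # the last fragment fixes the datagram length
            entry["total"] = offset + len(data)
        pos = 0                                 # complete only when offsets are contiguous
        for off in sorted(frags):
            if off != pos:
                return "hold", None
            pos = off + len(frags[off])
        if pos != entry["total"]:               # "total" is None until the last fragment arrives
            return "hold", None
        del self.pending[key]
        self._log(f"reassembled {key}: {pos} bytes, passed to inspection")
        return "pass", b"".join(frags[o] for o in sorted(frags))
```

Only a datagram that reaches "pass" is handed to the protocol inspection; everything still in `pending` when the timeout elapses is discarded without being inspected.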