SmartDefense
Nokia IP45 Security Platform User’s Guide v4.0
171
• Welchia: the Welchia worm uses the MS DCOM vulnerability or a WebDAV vulnerability.
After infecting a computer, the worm begins searching for other live computers to infect. It
does so by sending a specific ping packet to a target and waiting for the reply that signals
that the target is alive. This flood of pings may disrupt network connectivity.

Note: To select values for Welchia, expand the IP and ICMP tree, click Welchia and select the
values from the drop-down list by using the information provided in Table 37.

Table 36: Fields for Network Quota

Field: Action
Action: Choose the action to be taken when the number of network connections from the
same source reaches the Max. Connections/Second per Source IP threshold.
Options:
    Block: blocks all new connections from the source. Existing connections will not be blocked.
    None: no action is required
Default value: Block

Field: Track
Action: Specify whether to log the connections from a specific source that exceed the
Max. Connections/Second per Source IP threshold.
Options:
    Log: logs the connections
    None: does not log the connections
Default value: Log

Field: Max. Connections/Second from Same Source IP
Action: Type the maximum number of network connections allowed per second from a
source IP address.
Default value: 100
Set a lower threshold for stronger protection against DoS attacks.
Note: Setting this value too low can lead to false alarms.
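
As an added illustration (not part of the Nokia guide or the IP45 software), the Python sketch below models the Table 36 fields as a per-source counter over a one-second sliding window and replays constructed traffic through it. The sliding window, millisecond timestamps, class and function names, and sample addresses are assumptions of the example; it shows how lowering the threshold from 100 to 25 starts blocking a busy NAT gateway as well as the flooding host.

```python
from collections import defaultdict, deque

class NetworkQuota:
    """Per-source connection-rate check over a sliding one-second window."""

    def __init__(self, max_per_second=100, action="Block", track="Log"):
        self.max_per_second = max_per_second
        self.action, self.track = action, track
        self.recent = defaultdict(deque)   # source IP -> timestamps (ms) of attempts
        self.log = []

    def new_connection(self, ts_ms: int, src: str) -> bool:
        """Record a connection attempt; return True if it is allowed."""
        window = self.recent[src]
        while window and ts_ms - window[0] >= 1000:   # forget attempts older than 1 s
            window.popleft()
        window.append(ts_ms)      # blocked attempts still count toward the rate
        if len(window) <= self.max_per_second:
            return True
        if self.track == "Log":
            self.log.append((ts_ms, src, len(window)))
        return self.action != "Block"

def replay(events, **settings):
    """Replay (ts_ms, source) events; return (blocked count per source, log entries)."""
    quota, blocked = NetworkQuota(**settings), defaultdict(int)
    for ts_ms, src in sorted(events):
        if not quota.new_connection(ts_ms, src):
            blocked[src] += 1
    return dict(blocked), len(quota.log)

# Constructed sample: one host opening 250 connections within a second, and a
# NAT gateway whose users open a steady 40 connections per second for 3 seconds.
SAMPLE = [(i * 4, "203.0.113.7") for i in range(250)]
SAMPLE += [(k * 25, "198.51.100.20") for k in range(120)]

if __name__ == "__main__":
    for limit in (100, 25):
        print(limit, replay(SAMPLE, max_per_second=limit))
```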
8
Setting Up the Nokia IP45 Security Platform Security Policy
• Cisco IOS DOS: Cisco routers are configured to process and accept Internet Protocol
version 4 (IPv4) packets by default. When a Cisco IOS device is sent a specially crafted
sequence of IPv4 packets (with protocol 53 - SWIPE, 55 - IP Mobility, 77 - Sun ND, or 103 -
Protocol Independent Multicast - PIM), the router will stop processing inbound traffic on
that interface.

Note: To select values for Cisco IOS DOS, expand the IP and ICMP tree, click Cisco IOS DOS and
select the values from the drop-down list by using the information provided in Table 38.

Table 37: Fields for Welchia

Field: Action
Action: Choose the action to be taken when a Welchia worm is detected.
Options:
    Block: blocks the attack
    None: no action is required
Default value: Block

Field: Track
Action: Specify whether to log Welchia worm attacks.
Options:
    Log: logs the attack
    None: does not log the attack
Default value: Log

Table 38: Fields for Cisco IOS DOS

Field: Action
Action: Choose the action to be taken against a Cisco IOS DOS attack.
Options:
    Block: blocks the attack
    None: no action is required
Default value: Block

Field: Track
Action: Specify whether to log the Cisco IOS DOS attacks.
Options:
    Log: logs the attack
    None: does not log the attack
Default value: Log

• Null Payload: some worms, such as Sasser, use ICMP echo request packets with null
payload to detect potentially vulnerable hosts.

Note: To select values for Null Payload, expand the IP and ICMP tree, click Null Payload and
select the values from the drop-down list by using the information provided in Table 39.

Table 38: Fields for Cisco IOS DOS (continued)

Field: Number of Hops to Protect
Action: Type the number of hops from the enforcement module within which Cisco
routers should be protected.
Default value: 10

Field: Action Protection for SWIPE - Protocol 53 / Action Protection for IP Mobility -
Protocol 55 / Action Protection for SUN-ND - Protocol 77 / Action Protection for PIM -
Protocol 103
Action: Choose the action to be taken when an IPv4 packet of the specific
protocol type is received.
Options:
    Block: drops the packet
    None: no action is required
Default value: Block
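
An added Python example (not code from the guide or the product) of the two IP and ICMP checks described above: it matches the IPv4 protocol numbers listed for Cisco IOS DOS and ICMP echo requests that carry no payload, then applies a Block/None setting per check. Function names, the policy dictionary and the sample packets are constructed for illustration; the Number of Hops to Protect field and the Track setting are not modelled, and dropping malformed packets is this example's choice.

```python
import struct

# Protocol numbers listed on this page for the Cisco IOS DOS protection.
CISCO_DOS_PROTOCOLS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}
# Per-check action, mirroring the Block/None options (all default to Block).
POLICY = {"SWIPE": "Block", "IP Mobility": "Block", "Sun ND": "Block",
          "PIM": "Block", "Null Payload": "Block"}

def classify(packet: bytes):
    """Name the protection a raw IPv4 packet matches, or return None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "Malformed"
    ihl = (packet[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or not ihl <= total_len <= len(packet):
        return "Malformed"
    proto, body = packet[9], packet[ihl:total_len]
    if proto in CISCO_DOS_PROTOCOLS:
        return CISCO_DOS_PROTOCOLS[proto]
    # ICMP (protocol 1) echo request (type 8) is an 8-byte header plus payload;
    # a body of exactly 8 bytes means the ping carries no payload.
    if proto == 1 and len(body) == 8 and body[0] == 8:
        return "Null Payload"
    return None

def verdict(packet: bytes, policy=POLICY):
    """Return (action, match); malformed packets are dropped (example's choice)."""
    match = classify(packet)
    if match is None:
        return ("Accept", None)
    if match == "Malformed":
        return ("Block", match)
    return ("Block" if policy[match] == "Block" else "Accept", match)

def build_ipv4(proto: int, body: bytes, ttl: int = 64) -> bytes:
    """Constructed sample packet (zero checksum, documentation-range addresses)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, ttl,
                         proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return header + body

if __name__ == "__main__":
    samples = {
        "ping, 32-byte payload": build_ipv4(1, bytes([8, 0]) + bytes(6) + b"a" * 32),
        "ping, no payload": build_ipv4(1, bytes([8, 0]) + bytes(6)),
        "protocol 103": build_ipv4(103, bytes(4)),
        "TCP": build_ipv4(6, bytes(20)),
    }
    for name, pkt in samples.items():
        print(f"{name:24} {verdict(pkt)}")
```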
TCP
This option allows you to configure various protections related to the TCP protocol.
It includes the following:
• Strict TCP: out-of-state TCP packets are SYN-ACK or data packets that arrive out of
order, before the TCP SYN packet.

Note: To select values for Strict TCP, expand the TCP tree, click Strict TCP and select the values
from the drop-down list by using the information provided in Table 40.

Table 39: Fields for Null Payload

Field: Action
Action: Choose the action to be taken when null payload ping packets are detected.
Options:
    Block: blocks the packets
    None: no action is required
Default value: Block

Field: Track
Action: Specify whether to log the null payload ping packets.
Options:
    Log: logs the packets
    None: does not log the packets
Default value: Log

Table 40: Fields for Strict TCP

Field: Action
Action: Choose the action to be taken when an out-of-state TCP packet arrives.
Options:
    Block: blocks the packets
    None: no action is required
Default value: None

Field: Track
Action: Specify whether to log the out-of-state TCP packets.
Options:
    Log: logs the packets
    None: does not log the packets
Default value: Log
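
The Strict TCP check can be pictured as a small connection table, shown here as an added Python example that is not taken from the guide or the product. It treats a SYN-ACK or any later segment as out-of-state when no SYN for that connection was seen first, and applies the Table 40 defaults (Action: None, Track: Log); the class name, the sample addresses and the rule that a reset removes the connection are assumptions of the example.

```python
SYN, RST, ACK = 0x02, 0x04, 0x10

class StrictTcp:
    """Flag SYN-ACK and data segments that arrive without a preceding SYN."""

    def __init__(self, action="None", track="Log"):   # defaults from Table 40
        self.action, self.track = action, track
        self.open = set()     # (client, cport, server, sport) opened by a SYN
        self.log = []

    def inspect(self, src, sport, dst, dport, flags):
        """Return "Accept" or "Block" for one segment, logging out-of-state ones."""
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            self.open.add(fwd)                   # opening SYN creates state
            return "Accept"
        if flags & SYN:                          # SYN-ACK must answer a seen SYN
            in_state = rev in self.open
        else:                                    # ACK, data, FIN or RST
            in_state = fwd in self.open or rev in self.open
            if in_state and flags & RST:
                self.open -= {fwd, rev}          # a reset tears the state down
        if in_state:
            return "Accept"
        if self.track == "Log":
            self.log.append((src, sport, dst, dport, flags))
        return "Block" if self.action == "Block" else "Accept"

# Constructed segments between a client and a web server (documentation addresses).
C, S = ("192.0.2.10", 40000), ("198.51.100.5", 80)
SEGMENTS = [
    (*S, *C, SYN | ACK),   # SYN-ACK with no SYN seen      -> out-of-state
    (*C, *S, 0x18),        # data (PSH|ACK) before the SYN -> out-of-state
    (*C, *S, SYN), (*S, *C, SYN | ACK), (*C, *S, ACK), (*C, *S, 0x18),
    (*S, *C, RST),         # reset closes the connection
    (*C, *S, 0x18),        # data after the reset          -> out-of-state
]

def replay(segments, **settings):
    """Return (verdict per segment, number of log entries)."""
    fw = StrictTcp(**settings)
    return [fw.inspect(*seg) for seg in segments], len(fw.log)

if __name__ == "__main__":
    print(replay(SEGMENTS, action="Block"))
```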

• Small PMTU: Small PMTU (Packet MTU) is a bandwidth attack in which the client fools
the server into sending large amounts of data using small packets. Each packet has a large
overhead that creates a bottleneck on the server. You can protect against this attack by
specifying a minimum packet size for data sent over the Internet.

Note: To select values for Small PMTU, expand the TCP tree, click Small PMTU and select the
values from the drop-down list by using the information provided in Table 41.

• SynDefender: protects against SYN Flooding denial of service attacks. IP45 v4.0 lets you
fine-tune SynDefender to avoid false alarms.

Note: To select values for SynDefender, expand the TCP tree, click SynDefender and select the
values from the drop-down list by using the information provided in Table 42.

Table 41: TCP - fields for Small PMTU

Field: Action
Action: Choose the action to be taken when a packet is smaller than the
Minimal MTU Size threshold.
Options:
    Block: blocks the packet
    None: no action is required
Default value: None

Field: Track
Action: Specify whether to issue logs for packets that are smaller than the
Minimal MTU Size threshold.
Options:
    Log: issues logs
    None: does not issue logs
Default value: Log

Field: Minimal MTU Size
Action: Type the minimum value allowed for the MTU field in IP packets
sent by a client.
An overly small value will not prevent an attack, while an overly
large value might degrade performance and cause legitimate
requests to be dropped.
Default value: 300
