Predefined Screen Options Overview

Typically, a network forwarding device such as a router or switch does not reassemble fragmented packets that it receives. It is the responsibility of the destination host to reconstruct the fragmented packets when they all arrive. Because the purpose of forwarding devices is the efficient delivery of traffic, queuing fragmented packets, reassembling them, refragmenting them, and then forwarding them is unnecessary and inefficient. However, passing fragmented packets through a firewall is insecure. An attacker can intentionally break up packets to conceal traffic strings that the firewall otherwise would detect and block.

You can enable predefined screen options that detect and block various kinds of traffic that the security device determines to be potentially harmful. To secure all connection attempts, security devices use a dynamic packet filtering method known as stateful inspection. Using this method, the device notes various components in a packet header, such as source and destination IP addresses, source and destination port numbers, and packet sequence numbers. The device uses this information to maintain the state of each session traversing the firewall.

A security device uses stateful inspection to secure a zone by inspecting, and then permitting or denying, all connection attempts that require crossing an interface from and to that zone. To protect against attacks from other zones, you can enable defense mechanisms known as screen attack protections, which detect and deflect TCP, UDP, IP, and ICMP packet attacks. Common screen attacks are SYN floods, packet fragments, and SYN and FIN bits set. When screen attack protections are enabled, the device generates a screen alarm log entry for each violation.
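The following is an added example that illustrates, in simplified form, the two ideas above: keeping per-session state from packet header fields, and raising a screen alarm when a packet matches one of the common screen attacks named here (IP fragments, SYN and FIN set together, a SYN flood). It is not Juniper's code and does not reproduce the device's actual screen logic; the packet model, the alarm names, the SYN-flood threshold and the sample traffic are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits (real header values); only the bits the checks need are named.
SYN = 0x02
FIN = 0x01
ACK = 0x10


@dataclass
class Packet:
    """Constructed packet-header model: just the fields the screens look at."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: int = 0        # TCP flag bits
    seq: int = 0          # TCP sequence number
    frag_offset: int = 0  # IP fragment offset (non-zero => not the first fragment)
    more_frags: bool = False  # IP "more fragments" bit
    ts: float = 0.0       # arrival time in seconds


class ScreenInspector:
    """Toy stateful inspector with three screen checks (assumed, not the product's)."""

    def __init__(self, syn_flood_threshold=100, window=1.0):
        self.sessions = {}                   # 5-tuple -> session state
        self.half_open = defaultdict(list)   # destination -> recent SYN timestamps
        self.threshold = syn_flood_threshold # SYNs per window before alarm
        self.window = window                 # seconds
        self.alarms = []                     # (kind, description) log entries

    def _alarm(self, kind, pkt):
        # One log entry per violation; the packet is denied.
        desc = f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
        self.alarms.append((kind, desc))
        return False

    def inspect(self, pkt):
        """Return True to permit the packet, False (and log) to deny it."""
        # Fragment screen: a forwarding device does not reassemble, so any
        # fragment is denied rather than inspected piecemeal.
        if pkt.frag_offset or pkt.more_frags:
            return self._alarm("ip-fragment", pkt)
        if pkt.proto != "tcp":
            return True  # UDP/ICMP sessions are not modelled in this example
        # SYN+FIN screen: the two flags never legitimately appear together.
        if pkt.flags & SYN and pkt.flags & FIN:
            return self._alarm("tcp-syn-fin", pkt)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, "tcp")
        if pkt.flags & SYN and not pkt.flags & ACK:
            # SYN-flood screen: too many connection attempts to one destination
            # inside the window.
            recent = [t for t in self.half_open[pkt.dst] if pkt.ts - t <= self.window]
            recent.append(pkt.ts)
            self.half_open[pkt.dst] = recent
            if len(recent) > self.threshold:
                return self._alarm("tcp-syn-flood", pkt)
            self.sessions[key] = {"state": "SYN_SENT", "seq": pkt.seq}
            return True
        # Stateful check: a non-SYN packet must belong to a session seen in
        # either direction, otherwise it is not a valid connection attempt.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, "tcp")
        if key not in self.sessions and reverse not in self.sessions:
            return self._alarm("no-session", pkt)
        return True


def run_demo():
    """Feed constructed traffic through the inspector; return verdicts and alarms."""
    insp = ScreenInspector(syn_flood_threshold=3, window=1.0)
    pkts = [
        Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 80, flags=SYN, seq=1000, ts=0.0),
        Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 80, flags=ACK, seq=1001, ts=0.1),
        Packet("10.0.0.7", "192.0.2.10", "tcp", 40001, 80, flags=SYN | FIN, ts=0.2),
        Packet("10.0.0.8", "192.0.2.10", "udp", 5000, 53, frag_offset=185, ts=0.3),
        Packet("10.0.0.9", "192.0.2.10", "tcp", 40002, 80, flags=ACK, ts=0.4),
    ]
    # Four SYNs to one host within a second against a threshold of three.
    for i in range(4):
        pkts.append(Packet(f"10.0.1.{i}", "192.0.2.10", "tcp", 41000 + i, 80,
                           flags=SYN, ts=0.5 + 0.01 * i))
    verdicts = [insp.inspect(p) for p in pkts]
    return verdicts, insp.alarms


if __name__ == "__main__":
    verdicts, alarms = run_demo()
    print(verdicts)
    for kind, desc in alarms:
        print(f"screen alarm {kind}: {desc}")
```

The first ACK is permitted only because the inspector already holds the session created by its SYN; the same ACK from an unknown source is denied, which is the stateful-inspection point of the text. A real device tracks far more state (sequence windows, timeouts, per-zone thresholds) than this sketch does.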

To configure Screen attack protections, open a device configuration and select Network > Zone to display the Zone configuration. Double-click a zone to display the Predefined Zone dialog box and select SCREEN.

Note: For instructions for configuring the SCREEN options, see the Network and Security Manager Online Help topic “Configuring SCREEN Options.” For information about the SCREEN alarm log entries that enabling these options can generate, see the Network and Security Manager Administration Guide.
