[Prev][Report an Error]

Configuring Firewall Screen Options—Quick Configuration

You can use J-Web Quick Configuration to quickly configure firewall screen options. A screen object groups the reconnaissance, denial-of-service, and protocol-anomaly checks listed in the table below, each of which counts matching packets and, unless alarm-only mode is selected, drops them.

To configure screen options with Quick Configuration:

  1. Select Configuration > Quick Configuration > Firewall/NAT > Screen.
  2. Click Add to define a screen object; the Screen page appears as shown in the figure below.

    Figure 73: Quick Configuration Page for Firewall/NAT Screen


  3. Fill in the SCREEN options as shown in the table below.
  4. Click one of the following buttons:

Field, Function, and Action (each field below is followed by its function and then by the action to take)

Screen

Name

Name of the screen object.

Specify a unique name for the screen object you are defining.

Generate Alarms without Dropping Packets

Generates alarms without dropping packets.

Select this checkbox to generate alarms for matching traffic without dropping any packets.

Scan/Spoof/Sweep Defense

IP Address Spoof

IP address spoof counter. IP spoofing occurs when a bogus source address is inserted in the packet header to make the packet appear to come from a trusted source.

Select this checkbox to enable IP address spoof protection.

IP Address Sweep

Number of IP address sweeps. An address sweep occurs when a single source sends ICMP echo requests to many different hosts within a short interval, with the intent of triggering responses from active hosts.

Select this checkbox to enable IP address sweep protection.

Configure the time threshold, in microseconds, within which 10 ICMP packets from the same source to different hosts count as a sweep. Valid values are 1,000 through 10,000 microseconds. The default value is 5,000 microseconds.

Port Scan

Number of TCP port scans. A port scan occurs when a single source sends TCP segments to many different ports within a short interval, in the hope that at least one port responds and reveals a service to target.

Select this checkbox to enable port scan protection.

Configure the time threshold, in microseconds, within which 10 TCP packets from the same source to different ports count as a scan. Valid values are 1,000 through 10,000 microseconds. The default value is 5,000 microseconds.
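The following Python script is an added example, not part of the Juniper documentation or the J-Web software. It shows what the sweep and scan thresholds above mean in practice: a source is flagged when it reaches 10 probes to distinct targets (hosts for an IP address sweep, ports for a port scan) within the configured number of microseconds. The detector, the flow records, and the 10-probe sliding window are constructed here from the table's description and are assumptions, not the device's implementation.

```python
"""Sliding-window detector mirroring the IP address sweep and port scan screens.

Added example, not Juniper code. Semantics assumed from the table: a source is
flagged when 10 probes to distinct targets (hosts for a sweep, ports for a scan)
fall within the threshold, measured in microseconds.
"""
from collections import defaultdict, deque

PROBES_PER_WINDOW = 10   # "per 10 packets" in the table


class SweepScanDetector:
    def __init__(self, sweep_threshold_us=5000, scan_threshold_us=5000):
        self.sweep_threshold_us = sweep_threshold_us
        self.scan_threshold_us = scan_threshold_us
        self._icmp = defaultdict(deque)   # src -> recent (ts_us, dst) pairs, oldest first
        self._tcp = defaultdict(deque)    # src -> recent (ts_us, (dst, port)) pairs
        self.flagged = defaultdict(set)   # src -> {"ip-sweep", "port-scan"}

    def _observe(self, table, src, target, ts_us, threshold_us, label):
        window = table[src]
        window.append((ts_us, target))
        # Drop probes older than the threshold relative to this packet.
        while window and ts_us - window[0][0] > threshold_us:
            window.popleft()
        distinct_targets = {t for _, t in window}
        if len(distinct_targets) >= PROBES_PER_WINDOW:
            self.flagged[src].add(label)
            return True
        return False

    def icmp_echo(self, src, dst, ts_us):
        return self._observe(self._icmp, src, dst, ts_us, self.sweep_threshold_us, "ip-sweep")

    def tcp_syn(self, src, dst, dport, ts_us):
        return self._observe(self._tcp, src, (dst, dport), ts_us, self.scan_threshold_us, "port-scan")


def replay(records, **thresholds):
    """Feed constructed flow records through the detector; return {src: set(labels)}."""
    det = SweepScanDetector(**thresholds)
    for rec in records:
        if rec["proto"] == "icmp":
            det.icmp_echo(rec["src"], rec["dst"], rec["ts_us"])
        else:
            det.tcp_syn(rec["src"], rec["dst"], rec["dport"], rec["ts_us"])
    return dict(det.flagged)


# Constructed flow records (not captured traffic); timestamps are microseconds.
FAST_SWEEP = [{"proto": "icmp", "src": "10.0.0.9", "dst": f"192.0.2.{i}", "ts_us": i * 300}
              for i in range(1, 11)]                 # 10 hosts in 2.7 ms: a sweep
SLOW_SWEEP = [{"proto": "icmp", "src": "10.0.0.9", "dst": f"192.0.2.{i}", "ts_us": i * 100_000}
              for i in range(1, 11)]                 # same hosts over 0.9 s: not a sweep
NORMAL_PINGS = [{"proto": "icmp", "src": "10.0.0.9", "dst": "192.0.2.1", "ts_us": i * 300}
                for i in range(1, 11)]               # one host pinged repeatedly
PORT_SCAN = [{"proto": "tcp", "src": "10.0.0.7", "dst": "192.0.2.50", "dport": p, "ts_us": p * 10}
             for p in range(20, 30)]                 # 10 ports in 90 us: a scan

if __name__ == "__main__":
    for name, recs in [("fast sweep", FAST_SWEEP), ("slow sweep", SLOW_SWEEP),
                       ("normal pings", NORMAL_PINGS), ("port scan", PORT_SCAN)]:
        print(f"{name:12s} -> {replay(recs)}")
```

Lowering the threshold makes the screen less sensitive, not more: with a 1,000-microsecond window the fast sweep above is no longer flagged, because only a few of its probes fall within any single window.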

MS-Windows Defense

WinNuke Attack Protection

Number of Transmission Control Protocol (TCP) WinNuke attacks. WinNuke is a denial-of-service (DoS) attack that targets computers running Windows.

Select this checkbox to enable the WinNuke attack protection option.

Denial of Service Defense

Land Attack Protection

Number of land attacks. Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address.

Select this checkbox to enable the land attack protection option.

Teardrop Attack Protection

Number of teardrop attacks. Teardrop attacks exploit the reassembly of fragmented IP packets.

Select this checkbox to enable the teardrop attack protection option.

ICMP Fragment Protection

Number of ICMP fragments. Because ICMP packets contain very short messages, there is no legitimate reason for ICMP packets to be fragmented. If an ICMP packet is so large that it must be fragmented, something is amiss.

Select this checkbox to enable the ICMP fragment protection option.

Ping of Death Attack Protection

ICMP ping of death counter. Ping of death occurs when IP packets are sent that exceed the maximum legal length (65,535 bytes).

Select this checkbox to enable the ping of death attack protection option.

Large Size ICMP Packet Protection

Number of large ICMP packets.

Select this checkbox to enable the large ICMP packet protection option, which applies to ICMP packets larger than 1,024 bytes.

Block Fragment Traffic

Number of blocked IP fragments.

Select this checkbox to enable IP fragment blocking.

Source IP Based Session Limit

Limits the number of concurrent sessions from the same source IP address.

Select this checkbox to enable source IP based session limit.

Configure the threshold between 50 and 2,000 sessions. The default value is 128 sessions.

Destination IP Based Session Limit

Limits the number of concurrent sessions to the same destination IP address.

Select this checkbox to enable destination IP based session limit.

Configure the threshold between 50 and 2,000 sessions. The default value is 128 sessions.

SYN-ACK-ACK Proxy Protection

SYN-ACK-ACK proxy counter. This option prevents a SYN-ACK-ACK proxy flood, in which a client completes the TCP handshake with the device's authentication proxy but never authenticates, leaving an unauthenticated connection open. After the number of such connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, JUNOS 8.5 Enhanced Services rejects further connection requests from that IP address.

Select this checkbox to enable the SYN-ACK-ACK proxy protection SCREEN option.

Configure the threshold between 1 and 250,000 unauthenticated connections. The default value is 512.

IP Option Anomalies

Bad IP Option

Counter for IP packets carrying a malformed or unrecognized IP option.

Select this checkbox to enable the bad IP option SCREEN option.

Record Route Option

Records the IP addresses of the network routers along the path that the IP packet travels.

Select this checkbox to enable IP with record route option.

Timestamp Option

Records the time (in Universal Time) when each network router receives the packet during its trip from the point of origin to its destination.

Select this checkbox to enable IP with timestamp option.

Security Option

Provides a way for hosts to send security,

Select this checkbox to enable IP with security option.

Loose Source Route Option

Specifies a partial route list for a packet to take on its journey from source to destination.

Select this checkbox to enable IP with loose source route option.

Strict Source Route Option

Specifies the complete route list for a packet to take on its journey from source to destination.

Select this checkbox to enable IP with strict source route option.

Source Route Option

Number of packets carrying a source route option. Source routing lets the sender list, in the IP header, the router IP addresses the packet is to traverse on its way to its destination.

Select this checkbox to enable IP with source route option.

TCP/IP Anomalies

SYN Fragment Protection

Number of fragmented TCP SYN segments.

Select this checkbox to enable the SYN fragment protection option.

SYN and FIN Flags Set Protection

Number of TCP segments with both the SYN and FIN flags set. When you enable this option, JUNOS Enhanced Services checks whether the SYN and FIN flags are both set in the TCP header and drops any packet with such a header.

Select this checkbox to enable the SYN and FIN flags set option.

FIN Flag without ACK Flag Set Protection

Number of TCP segments with the FIN flag set but not the acknowledge (ACK) flag. When you enable this option, JUNOS Enhanced Services checks whether the FIN flag is set without the ACK flag in the TCP header and drops any packet with such a header.

Select this checkbox to enable the FIN flag without ACK flag option.

TCP Packet without Flag Set Protection

Number of TCP headers with no flags set. A normal TCP segment header has at least one control flag set.

Select this checkbox to enable the TCP packet without flag set option.

Unknown Protocol Protection

Number of IP packets whose protocol number is not a recognized IP protocol.

Select this checkbox to enable the unknown protocol protection option.
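The following Python script is an added example, not part of the Juniper documentation or the J-Web software. It applies the per-packet checks behind the Denial of Service Defense, IP Option Anomalies, and TCP/IP Anomalies fields above to raw IPv4 and TCP headers, so that the condition each option names (land attack, ping of death, ICMP fragment, large ICMP, bad or source-route IP options, SYN fragment, SYN and FIN, FIN without ACK, no flags, unknown protocol) can be seen on concrete bytes. The packet builders, the KNOWN_PROTOCOLS set, and the sample packets are constructed here and are assumptions; teardrop detection is omitted because it needs state across fragments.

```python
"""Header-level checks mirroring the DoS defense, IP option anomaly and TCP/IP
anomaly screens. Added example, not Juniper code: the packet builder, the
KNOWN_PROTOCOLS set and the sample packets are assumptions made here."""
import socket
import struct

# IPv4 option numbers (low 5 bits of the option type byte), RFC 791 / RFC 1108.
IP_OPTION_NAMES = {2: "security-option", 3: "loose-source-route-option",
                   4: "timestamp-option", 7: "record-route-option",
                   9: "strict-source-route-option"}
# Protocol numbers this example treats as known (assumption; the page gives no list).
KNOWN_PROTOCOLS = {1, 2, 6, 17, 47, 50, 51, 89}
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10
TCP_FLAG_MASK = 0x3F  # FIN SYN RST PSH ACK URG


def parse_ip_options(opts: bytes) -> list:
    """Return the option numbers in an IPv4 option list; raise on a malformed length."""
    numbers, i = [], 0
    while i < len(opts):
        number = opts[i] & 0x1F
        if number == 0:            # end of option list
            break
        if number == 1:            # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad IP option length")
        numbers.append(number)
        i += opts[i + 1]
    return numbers


def screen_hits(packet: bytes) -> list:
    """Return the screens (named as in the table) that a single packet would trip."""
    hits = []
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = (flags_frag & 0x1FFF) * 8
    fragmented = bool(flags_frag & 0x2000) or frag_offset > 0   # MF set, or not the first piece

    try:
        options = parse_ip_options(packet[20:ihl])
    except ValueError:
        hits.append("bad-ip-option")
        options = []
    hits += [IP_OPTION_NAMES.get(n, "bad-ip-option") for n in options]
    if any(n in (3, 9) for n in options):
        hits.append("source-route-option")           # either source route flavour
    if proto not in KNOWN_PROTOCOLS:
        hits.append("unknown-protocol")
    if src == dst:
        hits.append("land-attack")
    if frag_offset + (total_len - ihl) > 65535:      # reassembled datagram would exceed 65,535 bytes
        hits.append("ping-of-death")
    if proto == 1:                                   # ICMP
        if fragmented:
            hits.append("icmp-fragment")
        if total_len > 1024:
            hits.append("large-icmp")
    elif proto == 6 and frag_offset == 0:            # TCP header is only in the first piece
        flags = packet[ihl + 13] & TCP_FLAG_MASK
        if flags & TCP_SYN and fragmented:
            hits.append("syn-fragment")
        if flags & TCP_SYN and flags & TCP_FIN:
            hits.append("syn-and-fin")
        if flags & TCP_FIN and not flags & TCP_ACK:
            hits.append("fin-without-ack")
        if flags == 0:
            hits.append("tcp-no-flags")
    return hits


def build_ipv4(src, dst, proto, payload=b"", options=b"", flags_frag=0):
    """Build an IPv4 header for the examples (checksum left zero; nothing is sent)."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, flags_frag,
                        64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options + payload


def build_tcp(sport, dport, flags):
    """Minimal 20-byte TCP header carrying only the flag bits that matter here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "normal": build_ipv4("10.0.0.5", "192.0.2.10", 6, build_tcp(40000, 80, TCP_ACK)),
    "syn-fin": build_ipv4("10.0.0.5", "192.0.2.10", 6, build_tcp(40000, 80, TCP_SYN | TCP_FIN)),
    "land": build_ipv4("192.0.2.10", "192.0.2.10", 6, build_tcp(80, 80, TCP_SYN)),
    "record-route": build_ipv4("10.0.0.5", "192.0.2.10", 6, build_tcp(40000, 80, TCP_SYN),
                               options=bytes([7, 7, 4, 0, 0, 0, 0])),
    # last fragment of an ICMP datagram whose reassembled size would exceed 65,535 bytes
    "ping-of-death": build_ipv4("10.0.0.5", "192.0.2.10", 1, b"\x00" * 64, flags_frag=65480 // 8),
    "unknown-proto": build_ipv4("10.0.0.5", "192.0.2.10", 200, b"\x00" * 8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {screen_hits(pkt)}")
```

Note that a single packet can trip several screens at once: the SYN+FIN sample also matches the FIN-without-ACK check, and the oversized ICMP fragment matches both the ping of death and ICMP fragment checks, which is why each counter is reported separately.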

Flood Defense

ICMP Flood Protection

Internet Control Message Protocol (ICMP) flood counter. An ICMP flood typically occurs when so many ICMP echo requests arrive that the target consumes all its resources responding to them, so that valid network traffic can no longer be processed.

Select this checkbox to enable the ICMP flood protection option.

Configure the threshold value between 500 and 2,000 ICMP packets per second (pps).

The default value is 1,000 pps.

UDP Flood Protection

User Datagram Protocol (UDP) flood counter. A UDP flood occurs when an attacker sends large numbers of IP packets containing UDP datagrams in order to exhaust the target's resources, so that valid connections can no longer be handled.

Select this checkbox to enable the UDP flood protection option.

Configure the threshold value between 500 and 2,000 UDP packets per second (pps) to the same destination address.

The default value is 1,000 pps.

SYN Flood Protection

Attack Threshold

Number of SYN packets per second required to trigger the SYN proxy mechanism.

Configure a value between 1 and 400 proxied requests per second. The default value is 200.

Alarm Threshold

Number of half-complete proxied connections per second at which the device makes entries in the event alarm log.

Configure the number of half-complete proxied connections per second at which an alarm is logged. The default value is 512.

Source Threshold

Number of SYN segments received per second from a single source IP address (regardless of the destination IP address and port number) before the device begins dropping connection requests from that source.

Configure a value for SYN floods from the same source between 1,000 and 10,000. The default value is 4,000.

Destination Threshold

Number of SYN segments received per second for a single destination IP address before the device begins dropping connection requests to that destination. If a protected host runs multiple services, you might want to set a threshold based only on the destination IP address, regardless of the destination port number.

Configure a value for SYN floods to the same destination between 1,000 and 10,000. The default value is 4,000.

Timeout

Maximum length of time a half-completed connection is held before it is dropped from the queue. Lower the timeout only as far as you can without seeing connections dropped under normal traffic conditions.

Configure a value for SYN attack protection between 1 and 50 seconds. The default value is 20 seconds.

Queue Size

Number of proxied connection requests held in the proxy connection queue before the system starts rejecting new connection requests.

Configure a SYN flood queue size between 200 and 2,000. The default value is 20 connections.
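The following Python script is an added example, not part of the Juniper documentation or the J-Web software. It models how the six SYN flood settings above interact: SYNs are forwarded untouched until the attack threshold is reached in a given second, after which they are proxied and held as half-open entries that expire after the timeout or are released when the client completes the handshake; the source and destination thresholds drop SYNs independently of proxying, the queue size caps the half-open entries, and the alarm threshold records when enough proxied connections accumulate in one second. The page gives the thresholds and their meaning but not the device's internal bookkeeping, so the order of checks, the per-second counter reset, and the handshake bookkeeping here are assumptions, and the traffic is constructed.

```python
"""Per-second accounting that models the SYN flood thresholds in the table.
Added example, not Juniper code: the page gives the thresholds and their
meaning, not the device's internal bookkeeping, so the order of checks, the
one-second counter reset and the handshake bookkeeping are assumptions."""
from collections import Counter, deque


class SynFloodScreen:
    """Decide what the screen does with each incoming SYN: forward, proxy or drop."""

    def __init__(self, attack=200, alarm=512, source=4000, destination=4000,
                 timeout_s=20, queue_size=20):          # defaults as listed on this page
        self.attack, self.alarm = attack, alarm
        self.source, self.destination = source, destination
        self.timeout_s, self.queue_size = timeout_s, queue_size
        self.current_sec = None
        self.half_open = deque()     # (expiry, src, dst) for proxied, not yet completed handshakes
        self.alarms = []             # seconds in which the alarm threshold was reached

    def _tick(self, now):
        """Reset per-second counters on a new second; expire stale half-open entries."""
        if int(now) != self.current_sec:
            self.current_sec = int(now)
            self.total = 0
            self.proxied = 0
            self.per_source, self.per_destination = Counter(), Counter()
        while self.half_open and self.half_open[0][0] <= now:
            self.half_open.popleft()

    def syn(self, src, dst, now):
        self._tick(now)
        self.total += 1
        self.per_source[src] += 1
        self.per_destination[dst] += 1
        if self.per_source[src] > self.source:            # Source Threshold
            return "drop-source"
        if self.per_destination[dst] > self.destination:  # Destination Threshold
            return "drop-destination"
        if self.total <= self.attack:                     # below Attack Threshold: no proxying
            return "forward"
        if len(self.half_open) >= self.queue_size:        # Queue Size exhausted
            return "drop-queue-full"
        self.half_open.append((now + self.timeout_s, src, dst))
        self.proxied += 1
        if self.proxied == self.alarm:                    # Alarm Threshold
            self.alarms.append(int(now))
        return "proxy"

    def ack(self, src, dst):
        """Client completed the proxied handshake: release its queue entry."""
        for entry in self.half_open:
            if entry[1:] == (src, dst):
                self.half_open.remove(entry)
                return True
        return False


def simulate(events, **thresholds):
    """Replay (time, src, dst) SYN events through one screen; return the decision for each."""
    screen = SynFloodScreen(**thresholds)
    return [screen.syn(src, dst, t) for t, src, dst in events]


# Constructed burst: 6 SYNs from distinct sources within one second, then one a second later.
BURST = [(i * 0.01, f"10.0.0.{i}", "192.0.2.10") for i in range(6)] + [(1.5, "10.0.0.99", "192.0.2.10")]

if __name__ == "__main__":
    for event, decision in zip(BURST, simulate(BURST, attack=3, queue_size=2, timeout_s=1)):
        print(event, "->", decision)
```

With the small values used in the demonstration (attack threshold 3, queue size 2, timeout 1 s), the first three SYNs are forwarded, the next two are proxied, the sixth is dropped because the queue is full, and the SYN arriving in the following second is forwarded again because the counters have reset and the queued entries have timed out.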


[Prev][Report an Error]