In this section we have only provided information on those settings that
apply to a minimum security guideline and need to be changed from the
default values. Most of the settings in these areas do not represent
any security risk, and may be left at their default values unless specifically
needed by extra modules for Firewall-1.
Lookup Priorities
This is our recommended setup:
1. HOSTS (if file exists, and is being used)
2. SYS (Current System Setting)
3. BIND (Internet DNS, will utilize those settings found in TCP/IP
properties of Windows NT)
Log Viewer Resolver Properties
Only applies if DNS resolving is being used within the Log Viewer itself.
We recommend turning off DNS resolving within the Log Viewer, and instead
using a third-party application for Firewall-1 log analysis.
The default value may be lowered to 6-12 seconds, depending on Internet
connection speed and distance (router hops) to the closest DNS server.
Access List settings
Only applies to Firewall-1 installations where a router control module
is installed, and should be configured in accordance with the general access
lists implemented in both internal and external routers.
(Recommendations on router configuration are not a part of this document)
Security server settings
If the GM site chooses to utilize security servers for Telnet, FTP or Rlogin,
remember that Firewall-1 will announce its presence upon login. This banner
information reveals the firewall type to (un)authorised users, and may
pose a security risk.
If applied, welcome files should, as a minimum, contain warnings about
unauthorised use and state that all transactions are being logged.
Authentication settings: Authentication failure track should be set
to ‘Log’ as a minimum, or Alert in high-security environments.
Miscellaneous settings:
(no comments)
SYNDefender settings
A SYN attack works by sending large amounts of SYN requests where the sender
IP address is spoofed (i.e. a fake, non-existing address). These packets may
in certain environments slow down or crash the operating system. These options
were introduced in version 3 of Firewall-1. Most (if not all) systems today
are well protected against SYN attacks.
Our recommended settings are:
Method: SYN Gateway
Timeout: 10 seconds
Maximum sessions: 5000
Display warning messages: YES (enabled)
If such warning messages occur, they may indicate an active SYN flood attack.
By inspecting the IP packets (using a packet sniffer on the ‘attacked’
segment) for source port numbers and source IP addresses, access lists in
the external router may be applied to:
Stop IP packets with a specific source port number (unless the attacker
is using random source ports)
Stop IP packets that have a non-existent IP address as their source address
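The inspection step above (look at source ports and source addresses of the SYN burst before deciding which router access list to apply) can be scripted. The following is an added example written for this guideline; it is not code from Firewall-1 or from the original document. It reads constructed packet-summary lines in an assumed "timestamp SRC:PORT > DST:PORT FLAGS" format (not a real sniffer format), counts SYNs per source, flags sources that could never answer on the Internet (loopback, link-local, multicast, reserved), and reports whether one source port dominates, which is exactly the case where the port-based filter is useful and the "random source ports" caveat does not apply.

```python
"""Triage helper for SYNDefender warnings: which router filter would help?

Added example, not part of Firewall-1 or the original guideline. Input lines
are a constructed summary format (assumed, not a real sniffer output):
    HH:MM:SS.mmm SRC_IP:SRC_PORT > DST_IP:DST_PORT FLAGS
"""
import ipaddress
import re
from collections import Counter

# Constructed sample capture (not from any real system): a burst of SYNs from
# non-routable source addresses on one fixed source port, plus two ordinary
# clients with high ephemeral ports.
SAMPLE_CAPTURE = """\
10:00:01.000 198.51.100.7:40211 > 192.0.2.10:80 S
10:00:01.004 240.9.9.1:1024 > 192.0.2.10:80 S
10:00:01.005 240.9.9.2:1024 > 192.0.2.10:80 S
10:00:01.006 169.254.1.1:1024 > 192.0.2.10:80 S
10:00:01.007 127.9.9.9:1024 > 192.0.2.10:80 S
10:00:01.008 240.9.9.3:1024 > 192.0.2.10:80 S
10:00:01.009 240.9.9.4:1024 > 192.0.2.10:80 S
10:00:01.010 240.9.9.5:1024 > 192.0.2.10:80 S
10:00:01.011 240.9.9.6:1024 > 192.0.2.10:80 S
10:00:01.012 240.9.9.7:1024 > 192.0.2.10:80 S
10:00:01.050 203.0.113.44:51002 > 192.0.2.10:80 S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$"
)


def parse_syns(text):
    """Return (src_ip, src_port) for every SYN-only line; other lines are ignored."""
    syns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("flags") == "S":
            syns.append((m.group("src"), int(m.group("sport"))))
    return syns


def is_routable_source(ip_text):
    """False for addresses that can never legitimately originate Internet traffic.

    Such sources are the 'non-existent' addresses the guideline mentions and
    are safe candidates for a source-address filter on the external router.
    """
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_unspecified or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved)


def triage(text, port_share_threshold=0.8):
    """Summarise a SYN burst.

    Returns per-source counts, the spoofed-looking sources, and the single
    source port that dominates the burst (None when ports look random, i.e.
    no port accounts for at least port_share_threshold of all SYNs).
    """
    syns = parse_syns(text)
    by_src = Counter(src for src, _ in syns)
    by_port = Counter(port for _, port in syns)
    spoofed = sorted(src for src in by_src if not is_routable_source(src))
    fixed_port = None
    if syns:
        port, n = by_port.most_common(1)[0]
        if n / len(syns) >= port_share_threshold:
            fixed_port = port
    return {
        "total_syns": len(syns),
        "sources": by_src,
        "spoofed_sources": spoofed,
        "fixed_source_port": fixed_port,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CAPTURE)
    print("SYNs seen:", report["total_syns"])
    print("non-routable sources:", ", ".join(report["spoofed_sources"]))
    if report["fixed_source_port"] is None:
        print("source ports look random; a port-based filter will not help")
    else:
        print("dominant source port:", report["fixed_source_port"])
```

The two outputs map directly onto the two filter options listed above: the non-routable source list feeds a source-address filter, and a dominant port (if any) feeds a source-port filter. Documentation ranges such as 198.51.100.0/24 are deliberately not treated as spoofed here, since the check is meant to flag only addresses that cannot exist on the Internet at all.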