Blocking Based On Configured Tcp & Ip Settings; Blocking Of Ip-Spoofed Packets - McAfee M-1250 - Network Security Platform Manual

Network protection
McAfee® Network Security Platform 6.0

Blocking based on configured TCP & IP Settings

Network Security Sensors have the intelligence to keep a number of TCP/IP connection parameters, as well as complete state information. The / My Company / IPS Settings / Sensor_Name > Advanced Scanning > TCP Settings and / My Company / IPS Settings / Sensor_Name > Advanced Scanning > IP Settings actions enable you to configure 16 TCP/IP parameters, such as the number of supported UDP flows, the TCB inactivity timer length, and accepting old data or new data for TCP or IP overlaps. All of the TCP/IP Settings parameters relate to the handling of monitored transmissions while in inline mode. You can use these settings to deny or drop certain traffic.

Two of the more notable parameters are as follows:

Cold Start Drop Action: When starting a Sensor for the first time, you can decide to allow (forward) or drop all packets that do not have a flow control block recognized by the Sensor. You have the choice to Forward Flows or Drop Flows.

TCP Flow Violation: How to handle a packet received for a connection that doesn't exist, such as an ACK packet when no SYN for a connection has been received. Choices are:

Permit: reassembles out-of-order packets and processes them. It forwards traffic if the strict TCP protocol violation check and the State Not Established on Sensor check both fail.

Permit out-of-order: allows out-of-order packets to continue to transmit without processing.

Note: 'Permit out-of-order' should be selected if your Sensor is deployed in an asymmetrical environment in order to avoid session dropping.

Deny: checks the flow for strict TCP protocol violations; if it discovers violations, it drops the packet and reassembles out-of-order packets.

Deny no TCB (Deny if State Not Established): drops the session only if state has not been established. It forwards traffic only if the strict TCP protocol violation check fails.

Blocking of IP-spoofed packets

When enabled, the anti-spoofing option will drop packets containing invalid source IP addresses. Network Security Platform determines the validity of a source IP by comparing it against a configured list of internal networks. Thus, as a prerequisite, you must define CIDR blocks for each and every internal network that will send traffic through the Sensor interface in question. Without a comprehensive set of CIDR blocks defined, especially if outbound anti-spoofing is enabled, Network Security Platform may block valid packets. Anti-spoofing is available only for Sensors in inline mode.

The way in which Network Security Platform determines the validity of a packet depends directly on the direction of that packet, as follows:

Inbound: When a packet arrives on the outside interface, its source IP is compared to the CIDR blocks associated with the interface. If the source IP of the inbound packet matches one of the CIDR blocks, the packet is considered spoofed and dropped.

Outbound: When a packet arrives on the inside interface, its source IP is compared to the CIDR blocks associated with the interface. If the source IP of the outbound packet does not match one of the CIDR blocks, the packet is considered spoofed and dropped.
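The directional anti-spoofing rule above, written out as an added Python example (not code from the manual or from the product). The CIDR list, packet addresses and function names are constructed for illustration; the fourth sample packet shows the caveat that an internal subnet missing from the CIDR list causes valid outbound traffic to be dropped.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Iterable, List, Union

Network = Union[IPv4Network, IPv6Network]

@dataclass(frozen=True)
class Packet:
    src: str        # source IP as seen on the wire
    direction: str  # "inbound" = arrived on the outside interface, "outbound" = inside

def build_internal_networks(cidrs: Iterable[str]) -> List[Network]:
    """Parse the operator-defined list of internal CIDR blocks for one interface."""
    # strict=False accepts host-style entries such as "10.1.2.3/16" as their network.
    return [ip_network(c, strict=False) for c in cidrs]

def is_internal(src: str, internal: List[Network]) -> bool:
    """True if the source address falls inside any configured internal block."""
    addr = ip_address(src)
    return any(addr in net for net in internal)

def anti_spoof_verdict(pkt: Packet, internal: List[Network]) -> str:
    """Return 'drop' or 'forward' using the per-direction rule from the manual."""
    internal_src = is_internal(pkt.src, internal)
    if pkt.direction == "inbound":
        # Outside interface: a source claiming one of our own networks is spoofed.
        return "drop" if internal_src else "forward"
    if pkt.direction == "outbound":
        # Inside interface: a source outside every configured block is spoofed.
        return "forward" if internal_src else "drop"
    raise ValueError(f"unknown direction: {pkt.direction!r}")

# Constructed sample data (not from the manual): two internal blocks and four packets.
INTERNAL_CIDRS = ["10.1.0.0/16", "192.168.0.0/24"]
SAMPLE_PACKETS = [
    Packet("10.1.4.4", "inbound"),     # outsider claiming an internal address -> drop
    Packet("203.0.113.5", "inbound"),  # ordinary external source -> forward
    Packet("10.1.4.4", "outbound"),    # internal host leaving -> forward
    Packet("10.2.5.9", "outbound"),    # internal subnet missing from the list -> drop
]

def evaluate(packets: Iterable[Packet], cidrs: Iterable[str]) -> List[str]:
    """Verdict per packet, in order; shows how an incomplete CIDR list drops valid traffic."""
    internal = build_internal_networks(cidrs)
    return [anti_spoof_verdict(p, internal) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate(SAMPLE_PACKETS, INTERNAL_CIDRS)):
        print(f"{pkt.direction:8s} {pkt.src:15s} -> {verdict}")
```

Adding the missing block (for example "10.2.0.0/16") to the list turns the last verdict into "forward", which is the operational reason the manual insists on a comprehensive CIDR set before enabling outbound anti-spoofing.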
20
Block attacks