Check TCP SYN Bit Before Create Session; Check TCP SYN Bit Before Create Session for Tunneled Packets; Use SYN-Cookie for SYN Flood Protection - Juniper Network and Security Manager 2010.4 - Configuring ScreenOS Devices Guide Rev 01
Check TCP SYN Bit Before Create Session

Check TCP SYN Bit Before Create Session for Tunneled Packets

Use SYN-Cookie for SYN Flood Protection

Copyright © 2010, Juniper Networks, Inc.
Use the Check TCP SYN Bit Before Create Session option to control whether the security device requires the SYN bit to be set in the first packet of a session:
When this option is enabled, the security device checks that the SYN bit is set in the first packet of a session. If the SYN bit is not set, the device drops the packet and does not create the session.
When this option is disabled, the security device does not enforce SYN checking before creating a session, so a session can be created from a first packet that is not a SYN.
By default, security devices running ScreenOS 5.1 and later have this option enabled. In releases prior to ScreenOS 5.1 it was disabled, and an upgrade preserves the existing setting: if you upgraded from a release prior to ScreenOS 5.1 and never changed this option, SYN checking remains disabled. Verify the setting after an upgrade rather than assuming the newer default applies.
Security devices running ScreenOS 6.3 send a TCP session close notification acknowledgement (ACK) to both the client and the server when a session is being closed. Before a policy can send a TCP session close notification, complete the following prerequisites:
Enable the TCP SYN checking and TCP reset options in both the client zone and the server zone.
Enable the TCP sequence check as well, but only on ISG1000, ISG2000, NetScreen-5200 and NetScreen-5400 devices.
Use the Check TCP SYN Bit Before Create Session for Tunneled Packets option to control whether the security device requires the SYN bit to be set in the first packet of a VPN session:
When this option is enabled, the security device checks that the SYN bit is set in the first packet arriving in a VPN tunnel. If the SYN bit is not set, the device drops the packet and does not create the session.
When this option is disabled, the security device does not enforce SYN checking before creating a session in a VPN tunnel.
By default, this option is enabled. It is independent of the non-tunneled SYN check, so enabling one does not enable the other.
Use the SYN-Cookie for SYN Flood Protection option as an alternative to traditional SYN proxying, to reduce the CPU and memory that half-open connections would otherwise consume:
When this option is enabled, the security device acts as the TCP-negotiating proxy (the SYN-cookie proxy) for the destination server and replies to each incoming SYN segment with a SYN/ACK whose initial sequence number (ISN) is a cookie rather than a random value. The cookie is an MD5 hash of the source address and port number, the destination address and port number, and the ISN from the original SYN packet, so the device can later recognize the client's final ACK without having stored any state for the SYN. After
Chapter 4: Advanced Network Settings
125
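The following is an added worked example, not code from the guide or from ScreenOS. It models the two decisions this page describes for a packet that matches no existing session: the SYN-bit check (with the pre-5.1 "disabled" behaviour selectable) and the SYN-cookie proxy, whose SYN/ACK carries an MD5 hash of source address/port, destination address/port and the client's ISN as its ISN. The `Segment` type, the big-endian field packing, the truncation of the 128-bit digest to a 32-bit ISN, and the addresses and ISN in `demo_handshake` are all assumptions or constructed inputs; the guide specifies none of them.

```python
import hashlib
import socket
import struct
from dataclasses import dataclass

# TCP flag bits as they appear in the header flags byte (RFC 793).
SYN = 0x02
ACK = 0x10
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    """The TCP header fields the SYN check and SYN-cookie logic look at (assumed type)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int = 0


def syn_cookie(src, sport, dst, dport, client_isn):
    """ISN for the proxied SYN/ACK: MD5 over source address/port, destination
    address/port and the client's ISN, as the guide describes. Packing the fields
    big-endian and keeping the first 32 bits of the digest are assumptions made
    here; the guide does not say how the 128-bit hash becomes a 32-bit ISN."""
    h = hashlib.md5()
    h.update(socket.inet_aton(src))
    h.update(struct.pack("!H", sport))
    h.update(socket.inet_aton(dst))
    h.update(struct.pack("!H", dport))
    h.update(struct.pack("!I", client_isn & MASK32))
    return int.from_bytes(h.digest()[:4], "big")


def handle_first_packet(seg, syn_check=True, use_syn_cookie=True):
    """Decide what to do with a packet that matches no existing session.

    Returns (action, reply): action is "syn-ack" (cookie reply sent, no state
    kept), "create-session" or "drop"; reply is the SYN/ACK for the "syn-ack" case."""
    is_syn = bool(seg.flags & SYN) and not (seg.flags & ACK)
    is_ack = bool(seg.flags & ACK) and not (seg.flags & SYN)

    if is_syn:
        if use_syn_cookie:
            # Act as the server's handshake proxy: answer with a SYN/ACK whose ISN
            # is the cookie, and keep no half-open state for this client.
            cookie = syn_cookie(seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
            reply = Segment(seg.dst, seg.dport, seg.src, seg.sport,
                            SYN | ACK, seq=cookie, ack=(seg.seq + 1) & MASK32)
            return "syn-ack", reply
        # A SYN passed the check; the device builds the session from it.
        return "create-session", None

    if is_ack and use_syn_cookie:
        # Third handshake packet: the client's seq is its ISN + 1 and its ack must be
        # cookie + 1. Recomputing the cookie verifies the earlier SYN without any state.
        client_isn = (seg.seq - 1) & MASK32
        expected = (syn_cookie(seg.src, seg.sport, seg.dst, seg.dport, client_isn) + 1) & MASK32
        if seg.ack == expected:
            return "create-session", None

    if not syn_check:
        # Pre-5.1 default (or SYN checking left off after an upgrade): any first
        # packet, SYN or not, opens a session.
        return "create-session", None

    # SYN checking on: a first packet that is neither a SYN nor a valid
    # cookie-bearing ACK is dropped and no session is created.
    return "drop", None


def demo_handshake():
    """Three-way handshake through the SYN-cookie proxy with constructed addresses,
    plus the two failure modes. Returns the actions taken, in order."""
    client, server = ("198.51.100.10", 40000), ("203.0.113.5", 443)
    isn = 0x12345678  # constructed client ISN
    syn = Segment(client[0], client[1], server[0], server[1], SYN, seq=isn)
    a1, synack = handle_first_packet(syn)
    final_ack = Segment(client[0], client[1], server[0], server[1], ACK,
                        seq=(isn + 1) & MASK32, ack=(synack.seq + 1) & MASK32)
    a2, _ = handle_first_packet(final_ack)
    # An ACK that does not carry cookie + 1: no SYN was ever answered for it.
    bogus = Segment(client[0], client[1], server[0], server[1], ACK,
                    seq=(isn + 1) & MASK32, ack=0xDEADBEEF)
    a3, _ = handle_first_packet(bogus)
    # The same bogus ACK with SYN checking disabled is accepted as a first packet.
    a4, _ = handle_first_packet(bogus, syn_check=False)
    return [a1, a2, a3, a4]
```

Two things worth checking against a real deployment. First, the fourth action in `demo_handshake` is exactly the exposure the upgrade note warns about: with SYN checking left off, a bare ACK opens a session. Second, as the guide literally describes it the cookie depends only on fields the client itself chooses, so a sender who knows the 4-tuple and its own ISN could compute it; SYN-cookie implementations normally mix in a device secret (and usually a coarse timestamp) so a forged ACK cannot pass. The guide does not say whether ScreenOS adds such a secret, so the keyless hash here renders the text, not the device.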