Alcatel-Lucent VPN Firewall Brick
remains half-open beyond the timer will have a TCP reset (RST) packet sent by the
Brick device to the affected server, to ensure that associated resources may be cleaned
up and reallocated.
Because this second-generation SYN Flood protection combines an activation
counter with a session timer, it can be tuned much more finely than
implementations that provide only one or the other.
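The half-open handling described above, as an added illustration (this is hypothetical example code, not Brick firmware): a tracker keeps every connection that has seen SYN and SYN+ACK but no final ACK, protection for a server activates once its half-open count reaches `activation_count`, and while active any entry older than `timer` seconds is removed and a reset toward the server is generated. The class and parameter names, the thresholds, and the reset represented as a dictionary of header fields are all assumptions made for this example.

```python
import time
from dataclasses import dataclass


@dataclass
class HalfOpen:
    """A connection that has seen SYN and SYN+ACK but no final ACK."""
    client: tuple          # (ip, port) of the initiator
    server: tuple          # (ip, port) of the protected host
    client_isn: int        # client's initial sequence number
    started: float         # time the half-open state began (seconds)


class SynFloodGuard:
    """Half-open connection tracker (hypothetical example, not Brick code).

    Two knobs mirror the activation counter and session timer: protection for a
    server activates once its half-open count reaches `activation_count`, and
    while active any entry older than `timer` seconds is removed and a reset
    toward the server is generated so the server can free the slot.
    """

    def __init__(self, activation_count=100, timer=5.0):
        self.activation_count = activation_count
        self.timer = timer
        self.table = {}            # (client, server) -> HalfOpen

    def on_syn_ack(self, client, server, client_isn, now=None):
        """The server answered the SYN: the connection is now half-open."""
        now = time.monotonic() if now is None else now
        self.table[(client, server)] = HalfOpen(client, server, client_isn, now)

    def on_ack(self, client, server):
        """The client completed the handshake: the entry is no longer half-open."""
        self.table.pop((client, server), None)

    def half_open_count(self, server):
        return sum(1 for e in self.table.values() if e.server == server)

    def expire(self, now=None):
        """Return the resets to send for expired entries on servers under attack.

        Each reset is expressed as the fields a sender would need: it goes to the
        server, appears to come from the client, and carries the sequence number
        the server expects next from that client (client_isn + 1), which is what
        makes the reset acceptable to a server sitting in SYN-RECEIVED.
        """
        now = time.monotonic() if now is None else now
        attacked = {s for s in {e.server for e in self.table.values()}
                    if self.half_open_count(s) >= self.activation_count}
        resets = []
        for key, e in list(self.table.items()):
            if e.server not in attacked:
                continue                       # below threshold: normal timeouts apply
            if now - e.started >= self.timer:
                resets.append({"dst": e.server, "src": e.client, "flags": "RST",
                               "seq": (e.client_isn + 1) % 2**32})
                del self.table[key]
        return resets
```

Entries below the activation count are left to the endpoints' own timers; the resets are only generated while the count for that server stays at or above the threshold, which is what keeps the protection from interfering with slow but legitimate clients during normal load.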
TCP state verification and strengthening
Each Firewall Policy Rule can also have Strict TCP Validation enabled. Strict TCP
Validation follows the series of TCP messages as the connection is established and
ensures that only a valid TCP handshake can start a TCP session. All sequence numbers
and acknowledgement numbers are verified to be in-window, for all packets in the TCP
stream. TCP sessions must be closed with either a valid pair of acknowledged FIN
exchanges, or a valid, in-window RST packet. If the session isn't in a valid TCP
Established (fully-open) state, no data packets will be allowed to flow between the two
endpoints. The Brick device will also protect against bad combinations of TCP flags, as
appropriate to the current TCP state of each connection.
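A compact model of the validation rules listed above, added here as an example (it is hypothetical code, not the Brick implementation): a per-connection tracker that accepts only a SYN / SYN+ACK / ACK handshake, checks sequence and acknowledgement numbers against a window, allows data only in ESTABLISHED, closes only on an acknowledged pair of FINs or an in-window RST, and drops flag combinations that make no sense for the current state. The `Segment` shape, the state names and the fixed window size are assumptions of this example; a real tracker would scale the window from the advertised value.

```python
from dataclasses import dataclass, field

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
MOD = 2 ** 32


@dataclass
class Segment:
    """One TCP segment as the firewall sees it (constructed sample input)."""
    src: str            # "client" (initiator) or "server" (responder)
    flags: int
    seq: int
    ack: int = 0
    data: int = 0       # payload length in bytes


@dataclass
class StrictTcpSession:
    """Per-connection strict TCP validation (hypothetical example, not Brick code)."""
    window: int = 65535
    state: str = "CLOSED"
    nxt: dict = field(default_factory=lambda: {"client": None, "server": None})
    fin: dict = field(default_factory=lambda: {"client": False, "server": False})
    log: list = field(default_factory=list)

    @staticmethod
    def peer(side):
        return "server" if side == "client" else "client"

    def _seq_ok(self, side, seq):
        base = self.nxt[side]                      # next byte expected from `side`
        return base is not None and (seq - base) % MOD < self.window

    def _ack_ok(self, side, ack):
        base = self.nxt[self.peer(side)]           # an ack may not pass what the peer sent
        return base is not None and (base - ack) % MOD < self.window

    def _drop(self, reason):
        self.log.append(f"{self.state}: {reason}")
        return "DROP"

    def inspect(self, seg):
        f = seg.flags
        # Flag sanity that applies in every state: SYN never travels with FIN or
        # RST, and every segment carries at least one of SYN, ACK, RST.
        if (f & SYN and f & (FIN | RST)) or not f & (SYN | ACK | RST):
            return self._drop(f"bad flag combination 0x{f:02x}")

        if self.state == "CLOSED":
            if seg.src == "client" and f == SYN:
                self.nxt["client"] = (seg.seq + 1) % MOD
                self.state = "SYN_SENT"
                return "PASS"
            return self._drop("only a client SYN may open a session")

        if f & SYN:
            if (self.state == "SYN_SENT" and seg.src == "server"
                    and f == (SYN | ACK) and seg.ack == self.nxt["client"]):
                self.nxt["server"] = (seg.seq + 1) % MOD
                self.state = "SYN_RCVD"
                return "PASS"
            if (self.state == "SYN_RCVD" and seg.src == "server"
                    and f == (SYN | ACK) and (seg.seq + 1) % MOD == self.nxt["server"]):
                return "PASS"                      # retransmitted SYN+ACK
            return self._drop(f"unexpected SYN from {seg.src}")

        if self.state == "SYN_SENT":
            if seg.src == "server" and f & RST and seg.ack == self.nxt["client"]:
                self.state = "CLOSED"              # server refused the connection
                return "PASS"
            return self._drop("waiting for SYN+ACK")

        if not self._seq_ok(seg.src, seg.seq) or not self._ack_ok(seg.src, seg.ack):
            return self._drop(f"out-of-window seq/ack from {seg.src}")

        if f & RST:                                # in-window reset tears the session down
            self.state = "CLOSED"
            return "PASS"

        if self.state == "SYN_RCVD":
            if seg.src == "client" and seg.ack == self.nxt["server"] and seg.data == 0:
                self.state = "ESTABLISHED"
                return "PASS"
            return self._drop("handshake incomplete; no data allowed")

        # ESTABLISHED or CLOSING: account for the bytes (and FIN) this side sent.
        self.nxt[seg.src] = (self.nxt[seg.src] + seg.data + (1 if f & FIN else 0)) % MOD
        if f & FIN:
            self.fin[seg.src] = True
            self.state = "CLOSING"
        # Closed once both FINs were seen and this segment acknowledges the
        # peer's FIN (its ack equals the peer's next expected sequence number).
        if (self.state == "CLOSING" and all(self.fin.values())
                and not f & FIN and seg.ack == self.nxt[self.peer(seg.src)]):
            self.state = "CLOSED"
        return "PASS"
```

The `log` list records the state and reason for every drop, which is the information an operator needs when a legitimate but unusual client (for example one that sends data on the handshake's final ACK) is being rejected by the strict policy.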
Additionally, the Initial Sequence Number for any TCP-based connection through the
Brick may be optionally strengthened by rewriting the existing sequence number with a
new, Brick-generated pseudorandom number. This helps protect servers and other
network elements behind the Brick against ISN-prediction attacks.
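The rewriting mechanism this describes, as an added example (hypothetical code, not the Brick's implementation): on the initiator's SYN a fresh pseudorandom ISN replaces the client's choice and the difference is remembered, after which sequence numbers toward the server are shifted by that delta and acknowledgement numbers coming back are shifted by the same amount in the other direction. The class name, the injectable random source and the two method names are assumptions of this example.

```python
import secrets


class IsnRewriter:
    """Per-connection ISN strengthening (hypothetical example, not Brick code).

    On the client's first SYN a fresh pseudorandom ISN replaces the one the
    client chose and the difference (delta) is kept. Afterwards every segment
    toward the server has its sequence number shifted by +delta and every
    segment back toward the client has its acknowledgement number shifted by
    -delta, so both ends see one consistent byte stream while the ISN visible
    to the server is no longer the client's (possibly predictable) choice.
    """
    MOD = 2 ** 32

    def __init__(self, rng=secrets.randbelow):
        self.rng = rng            # injectable so the rewrite can be tested deterministically
        self.delta = None

    def to_server(self, seq, syn=False):
        """Rewrite a client->server sequence number."""
        if self.delta is None:
            if not syn:
                raise ValueError("sequence translation starts with the SYN")
            new_isn = self.rng(self.MOD)
            self.delta = (new_isn - seq) % self.MOD
        return (seq + self.delta) % self.MOD

    def to_client(self, ack):
        """Rewrite a server->client acknowledgement number back into client space."""
        if self.delta is None:
            raise ValueError("no connection state: SYN not yet seen")
        return (ack - self.delta) % self.MOD
```

Two caveats a practitioner will want to keep in mind: the translation state must be kept per connection (per 5-tuple), and sequence numbers also appear in SACK option blocks and in the TCP header quoted inside ICMP error messages, so a complete implementation rewrites those with the same delta, otherwise the endpoints will disagree about which bytes were received.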
Robust fragment reassembly
The Brick device will always reassemble IP fragments that pass through it.
Overlapping fragments or duplicate fragments will be discarded. Packets that do not
fully reassemble will be discarded without forwarding. The Brick will re-fragment
packets as necessary according to the MTU on the destination network.
The Brick device itself is protected against resource starvation attacks designed to
overload fragment reassembly queues. Continuous, sophisticated packet fragment
attacks directed at the firewall will simply be discarded by the Brick device, while
other traffic will continue unaffected.
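The reassembly policy from the two paragraphs above, put into an added example (hypothetical code, not Brick firmware): fragments are queued per datagram, an overlapping or duplicate fragment discards the datagram it belongs to, datagrams that never complete are dropped on timeout, the number of queues and of fragments per queue is bounded so a flood of crafted fragments cannot exhaust the table, and a reassembled payload can be re-fragmented to fit the next-hop MTU. The `Fragment` shape, the limits and the decision to discard the whole datagram (rather than only the offending fragment) on overlap are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    """The IPv4 header fields reassembly needs (constructed sample input)."""
    key: tuple        # (src, dst, protocol, identification)
    offset: int       # byte offset of this fragment within the original datagram
    more: bool        # More Fragments (MF) flag
    payload: bytes
    arrival: float    # seconds


class Reassembler:
    """Bounded fragment reassembler (hypothetical example, not Brick code)."""

    def __init__(self, max_queues=1024, max_frags=64, timeout=30.0):
        self.max_queues, self.max_frags, self.timeout = max_queues, max_frags, timeout
        self.queues = {}          # key -> {"frags": {offset: payload}, "total": int|None, "first": float}
        self.dropped = []         # (key, reason) records for logging

    def _drop(self, key, reason):
        self.queues.pop(key, None)
        self.dropped.append((key, reason))
        return None

    def _purge(self, now):
        """Drop datagrams whose first fragment arrived more than `timeout` ago."""
        for key in [k for k, q in self.queues.items() if now - q["first"] > self.timeout]:
            self._drop(key, "reassembly timeout")

    def add(self, frag):
        """Feed one fragment; return the reassembled payload when complete, else None."""
        self._purge(frag.arrival)
        q = self.queues.get(frag.key)
        if q is None:
            if len(self.queues) >= self.max_queues:
                self.dropped.append((frag.key, "reassembly table full"))
                return None
            q = self.queues[frag.key] = {"frags": {}, "total": None, "first": frag.arrival}
        start, end = frag.offset, frag.offset + len(frag.payload)
        for off, data in q["frags"].items():
            if start < off + len(data) and off < end:          # byte ranges intersect
                return self._drop(frag.key, "overlapping or duplicate fragment")
        if len(q["frags"]) >= self.max_frags:
            return self._drop(frag.key, "too many fragments")
        q["frags"][start] = frag.payload
        if not frag.more:
            if q["total"] is not None:
                return self._drop(frag.key, "second last-fragment")
            q["total"] = end
        return self._try_complete(frag.key, q)

    def _try_complete(self, key, q):
        if q["total"] is None:
            return None
        expected = 0
        for off in sorted(q["frags"]):
            if off != expected:
                return None                                     # a hole remains
            expected = off + len(q["frags"][off])
        if expected != q["total"]:
            return None
        del self.queues[key]
        return b"".join(q["frags"][o] for o in sorted(q["frags"]))


def refragment(payload, mtu, header_len=20):
    """Split a reassembled payload into fragments that fit the next-hop MTU.

    Fragment offsets are carried in 8-byte units, so every chunk except the
    last is a multiple of 8 bytes. Returns (offset, more_flag, chunk) tuples.
    """
    chunk = (mtu - header_len) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small for a fragment")
    pieces = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        pieces.append((off, off + chunk < len(payload), piece))
    return pieces
```

Discarding the whole datagram on overlap is the conservative choice: once two fragments claim the same bytes there is no way to know which copy the receiving host would have used, so forwarding either reassembly would let the firewall's view diverge from the endpoint's.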
Application protocol anomaly checks
Application protocol anomaly checks can also be performed. These parse all significant
protocol fields of incoming messages and determine the declared field lengths, as a
protection against buffer overrun attacks.
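An added example of the kind of length check such an anomaly engine performs (hypothetical code, not the Brick's parsers): it walks a simple type/length/value framing, which is a constructed stand-in for whichever application protocol is being inspected, and rejects any message in which a field declares more bytes than remain in the message or more than the per-type limit the protected application can safely hold. The TLV layout, the `FIELD_LIMITS` policy and the field-count cap are assumptions of this example.

```python
import struct

# Constructed policy for a hypothetical TLV-framed application protocol:
# field type -> maximum value length the receiving application can safely hold.
FIELD_LIMITS = {0x01: 64, 0x02: 256, 0x03: 16}


def check_message(buf, limits=FIELD_LIMITS, max_fields=32):
    """Walk a type(1)/length(2)/value message and verify every declared length.

    Returns (ok, reason). The message is rejected if any length claims more
    bytes than remain in the message, exceeds the limit for its field type,
    uses an unknown type, or if the field count is abnormal; only a message
    that passes every check would be forwarded to the protected server.
    """
    pos, fields = 0, 0
    while pos < len(buf):
        if len(buf) - pos < 3:
            return False, f"truncated field header at offset {pos}"
        ftype, length = struct.unpack_from("!BH", buf, pos)
        pos += 3
        if ftype not in limits:
            return False, f"unknown field type 0x{ftype:02x} at offset {pos - 3}"
        if length > limits[ftype]:
            return False, f"type 0x{ftype:02x} declares {length} bytes, limit {limits[ftype]}"
        if length > len(buf) - pos:
            return False, f"type 0x{ftype:02x} declares {length} bytes, only {len(buf) - pos} remain"
        pos += length
        fields += 1
        if fields > max_fields:
            return False, "too many fields"
    return True, f"{fields} fields ok"


def build(fields):
    """Encode (type, value) pairs; used here only to construct sample messages."""
    return b"".join(struct.pack("!BH", t, len(v)) + v for t, v in fields)
```

The important ordering is that every declared length is compared against both the remaining bytes and the type's limit before a single value byte is consumed, so a field that lies about its size is rejected rather than read past the end of the buffer.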
1-22
Security Appliance
Denial of Service Protection
260-100-022R9.4
Issue 1, June 2009