Configuring Port Mapping - Symantec 10521146 - Network Security 7120 Administration Manual

Administration guide

out-of-order TCP segments, you can eliminate the message by increasing this
value, at the cost of greater memory consumption. Consider changing it only if
you have a thorough understanding of its functionality.

TCP 2MSL Timeout

TCP 2MSL Timeout regulates the period of time that a closed connection must
remain idle before it can be opened for a new connection. This idle time allows
any out-of-order segments that may be in transit to drain from the network
before a new connection is established. This enables the sensor to distinguish
between straggling packets that belong to a flow that just closed, and packets
that belong to a new flow.

By default, this parameter is set to 30 seconds. Setting this parameter either too
high or too low can reduce sensitivity. We recommend that you tune TCP 2MSL
Timeout to the normal traffic patterns of your network, which may vary from
host to host. At installation, leave this parameter at default and observe how the
system detects events. Then adjust the parameter as needed until it just barely
alerts, such as once a day, under normal conditions for your environment. In
this way, you will quickly notice a shift in traffic patterns and easily pinpoint the
events that triggered the alert.
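
The following added example is an illustrative model of the quiet period described above. It is not Symantec Network Security code, and the names FlowTable, classify and replay, the addresses and the event timings are all assumptions constructed for the illustration. It replays one constructed connection against three timeout values to show how a value that is too low or too high changes the way a late segment and a reused connection are attributed.

```python
# Illustrative model only: a toy flow table, not Symantec Network Security code.
from dataclasses import dataclass, field

DEFAULT_2MSL = 30.0  # seconds, the default stated in the manual


@dataclass
class FlowTable:
    msl2: float = DEFAULT_2MSL
    open_flows: set = field(default_factory=set)
    closed_at: dict = field(default_factory=dict)  # 4-tuple -> close time

    def classify(self, now, key, flags=""):
        """Return how a sensor-like tracker would attribute one segment."""
        if key in self.open_flows:
            if "F" in flags or "R" in flags:       # FIN/RST closes the flow
                self.open_flows.discard(key)
                self.closed_at[key] = now
                return "close"
            return "existing-flow"
        closed = self.closed_at.get(key)
        if closed is not None and now - closed < self.msl2:
            return "straggler-of-closed-flow"      # still inside quiet period
        if "S" in flags:                           # SYN after quiet period
            self.closed_at.pop(key, None)
            self.open_flows.add(key)
            return "new-flow"
        return "no-flow"                           # data with no known flow


def replay(msl2, events):
    table = FlowTable(msl2=msl2)
    return [table.classify(t, k, f) for t, k, f in events]


# Constructed sample: one 4-tuple reused 12 s after close, with a late segment
# from the old connection arriving 5 s after the close.
KEY = ("10.0.0.5", 40000, "10.0.0.9", 80)
EVENTS = [
    (0.0, KEY, "S"),    # connection opens
    (1.0, KEY, ""),     # data
    (2.0, KEY, "F"),    # connection closes
    (7.0, KEY, ""),     # late segment from the closed connection
    (14.0, KEY, "S"),   # client reuses the same 4-tuple
]

if __name__ == "__main__":
    for value in (3.0, 10.0, DEFAULT_2MSL):
        print(value, replay(value, EVENTS))
```

In this model a 3-second value leaves the late segment unattributed, a 10-second value attributes both the late segment and the reused connection correctly, and the 30-second default treats the reused connection's SYN as a straggler of the closed flow.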

TCP Default Window Size

TCP Default Window Size regulates the size of the TCP window that the sensor
uses to determine if a TCP flow is valid. For valid TCP flows, it adds out-of-order
segments to the appropriate queue to process later. The sensor drops
out-of-order segments from TCP flows that it determines to be invalid.

By default, this value is set to 134,217,728. We recommend that you tune TCP
Default Window Size to the normal traffic patterns of your network, which may
vary from host to host. At installation, leave this parameter at default and
observe how the system detects events. Then adjust the parameter as needed
until it just barely alerts, such as once a day, under normal conditions for your
environment. In this way, you will quickly notice a shift in traffic patterns and
easily pinpoint the events that triggered the alert.

Configuring port mapping

Symantec Network Security provides a way to tune the sensors to look for
particular types of anomalies and signatures on a port by reconfiguring the
default port mapping, or adding new mappings. For example, mappings can be
added to run services on non-standard ports or to ignore ports on which you
