WatchGuard Firebox System 7.0 User Guide
Chapter 11: Intrusion Detection and Prevention

... protection feature will self-activate. Once active, further connection attempts from the external side of the Firebox must be verified before being allowed to reach your servers. Connections that cannot be verified are not allowed through, thus protecting your server from having a full backlog. The SYN Flood protection feature will self-deactivate when it senses the attack is over.

From Policy Manager:

1 On the toolbar, click the Default Packet Handling icon.
You can also, from Policy Manager, select Setup => Intrusion Prevention => Default Packet Handling. The Default Packet Handling dialog box appears.

2 Select the checkbox marked Block SYN Flood Attacks.

Changing SYN flood settings

Active SYN flood defenses can occasionally prevent legitimate connection attempts from being completed. If you find that too many legitimate connection attempts fail when your SYN flood defense is active, you can change SYN flood settings to minimize this problem.

You can set the maximum number of incomplete TCP connections the Firebox allows before the SYN flood defense is activated. The default setting of 60 means that when the number of TCP connections waiting to be validated climbs to 61 or above, SYN flood defense is activated. Conversely, when the number of connections waiting for validation drops to 59 or less, SYN flood defense is deactivated. You might need to adjust this setting to custom-fit the SYN Flood protection feature for your network.

Every time the feature self-activates, a log message will be recorded stating "SYN Validation: activated". When the feature self-deactivates, the log message "SYN Validation: deactivated" will be recorded. If these messages occur frequently when your server is not under attack, the Maximum Incomplete Connections setting may be too low. If the SYN Flood protection feature is not preventing attacks from affecting your server, the setting may be too high. Consult your server's documentation for help choosing a new value, or experiment by adjusting the setting until the problems disappear.

The validation timeout controls how long the Firebox "remembers" clients that pass the validation test. The default setting of 120 seconds means that a client that drops a legitimate connection has a two-minute window to reconnect without being challenged. Setting the validation timeout to zero seconds means that legitimate connections are "forgotten" when dropped, so every connection attempt is challenged.

From Policy Manager:

1 On the toolbar, click the Default Packet Handling icon.
You can also, from Policy Manager, select Setup => Intrusion Prevention => Default Packet Handling. The Default Packet Handling dialog box appears.

2 Use the SYN Validation Timeout box to set how long the Firebox "remembers" a validated connection after that connection is dropped.

3 Use the Maximum Incomplete Connections box to set the number of connections awaiting validation that are allowed to queue before the Firebox automatically activates SYN flood defense.

Detecting Man-in-the-Middle Attacks

Man-in-the-middle attacks deceive two parties into thinking they are communicating with each other while they are actually both communicating with a third party. The attacker can then intercept data passing through the connection.
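Returning to the SYN flood settings above: the following Python model is an added example, not WatchGuard code and not something the guide ships. It reproduces only what the guide documents, namely activation once incomplete connections exceed Maximum Incomplete Connections (61 or more with the default of 60), deactivation once they fall to 59 or fewer, the "SYN Validation: activated" and "SYN Validation: deactivated" log messages, and the SYN Validation Timeout window including the zero-second case. Everything else is assumed: the Firebox's validation test is abstracted as "the client answers", unanswered SYNs are forgotten after an assumed 30 seconds, the log timestamp layout is ours, and the traffic in flood_then_recover (a legitimate client plus 80 spoofed SYNs from 198.51.100.0/24) is constructed.

```python
"""Added model of the Firebox SYN flood defense (not WatchGuard code): a
threshold with hysteresis around Maximum Incomplete Connections, the
documented log messages, and the validation-timeout memory of clients.
Assumed: the challenge is abstracted as 'the client answers', unanswered SYNs
age out after SYN_TIMEOUT seconds, and the log timestamp layout is ours."""
import re

ACTIVATED = "SYN Validation: activated"
DEACTIVATED = "SYN Validation: deactivated"
SYN_TIMEOUT = 30.0  # assumed lifetime of an unanswered SYN in the pending table


class SynFloodDefense:
    def __init__(self, max_incomplete=60, validation_timeout=120):
        self.max_incomplete = max_incomplete          # Maximum Incomplete Connections
        self.validation_timeout = validation_timeout  # SYN Validation Timeout (s)
        self.active = False
        self.pending = {}    # (src, sport) -> (arrival time, was_challenged)
        self.validated = {}  # src -> time it last proved itself or dropped a connection
        self.log = []

    def _remembered(self, now, src):
        """Inside the validation-timeout window?  Zero seconds never remembers."""
        last = self.validated.get(src)
        return (last is not None and self.validation_timeout > 0
                and now - last <= self.validation_timeout)

    def _update_state(self, now):
        """Hysteresis: more than max activates, fewer than max deactivates."""
        n = len(self.pending)
        if not self.active and n > self.max_incomplete:
            self.active = True
            self.log.append(f"{now:08.2f} {ACTIVATED}")
        elif self.active and n < self.max_incomplete:
            self.active = False
            self.log.append(f"{now:08.2f} {DEACTIVATED}")

    def expire(self, now):
        """Forget SYNs nobody answered (spoofed flood sources never do)."""
        stale = [k for k, (t, _) in self.pending.items() if now - t > SYN_TIMEOUT]
        for k in stale:
            del self.pending[k]
        self._update_state(now)

    def syn(self, now, src, sport):
        """External SYN: 'forward' it to the server or 'challenge' it first."""
        self.expire(now)
        challenged = self.active and not self._remembered(now, src)
        self.pending[(src, sport)] = (now, challenged)
        self._update_state(now)  # the SYN that crosses the threshold activates
        return "challenge" if challenged else "forward"

    def ack(self, now, src, sport):
        """The client completes the handshake (or passes the challenge)."""
        entry = self.pending.pop((src, sport), None)
        if entry is None:
            return "unknown"
        self.validated[src] = now
        self._update_state(now)
        return "validated" if entry[1] else "established"

    def close(self, now, src):
        """A validated connection is dropped: the reconnect window starts now."""
        if src in self.validated:
            self.validated[src] = now


def count_validation_events(lines):
    """Tally the documented messages; frequent flapping with no attack under
    way suggests Maximum Incomplete Connections is set too low."""
    counts = {"activated": 0, "deactivated": 0}
    for line in lines:
        m = re.search(r"SYN Validation: (activated|deactivated)", line)
        if m:
            counts[m.group(1)] += 1
    return counts


def flood_then_recover(validation_timeout=120):
    """Constructed scenario: one legitimate client, an 80-SYN spoofed flood
    that never answers, reconnects during the flood, then the flood ages out."""
    fw = SynFloodDefense(max_incomplete=60, validation_timeout=validation_timeout)
    legit = "203.0.113.10"
    fw.syn(0.0, legit, 40000)
    fw.ack(0.1, legit, 40000)
    fw.close(0.5, legit)                       # two-minute window starts here
    flood = [fw.syn(1.0 + i * 0.01, f"198.51.100.{i}", 1000 + i) for i in range(80)]
    legit_back = fw.syn(2.0, legit, 40001)     # remembered, so not challenged
    stranger = fw.syn(2.1, "203.0.113.20", 50000)
    stranger_ack = fw.ack(2.2, "203.0.113.20", 50000)
    stranger_again = fw.syn(2.3, "203.0.113.20", 50001)
    fw.expire(40.0)                            # unanswered flood SYNs age out
    return {
        "forwarded_during_flood": flood.count("forward"),    # 61: up to the threshold
        "challenged_during_flood": flood.count("challenge"), # 19: after activation
        "legit_reconnect": legit_back,
        "stranger": stranger,
        "stranger_ack": stranger_ack,
        "stranger_again": stranger_again,
        "active_after_expiry": fw.active,
        "events": count_validation_events(fw.log),
    }


if __name__ == "__main__":
    for k, v in flood_then_recover().items():
        print(f"{k}: {v}")
    print("timeout 0, reconnect:", flood_then_recover(validation_timeout=0)["legit_reconnect"])
```

Two things the model makes visible that the prose only states: the 61st SYN is the one that trips the defense and still reaches the server, only the 62nd onward is challenged, and with the timeout at zero the legitimate client that disconnected moments earlier is challenged again on every reconnect, which is exactly the "too many legitimate connection attempts fail" symptom the guide describes.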