Ally IP1000 Factory Default Configuration
Each entry below lists one configuration parameter with its possible settings, factory default, intrusion implication, management console page and AllyRTCfg command-line option.

Maximum Segment Size Range
  Possible settings: Any unsigned 32-bit integers
  Default: 450 - 1460
  Intrusion implication: During the establishment of a TCP connection the two communicating systems negotiate a Maximum Segment Size (MSS). This value determines the maximum packet size that will be transmitted during the conversation (MSS + 40 = maximum packet size). The Ally IP1000 limits the MSS values to a specified range. This feature helps prevent an attacker from consuming excessive network resources by establishing connections that generate many very small packets.
  AllyRTCfg option: -minmss, -maxmss

UDP Policy
  Possible settings: Discard All, Analyze, Allow All
  Default: Analyze
  Intrusion implication: Selecting "Analyze" activates the UDP policy parameters, i.e. the next 4 entries in this table.
  Mgmt. console page: General Filtering Options
  AllyRTCfg option: -av

DNS Policy
  Possible settings: Discard All, Analyze
  Default: Analyze
  Intrusion implication: Domain Name Service (DNS) is a UDP based protocol. This is the protocol that converts domain names to IP addresses. Typically, DNS traffic should be allowed to pass through the Ally IP1000. Selecting "Analyze" activates the DNS sub-policy parameters, i.e. the next 3 entries in this table.
  Mgmt. console page: UDP Policy
  AllyRTCfg option: -ad

DNS Cache Poisoning Detection
  Possible settings: Enabled, Disabled
  Default: Enabled
  Intrusion implication: Some systems accept DNS information that was not specifically requested. This allows an attacker to replace a legitimate name resolution with another address. This is referred to as DNS Cache Poisoning. It causes an unsuspecting system to connect to an imposter system instead of the intended destination.
  Mgmt. console page: UDP Policy
  AllyRTCfg option: -dv
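The DNS Cache Poisoning Detection entry describes responses that carry records which were not specifically requested. As an added example that is not part of this guide or of the Ally IP1000 firmware, the following Python check parses a DNS response and reports resource records whose owner name is neither the queried name nor one of its parent zones (the authority section legitimately carries the zone's NS records); the message builder, names and addresses are constructed for the demonstration.

```python
import struct

def _encode_name(name):                      # "a.b" -> b"\x01a\x01b\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def _read_name(msg, off):
    # Decode a possibly compressed name; return (lowercase name, next offset).
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), (off if end is None else end)

def unsolicited_records(msg, expected_qname):
    # Owner names of RRs that are neither the queried name nor a parent zone of it.
    qname = expected_qname.lower()
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off, qnames = 12, []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        off += 4                                       # QTYPE, QCLASS
        qnames.append(name)
    if qname not in qnames:                            # answer to something else
        return ["<question does not match our query>"]
    suspicious = []
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen                              # TYPE, CLASS, TTL, RDLENGTH, RDATA
        if name != qname and not qname.endswith("." + name):
            suspicious.append(name)
    return suspicious

def build_response(qname, answers):
    # Constructed sample: A-record answers (name, dotted IPv4) to one A query.
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, 0)
    body = _encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip in answers:
        body += _encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4)
        body += bytes(int(o) for o in ip.split("."))
    return header + body
```

A resolver or inline filter applying this rule drops the flagged records rather than caching them, which is the behaviour the "Enabled" default above is meant to provide.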