Nortel 4134 用户指南
Configuring global properties
83
Variable
Value
tcp-seq-number-
predict
predict
Enable/disables TCP sequence number check.
Prevents attempts to predict IP sequence numbers. If an
attacker can predict the initial sequence number in the
TCP (Transport Control Protocol) handshake, the attacker
may be able to hijack the TCP session. This option
randomizes the TCP ISNs (Initial Sequence Number)
going through the firewall.
By default, this option is disabled.
Prevents attempts to predict IP sequence numbers. If an
attacker can predict the initial sequence number in the
TCP (Transport Control Protocol) handshake, the attacker
may be able to hijack the TCP session. This option
randomizes the TCP ISNs (Initial Sequence Number)
going through the firewall.
By default, this option is disabled.
tcp-seq-number-r
ange <20000—2
147483647>
ange <20000—2
147483647>
Enables/disables TCP sequence number range.
An attacker can attempt to replay a captured packet
through the firewall by brut-force and thus consume the
bandwidth as well as the resources of the target CPU.
With this check turned on, the firewall allows only those
packets that have sequence numbers in a configured
range from the last acknowledgement seen on the
connection. The range can be configured with value
between 20000 and 2147483647. By default, this option
is disabled.
An attacker can attempt to replay a captured packet
through the firewall by brut-force and thus consume the
bandwidth as well as the resources of the target CPU.
With this check turned on, the firewall allows only those
packets that have sequence numbers in a configured
range from the last acknowledgement seen on the
connection. The range can be configured with value
between 20000 and 2147483647. By default, this option
is disabled.
win-nuke
Enables/disables Win-nuke check.
The Win-nuke attack sends out-of-band data to an IP
address of a Windows machine connected to a network
and/or Internet.
By default, this option is disabled.
The Win-nuke attack sends out-of-band data to an IP
address of a Windows machine connected to a network
and/or Internet.
By default, this option is disabled.
Configuring global NAT hairpinning
If you enable hairpinng, you disable self-IP connections. If you disable
hairpinning, self-IP connections are allowed.
hairpinning, self-IP connections are allowed.
Procedure steps
Step
Action
1
To enter configuration mode, enter:
configure terminal
2
To specify global firewall configuration, enter:
firewall global
3
To enable or disable hairpinning, enter:
[no] hairpinning-SelfIp
—End—
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.