Best practices for SonicWall VPN Tunnel configuration

There are some factors that we need to consider when we setup Site to Site VPN Tunnel with SonicWall Firewall.
If we forgot to conside these factors, we will encounter frequent connection drop on your Tunnel. (e.g. RDP connection timeout)
Below are those we should consider when we setup VPN Tunnels with SonicWall.

1) TCP Timeout
TCP Connection Inactivity Timeout value of SonicWall and other Firewalls are 15 minutes by Default.
In real world, this value can make your RDP connection drop frequently.
So, Firewall Tech Support are recommended to set the TCP Timeout Value from 30minutes to 60minutes.
Higher TCP Timeout Value are inviting some unnecessary security threats and that's why we should only allow for specific connection in your Policy-Based VPN Tunnels or Route-Based VPN Tunnels.

2) Packet Fragmentation
As RDS is a streaming protocol, packet fragmentation should be avoided.
Almost all Firewall including SonicWall has Fragmented Packet Handling and Ignore DF (Don't Fragment) Bit options.
Tech Support are recommended to enable Fragmented Packet Handling option and disable Ignore DF (Don't Fragment) Bit option.

3) Path Maximum Transmission Unit (Path MTU or PMTU)
As described above, fragmentation of the RDP streaming protocol is undesirable and should be avoided.  The most common cause of such fragmentation is incorrect Maximum Transmission Unit (MTU) values for the traffic's path.
Default MTU value of SonicWall is 1500 Bytes. But we cannot use 1500 Bytes fully as 56 Bytes for Cyptographic overhead and size of used protocols header too. For example, we need to subtract 28 Bytes if we are using IP+ICMP. So, MTU Size will be (1500-56-28=1416 Bytes)
If you want to know how to find MTU settings of your host, pleas read this Article as I am lazy to write. :D
If you want to know how to change MTU settings on your host, please read this Article.

4) Bandwidth Management
Limitation of Bandwidth on Internet connection also is common cause of streaming protocol performance problems.
So, it is recommend to configure Real Time Bandwidth Management Rule for your end to end host connection.

5) Security Services
Security services including Gateway Anti-Virus (GAV), Anti-Spyware (AS) and Intrusion Prevention Service (IPS) are scan specific traffic types (e.g. SMTP, FTP, etc.) or the whole TCP stream for threats.  Whilst they are very efficient in terms of scanning speed, they do introduce some additional latency (typically at least 1ms) and cause dropped RDS connections when applied to the whole TCP stream.
Assuming that the end-points are sufficiently trusted, it is worth considering disabling the firewall's scanning services (at least AS and IPS) to obtain best RDS performance and connection reliability.
But we have to tighten end point security in our host as Firewall Security Services are bypass for these host.

Well. The above are things that we need to consider when we setup VPN Tunnels with SonicWall.
These facts are also usefule to reference for setting up VPN Tunnels on other Firewalls although I write for SonicWall.

Have a good day.
(Be knowledgeable, pass it on then)

Configuring IPS functions in HP MSR Series Router

I've wrote post about Network Attack previously and now I'd like to share how to configure IPS function in HP MSR Series Customer Edge Router.

In general, this kind of router are provided by ISP and Engineer/Technician are configure for you if you pay for the service fees but they will not enable IPS function for you mostly.
If you didn't expense extra service fees for router configuration, then it's fall on your responsibility.

Anyway, the router must enable IPS function either you or they configure it.
Why? It is easy to get our IP address and get attack my attacker nowadays.

OK. Let's start it now.
- First you have to configure attack defense policy
- Then apply on router interfaces respectively.

Use below commands to create Single-Packet Attack policy and prevent
system-view
attack-defense policy 1
signature-detect fraggle enable
signature-detect icmp-redirect enable
signature-detect large-icmp enable
signature-detect route-record enable
signature-detect smurf enable
signature-detect source-route enable
signature-detect tcp-flag enable
signature tracert enable
signature winnuke enable
signature-detect large-icmp max-length 2000 (4000 bytes by default and you can customize the value if you want)
signature-detect action drop-packet

Use below commands to create Scanning Attack policy and prevent
system-view
attack-defense policy 1
defense scan enable
defense scan max-rate 2000 (4000 bytes by default and you can customize the value if you want)
defense scan add-to-blacklist
defense scan blacklist-timeout 10
quit
blacklist enable

Use below commands to create Flood-Attack policy and prevent
Flood Attack is to prevent Server located in DMZ/LAN segment usually.
system-view
attack-defense policy 1
defense syn-flood enable
defense syn-flood rate-threshold high 1000 low 750 (default is 1000 packets per second and 750 packets per second. But you can customize if you want)
defense syn-flood ip x.x.x.x rate-threshold high xxxx low xxx (You can customize IP and rate value if you want or just leave it default as this is optional)
defense sync-flood action drop-packet

system-view
attack-defense policy 1
defense icmp-flood enable
defense icmp-flood rate-threshold high 1000 low 750 (default is 1000 packets per second and 750 packets per second. But you can customize if you want)
defense icmp-flood ip x.x.x.x rate-threshold high xxxx low xxx (You can customize IP and rate value if you want or just leave it default as this is optional)
defense icmp-flood action drop-packet

system-view
attack-defense policy 1
defense udp-flood enable
defense udp-flood rate-threshold high 1000 low 750 (default is 1000 packets per second and 750 packets per second. But you can customize if you want)
defense udp-flood ip x.x.x.x rate-threshold high xxxx low xxx (You can customize IP and rate value if you want or just leave it default as this is optional)
defense udp-flood action drop-packet

Use below commands to apply configured policy on each WAN and DMZ/LAN interfaces.
system-view
interface gi0/0
attack-defense apply policy 1
interface gi0/1
attack-defense apply policy 1

Well. We are done now and do not forget to save configuration.
You router performance will be a bit slow but it is better than you got attack by attacker.

I've used above command in HP MSR930 Router and you can also configure some of attack defense function in Cisco and other brand router. Yes, you might need OS license for some certain feature for IPS as well.

Have a good day.
(Be knowledgeable, pass it on then)

Network Attack Types in brief explanation

In general,we can classify the network attacks in three part as Single-Packet Attack, Scanning Attack and Flood Attack.

Single-packet attack is also called malformed packet attack because many single-packet attacks use defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags.
A single-packet attack occurs when:
• An attacker sends defective IP packets to a target, causing the target system to malfunction or crash.
• An attacker sends large quantities of junk packets to the network, using up the network bandwidth.
Single-Packet Attack has multipe types and below list are Single-Packet Attack types those can be found in real world.
Smurf attack
ICMP redirect attack
ICMP unreachable attack
Large ICMP attack
TCP flag attack
Tracert attack
Fraggle attack
WinNuke attack
Land attack
Source route attack
Route record attack

Scanning Attack is actually an attacker uses some scanning tools (like nmap,nessua, satan,ettercap) to scan host addresses and ports in a network, so as to find
possible targets and the services enabled on the targets and figure out the network topology, preparing
for further attacks to the target hosts. This type has two type, Active and Passive Scanning.
Below is type of Scan Attack which can be face in real world.
Scan attack

Flood attack is an attacker sends a large number of forged requests to the targets in a short time, so that the target
system is too busy to provide services for legal users, resulting in denial of services.
Below attack are the attack-types those you might challenge in real world.
ICMP flood attack
UDP flood attack
SYN flood attack

Well. I believe that you know about what is network attack type and how is their mission on their target briefly.

In fact, talking about network attack is very wide and never ending story I believe.
I write this post as intro to write another post which going to explain how to configure IPS function on HP MSR Router to prevent such attack.
OK. See you at the next post on configuring IPS function on HP MSR Router to prevent network attacks.

Have a good day.
(Be knowledgeable, pass it on then)