The Firewall Hardening Guide v0.1 - Checkpoint Firewall-1 Specific Requirements - Miscellaneous

In this section we have only provided information on those settings that apply to a minimum security guideline and need to be changed from their default values. Most of the settings in these areas do not represent any security risk and may be left at their default values unless specifically needed for extra modules of Firewall-1.

Lookup Priorities

This is our recommended setup:
1. HOSTS (if file exists, and is being used)
2. SYS (Current System Setting)
3. BIND (Internet DNS, will utilize those settings found in TCP/IP properties of Windows NT)

Log Viewer Resolver Properties

This only applies if DNS resolving is used within the Log Viewer itself. We recommend turning off DNS resolving within the Log Viewer and instead using a third-party application for Firewall-1 log analysis.
The default value may be lowered to 6-12 seconds, depending on Internet connection speed and the distance (router hops) to the closest DNS server.

Access List settings

This only applies to Firewall-1 installations where a router control module is installed, and it should be configured in accordance with the general access lists implemented in both internal and external routers.
(Recommendations on router configuration are not part of this document.)

Security server settings

If the GM site chooses to utilize security servers for Telnet, FTP or Rlogin, remember that Firewall-1 will announce its presence upon login. This banner information reveals the firewall type to (un)authorised users and may pose a security risk.
If applied, welcome files should, as a minimum, contain warnings about unauthorised use and state that all transactions are being logged.
Authentication settings: Authentication failure track should be set to 'Log' as a minimum, or 'Alert' in high-security environments.
Miscellaneous settings:
(no comments)

SYNDefender settings

A SYN attack works by sending large numbers of SYN requests whose sender IP address is spoofed (i.e. a fake, non-existent address). In certain environments these packets may slow down or crash the operating system. These options were introduced in version 3 of Firewall-1. Most (if not all) systems today are well protected against SYN attacks.
Our recommended settings are:
Method: SYN Gateway
Timeout: 10 seconds
Maximum sessions: 5000
Display warning messages: YES (enabled)
If such warning messages occur, they may indicate an active SYN flood attack. By inspecting the IP packets (using a packet sniffer on the 'attacked' segment) for source port numbers and source IP addresses, access lists in the external router may be applied to:
- Stop IP packets with a specific source port number (unless the attacker is using random source ports)
- Stop IP packets that have a non-existent IP address as their source address
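As an added example (not part of the guide, and not Check Point code), the following Python triage implements the two checks described above on a constructed packet capture: whether the flood uses one fixed source port, and which source addresses cannot legitimately originate from the Internet (the guide's "non-existent" addresses), so an administrator can decide which of the two router access-list filters fits. The packet records, addresses, the 20-SYN threshold and the four-out-of-five "fixed port" cutoff are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pkt:
    """One sniffer record (constructed layout, not a real tool's format)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # TCP flag letters: "S" = bare SYN, "SA" = SYN/ACK, "A" = ACK


# RFC 1918 space plus loopback/link-local/multicast/reserved/unspecified:
# a SYN arriving on the external segment with such a source is spoofed.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_bogus_source(ip: str) -> bool:
    a = ip_address(ip)
    return (a.is_unspecified or a.is_loopback or a.is_multicast or a.is_reserved
            or a.is_link_local or any(a in n for n in RFC1918))


def triage(pkts, syn_threshold=20):
    """Summarise bare SYNs aimed at the busiest destination and report which filter applies."""
    syns = [p for p in pkts if p.flags == "S"]
    if not syns:
        return {"suspect": False}
    target, count = Counter((p.dst_ip, p.dst_port) for p in syns).most_common(1)[0]
    to_target = [p for p in syns if (p.dst_ip, p.dst_port) == target]
    top_port, top_n = Counter(p.src_port for p in to_target).most_common(1)[0]
    return {
        "suspect": count >= syn_threshold,
        "target": target,
        "syn_count": count,
        # None means the sender used random source ports, so a port filter will not help.
        "fixed_source_port": top_port if top_n >= 0.8 * len(to_target) else None,
        # Candidates for the "non-existent source address" filter.
        "bogus_sources": sorted({p.src_ip for p in to_target if is_bogus_source(p.src_ip)}),
    }


def constructed_capture():
    """Constructed capture: 24 spoofed SYNs from fixed port 1024 plus three real handshakes."""
    spoofed = ["10.9.8.7", "127.3.4.5", "240.12.1.1", "169.254.7.7"]
    pkts = [Pkt(spoofed[i % 4], 1024, "203.0.113.10", 80, "S") for i in range(24)]
    for i in range(3):
        client, port = f"198.51.100.{i + 1}", 40000 + i
        pkts += [Pkt(client, port, "203.0.113.10", 80, "S"),
                 Pkt("203.0.113.10", 80, client, port, "SA"),
                 Pkt(client, port, "203.0.113.10", 80, "A")]
    return pkts


if __name__ == "__main__":
    print(triage(constructed_capture()))
```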