Jan 20

Making your AIX network more secure

These are some common network parameters that should be set in order to improve your system’s network efficiency and security.

Network Service options

To improve system security, there are several network options that you can change, using 0 to disable and 1 to enable. The following list identifies the parameters you can use with the no command.

| Parameter | Command | Purpose |
| --- | --- | --- |
| arpt_killc – arp | /usr/sbin/no -o arpt_killc=5 | Buffer time-out; default value is 20 minutes. To avoid arp buffer poisoning attacks, this value should be reduced to between 1 and 5 minutes. |
| bcastping | /usr/sbin/no -o bcastping=0 | Allows response to ICMP echo packets to the broadcast address. Disabling this prevents Smurf attacks. |
| clean_partial_conns | /usr/sbin/no -o clean_partial_conns=1 | Specifies whether or not SYN (synchronizes the sequence number) attacks are being avoided. |
| directed_broadcast | /usr/sbin/no -o directed_broadcast=0 | Specifies whether to allow a directed broadcast to a gateway. Setting to 0 helps prevent directed packets from reaching a remote network. |
| icmpaddressmask | /usr/sbin/no -o icmpaddressmask=0 | Specifies whether the system responds to an ICMP address mask request. Disabling this prevents access through source routing attacks. |
| ipforwarding | /usr/sbin/no -o ipforwarding=0 | Specifies whether the kernel should forward packets. Disabling this prevents redirected packets from reaching remote network. |
| ipignoreredirects | /usr/sbin/no -o ipignoreredirects=1 | Specifies whether to process redirects that are received. |
| ipsendredirects | /usr/sbin/no -o ipsendredirects=0 | Specifies whether the kernel should send redirect signals. Disabling this prevents redirected packets from reaching remote network. |
| ip6srcrouteforward | /usr/sbin/no -o ip6srcrouteforward=0 | Specifies whether the system forwards source-routed IPv6 packets. Disabling this prevents access through source routing attacks. |
| ipsrcrouteforward | /usr/sbin/no -o ipsrcrouteforward=0 | Specifies whether the system forwards source-routed packets. Disabling this prevents access through source routing attacks. |
| ipsrcrouterecv | /usr/sbin/no -o ipsrcrouterecv=0 | Specifies whether the system accepts source-routed packets. Disabling this prevents access through source routing attacks. |
| ipsrcroutesend | /usr/sbin/no -o ipsrcroutesend=0 | Specifies whether applications can send source-routed packets. Disabling this prevents access through source routing attacks. |
| nonlocsrcroute | /usr/sbin/no -o nonlocsrcroute=0 | Tells the Internet Protocol that strictly source-routed packets may be addressed to hosts outside the local network. Disabling this prevents access through source routing attacks. |
| tcp_icmpsecure | /usr/sbin/no -o tcp_icmpsecure=1 | Protects TCP connections against ICMP (Internet Control Message Protocol) source quench and PMTUD (Path MTU Discovery) attacks. Checks the payload of the ICMP message to test the sequence number of the TCP header is within the range of acceptable sequence numbers. Values: 0=off (default); 1=on. |
| ip_nfrag | /usr/sbin/no -o ip_nfrag=200 | Specifies the maximum number of fragments of an IP packet that can be kept on the IP reassembly queue at a time (default value of 200 keeps up to 200 fragments of an IP packet in the IP reassembly queue). |
| rfc1122addrchk | /usr/sbin/no -o rfc1122addrchk=0 | Perform RFC1122 address validation; default is to allow. This should be disabled to block incoming & outgoing SYN packets aimed at loopback and multicast addresses. |
| rfc1323 | /usr/sbin/no -o rfc1323=1 | Value of 1 indicates that tcp_sendspace and tcp_recvspace can exceed 64KB. Default=0 |
| tcp_mssdflt | /usr/sbin/no -o tcp_mssdflt=1370 | Default maximum segment size used in communicating with remote networks. Values: Default: 512, Range: 512 to (MTU of local net – 64). Change takes effect immediately. Change is effective until next boot. Permanent change is made by adding no command to /etc/rc.net. Diagnosis: N/A. Tuning: Increase, if practical. |
| tcp_conn_request_max | 20-500 | Number of TCP concurrent connections |
| tcp_recvspace | /usr/sbin/no -o tcp_recvspace= | Provide the default value of the size of the TCP socket receive buffer. Default: 16384, Range: 0 to 64KB if rfc1323=0, Range: 0 to 4GB if rfc1323=1. Must be less than or equal to sb_max. Should be equal to tcp_sendspace and uniform on all frequently accessed AIX systems. |
| sb_max | /usr/sbin/no -o sb_max= | Default: 16384, Range: 0 to 64KB if rfc1323=0, Range: 0 to 4GB if rfc1323=1. Must be less than or equal to sb_max. Should be equal to tcp_recvspace and uniform on all frequently accessed AIX systems. |
| tcp_syn_rcvd_max | 500 | SYN_Flooding can be used in denial of service attacks |
| tcp_sendspace | /usr/sbin/no -o tcp_sendspace= | |
| tcp_tcpsecure | /usr/sbin/no -o tcp_tcpsecure=7 | Protects TCP connections against vulnerabilities. Values: 0=no protection; 1=sending a fake SYN to an established connection; 2=sending a fake RST to an established connection; 3=injecting data in an established TCP connection; 5-7=combination of the above vulnerabilities. |
| tcp_pmtu_discover | /usr/sbin/no -o tcp_pmtu_discover=0 | Disabling this prevents access through source routing attacks. |
| udp_pmtu_discover | /usr/sbin/no -o udp_pmtu_discover=0 | Enables or disables path MTU discovery for TCP applications. Disabling this prevents access through source routing attacks. |
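
The audit below is an added example, not part of the original post: it reads `no -a`-style "name = value" output and reports every tunable that differs from the 0/1 and tcp_tcpsecure values recommended above. The function name audit_no and the sample output are constructed for illustration; range-style settings such as arpt_killc are not checked.

```shell
#!/bin/sh
# Recommended values copied from the table on this page (exact-match settings only).
BASELINE='bcastping=0 clean_partial_conns=1 directed_broadcast=0 icmpaddressmask=0
ipforwarding=0 ipignoreredirects=1 ipsendredirects=0 ip6srcrouteforward=0
ipsrcrouteforward=0 ipsrcrouterecv=0 ipsrcroutesend=0 nonlocsrcroute=0
tcp_icmpsecure=1 tcp_tcpsecure=7'

# audit_no (hypothetical helper): reads "name = value" lines on stdin and prints
# "name current expected" for each deviation ("unset" when the tunable is absent).
# Returns 1 if anything deviates, 0 if the host matches the baseline.
audit_no() {
    current=$(sed 's/[[:space:]]//g')   # normalise "   name = value" to "name=value"
    rc=0
    for want in $BASELINE; do
        name=${want%%=*}
        have=$(printf '%s\n' "$current" | sed -n "s/^${name}=//p" | head -n 1)
        if [ "$have" != "${want#*=}" ]; then
            printf '%s %s %s\n' "$name" "${have:-unset}" "${want#*=}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in the layout of `no -a` output (not captured from a real host).
SAMPLE='              arpt_killc = 20
               bcastping = 1
     clean_partial_conns = 1
      directed_broadcast = 0
         icmpaddressmask = 0
            ipforwarding = 1
       ipignoreredirects = 1
         ipsendredirects = 0
      ip6srcrouteforward = 0
       ipsrcrouteforward = 0
          ipsrcrouterecv = 0
          ipsrcroutesend = 0
          nonlocsrcroute = 0
           tcp_tcpsecure = 0'

# On an AIX host the input would be: /usr/sbin/no -a | audit_no
printf '%s\n' "$SAMPLE" | audit_no || echo "deviations from baseline found" >&2
```

Each output line can be turned directly into the matching /usr/sbin/no -o name=value command from the table.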