-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nice document, but it misses a few items such as:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"ForwardBroadcasts"=dword:00000000           to turn Broadcast propagation off
"DisableIPSourceRouting"=dword:00000001      disables source-routing
"DefaultTTL"=dword:000000ff                  sets TTL to 255 (to prevent or mislead fingerprinting attempts)
"ArpAlwaysSourceRoute"=dword:00000000        should be by default, but just to make sure
"ArpTRSingleRoute"=dword:00000000            ditto
"DefaultTOS"=dword:00000000                  ditto
"EnableDeadGWDetect"=dword:00000000          set to 0 only if you have one DG, set to 1 if you have more than one
"EnablePMTUBHDetect"=dword:00000000          disable black-hole detection
"IGMPLevel"=dword:00000000                   turn Multicasting off (if you don't need it)
"TcpMaxConnectResponseRetransmissions"=dword:00000001    assist FW in SYN attack mitigation
"TcpMaxConnectRetransmissions"=dword:00000002            ditto
"TcpMaxDataRetransmissions"=dword:00000003
"TcpTimedWaitDelay"=dword:00000078           Close Wait states after 2 mins
"TcpUseRFC1122UrgentPointer"=dword:00000000  use BSD style urgent pointer

Some of these (like source routing) are for security reasons, others
for performance reasons. There are more entries available (such as
window size). You can find more info in the file REGENTRY.HLP in the
Windows NT Resource Kit.


Regards,
Frank


> -----Original Message-----
> From: Dan Hitchcock [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 31, 2000 2:15 PM
> 
> Ditto.  My favorite doc for performance and security tuning is at
> http://www.noblesouth.com/downloads/FirewallPerfNT.pdf.  It covers which
> services to remove, which services and devices to disable, and a slew of
> registry modifications to tune NT and FW1 to play nicely together.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBOa69CkRKym0LjhFcEQINUACg3ZiOaR3xswwefj+cJJtz/DEkMQcAn3zG
QX1tlqLcwz1n+aSw01VredV1
=2/vR
-----END PGP SIGNATURE-----
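
An added example, not part of the original message or of any vendor tooling: a Python check that compares a regedit text export of the Tcpip\Parameters key against the values listed in the message above and reports every deviation. The function names, the choice of a text export as input and the sample export are assumptions made for the illustration.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
# Value names and DWORDs exactly as listed in the message above.
BASELINE = {
    "ForwardBroadcasts": 0x0, "DisableIPSourceRouting": 0x1,
    "DefaultTTL": 0xFF, "ArpAlwaysSourceRoute": 0x0,
    "ArpTRSingleRoute": 0x0, "DefaultTOS": 0x0,
    "EnableDeadGWDetect": 0x0,  # the message says 1 with more than one gateway
    "EnablePMTUBHDetect": 0x0, "IGMPLevel": 0x0,
    "TcpMaxConnectResponseRetransmissions": 0x1,
    "TcpMaxConnectRetransmissions": 0x2, "TcpMaxDataRetransmissions": 0x3,
    "TcpTimedWaitDelay": 0x78, "TcpUseRFC1122UrgentPointer": 0x0,
}
_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_dwords(reg_text, key=KEY):
    """Return {lowercased value name: int} for DWORD values directly under key."""
    found, in_key = {}, False
    for line in (raw.strip() for raw in reg_text.splitlines()):
        section, value = _SECTION.match(line), _DWORD.match(line)
        if section:  # key and value names are case-insensitive in the registry
            in_key = section.group(1).lower() == key.lower()
        elif in_key and value:
            found[value.group(1).lower()] = int(value.group(2), 16)
    return found

def audit(reg_text, baseline=BASELINE):
    """Return {name: (expected, actual or None when absent)} per deviation."""
    actual = parse_dwords(reg_text)
    return {n: (want, actual.get(n.lower())) for n, want in baseline.items()
            if actual.get(n.lower()) != want}

# Constructed sample in regedit export format (not taken from a real host).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DisableIPSourceRouting"=dword:00000000
"defaultttl"=dword:000000ff
"TcpTimedWaitDelay"=dword:000000f0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage]
"ForwardBroadcasts"=dword:00000000
'''

if __name__ == "__main__":
    for name, (want, got) in audit(SAMPLE).items():
        print(f"{name}: expected {want:#x}, found {'not set' if got is None else hex(got)}")
```

A value that is absent from the export is reported as "not set" rather than assumed to match, since the system default then applies and may differ from the listed value.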

