Router Security Configuration Guide   UNCLASSIFIED   Version 1.0g   (page 190)

The default timeout and idle times in Cisco IOS 12.0 are longer than necessary. There are also global CBAC parameters related to half-open TCP sessions, but these can be left at their default values. The table below describes the parameters to change.

  Timeout Name    Description                                                      Default     Suggested
  Synwait-time    Length of time CBAC waits for a new TCP session to reach         30 seconds  15 seconds
                  established state.
  Finwait-time    Length of time that CBAC continues to manage a TCP session       5 seconds   1 second
                  after it has been closed down by a FIN exchange.
  TCP idle-time   Length of time that CBAC continues to manage a TCP session       1 hour      30 minutes
                  with no activity.                                                            (1800 sec.)
  UDP idle-time   Length of time that CBAC continues to manage a UDP 'session'     30 seconds  15 seconds
                  with no activity.

Of course, these values might need to be increased for a very slow connection (e.g. a modem) or on a highly congested network. The example below shows how to set the global timeout parameters.

  South# config t
  Enter configuration commands, one per line.  End with CNTL/Z.
  South(config)# ip inspect tcp synwait-time 15
  South(config)# ip inspect tcp finwait-time 1
  South(config)# ip inspect tcp idle-time 1800
  South(config)# ip inspect udp idle-time 15
  South(config)# exit
  South#

Step 7. Apply the CBAC Ruleset to the Interface

CBAC is not in force until a ruleset has been applied to at least one interface. Use the interface configuration command ip inspect, giving the ruleset name and a direction, to apply a ruleset. The example below applies the ruleset from step 5 to the outside (untrusted network) interface.

  South# config t
  Enter configuration commands, one per line.  End with CNTL/Z.
  South(config)# interface eth0/0
  South(config-if)# ip inspect fw1 out
  South(config-if)# end
  South# show ip inspect interface
  South#
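The two steps above (tightening the global CBAC timeouts, then binding a ruleset to an interface) are easy to get half-done: a timeout left at its IOS 12.0 default, or an interface that references a ruleset name that was never defined with ip inspect name, leaves the router without the protection the guide intends. The script below is an added example, not part of the Router Security Configuration Guide, that audits a saved running-config against the table's suggested values and checks the ruleset bindings. It assumes the usual show running-config text layout (global commands at column 0, interface sub-commands indented one space) and uses a constructed config fragment with TEST-NET addresses as input.

```python
"""Audit a Cisco IOS running-config for the CBAC settings discussed above.

Added example (not code from the Router Security Configuration Guide). It checks:
  * the four global CBAC timeouts against the guide's suggested values
  * that every 'ip inspect <name> in|out' on an interface refers to a ruleset
    defined with a global 'ip inspect name <name> <protocol>' command
  * that at least one interface has a ruleset applied (otherwise CBAC is inert)
"""
import re

# Suggested values from the guide's table (seconds); config keywords -> value.
SUGGESTED = {
    "tcp synwait-time": 15,
    "tcp finwait-time": 1,
    "tcp idle-time": 1800,
    "udp idle-time": 15,
}
# IOS 12.0 defaults the guide lists; assumed when a timeout is not set explicitly.
DEFAULTS = {
    "tcp synwait-time": 30,
    "tcp finwait-time": 5,
    "tcp idle-time": 3600,
    "udp idle-time": 30,
}

TIMEOUT_RE = re.compile(
    r"^ip inspect (tcp synwait-time|tcp finwait-time|tcp idle-time|udp idle-time) (\d+)$"
)
RULESET_RE = re.compile(r"^ip inspect name (\S+) (\S+)")
IFACE_RE = re.compile(r"^interface (\S+)")
APPLY_RE = re.compile(r"^ ip inspect (\S+) (in|out)$")

# Constructed sample running-config fragment (hypothetical router, TEST-NET addresses).
# Deliberately leaves 'tcp idle-time' at its default and applies an undefined ruleset.
SAMPLE_CONFIG = """\
ip inspect tcp synwait-time 15
ip inspect tcp finwait-time 1
ip inspect udp idle-time 15
ip inspect name fw1 tcp
ip inspect name fw1 udp
!
interface Ethernet0/0
 ip address 192.0.2.250 255.255.255.0
 ip inspect fw1 out
!
interface Ethernet0/1
 ip address 198.51.100.20 255.255.255.0
 ip inspect fw2 in
!
"""


def parse_config(text):
    """Return (timeouts, rulesets, applied) extracted from running-config text."""
    timeouts = dict(DEFAULTS)
    rulesets = {}   # ruleset name -> set of inspected protocols
    applied = []    # (interface, ruleset name, direction)
    current_iface = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            # Any global-mode command ends the current interface block.
            current_iface = None
            if m := IFACE_RE.match(line):
                current_iface = m.group(1)
            elif m := TIMEOUT_RE.match(line):
                timeouts[m.group(1)] = int(m.group(2))
            elif m := RULESET_RE.match(line):
                rulesets.setdefault(m.group(1), set()).add(m.group(2))
            continue
        if current_iface and (m := APPLY_RE.match(line)):
            applied.append((current_iface, m.group(1), m.group(2)))
    return timeouts, rulesets, applied


def audit(text):
    """Return a list of human-readable findings; an empty list means compliant."""
    timeouts, rulesets, applied = parse_config(text)
    findings = []
    for key, limit in SUGGESTED.items():
        if timeouts[key] > limit:
            findings.append(f"ip inspect {key} is {timeouts[key]}s; guide suggests {limit}s")
    for iface, name, direction in applied:
        if name not in rulesets:
            findings.append(f"{iface}: ruleset '{name}' applied {direction} but never defined")
    if not applied:
        findings.append("no interface has a CBAC ruleset applied; inspection is not in force")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the constructed sample the audit reports two findings: the TCP idle-time still at its 3600-second default, and interface Ethernet0/1 referencing a ruleset (fw2) that no ip inspect name command defines. Feeding it a config in which all four timeouts are set and every applied ruleset is defined returns an empty list.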