AIX Security Expert Tuning Network Options group
Tuning network options to the proper values is a large part of security. Setting a network attribute to 0 disables the option and setting the network attribute to 1 enables the option.
The following table lists the network attribute settings for High, Medium, and Low Level Security. This table also provides a description of how the proposed value of any particular network option helps ensure the security of the network.
| Action button name | Description | Value set by AIX® Security Expert | Undo |
|---|---|---|---|
| Network option ipsrcrouteforward | Specifies whether or not the system forwards source-routed packets. Disabling ipsrcrouteforward prevents access through source routing attacks. |
|
Yes |
| Network option ipignoreredirects | Specifies whether or not to process received redirects. |
|
Yes |
| Network option clean_partial_conns | Specifies whether or not to avoid synchronization character (SYN) attacks. |
|
Yes |
| Network option ipsrcrouterecv | Specifies whether or not the system accepts source-routed packets. Disabling ipsrcrouterecv prevents access through source routing attacks. |
|
Yes |
| Network option ipforwarding | Specifies whether or not the kernel should forward packets. Disabling ipforwarding prevents redirected packets from reaching a remote network. |
|
Yes |
| Network option ipsendredirects | Specifies whether or not the kernel should send redirect signals. Disabling ipsendredirects prevents redirected packets from reaching a remote network. |
|
Yes |
| Network option ip6srcrouteforward | Specifies whether or not the system forwards source-routed IPv6 packets. Disabling ip6srcrouteforward prevents access through source routing attacks. |
|
Yes |
| Network option directed_broadcast | Specifies whether or not to permit a directed broadcast to a gateway. Disabling directed_broadcast helps prevent directed packets from reaching a remote network. |
|
Yes |
| Network option tcp_pmtu_discover | Enables or disables path MTU discovery for TCP applications. Disabling tcp_pmtu_discover prevents access through source routing attacks. |
|
Yes |
| Network option bcastping | Permits response to ICMP echo packets sent to the broadcast address. Disabling bcastping prevents smurf attacks. |
|
Yes |
| Network option icmpaddressmask | Specifies whether or not the system responds to an ICMP address mask request. Disabling icmpaddressmask prevents access through source routing attacks. |
|
Yes |
| Network option udp_pmtu_discover | Enables or disables path maximum transfer unit (MTU) discovery for UDP applications. Disabling udp_pmtu_discover prevents access through source routing attacks. |
|
Yes |
| Network option ipsrcroutesend | Specifies whether or not applications can send source-routed packets. Disabling ipsrcroutesend prevents access through source routing attacks. |
|
Yes |
| Network option nonlocsrcroute | Specifies to the Internet Protocol whether or not strictly source-routed packets can be addressed to hosts outside the local network. Disabling nonlocsrcroute prevents access through source routing attacks. |
|
Yes |
| Network option tcp_tcpsecure | Protects TCP connections against vulnerabilities. Values:
|
|
Yes |
| Network option sockthresh | Specifies the network memory usage limit. No new socket connections are
allowed to exceed the value of the sockthresh tunable. Specifies the maximum amount of network memory that can be allocated for sockets. |
|
Yes |
The following network options are related to network performance rather than network security.
| Action button name | Description | Value set by AIX Security Expert | Undo |
|---|---|---|---|
| Network option rfc1323 | The rfc1323 tunable enables the TCP window scaling option. |
|
Yes |
| Network option tcp_sendspace | The tcp_sendspace tunable specifies how much data the sending application can buffer in the kernel before the application is blocked on a send call. |
|
Yes |
| Network option tcp_mssdflt | Default maximum segment size used in communicating with remote networks. |
|
Yes |
| Network option extendednetstats | Enables more-extensive statistics for network memory services. |
|
Yes |
| Network option tcp_recvspace | The tcp_recvspace tunable specifies how many bytes of data the receiving system can buffer in the kernel on the receiving sockets queue. |
|
Yes |
| Network option sb_max | The sb_max tunable sets an upper limit on the number of socket buffers queued to an individual socket, which controls how much buffer space is consumed by buffers that are queued to a sender's socket or to a receiver's socket. |
|
Yes |