AIX Security Expert Tuning Network Options group

Tuning network options to the proper values is a large part of security. Setting a network attribute to 0 disables the option and setting the network attribute to 1 enables the option.

The following table lists the network attribute settings for High, Medium, and Low Level Security. This table also provides a description of how the proposed value of any particular network option helps ensure the security of the network.

Table 1. AIX Security Expert Tuning Network Options for network security

The four value columns (High, Medium, Low, AIX Standard) give the value set by AIX® Security Expert for each level.

| Action button name | Description | High Level Security | Medium Level Security | Low Level Security | AIX Standard Settings | Undo |
|---|---|---|---|---|---|---|
| Network option ipsrcrouteforward | Specifies whether or not the system forwards source-routed packets. Disabling ipsrcrouteforward prevents access through source routing attacks. | 0 | 0 | No effect | 1 | Yes |
| Network option ipignoreredirects | Specifies whether or not to process received redirects. | 1 | No effect | No effect | No limit | Yes |
| Network option clean_partial_conns | Specifies whether or not to avoid synchronization character (SYN) attacks. | 1 | 1 | 1 | No limit | Yes |
| Network option ipsrcrouterecv | Specifies whether or not the system accepts source-routed packets. Disabling ipsrcrouterecv prevents access through source routing attacks. | 0 | No effect | No effect | No limit | Yes |
| Network option ipforwarding | Specifies whether or not the kernel should forward packets. Disabling ipforwarding prevents redirected packets from reaching a remote network. | 0 | No effect | No effect | No limit | Yes |
| Network option ipsendredirects | Specifies whether or not the kernel should send redirect signals. Disabling ipsendredirects prevents redirected packets from reaching a remote network. | 0 | No effect | No effect | 1 | Yes |
| Network option ip6srcrouteforward | Specifies whether or not the system forwards source-routed IPv6 packets. Disabling ip6srcrouteforward prevents access through source routing attacks. | 0 | No effect | No effect | 1 | Yes |
| Network option directed_broadcast | Specifies whether or not to permit a directed broadcast to a gateway. Disabling directed_broadcast helps prevent directed packets from reaching a remote network. | 0 | 0 | 0 | No limit | Yes |
| Network option tcp_pmtu_discover | Enables or disables path MTU discovery for TCP applications. Disabling tcp_pmtu_discover prevents access through source routing attacks. | 0 | 0 | 0 | 1 | Yes |
| Network option bcastping | Permits response to ICMP echo packets sent to the broadcast address. Disabling bcastping prevents smurf attacks. | 0 | 0 | 0 | No limit | Yes |
| Network option icmpaddressmask | Specifies whether or not the system responds to an ICMP address mask request. Disabling icmpaddressmask prevents access through source routing attacks. | 0 | 0 | 0 | No limit | Yes |
| Network option udp_pmtu_discover | Enables or disables path maximum transfer unit (MTU) discovery for UDP applications. Disabling udp_pmtu_discover prevents access through source routing attacks. | 0 | 0 | 0 | 1 | Yes |
| Network option ipsrcroutesend | Specifies whether or not applications can send source-routed packets. Disabling ipsrcroutesend prevents access through source routing attacks. | 0 | No effect | No effect | 1 | Yes |
| Network option nonlocsrcroute | Specifies to the Internet Protocol whether or not strictly source-routed packets can be addressed to hosts outside the local network. Disabling nonlocsrcroute prevents access through source routing attacks. | 0 | No effect | No effect | No limit | Yes |
| Network option tcp_tcpsecure | Protects TCP connections against vulnerabilities. Values: 0 = no protection; 1 = sending a fake SYN to an established connection; 2 = sending a fake RST to an established connection; 4 = injecting data in an established TCP connection; 5-7 = combination of the above vulnerabilities. | 7 | 7 | 5 | No limit | Yes |
| Network option sockthresh | Specifies the network memory usage limit: the maximum amount of network memory that can be allocated for sockets. No new socket connections are allowed to exceed the value of the sockthresh tunable. | 60 | 70 | 85 | No limit | Yes |
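As an added example (not part of the IBM page), the following POSIX shell function audits saved `no -a` output against the High Level Security values in Table 1 and reports every tunable that deviates or is missing. It assumes the input file was produced on the host with `no -a > file`, and that the file name passed as `$1` is your own choice.

```shell
#!/bin/sh
# Added example: compare AIX 'no' tunables with the High Level Security
# values from Table 1. Input is a file of "name = value" lines as printed
# by 'no -a'. A deviating tunable can be corrected with
#   no -p -o <name>=<value>
# (-p makes the change permanent across reboots).

# Expected High Level Security values from Table 1, as name:value pairs.
HIGH_LEVEL="ipsrcrouteforward:0 ipignoreredirects:1 clean_partial_conns:1
ipsrcrouterecv:0 ipforwarding:0 ipsendredirects:0 ip6srcrouteforward:0
directed_broadcast:0 tcp_pmtu_discover:0 bcastping:0 icmpaddressmask:0
udp_pmtu_discover:0 ipsrcroutesend:0 nonlocsrcroute:0 tcp_tcpsecure:7
sockthresh:60"

# audit_no_output FILE
# Prints one line per tunable that is missing or differs from the High
# Level value and returns the number of such findings (0 = compliant).
audit_no_output() {
    _file=$1
    _bad=0
    for _pair in $HIGH_LEVEL; do
        _name=${_pair%%:*}
        _want=${_pair#*:}
        # 'no -a' prints e.g. "    ipforwarding = 1": take the value after '='.
        _have=$(awk -v n="$_name" '$1 == n && $2 == "=" { print $3 }' "$_file")
        if [ -z "$_have" ]; then
            echo "MISSING  $_name (High Level Security expects $_want)"
            _bad=$((_bad + 1))
        elif [ "$_have" != "$_want" ]; then
            echo "DEVIATES $_name = $_have (High Level Security expects $_want)"
            _bad=$((_bad + 1))
        fi
    done
    return $_bad
}

# Usage: sh audit_no.sh /tmp/no.out   (after 'no -a > /tmp/no.out' on the host)
if [ -n "$1" ]; then
    audit_no_output "$1"
fi
```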

The following network options are related to network performance rather than network security.

Table 2. AIX Security Expert Tuning Network Options for network performance

The four value columns (High, Medium, Low, AIX Standard) give the value set by AIX Security Expert for each level.

| Action button name | Description | High Level Security | Medium Level Security | Low Level Security | AIX Standard Settings | Undo |
|---|---|---|---|---|---|---|
| Network option rfc1323 | The rfc1323 tunable enables the TCP window scaling option. | 1 | 1 | 1 | No limit | Yes |
| Network option tcp_sendspace | The tcp_sendspace tunable specifies how much data the sending application can buffer in the kernel before the application is blocked on a send call. | 262144 | 262144 | 262144 | 16384 | Yes |
| Network option tcp_mssdflt | Default maximum segment size used in communicating with remote networks. | 1448 | 1448 | 1448 | 1460 | Yes |
| Network option extendednetstats | Enables more-extensive statistics for network memory services. | 1 | 1 | 1 | No limit | Yes |
| Network option tcp_recvspace | The tcp_recvspace tunable specifies how many bytes of data the receiving system can buffer in the kernel on the receiving socket's queue. | 262144 | 262144 | 262144 | 16384 | Yes |
| Network option sb_max | The sb_max tunable sets an upper limit on the number of socket buffers queued to an individual socket, which controls how much buffer space is consumed by buffers that are queued to a sender's socket or to a receiver's socket. | 1048576 | 1048576 | 1048576 | 1048576 | Yes |