SANGFOR IAM v2.1 User Manual
95
(that directly connects to the IAM gateway device) to the [LAN Router List], so that the
MAC address of this interface is excluded from the anti-DoS rule and from being blocked.
Generally, if the WAN interface of the IAM gateway device connects to a firewall or router,
the interface IP address of that routing device should also be added to the [LAN Router List].
By default, the anti-DoS module of an IAM gateway device sets [Max New TCP Connections Per IP]
to 1024 per minute and [Max Attack Packets Per IP] to 300. If virus-infected computers on the
local area network are flooding it with packets and the network loses connectivity, lower
[Max New TCP Connections Per IP] to 512 and [Max Attack Packets Per IP] to a smaller value;
the stricter thresholds make the gateway detect and block the infected LAN computers sooner.
The download client Thunder opens a very large number of connections, so its traffic pattern
resembles a DoS attack, and the IAM gateway device may therefore block a LAN PC that is running
Thunder. To reduce the chance of such a PC being blocked, set the thresholds to values that
tolerate this behaviour: [Max New TCP Connections Per IP] at 1024 connections/minute and
[Max Attack Packets Per IP] at 512 packets/second.
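The following is an added example, not Sangfor code and not a description of how the IAM gateway is implemented internally. It models the two thresholds above as per-source-IP counters over a sliding 60-second window (new TCP connections) and a sliding 1-second window (attack packets), and the [LAN Router List] as a MAC-keyed exemption from blocking. The addresses, the ROUTER_MAC, the traffic events and the choice of 200 as the "smaller value" for a virus outbreak are all constructed for illustration; an "attack" event stands for a packet the gateway has already classified as an attack packet, which the page does not define further.

```python
"""Anti-DoS threshold check over constructed traffic events (added example, not Sangfor code)."""
from collections import defaultdict
from dataclasses import dataclass

DEFAULT_MAX_NEW_TCP_PER_MIN = 1024   # page default for [Max New TCP Connections Per IP]
DEFAULT_MAX_ATTACK_PER_SEC = 300     # page default for [Max Attack Packets Per IP]

# Hypothetical LAN router sitting between some hosts and the IAM gateway.
ROUTER_MAC = "00:1a:2b:3c:4d:fe"


@dataclass(frozen=True)
class Event:
    ts: float      # seconds
    src_ip: str
    src_mac: str   # MAC the frame arrived with (a router's MAC for hosts behind it)
    kind: str      # "syn": new TCP connection attempt; "attack": packet already classified as attack


def sliding_window_peak(timestamps, window):
    """Largest number of timestamps that fall inside any window of `window` seconds."""
    ts = sorted(timestamps)
    peak = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] >= window:   # drop events that fell out of the window
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def evaluate(events, max_new_tcp_per_min=DEFAULT_MAX_NEW_TCP_PER_MIN,
             max_attack_per_sec=DEFAULT_MAX_ATTACK_PER_SEC, exempt_macs=frozenset()):
    """Return {src_ip: reason} for every host the thresholds would block.

    Counters are kept per source IP, as the setting names say. The exemption is keyed on
    the source MAC: every host behind a LAN router arrives with the router's MAC, so without
    the [LAN Router List] one noisy host would get the router interface blocked.
    """
    syn_ts, atk_ts, mac_of = defaultdict(list), defaultdict(list), {}
    for e in events:
        mac_of[e.src_ip] = e.src_mac
        (syn_ts if e.kind == "syn" else atk_ts)[e.src_ip].append(e.ts)
    blocked = {}
    for ip in sorted(set(syn_ts) | set(atk_ts)):
        if mac_of[ip] in exempt_macs:
            continue
        syn_peak = sliding_window_peak(syn_ts.get(ip, []), 60.0)
        atk_peak = sliding_window_peak(atk_ts.get(ip, []), 1.0)
        if syn_peak > max_new_tcp_per_min:
            blocked[ip] = f"{syn_peak} new TCP connections/min exceeds {max_new_tcp_per_min}"
        elif atk_peak > max_attack_per_sec:
            blocked[ip] = f"{atk_peak} attack packets/s exceeds {max_attack_per_sec}"
    return blocked


def build_sample_events():
    """Constructed traffic for the scenario; not a real capture."""
    ev = []
    # 10.0.0.20 runs a Thunder-style downloader: 700 new connections spread over one minute.
    ev += [Event(i * 60 / 700, "10.0.0.20", "00:aa:00:00:00:20", "syn") for i in range(700)]
    # 10.0.0.33 is virus-infected: 400 attack packets inside one second.
    ev += [Event(100 + i / 400, "10.0.0.33", "00:aa:00:00:00:33", "attack") for i in range(400)]
    # 192.168.1.10 sits behind the LAN router, so its frames carry the router's MAC.
    ev += [Event(200 + i * 60 / 1500, "192.168.1.10", ROUTER_MAC, "syn") for i in range(1500)]
    return ev


if __name__ == "__main__":
    events = build_sample_events()
    print("defaults 1024/300, router listed  :", evaluate(events, exempt_macs={ROUTER_MAC}))
    print("virus outbreak 512/200, router listed:", evaluate(events, 512, 200, {ROUTER_MAC}))
    print("Thunder-friendly 1024/512, router listed:", evaluate(events, 1024, 512, {ROUTER_MAC}))
    print("defaults, router NOT listed       :", evaluate(events))
```

Running the four configurations shows the trade-off the two recommendations make: the defaults block only the infected host, the outbreak settings also block the heavy downloader, the Thunder-friendly settings let both through, and leaving the router off the [LAN Router List] gets the router's MAC blocked for traffic it merely forwarded.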
5.4. ARP Protection
ARP spoofing is a common LAN attack, usually carried out by malware on an infected computer.
The infected host keeps broadcasting forged ARP messages to the local area network (LAN),
poisoning the ARP caches of the other devices; this disrupts or stops normal communication
among the LAN devices and can bring down traffic on the entire local area network.
ARP spoofing is defended against by the ARP protection function of the IAM gateway device
working together with the Ingress Client installed on each LAN PC. Once installed, the Ingress
Client communicates with the IAM gateway device, obtains the correct IP/MAC pair of the gateway
and binds to it. The IAM gateway device, for its part, refuses to accept any ARP request or
response that shows signs of an attack, which protects the ARP cache of the gateway itself and
keeps it immune to ARP spoofing.
However, if a user covered by an access control policy has IP/MAC address(es) bound in
[Organization Structure] > [Edit User] > [Advanced Settings] > [User Attribute], the IAM gateway
device takes those bound address(es) as the final, authoritative IP/MAC address(es).
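The following is an added example that is not Sangfor's code and does not describe the internals of the IAM gateway or the Ingress Client. It parses raw Ethernet/IPv4 ARP payloads and runs them through a small ARP-cache guard that holds a set of trusted IP/MAC bindings: statically bound pairs (the [User Attribute] bindings the paragraph above says are final) override pairs the Ingress Client reported, and any ARP request or reply whose sender fields contradict a trusted pair is dropped instead of updating the cache. The addresses, the user "alice", the attacker MAC and the packet sequence are constructed; how the real gateway treats hosts with no binding at all is not stated on the page, so the guard's choice to learn them is an assumption.

```python
"""ARP cache guard with trusted IP/MAC bindings (added example, not Sangfor code)."""
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (RFC 826 layout)
ARP_REQUEST, ARP_REPLY = 1, 2

# Hypothetical addresses for the scenario.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:55"
ALICE_IP = "10.0.0.20"
ALICE_STATIC_MAC = "00:aa:00:00:00:20"     # bound under [User Attribute]: final
ALICE_REPORTED_MAC = "00:bb:00:00:00:20"   # what the Ingress Client reported (differs)
ATTACKER_MAC = "de:ad:be:ef:00:01"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(oper, sha, spa, tha, tpa):
    """Constructed 28-byte Ethernet/IPv4 ARP payload."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), socket.inet_aton(spa), mac_bytes(tha), socket.inet_aton(tpa))


def parse_arp(payload):
    """Decode an ARP payload; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


class ArpGuard:
    """ARP cache that only learns mappings consistent with its trusted bindings.

    static_bindings: IP/MAC pairs bound on the user ([User Attribute]); these are final.
    ingress_bindings: IP/MAC pairs the Ingress Client reported; used only where no static pair exists.
    """

    def __init__(self, static_bindings, ingress_bindings):
        self.trusted = dict(ingress_bindings)
        self.trusted.update(static_bindings)   # static pairs override reported ones
        self.cache = {}

    def handle(self, payload):
        """Return (accepted, reason). Accepted packets update the cache; spoofed ones are dropped."""
        arp = parse_arp(payload)
        ip, mac = arp["spa"], arp["sha"]
        op = "reply" if arp["oper"] == ARP_REPLY else "request"
        expected = self.trusted.get(ip)
        if expected is not None and expected != mac:
            return False, f"dropped ARP {op}: {ip} claimed at {mac}, bound to {expected}"
        # Sender is either consistent with its binding or unbound (assumption: unbound hosts are learned).
        self.cache[ip] = mac
        return True, f"accepted ARP {op}: {ip} is at {mac}"


def run_scenario():
    """Feed a constructed packet sequence through the guard; returns (results, final cache)."""
    guard = ArpGuard(static_bindings={ALICE_IP: ALICE_STATIC_MAC},
                     ingress_bindings={GATEWAY_IP: GATEWAY_MAC, ALICE_IP: ALICE_REPORTED_MAC})
    packets = [
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, ALICE_STATIC_MAC, ALICE_IP),   # genuine gateway reply
        build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, ALICE_STATIC_MAC, ALICE_IP),  # spoofed gateway reply
        build_arp(ARP_REQUEST, ATTACKER_MAC, GATEWAY_IP, ZERO_MAC, GATEWAY_IP),      # gratuitous request claiming gateway
        build_arp(ARP_REPLY, ALICE_REPORTED_MAC, ALICE_IP, GATEWAY_MAC, GATEWAY_IP), # Ingress-reported MAC, static wins
        build_arp(ARP_REPLY, ALICE_STATIC_MAC, ALICE_IP, GATEWAY_MAC, GATEWAY_IP),   # matches the static binding
        build_arp(ARP_REQUEST, "00:cc:00:00:00:77", "10.0.0.77", ZERO_MAC, GATEWAY_IP),  # unbound host
    ]
    return [guard.handle(p) for p in packets], dict(guard.cache)


if __name__ == "__main__":
    results, cache = run_scenario()
    for ok, reason in results:
        print(("ACCEPT " if ok else "DROP   ") + reason)
    print("cache:", cache)
```

The guard checks the sender fields of both requests and replies, because a gratuitous request that announces the gateway's IP under an attacker's MAC poisons caches just as effectively as a forged reply.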