Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Global Firewall settings

  • 1.  Global Firewall settings

    Posted May 28, 2014 08:58 AM

    What is the difference between the "Enforce TCP Handshake Before Allowing Data" setting and the "Enforce TCP Sequence numbers" on the global firewall settings page?



  • 2.  RE: Global Firewall settings

    Posted May 28, 2014 09:23 AM

    Enforce TCP Handshake Before Allowing Data

    Prevents data from passing between two clients until the three-way TCP handshake has been performed. This option should be disabled when you have mobile clients on the network as enabling this option will cause mobility to fail. You can enable this option if there are no mobile clients on the network.

    Default: Disabled

     

    Enforce TCP Sequence numbers

    Enforces the TCP sequence numbers for all packets.

    Default: Disabled

     


  • 3.  RE: Global Firewall settings

    Posted May 28, 2014 09:29 AM

    Yes, I read the guide and command line reference. The actual explanation there for the "Enforce TCP sequence numbers" is -

    "If enabled, prevents data from passing between two clients until the three-way TCP handshake has been performed"

    So what I am asking is what is the operational difference between the two.



  • 4.  RE: Global Firewall settings

    Posted May 28, 2014 10:01 AM

    This is to provide a defense mechanism against SYN flood attacks and split handshake attacks.

     

    Enforce TCP Sequence numbers
    Enforces the TCP sequence numbers for all packets.

     

    Enforce TCP Handshake Before Allowing Data
    Prevents data from passing between two clients until the three-way TCP handshake has been performed. This option should be disabled when you have mobile clients on the network as enabling this option will cause mobility to fail. You can enable this option if there are no mobile clients on the network.
    Default: Disabled

     

    Why are you trying to enable this option?

     

    If you are planning to, I suggest you open a TAC case and an Aruba engineer should assist you with these settings.

     



  • 5.  RE: Global Firewall settings

    Posted May 28, 2014 10:14 AM

    In the absence of any proper documentation I'm trying to understand what the settings are for - some customers have asked about IPS configuration and what the Aruba OS can do. I don't have an answer for them as I can't find out what the settings are and how they work. Especially when two settings both have the same brief explanation.



  • 6.  RE: Global Firewall settings

    Posted May 28, 2014 10:42 AM

    As an IDS/IPS, Aruba has the RFProtect module:

     

    http://www.arubanetworks.com/pdf/products/DS_AOS_RFPROTECT.pdf 



  • 7.  RE: Global Firewall settings

    Posted May 29, 2014 08:36 AM

    Unfortunately that is a dead link.



  • 8.  RE: Global Firewall settings

    Posted May 29, 2014 09:47 AM

    Please find document attached

    Attachment(s)

    DS_AOS_RFPROTECT.pdf   404 KB 1 version
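
Added example, not part of the thread and not ArubaOS code: a generic stateful-inspection model of the two checks asked about in post 1, showing that they are independent tests on the same flow. The `Flow` class, the `WINDOW` value, the learn-on-first-packet behaviour and the sample packets are assumptions made for illustration; how ArubaOS implements either setting is not documented on this page.

```python
from dataclasses import dataclass, field

WINDOW = 65535  # assumed acceptance window for this model

@dataclass
class Flow:
    enforce_handshake: bool = False  # models "Enforce TCP Handshake Before Allowing Data"
    enforce_sequence: bool = False   # models "Enforce TCP Sequence numbers"
    state: str = "NEW"               # NEW -> SYN -> SYNACK -> ESTABLISHED
    expected: dict = field(default_factory=dict)  # next expected seq per sender

    def inspect(self, sender, flags, seq, length=0):
        """Return 'allow' or a drop reason for one TCP segment."""
        if "S" in flags:  # SYN / SYN-ACK sets the baseline and consumes one number
            self.expected[sender] = (seq + 1) % 2**32
            steps = {("NEW", "S"): "SYN", ("SYN", "SA"): "SYNACK"}
            self.state = steps.get((self.state, flags), self.state)
            return "allow"
        if self.state == "SYNACK" and flags == "A":
            self.state = "ESTABLISHED"  # third step of the handshake (simplified)
        if self.enforce_handshake and length > 0 and self.state != "ESTABLISHED":
            return "drop: data before handshake"
        if self.enforce_sequence and sender in self.expected:
            if (seq - self.expected[sender]) % 2**32 >= WINDOW:
                return "drop: sequence out of window"
        if seq == self.expected.get(sender, seq):
            self.expected[sender] = (seq + length) % 2**32  # learn or advance
        return "allow"

def run(packets, **settings):
    """Feed constructed (sender, flags, seq, payload_len) tuples through one flow."""
    flow = Flow(**settings)
    return [flow.inspect(*p) for p in packets]

# Constructed sample traffic, not captured from any device.
HANDSHAKE_THEN_STRAY = [
    ("client", "S", 1000, 0), ("server", "SA", 5000, 0), ("client", "A", 1001, 0),
    ("client", "PA", 1001, 100),    # in-order data after the handshake
    ("client", "PA", 900000, 40),   # far outside the expected sequence range
]
MIDSTREAM_ONLY = [("client", "PA", 7000, 50)]  # data on a flow whose handshake was never seen

if __name__ == "__main__":
    for name, pkts in (("handshake+stray", HANDSHAKE_THEN_STRAY), ("midstream", MIDSTREAM_ONLY)):
        for opt in ("enforce_handshake", "enforce_sequence"):
            print(name, opt, run(pkts, **{opt: True}))
```

In this model the handshake check only asks whether the flow reached ESTABLISHED before carrying payload, while the sequence check keeps validating every later segment against the tracked sequence space.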