Tweaks for Specific Operating Systems

The following subsections discuss how to tweak IPSO's TCP/IP stack, Solaris, and Windows NT, as well as provide some changes to help the Security Servers function better.

IPSO-Specific Changes

Each of the following changes should be added to /var/etc/rc.local so they will be active across reboots. Most of these changes increase the performance of the Security Servers (which benefit from increased packet sizes) and also help general TCP/IP traffic.

ipsctl ?w net:ip:tcp:sendspace 65535 # TCP/IP specific changes
ipsctl ?w net:ip:tcp:recvspace 65535
ipsctl ?w net:ip:tcp:default_mss 1460 # Should be MTU minus 40 bytes

Solaris-Specific Changes

All ndd commands listed in this section should be added to an rc startup script. My suggestion is to create a new one, such as /etc/rc2.d/S99nddcmds.

The following commands force 100MB full duplex on hme-type interfaces and will disable autonegotiation. You can also do this on qfe-type interfaces as well by replacing /dev/hme with /dev/qfe in the following commands:

ndd -set /dev/hme adv_autoneg_cap 0
ndd -set /dev/hme adv_100fdx_cap 1

The following commands tune the TCP stack with optimal settings:

ndd -set /dev/tcp tcp_xmit_hiwat 65535
ndd -set /dev/tcp tcp_recv_hiwat 65535
ndd -set /dev/tcp tcp_cwnd_max 65535
ndd -set /dev/tcp tcp_slow_start_initial 2
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
ndd -set /dev/tcp tcp_close_wait_interval 60000

Additionally, you should add the following to /etc/system and reboot:

set tcp:tcp_conn_hash_size = 16384

Windows NT?Specific Changes

All of the following changes apply to Windows NT Server 4.0, not Windows 2000.

  1. Set the Windows NT memory strategy to Maximize Throughput for Network Applications. By default it is set to Maximize Throughput for File Sharing, which allocates all available Windows NT memory to file caching. To change this setting, go to Control Panel, select Network, and then select Server.

  2. Next, disable all unnecessary services and drivers. If you followed the suggestions for securing a Windows NT box in Appendix A, you have done most of this already.

  3. If you are using the Security Servers, you should disable performance boost for foreground applications. Go to Control Panel, select System, and then select Performance. Move the Application Performance slider to None.

  4. The Page file (i.e., swap) should be a fixed size at least twice the size of physical RAM and should exist on another (preferably dedicated) drive.

  5. TCP/IP should be tuned for maximum performance. You need to employ regedt32 to make the following changes.

    Parameters\ForwardBufferMemory = 296960

    This REG_DWORD must be a multiple of 256 and be set to a default of 74240. This is the size of the buffer the IP stack allocates to store packet data in the router queue. The default value is enough for 50 1,480-byte packets.

    Parameters\NumForwardPackets = 200

    This REG_DWORD has a default of 50. This corresponds to the number of IP headers allocated for router queue. It should be at least as large as the ForwardBufferMemory/IP data size of the network. Increasing these two parameters can have a significant effect on throughput, especially with slow policies.


    This REG_DWORD has a default of 8760 for Ethernet. A larger TCP receive window size improves performance over high-speed networks. For highest efficiency, the TCP window size should be an even multiple of TCP Maximum Segment Size (MSS), which is usually 1460 for Ethernet.

    Parameters\MaxFreeTcbs = 4000

    This REG_DWORD has a default of 2000 and corresponds to the TCP TIME_WAIT table size.

    Parameters\MaxHashTableSize = 65536

    This REG_DWORD should be a power of 2 and corresponds to the hash value for the TCP TIME_WAIT table size.

    Parameters\MaxUserPort = 65534

    This REG_DWORD with a default value of 5000 increases the number of TCP user ports available to applications, which prevents the Security Servers from running out of ports to use.

  6. Improve the CPU servicing of interrupts generated by network interface cards (NICs). Change the Processor Affinity Mask using regedt32:

    Parameters\ProcessorAffinityMask = 0
  7. Tune the specific vendor NIC's parameters for maximum performance. Note that not all vendors allow you to tune these variables, or the variables may have slightly different names. Go to Control Panel, select Network, select Adapter Properties, and then select Advanced. The actual performance gain will vary depending on the types of traffic. You may want to adjust these parameters for maximum performance gain; otherwise, use these suggestions:

    Receive Buffers = 256

    Transmit Control Blocks = 64

    Coalesce Buffers = 16

  8. If you are using encryption, make the following registry changes with regedt32:

    FW1\ Parameters\PacketPoolSize = 3000 (default of 1000)
    FW1 \parameters\BufferPoolSize = 6000
                      (default of 2000, should be 2xPacketPoolSize)