Implement Access Control Lists
Properly implemented access control lists (ACLs) on your routers provide packet-filtering capabilities without the stateful functionality of a full-featured firewall. Consequently, I think of ACLs on routers as being part of a firewall system, where the router performs initial packet filtering in front of a firewall that provides the full-bore stateful filtering or application proxy functionality. Implementing ACLs, including specific examples, will be covered in much more detail in Chapter 6. However, here are some types of access you should filter with your ACLs immediately:
- Block RFC1918 addresses at your perimeter, including the following:
  - 0.0.0.0/8
  - 10.0.0.0/8
  - 169.254.0.0/16
  - 172.16.0.0/20
  - 192.168.0.0/16
- Block bogon addresses. The term bogon refers to packets addressed to/from a bogus network. Bogons represent the addresses that have not been allocated by the Internet Assigned Numbers Authority (IANA) and Regional Internet Registries (RIRs) to Internet service providers (ISPs) or organizations for use. A current list of bogon networks can be found at http://www.iana.org/assignments/ipv4-address-space. Any entry marked reserved or unallocated should be blocked as a bogon. You will need to periodically update the bogons you are blocking because those addresses get assigned to legitimate ISPs and organizations for use.
- Implement spoof protection.
- Implement TCP SYN attack protection.
- Implement LAND attack protection.
- Implement Smurf attack protection.
- Implement ICMP filtering.
- Block multicast traffic if it is not needed.
- Implement ACLs to control Virtual Type Terminal (VTY) access (Telnet and SSH).
- Implement ACLs to control who can manage the router via SNMP.
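As an added illustration (not from the book), the following Python model evaluates a perimeter filter built from the list above: it denies the private and reserved prefixes exactly as listed, a bogon stand-in, multicast, and spoofed sources in both directions. The organisation's public block 203.0.113.0/24, the bogon entry and the sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Prefixes the list above says to block at the perimeter (copied as given).
PRIVATE_AND_RESERVED = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/20", "192.168.0.0/16")]
# Constructed bogon stand-in (240/4 is an IANA reserved block); a real deployment
# refreshes this list from the IANA registry as allocations change.
BOGONS = [ipaddress.ip_network("240.0.0.0/4")]
# Assumption: the public block this organisation owns (a documentation range).
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")

@dataclass
class Packet:
    src: str
    dst: str
    iface: str  # "outside" (Internet-facing) or "inside"

def filter_packet(pkt):
    """Return 'permit' or a 'deny: <reason>' string for one packet."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.iface == "outside":
        # Spoof protection: traffic from the Internet may never claim our addresses.
        if src in OUR_PREFIX:
            return "deny: spoofed internal source"
        if any(src in net for net in PRIVATE_AND_RESERVED):
            return "deny: private/reserved source"
        if any(src in net for net in BOGONS):
            return "deny: bogon source"
        if dst.is_multicast:  # block multicast unless it is actually needed
            return "deny: multicast"
    elif src not in OUR_PREFIX:
        # Egress spoof protection: only our own prefix may leave toward the Internet.
        return "deny: egress spoof"
    return "permit"

# Constructed sample packets (src, dst, arriving interface).
SAMPLE = [Packet("10.1.2.3", "203.0.113.5", "outside"),
          Packet("203.0.113.9", "203.0.113.5", "outside"),
          Packet("245.1.1.1", "203.0.113.5", "outside"),
          Packet("198.51.100.7", "224.0.0.9", "outside"),
          Packet("198.51.100.7", "203.0.113.5", "outside"),
          Packet("10.0.0.1", "198.51.100.7", "inside")]

def run_sample():
    """Apply the filter to every sample packet and return the verdicts."""
    return [(p.src, p.dst, p.iface, filter_packet(p)) for p in SAMPLE]
```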
Turn Off Unnecessary Features and Services
One point of security that has been hammered on within the desktop/server world is the need to turn off unnecessary services. Unfortunately, people commonly overlook the fact that it is not just the desktops and servers that are potentially running unnecessary services: your network devices are also likely doing this. Detailed configuration examples of how to turn off services will be covered in the device-specific chapters of this book (for example, Chapter 6 for your routers and switches). However, here is a list of services you should look for on your network equipment and turn off if you are not actively using them:
- Cisco Discovery Protocol (CDP)
- TCP and UDP small servers
- Finger server
- HTTP server
- Bootp server
- Network Time Protocol (NTP) service
- Simple Network Management Protocol (SNMP) services
- Configuration auto-loading
- IP source routing
- Proxy ARP
- IP directed broadcast
- IP unreachable, redirects, and mask replies
- Router name and DNS name resolution services
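As an added example, not the book's own, the following Python audit reads an IOS-style running-config and reports which of the services above are still enabled. The IOS command forms are assumed from general knowledge (the book names the services, not the commands), and the sample config is constructed.

```python
# IOS command forms are assumed from general knowledge; the page names the
# services to disable, not the commands. Global-mode lines we expect to see:
GLOBAL_REQUIRED = {
    "CDP": "no cdp run", "TCP small servers": "no service tcp-small-servers",
    "UDP small servers": "no service udp-small-servers", "finger": "no ip finger",
    "HTTP server": "no ip http server", "bootp server": "no ip bootp server",
    "config auto-loading": "no service config", "source routing": "no ip source-route",
    "DNS lookup": "no ip domain-lookup",
}
# Lines expected under every interface stanza.
INTERFACE_REQUIRED = {
    "proxy ARP": "no ip proxy-arp", "directed broadcast": "no ip directed-broadcast",
    "unreachables": "no ip unreachables", "redirects": "no ip redirects",
    "mask reply": "no ip mask-reply",
}
# Line prefixes whose presence means a listed service is configured at all.
GLOBAL_FORBIDDEN = {"SNMP": "snmp-server community ", "NTP": "ntp server "}

def audit_config(text):
    """Return sorted findings for an IOS-style running-config string."""
    lines = text.splitlines()
    globals_ = [l.strip() for l in lines if l and not l.startswith(" ")]
    findings = [f"{n}: missing '{c}'" for n, c in GLOBAL_REQUIRED.items() if c not in globals_]
    findings += [f"{n}: configured; remove if unused" for n, p in GLOBAL_FORBIDDEN.items()
                 if any(l.startswith(p) for l in globals_)]
    stanzas, current = {}, None  # interface name -> its indented body lines
    for l in lines:
        if l.startswith(" ") and current is not None:
            stanzas[current].append(l.strip())
        elif l.startswith("interface "):
            current = l.split(None, 1)[1]
            stanzas[current] = []
        else:
            current = None
    for ifname, body in stanzas.items():
        findings += [f"{ifname}: {n} still enabled ('{c}')"
                     for n, c in INTERFACE_REQUIRED.items() if c not in body]
    return sorted(findings)

# Constructed sample running-config, only partly hardened.
SAMPLE_CONFIG = """\
no service tcp-small-servers
no ip finger
no ip source-route
snmp-server community public RO
interface FastEthernet0/0
 no ip proxy-arp
 no ip redirects
!
"""
```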
Implement Virus Protection
Virus protection and implementing virus protection typically fall within the realm of the server/desktop administrator. Indeed, in large environments, if you are responsible for the network infrastructure, you may never be involved in any virus-protection discussions. Unfortunately, today's worms and viruses are having a larger impact on the network infrastructure, which means you need to become concerned with the status of virus protection on your network. In addition, you can install virus-protection gateway devices and virus-protection applications in conjunction with your existing firewalls and gateways to prevent viruses from entering your network. You should be involved in advocating these systems being implemented.
The methods that many of the worms use to self-replicate (for example, by scanning an entire subnet and attempting to connect to every IP address on that subnet) have the uncanny ability to result in a denial of service (DoS) on many routers. The reason for this is pretty straightforward. When a router receives a packet destined for a subnet that it is directly connected to, the router will generate an ARP request for the destination MAC address. In the case of these worms, often the destination is not online, but the router has no way of knowing this and issues the ARP request anyway. The router then must wait for a response, or wait for the ARP request to time out, before it can drop the packet in question. As the router gets hit with thousands of these requests, it fills its buffers and input/output queues with these packets waiting for the timeout periods to occur. Often this consumes the entire free RAM on a router. The end result is that the router starts dropping legitimate traffic because it cannot queue the traffic, and/or the router will no longer accept VTY sessions because it does not have enough free RAM to house those sessions. Both of these circumstances result in a DoS against the router. In fact, when you think about it, the way that these worms work is a great example of just how effective a distributed denial of service (DDoS) attack can be.
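To illustrate the mechanism just described with an added example (not from the book), the Python below takes a constructed record of router ARP activity, counts how many incomplete ARP entries the router is holding at a given moment, and flags the source whose traffic caused many unresolved lookups for distinct targets, which is the sweep signature described above. The subnet, hosts and timings are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of router ARP activity on its directly connected subnet
# 203.0.113.0/24: (seconds, packet source, packet destination, ARP answered?).
# 198.51.100.77 plays the infected host sweeping addresses that do not exist;
# 198.51.100.5 is a normal client talking to a live server.
SAMPLE_ARP = (
    [(0.5 * i, "198.51.100.77", f"203.0.113.{100 + i}", False) for i in range(7)]
    + [(1.0, "198.51.100.5", "203.0.113.10", True),
       (2.0, "198.51.100.5", "203.0.113.250", False)]
)

def incomplete_entries(events, at, timeout=30.0):
    """ARP requests still pending at time `at`: unanswered ones issued within the
    last `timeout` seconds. The router buffers the triggering packet for each one,
    which is the resource the text describes being exhausted."""
    return sum(1 for t, _, _, answered in events
               if not answered and at - timeout < t <= at)

def find_sweepers(events, window=10.0, threshold=5):
    """Return {source: peak number of distinct unresolved destinations seen within
    any `window` seconds} for sources at or above `threshold`."""
    recent = defaultdict(deque)  # source -> (time, destination) of unresolved lookups
    peaks = {}
    for t, src, dst, answered in sorted(events):
        if answered:
            continue
        q = recent[src]
        q.append((t, dst))
        while q and t - q[0][0] > window:  # slide the window forward
            q.popleft()
        distinct = len({d for _, d in q})
        peaks[src] = max(peaks.get(src, 0), distinct)
    return {s: n for s, n in peaks.items() if n >= threshold}
```

On the sample, the pending-entry count at three seconds is already eight for just two talkers; scale the sweeper up to a full /24 and the queue growth the text describes follows directly.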
One Step Further
I know of a number of companies that have invested heavily in virus protection for their Windows-based systems but run no virus protection on their Unix and Linux systems. As Linux, in particular, continues to gain market share, it is only a matter of time before more Linux-based viruses are written and distributed. Do not overlook the risk of not protecting your Unix/Linux systems. Viruses are not uniquely a Windows problem.
If you are not running virus protection on all your systems (Windows, Unix, Linux, and Macintosh based), you need to be.
Don't forget your gateway virus protection when talking about implementing virus protection on all your systems. This allows you to catch and stop a significant number of viruses attempting to enter your network at your network ingress points. TrendMicro, Network Associates, and Symantec all have gateway virus protection you can implement. Don't overlook the value of implementing virus protection on your gateways and firewalls.
The only way to effectively prevent your network from being susceptible to virus- and worm-based DDoS attacks is to keep the systems that propagate the worms from being infected in the first place and to attempt to prevent the viruses from entering your network to begin with.