
Alcatel-Lucent OmniAccess 5740 Cli Configuration Guide

Alcatel-Lucent OmniAccess 5740
1225 pages
Filter and Firewall
OmniAccess 5740 Unified Services Gateway CLI Configuration Guide
Alcatel-Lucent
ICMP RULES
ICMP packets can be forged to trick computers into redirecting their
communications, stopping all communications, or even crashing. Keep the
following rules in mind when creating policies for ICMP:
• Allow source quench: this tells an external host when the local network is saturated
• Allow echo request outbound
• Allow echo reply inbound
• Allow destination unreachable inbound
• Allow service unavailable inbound
• Allow TTL exceeded inbound
• Drop echo request inbound
• Drop and log redirect inbound
• Drop destination unreachable outbound
• Drop service unavailable outbound
• Drop TTL exceeded outbound
• Drop all other ICMP packets.
IP RULES
These are some rules that you would want to configure for all packets, regardless
of whether they contain TCP or UDP traffic.
• Drop all packets arriving on the internal interface whose source field indicates
that the packet came from outside the network.
• Drop all incoming packets to interior computers that have no externally accessible
service.
• Drop and log all private addresses arriving on the external interface. As per RFC
1918, the address blocks 10.0.0.0 to 10.255.255.255, 172.16.0.0 to
172.31.255.255 and 192.168.0.0 to 192.168.255.255 are reserved for private
allocation. Hence, any packet arriving with one of these source addresses on the
interface connected to the Internet should be dropped and logged. If such packets
occur, it might be because some hacking is taking place.
UDP RULES
Once the rules for generic IP traffic are in place, it is better to add some UDP
rules to block egregious security holes, such as X-Windows. Each of these UDP
rules specifically denies a port or range of ports:
• Drop packets using ports below 21: there are no services below port 21 that an
average Internet user finds useful.
• Drop X-Windows (packets using ports 6000-6003). It is possible for a hacker to
control the mouse and keyboard of a host inside the network.
• Drop SNMP (packets using ports 161 and 162).
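
The IP and UDP rules above can be checked against sample traffic before they are entered on a gateway. The following Python model is an added example, not OmniAccess CLI syntax and not code from this guide; the internal prefix, the published host, the sample packets and the choice to match UDP rules on the destination port are assumptions.

```python
import ipaddress

# Assumed for this example (not from the manual): the internal prefix and the
# single interior host that offers an externally accessible service.
INTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")
PUBLIC_HOSTS = {ipaddress.ip_address("203.0.113.10")}

# RFC 1918 private blocks in prefix form.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# UDP deny list from the section: ports below 21, SNMP, X-Windows.
UDP_DENY = [range(0, 21), range(161, 163), range(6000, 6004)]


def evaluate(iface, src, dst, proto=None, dport=None):
    """Return (action, log) for a packet seen on 'internal' or 'external'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "internal" and src not in INTERNAL_NET:
        return ("drop", False)   # source field says the packet came from outside
    if iface == "external":
        if any(src in net for net in RFC1918):
            return ("drop", True)    # private source on the Internet side: log it
        if dst in INTERNAL_NET and dst not in PUBLIC_HOSTS:
            return ("drop", False)   # interior host with no published service
    # Assumption: the port rules are matched on the destination port.
    if proto == "udp" and any(dport in r for r in UDP_DENY):
        return ("drop", False)
    return ("allow", False)


# Constructed sample packets: (interface, source, destination, protocol, port).
SAMPLES = [
    ("internal", "203.0.113.25", "198.51.100.7", "udp", 53),
    ("internal", "198.51.100.9", "198.51.100.7", "udp", 53),
    ("external", "172.31.255.255", "203.0.113.10", "udp", 53),
    ("external", "172.32.0.1", "203.0.113.10", "udp", 53),
    ("external", "198.51.100.9", "203.0.113.77", "udp", 53),
    ("external", "198.51.100.9", "203.0.113.10", "udp", 6002),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(*pkt))
```

The third and fourth samples sit on either side of the upper boundary of the 172.16.0.0/12 block, which is where a hand-written address range is most likely to be wrong.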
