Security - Best Practices
Alcatel-Lucent
OmniAccess 5740 Unified Services Gateway CLI Configuration Guide
TCP RULES
TCP rules work like UDP rules, with one important difference: the ACK bit can be 
used to stop connections from being initiated from one direction or the other. 
Every TCP segment after the initial SYN of a handshake carries the ACK bit, so 
dropping inbound packets with the ACK bit cleared for a given port permits only 
outbound connections to that port while still passing the subsequent data traffic 
of connections opened from inside, all of which has the ACK bit set. Some of the 
important rules are listed below:
• Drop packets using ports below 21, as in the corresponding UDP rule.
• Drop X-Window traffic, as in the corresponding UDP rule.
• Disallow incoming telnet connections (incoming connection attempts to port 23). 
Use SSH (port 22) instead: it encrypts the session, whereas telnet sends 
credentials and data in clear text.
• Specifically allow any internal services that use ports greater than 1023, so that 
a subsequent rule can stop backdoor software such as Back Orifice, which opens a 
port on an internal host for unauthorized remote control of the computer.
• Drop SYN packets from outside to internal ports above 1023; most legitimate 
services are configured on ports below 1024.
• Disallow incoming FTP data connections, which permits passive-mode FTP only 
(in active mode the outside server opens the data connection back to the client; 
in passive mode the client opens both connections from inside).
• Disallow SMTP connections (port 25) from the outside to any host other than the 
mail server.
• Establish service-destination rules for other services, such as HTTP, so that 
each service is accepted only at the host that provides it.
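The following is an added example and is not part of the guide or of the OmniAccess CLI: a small stateless TCP filter in Python that applies the rules above to constructed segments, using the ACK bit to separate connection attempts from established traffic. The internal network, the mail and web server addresses, the permitted high-port service and the sample segments are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology for this example (assumptions, not from the guide).
INTERNAL_NET = ip_network("10.0.0.0/24")
MAIL_SERVER = ip_address("10.0.0.25")
WEB_SERVER = ip_address("10.0.0.80")
# Internal services that legitimately listen above 1023 (assumed for the
# example): a set of (host, port) pairs that the ">1023 SYN" rule must not hit.
ALLOWED_HIGH_SERVICES = {(WEB_SERVER, 8080)}


@dataclass(frozen=True)
class TcpSegment:
    src: str     # source IP address
    dst: str     # destination IP address
    sport: int   # source port
    dport: int   # destination port
    syn: bool    # SYN flag
    ack: bool    # ACK flag


def is_inbound(seg):
    """True when the segment enters the internal network from outside."""
    return (ip_address(seg.dst) in INTERNAL_NET
            and ip_address(seg.src) not in INTERNAL_NET)


def is_connection_attempt(seg):
    """First segment of a TCP handshake: SYN set, ACK clear.

    Every later segment of the connection carries ACK, which is what lets a
    stateless filter tell a new connection from established traffic.
    """
    return seg.syn and not seg.ack


def decide(seg):
    """Apply the rules in order and return (verdict, reason)."""
    if not is_inbound(seg):
        return ("ACCEPT", "outbound traffic is unrestricted")
    dst = ip_address(seg.dst)

    # Drop packets using ports below 21.
    if seg.dport < 21:
        return ("DROP", "destination port below 21")
    # Drop X-Window traffic (TCP 6000-6063).
    if 6000 <= seg.dport <= 6063:
        return ("DROP", "X-Window")
    # Disallow incoming telnet connections.
    if seg.dport == 23 and is_connection_attempt(seg):
        return ("DROP", "inbound telnet connection")
    # SMTP only to the mail server; HTTP only to the web server.
    if seg.dport == 25:
        return (("ACCEPT", "SMTP to mail server") if dst == MAIL_SERVER
                else ("DROP", "SMTP to non-mail host"))
    if seg.dport == 80:
        return (("ACCEPT", "HTTP to web server") if dst == WEB_SERVER
                else ("DROP", "HTTP to non-web host"))
    # Active-mode FTP data: the outside server opens a connection from port 20.
    if seg.sport == 20 and is_connection_attempt(seg):
        return ("DROP", "active FTP data connection (use passive FTP)")
    if seg.dport > 1023:
        # Explicitly allowed high-port services come first ...
        if (dst, seg.dport) in ALLOWED_HIGH_SERVICES:
            return ("ACCEPT", "allowed high-port service")
        # ... so that this rule can stop backdoors listening on high ports.
        if is_connection_attempt(seg):
            return ("DROP", "SYN to internal port above 1023")
    # ACK set: treated as part of a connection an inside host initiated.
    # Any other new connection attempt is refused by default.
    if seg.ack:
        return ("ACCEPT", "established traffic (ACK set)")
    return ("DROP", "no rule permits this new connection")


# Constructed sample segments; 203.0.113.7 plays the outside host.
SAMPLES = {
    "telnet_in":     TcpSegment("203.0.113.7", "10.0.0.5", 40000, 23, True, False),
    "ssh_out":       TcpSegment("10.0.0.5", "203.0.113.7", 40000, 22, True, False),
    "ssh_reply":     TcpSegment("203.0.113.7", "10.0.0.5", 22, 40000, True, True),
    "backdoor_syn":  TcpSegment("203.0.113.7", "10.0.0.5", 4444, 31337, True, False),
    "high_service":  TcpSegment("203.0.113.7", "10.0.0.80", 50000, 8080, True, False),
    "smtp_to_mail":  TcpSegment("203.0.113.7", "10.0.0.25", 50000, 25, True, False),
    "smtp_to_other": TcpSegment("203.0.113.7", "10.0.0.5", 50000, 25, True, False),
    "active_ftp":    TcpSegment("203.0.113.7", "10.0.0.5", 20, 50001, True, False),
    "x11_in":        TcpSegment("203.0.113.7", "10.0.0.5", 50000, 6000, True, False),
    # An ACK-only probe to port 23 slips past a purely ACK-bit based filter.
    "ack_scan":      TcpSegment("203.0.113.7", "10.0.0.5", 40000, 23, False, True),
}


def verdicts():
    """Verdict for every sample, keyed by the sample name."""
    return {name: decide(seg)[0] for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:14s} {decide(seg)}")
```

The `ack_scan` sample shows the limit of this approach: a segment with ACK set but no SYN is accepted as "established" even though no inside host ever opened that connection, so a stateless ACK-bit filter can be probed and, with spoofing, traversed. That is why the guide goes on to recommend stronger methods such as connection-tracking NAT, which only passes replies to connections it has actually seen.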
Many users feel that the rules above are not enough: a dedicated attacker with 
time and resources can find a way around them. Some of the advanced methods 
you can use are:
NETWORK ADDRESS TRANSLATION
This feature exposes only a handful of IP addresses to the outside world. The 
firewall keeps track of connections and rewrites packet source and destination 
addresses and port values on the fly, so only traffic belonging to a connection 
it has seen is passed back to an inside host.
FRAGMENTATION
Fragmented packets should not be allowed into the network as they are. It is wise 
either to reassemble fragmented packets at the firewall or simply to drop them, 
since legitimate use of fragmentation is now rare. Reassembly is the safer choice: 
only the first fragment carries the TCP or UDP header, so port-based rules cannot 
be evaluated against later fragments unless the packet is reassembled first, 
while a blanket drop also discards the occasional legitimate fragmented packet.
RATE-LIMITING
Rate limiting is a good method of prevention against denial-of-service attacks. 
The most common of them are: