Appendix B Configuration for Common Criteria EAL
Installer's Guide B
To disable this default policy on the NetScreen-5XP and -5XT, enter the
following CLI command:
unset policy id 0
• NetScreen devices must be configured to screen for all types of Denial of Service
(DoS) attacks and attack signatures on every security zone, so that these attacks
cannot reach the LAN. See Chapter 2, “Zones,” in Volume 2 of the
NetScreen Concepts & Examples manual for more information on configuring the
Screen functions and for descriptions of the attacks that the Screen functions are
designed to prevent.
You must turn on IP spoofing protection and enable dropping of traffic for which
there is no route back to the source, by using the following command:
set zone zone screen ip-spoofing drop-no-rpf-route
where zone is the name of the zone (for example, trust or untrust). See the zone
commands in the NetScreen CLI Reference Guide for more information.
The screening options that are enabled by default for interfaces in the Untrust
security zone in ScreenOS 4.0 are listed below:
Tear-drop Attack Protection on
SYN Flood Protection (200) on
    Alarm Threshold: 512
    Queue Size: 1024
    Timeout Value: 20
    Source Threshold: 4000
    Destination Threshold: 4000
    Drop unknown MAC (transparent mode only): no
Ping-of-Death Protection on
Source Route IP Option Filter on
Land Attack Protection on
All other security zones have no screens enabled by default. The CLI command
below enables all screens on a per-zone basis; the setting is applied to every
interface within that zone:
set zone name screen all
The command set zone name screen all enables all screen functions on all
interfaces that are configured within the zone. For the purposes of Common
Criteria, you must run the following two commands to protect the internal and
external interfaces:
set zone untrust screen all
set zone trust screen all
You must run the same command for each additional security zone that is
configured and used.
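Because the screen and default-policy requirements above must hold for every zone that is configured, a saved configuration is easy to check mechanically before the device is put into the evaluated state. The following Python audit is an added example written for this appendix; it is not code from the guide or from NetScreen. It reads a text dump of the configuration and reports, per zone, which of the two required screen commands is absent, and whether the default policy (id 0) is still present. The sample configuration is constructed, the zone names trust/untrust/dmz are assumptions, and it is likewise an assumption that the default policy appears in a dump as a line beginning with "set policy id 0".

```python
import re

# Constructed sample of a ScreenOS configuration dump (not taken from the guide).
# Only command forms that appear in the appendix are used; zone names are assumed.
SAMPLE_CONFIG = """\
set zone untrust screen all
set zone untrust screen ip-spoofing drop-no-rpf-route
set zone trust screen ip-spoofing drop-no-rpf-route
set zone dmz screen ip-spoofing drop-no-rpf-route
set policy id 0 from trust to untrust any any any permit
"""

# Matches "set zone <name> <rest>"; the zone name may be quoted in some dumps.
ZONE_LINE = re.compile(r'^set zone\s+"?([^"\s]+)"?\s+(.*)$')

REQUIRED_SCREENS = ("screen all", "screen ip-spoofing drop-no-rpf-route")


def audit_config(config_text):
    """Return {zone: [missing screen commands]} plus a 'policy' entry when
    the default policy id 0 is still present (assumed dump format)."""
    zones = {}
    default_policy_present = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("set policy id 0 "):
            default_policy_present = True
            continue
        m = ZONE_LINE.match(line)
        if not m:
            continue
        zone, rest = m.group(1).lower(), m.group(2).strip()
        seen = zones.setdefault(zone, set())
        if rest in REQUIRED_SCREENS:
            seen.add(rest)

    findings = {}
    for zone, seen in sorted(zones.items()):
        missing = [s for s in REQUIRED_SCREENS if s not in seen]
        if missing:
            findings[zone] = missing
    if default_policy_present:
        findings["policy"] = ["default policy id 0 still present"]
    return findings


def remediation_commands(findings):
    """Translate audit findings into the CLI commands the appendix prescribes."""
    cmds = []
    for zone, missing in findings.items():
        if zone == "policy":
            cmds.append("unset policy id 0")
            continue
        for item in missing:
            cmds.append(f"set zone {zone} {item}")
    return cmds


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for zone, missing in result.items():
        print(f"{zone}: missing {', '.join(missing)}")
    for cmd in remediation_commands(result):
        print("  ->", cmd)
```

The audit deliberately checks the ip-spoofing drop-no-rpf-route command separately from screen all, because the appendix requires both to be entered; a zone that has only screen all is therefore reported as incomplete rather than silently accepted. On the constructed sample, trust and dmz are flagged for lacking screen all, untrust passes, and the lingering default policy yields the unset policy id 0 remediation.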
• NetScreen device administrators must choose logins and passwords that are not
only long (at least 8 characters), but that also employ as many types of
characters as possible. Passwords are case sensitive, so mixing lower case and
upper case is required to ensure proper protection. In addition, user names and