Paradyne Routers manual Security, IP Filtering, Land Bug/Smurf Attack Prevention


Configuring the DSL Router

Security

The DSL router offers security via the following:

- IP Filtering: Can be enabled or disabled.

- Land Bug/Smurf Attack Prevention: Always present.

IP Filtering

NOTE:

All Hotwire DSL Router filters are configured on the Hotwire DSL card.

By default, filtering is disabled on the Hotwire DSL card for the DSL router.

If enabled, filtering provides security advantages on LANs by restricting traffic on the network and hosts based on the IP source and/or destination addresses.

IP packets can be filtered based on:

- Destination IP Address

- IP Protocol Type

- Source and Destination Port Number (if applicable)

- Source IP Address

- TCP Filter (prevents the receipt of downstream TCP connect requests)

NOTE:

If the Source IP Address filter is enabled on the Hotwire card and an IP address is assigned to the DSL interface, there must also be an entry configured in the Hotwire Client Table for the DSL interface's IP address.

For more information about IP filtering, see the Hotwire MVL, RADSL, IDSL, and SDSL Cards, Models 8310/8312, 8510/8373/8374, 8303/8304, and 8343/8344, User's Guide.

Land Bug/Smurf Attack Prevention

Land Bug and Smurf Attack prevention are enhanced firewall features provided by the DSL Router:

- Land Bug: The DSL router drops all packets received on its DSL interface or Ethernet interface when the source IP address is the same as the destination IP address. This prevents the device from being kept busy by constantly responding to itself.

- Smurf Attack: The DSL Router will not forward directed broadcasts on its DSL and Ethernet interfaces, nor will it send an ICMP echo reply to the broadcast address. This ensures that a legitimate user will be able to use the network connection even if ICMP echo/reply (smurf) packets are sent to the broadcast address.
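
The two drop rules above can be expressed as a small packet classifier. This is an added example, not code from the manual or from the router's firmware; the function names, verdict strings, the sample networks in NETS, and the handling of malformed input are assumptions made for illustration.

```python
import ipaddress
import struct

ICMP, ICMP_ECHO_REQUEST = 1, 8
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
# Constructed sample: networks on the Ethernet and DSL interfaces.
NETS = [ipaddress.ip_network("192.0.2.0/24"),
        ipaddress.ip_network("198.51.100.0/24")]

def build_ipv4(src, dst, proto, payload=b""):
    """Constructed test packet: 20-byte IPv4 header (checksum 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def verdict(packet, attached_nets=NETS):
    """Classify one received IPv4 packet against the two rules above."""
    # Assumption (not in the manual): truncated or non-IPv4 input is dropped.
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop-malformed"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "drop-malformed"
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])

    # Land Bug: source address equals destination address.
    if src == dst:
        return "drop-land"

    # A directed broadcast targets the broadcast address of an attached subnet.
    directed = any(net.prefixlen < 31 and dst == net.broadcast_address
                   for net in attached_nets)
    is_echo = (proto == ICMP and len(packet) > ihl
               and packet[ihl] == ICMP_ECHO_REQUEST)

    # Smurf: no echo reply to any broadcast address...
    if is_echo and (directed or dst == LIMITED_BROADCAST):
        return "drop-echo-to-broadcast"
    # ...and no forwarding of directed broadcasts of any protocol.
    if directed:
        return "drop-directed-broadcast"
    return "accept"
```

The Land Bug check runs first, so a packet whose source and destination are both a broadcast address is still reported as drop-land.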

6371-A2-GB20-10

August 2000
