Chapter 2 Managing BTS Users and Commands Using EMS

Solaris OS Security and BTShard Package

The following UNIX accounts are to be LOCKED but not removed from the system: lp, uucp, nuucp, nobody, listen, and any other Cisco support accounts not used in the normal course of field operation. Services managed by root are the only accounts allowed to utilize one of these identities. This is the default behavior.

Modifications to the Solaris kernel parameters were made to close potential breaches in the OS. These types of security precautions are most often geared toward “denial of service” attacks. Such attacks create situations that degrade the performance of a system and, as a result, prevent the critical applications from delivering the service they are designed to provide.

The TCP protocol uses random initial sequence numbers.

All failed login attempts are logged.

The following users are not allowed direct FTP access to the machine: root, daemon, bin, sys, adm, nobody, and noaccess.

A root user cannot telnet directly to the machine. Direct root user access is granted to the console only. A user who wants to access the root account must use the su command from a nonprivileged account.

The break key (<STOP> <A>) on the keyboard is disabled.

IP_FORWARD_DIRECTED_BROADCASTS—This option determines whether to forward broadcast packets directed to a specific net or subnet, if that net or subnet is directly connected to the machine. If the system is acting as a router, this option can be exploited to generate a great deal of broadcast network traffic. Turning this option off helps prevent broadcast traffic attacks. The Solaris default value is 1 (True). For example:

ip_forward_directed_broadcasts=0

IP_FORWARD_SRC_ROUTED—This option determines whether to forward packets that are source routed. These packets define the path the packet should take instead of allowing network routers to define the path. The Solaris default value is 1 (True). For example:

ip_forward_src_routed=0

IP_IGNORE_REDIRECT—This option determines whether to ignore the ICMP packets that define new routes. If the system is acting as a router, an attacker may send redirect messages to alter routing tables as part of a sophisticated attack (man-in-the-middle attack) or a simple denial of service. The Solaris default value is 0 (False). For example:

ip_ignore_redirect=1

IP_IRE_FLUSH_INTERVAL—This option determines how long a specific route entry is kept, even if it is currently in use. Address Resolution Protocol (ARP) attacks may be effective with the default interval. Shortening the time interval may reduce the effectiveness of such attacks. The default interval is 1200000 milliseconds (20 minutes). For example:

ip_ire_flush_interval=60000

IP_RESPOND_TO_ADDRESS_MASK_BROADCAST—This option determines whether to respond to ICMP netmask requests, typically sent by diskless clients when booting. An attacker may use the netmask information for determining network topology or the broadcast address for the subnet. The default value is 0 (False). For example:

ip_respond_to_address_mask_broadcast=0
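To confirm that the five settings above are actually in effect on a running host (a patch or reboot can quietly revert them), the following POSIX sh audit is an added example, not part of the Cisco guide or the BTShard package. It assumes the Solaris ndd command; the NDD_CMD hook and the sample_ndd stand-in are my own additions so the check can be dry-run off-box.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): audit the live Solaris IP settings
# against the hardened values listed above and report any drift.
# Expected values as given on this page: name=value, one per line.
EXPECTED="ip_forward_directed_broadcasts=0
ip_forward_src_routed=0
ip_ignore_redirect=1
ip_ire_flush_interval=60000
ip_respond_to_address_mask_broadcast=0"

# get_param NAME: read the live value. NDD_CMD is an assumed hook so the same
# check can be pointed at a constructed sample (sample_ndd below) off-box.
get_param() {
    "${NDD_CMD:-ndd}" -get /dev/ip "$1"
}

# sample_ndd: constructed stand-in for ndd describing a host where
# ip_ignore_redirect was left at the Solaris default of 0. Not real output.
sample_ndd() {
    case "$3" in
        ip_forward_directed_broadcasts)       echo 0 ;;
        ip_forward_src_routed)                echo 0 ;;
        ip_ignore_redirect)                   echo 0 ;;
        ip_ire_flush_interval)                echo 60000 ;;
        ip_respond_to_address_mask_broadcast) echo 0 ;;
        *) echo "unknown parameter $3" >&2; return 1 ;;
    esac
}

# audit_ip_params: print OK/DRIFT per parameter; sets DRIFT_COUNT and returns it
# (0 means every setting matches, so it can gate a cron or post-patch check).
audit_ip_params() {
    DRIFT_COUNT=0
    for entry in $EXPECTED; do
        name=${entry%%=*}
        want=${entry#*=}
        have=$(get_param "$name" 2>/dev/null) || have="unreadable"
        if [ "$have" = "$want" ]; then
            echo "OK    $name=$have"
        else
            echo "DRIFT $name=$have (expected $want)"
            DRIFT_COUNT=$((DRIFT_COUNT + 1))
        fi
    done
    return "$DRIFT_COUNT"
}
# On the BTS host run with the real ndd; set NDD_CMD=sample_ndd for a dry run.
audit_ip_params || echo "$DRIFT_COUNT setting(s) differ from the BTShard values" >&2
```

A parameter that ndd cannot read is reported as DRIFT with the value "unreadable" rather than silently passing, so a renamed or missing tunable also shows up.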

Cisco BTS 10200 Softswitch Operations and Maintenance Guide, Release 6.0.x

2-8

OL-16000-07
