6-15
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Chapter 6 Edit Interface/Connection
General
replies to the falsified source. By sending a continuous stream of such requests,
the attacker can create a much larger reply stream, which can completely inundate
the host whose address is being falsified.
Disabling IP directed broadcasts drops directed broadcasts that would otherwise
be “exploded” into link-layer broadcasts at that interface.
IP Proxy ARP
ARP is used by the network to convert IP addresses into MAC addresses.
Normally ARP is confined to a single LAN, and a router can act as a proxy for
ARP requests, making ARP queries available across multiple LAN segments.
Because it breaks the LAN security barrier, proxy ARP should be used only
between two LANs with an equal security level, and only when necessary.
IP Route Cache-Flow
This option enables the Cisco IOS Netflow feature. Using Netflow, you can
determine packet distribution, protocol distribution, and current flows of data on
the router. This information is useful for certain tasks, such as searching for the
source of a spoofed IP address attack.
Note The IP Route Cache-Flow option enables Netflow on both inbound and outbound
traffic. To enable Netflow on either inbound traffic or outbound traffic, use the
Netflow options available on the Application Service tab.
IP Redirects
ICMP redirect messages instruct an end node to use a specific router as a part of
its path to a particular destination. In a properly functioning IP network, a router
sends redirects only to hosts on its own local subnets, no end node will ever send
a redirect, and no redirect will ever traverse more than one network hop. However,
an attacker may violate these rules. Disabling ICMP redirects has no negative
impact on the network and can eliminate redirect attacks.
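The four options above (IP directed broadcasts, IP proxy ARP, IP route cache-flow and IP redirects) each correspond to an IOS interface command (ip directed-broadcast, ip proxy-arp, ip route-cache flow and ip redirects, each negated with no). A defender reviewing a router after configuring it through SDM usually wants to confirm the resulting running configuration per interface rather than trust the checkboxes. The following Python audit script is an added example, not part of this guide or of SDM; it parses a constructed show running-config excerpt, resolves each feature to enabled or disabled, and flags interfaces that still leave directed broadcasts, proxy ARP or ICMP redirects on. The defaults it applies when a stanza carries no line for a feature (directed broadcast off, proxy ARP on, ICMP redirects on, NetFlow off) are an assumption about IOS 12.0 and later behaviour, so check them against your platform before relying on the result.

```python
from typing import Dict, List, Optional

# Constructed sample of a 'show running-config' excerpt; not taken from the guide.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/0
 description Outside link (constructed sample)
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
 ip route-cache flow
!
interface FastEthernet0/1
 description Inside LAN (constructed sample)
 ip address 192.168.1.1 255.255.255.0
 no ip proxy-arp
 no ip redirects
 ip route-cache flow
!
interface Serial0/0/0
 ip address 198.51.100.2 255.255.255.252
 no ip proxy-arp
 no ip redirects
 no ip directed-broadcast
!
"""

# feature name -> (interface command, state assumed when the stanza has no line).
# Assumption: IOS 12.0+ defaults; verify on your own platform.
FEATURES = {
    "directed-broadcast": ("ip directed-broadcast", False),
    "proxy-arp": ("ip proxy-arp", True),
    "redirects": ("ip redirects", True),
    "netflow": ("ip route-cache flow", False),
}

# Features the guide recommends disabling. NetFlow is reported but not flagged,
# because turning it on is a visibility choice rather than a hardening step.
SHOULD_BE_OFF = ("directed-broadcast", "proxy-arp", "redirects")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS configuration into {interface name: [stanza lines]}."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return stanzas


def _matches(line: str, cmd: str) -> bool:
    # Exact command or command followed by arguments (e.g. an ACL number).
    return line == cmd or line.startswith(cmd + " ")


def feature_state(lines: List[str]) -> Dict[str, bool]:
    """Resolve each feature to enabled/disabled, starting from the assumed default."""
    state: Dict[str, bool] = {}
    for name, (cmd, default) in FEATURES.items():
        enabled = default
        for line in lines:
            if _matches(line, cmd):
                enabled = True
            elif _matches(line, "no " + cmd):
                enabled = False
        state[name] = enabled
    return state


def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for interfaces that leave a risky feature on."""
    findings: Dict[str, List[str]] = {}
    for iface, lines in parse_interfaces(config).items():
        state = feature_state(lines)
        issues = [f"{feature} enabled" for feature in SHOULD_BE_OFF if state[feature]]
        if issues:
            findings[iface] = issues
    return findings


if __name__ == "__main__":
    for iface, issues in audit(SAMPLE_CONFIG).items():
        print(f"{iface}: {', '.join(issues)}")
```

In the constructed sample only FastEthernet0/0 is flagged: it explicitly enables directed broadcasts and, having no line for proxy ARP or redirects, inherits the enabled defaults. Feed the script the text of show running-config from the router to check the interfaces SDM configured.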