16 Configuring Security on the XSR

This chapter describes the security options available on the XSR including the firewall feature set and methods to protect against hacker attacks.

Features

The following security features are supported on the XSR:

Standard and Extended Access Control Lists (ACLs)

Protection against: LAND attack (destination IP equals source IP), ICMP echo to directed subnet, UDP echo request to directed subnet broadcast, SYN flood, FIN attacks

IP packet with multicast/broadcast source address

Spoofed address checking

TCP server resource release

ICMP traffic filtering based on IP data length, IP offset, and IP fragmentation bits, including:

    Fragmented ICMP traffic

    Large ICMP packets

    Ping of Death attack

Filter TCP traffic with SYN and FIN bits set

AAA services including AAA per port, interface privilege levels, PPP client of AAA, debugging

Firewall feature set

Note: Activating any of the above features will affect system performance.
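The stateless header checks in the list above (LAND, multicast/broadcast source, echo to a directed subnet broadcast, SYN and FIN both set, fragmented and oversized ICMP, Ping of Death) written out as a small Python classifier over constructed packet summaries. This is an added example, not code from the manual or the XSR; the 1024-byte "large ICMP" threshold and the local subnet 192.168.1.0/24 are assumptions, since the page gives no values.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Constructed packet summary: only the header fields the checks need.
@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    total_len: int = 84             # IP total length in bytes (header + data)
    frag_offset: int = 0            # fragment offset in 8-byte units
    more_frags: bool = False        # the MF bit
    tcp_flags: frozenset = field(default_factory=frozenset)

MAX_DATAGRAM = 65535                # largest IPv4 datagram after reassembly
LARGE_ICMP = 1024                   # assumed threshold; the page states no number

def check_packet(pkt, local_subnets=("192.168.1.0/24",)):
    """Return the list of checks the packet trips (empty list if clean)."""
    src, dst = IPv4Address(pkt.src), IPv4Address(pkt.dst)
    # Directed broadcast addresses of the subnets behind this router (assumed).
    directed = {IPv4Network(n).broadcast_address for n in local_subnets}
    findings = []
    if src == dst:
        findings.append("LAND: source equals destination")
    if src.is_multicast or src == IPv4Address("255.255.255.255") or src in directed:
        findings.append("multicast/broadcast source address")
    if pkt.proto in ("icmp", "udp") and dst in directed:
        findings.append("echo to directed subnet broadcast")
    if pkt.proto == "tcp" and {"SYN", "FIN"} <= pkt.tcp_flags:
        findings.append("TCP SYN and FIN both set")
    if pkt.proto == "icmp":
        if pkt.frag_offset or pkt.more_frags:
            findings.append("fragmented ICMP")
        # Offset (in bytes) plus this fragment's length is the size the
        # datagram would reach once reassembled; above 65535 it cannot fit.
        if pkt.frag_offset * 8 + pkt.total_len > MAX_DATAGRAM:
            findings.append("Ping of Death: reassembled datagram exceeds 65535 bytes")
        elif pkt.total_len > LARGE_ICMP:
            findings.append("large ICMP packet")
    return findings

if __name__ == "__main__":
    samples = [  # constructed packets, one per check
        Packet("10.0.0.5", "10.0.0.5", "tcp", tcp_flags=frozenset({"SYN"})),
        Packet("224.0.0.1", "10.0.0.2", "udp"),
        Packet("10.0.0.1", "192.168.1.255", "icmp"),
        Packet("10.0.0.1", "10.0.0.2", "tcp", tcp_flags=frozenset({"SYN", "FIN"})),
        Packet("10.0.0.1", "10.0.0.2", "icmp", total_len=100, frag_offset=8190),
    ]
    for p in samples:
        print(p.src, "->", p.dst, p.proto, check_packet(p))
```

SYN flood detection is left out deliberately: it needs per-destination connection state over time, which a single-packet check cannot provide.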

Access Control Lists

Access Control Lists (ACLs) impose selection criteria on certain types of packets; used in conjunction with other functions, they restrict Layer 3 traffic on the XSR. They are configured as:

Standard access lists (1-99) restrict traffic based on source IP addresses

Extended access lists (100-199) filter traffic by source and destination IP address, protocol type (ICMP, TCP, UDP, GRE, ESP, AH), port number (TCP, UDP), and type/code (ICMP)

XSR User’s Guide 16-1

Enterasys Networks X-Pedition™ manual, Configuring Security on the XSR, Access Control Lists