General Security Precautions

Large ICMP Packets

This protection is triggered for ICMP packets larger than a size you can configure. Such packets are dropped by the XSR if the protection is enabled with the HostDoS command.

Ping of Death Attack

This protection is triggered when an ICMP packet is received with the “more fragments” bit set to 0, and ((IP offset * 8) + IP data length) greater than 65535. As the maximum size for an IP datagram is 65535, this could cause a buffer overflow. The XSR always drops such packets automatically.

Spurious State Transition

Protection against spurious state transition concerns TCP packets with the SYN and FIN bits set. This type of attack occurs when an intruder attempts to stall a network port for a very long time, using the state transition from state SYN_RCVD to CLOSE_WAIT, by sending a packet with both SYN and FIN flags set to a host.

The host first processes the SYN flag, generates the ACK packet back, and changes its state to SYN_RCVD. Then it processes the FIN flag, performs a transition to CLOSE_WAIT, and sends the ACK packet back.

The attacker does not send any other packet, and the state machine of the host remains in CLOSE_WAIT state until the keep-alive timer resets it to the CLOSED state. To protect against this attack the XSR checks for TCP packets with both SYN and FIN flags set. With protection always enabled, these packets are harmlessly dropped.

This feature is supported for packets destined for the XSR. Transit packets will be checked.
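The three checks above (large ICMP, Ping of Death and SYN+FIN) all need the same few IPv4 header fields, so here is one worked example that applies them to raw packets. This is added illustration code, not Enterasys code and not the XSR's HostDoS implementation; it assumes the "Large ICMP" threshold is compared against the IP total length, and the sample packets are constructed inline rather than captured from a device.

```python
import struct
from typing import Optional

# From the text: an IPv4 datagram can be at most 65535 bytes.
IPV4_MAX_DATAGRAM = 65535
PROTO_ICMP = 1
PROTO_TCP = 6
TCP_FIN = 0x01
TCP_SYN = 0x02


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the IPv4 header fields the three checks need."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_off, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    return {
        "proto": proto,
        "total_len": total_len,
        "data_len": total_len - ihl,               # "IP data length" in the page's formula
        "more_fragments": bool((flags_off >> 13) & 1),  # MF flag, bit 13 of flags/offset
        "frag_offset": flags_off & 0x1FFF,         # fragment offset in 8-byte units
        "payload": pkt[ihl:total_len],
    }


def is_large_icmp(hdr: dict, max_size: int) -> bool:
    """Large ICMP Packets: ICMP datagram bigger than the configured size (assumed: IP total length)."""
    return hdr["proto"] == PROTO_ICMP and hdr["total_len"] > max_size


def is_ping_of_death(hdr: dict) -> bool:
    """Ping of Death: MF == 0 and (offset * 8) + data length > 65535, as the page states."""
    return (hdr["proto"] == PROTO_ICMP
            and not hdr["more_fragments"]
            and hdr["frag_offset"] * 8 + hdr["data_len"] > IPV4_MAX_DATAGRAM)


def is_syn_fin(hdr: dict) -> bool:
    """Spurious State Transition: TCP segment with both SYN and FIN set."""
    if hdr["proto"] != PROTO_TCP or hdr["frag_offset"] != 0 or len(hdr["payload"]) < 14:
        return False  # only the first fragment carries the TCP header
    flags = hdr["payload"][13]
    return (flags & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN)


def host_dos_verdict(pkt: bytes, max_icmp_size: int = 1024) -> Optional[str]:
    """Return the name of the protection that would drop this packet, or None to forward it."""
    hdr = parse_ipv4(pkt)
    if is_ping_of_death(hdr):
        return "ping-of-death"
    if is_large_icmp(hdr, max_icmp_size):
        return "large-icmp"
    if is_syn_fin(hdr):
        return "syn-fin"
    return None


def build_ipv4(proto: int, payload: bytes, more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    """Construct a minimal IPv4 packet (checksum left zero) for the sample inputs below."""
    flags_off = (int(more_fragments) << 13) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_off, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def tcp_segment(flags: int) -> bytes:
    """Minimal 20-byte TCP header with the given flag byte (constructed, checksum zero)."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)


# Constructed sample packets, not captures from a real XSR:
SAMPLES = {
    "normal-echo": build_ipv4(PROTO_ICMP, bytes(8 + 56)),      # ordinary 64-byte echo request
    "large-icmp": build_ipv4(PROTO_ICMP, bytes(8 + 2000)),     # exceeds the 1024-byte default
    # Final fragment at offset 8189 * 8 = 65512 carrying 40 bytes: ends at 65552 > 65535
    "ping-of-death": build_ipv4(PROTO_ICMP, bytes(40), more_fragments=False, frag_offset=8189),
    "syn-only": build_ipv4(PROTO_TCP, tcp_segment(TCP_SYN)),
    "syn-fin": build_ipv4(PROTO_TCP, tcp_segment(TCP_SYN | TCP_FIN)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {host_dos_verdict(pkt) or 'forwarded'}")
```

Note that the Ping of Death check fires on a small final fragment (60 bytes on the wire here) because it is the reassembled end position, not the fragment size, that exceeds 65535; a size-only check like the Large ICMP one would not catch it, which is why the page treats them as separate protections.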

General Security Precautions

To ensure security on the XSR, we recommend you take these precautions:

Limit physical access

Avoid connecting a modem to the console port

Download the latest security patches

Retain secured backup copies of device configurations

Plan all configuration changes and prepare a back-out procedure if they go wrong

Keep track of all configuration changes made to all devices

Create a database that tracks the OS version, description of last change, back-out procedure, and administrative owner of all routers

Avoid entering clear text passwords in the configuration script

Be sure to change all default passwords

Use strong passwords not found in the dictionary

Change passwords when the IT staff departs

Age passwords after 30 to 60 days

Grant the correct privilege levels to particular users only

Set reasonable timeouts for console and remote management sessions

16-4 Configuring Security on the XSR

Enterasys Networks X-Pedition manual