Performing Basic Configuration

Recommended basic security measures

Following is an example of assigning a Telnet password:

admin> read ip-global
IP-GLOBAL read

admin> set telnet-password = SDwiw87

admin> write
IP-GLOBAL written

All users attempting to access the TAOS unit via Telnet are prompted for the Telnet password. They are allowed three tries, each with a 60-second time limit, to enter the correct password. If all three tries fail, the connection attempt times out. Because Telnet sends the password across the network in cleartext, choose a password that is hard to guess (the value above is only an example) and, where possible, restrict Telnet access to trusted management hosts or networks.

Requiring acceptance of the pool address

During PPP negotiation, a caller can reject the IP address offered by the TAOS unit and present its own IP address for consideration. A caller that chooses its own address can claim any address, including one that belongs to another host or network, so for security reasons you might want to set the Must-Accept-Address-Assign parameter to Yes to ensure that the TAOS unit terminates such a call:

admin> read ip-global
IP-GLOBAL read

admin> set must-accept-address-assign = yes

admin> write
IP-GLOBAL written

If you enforce acceptance of the assigned address, the Answer-Defaults profile must enable dynamic assignment, the caller’s configured profile must specify dynamic assignment, and the caller’s PPP dial-in software must be configured to acquire its IP address dynamically. For more details, see the APX 8000/MAX TNT/DSLTNT WAN, Routing and Tunneling Configuration Guide.
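The exchange that Must-Accept-Address-Assign governs, as an added example that is not code from the TAOS manual: a small simulation of the PPP IPCP IP-Address negotiation (RFC 1332 Configure-Request, Configure-Nak and Configure-Ack, reduced to the one option that matters here). The TAOS side offers its pool address with a Configure-Nak; a caller that keeps proposing its own address is either accepted (parameter set to No) or has the call terminated (parameter set to Yes). The pool address 192.0.2.50 and the caller's address 203.0.113.7 are constructed for the example.

```python
"""Simulate the PPP IPCP address negotiation that Must-Accept-Address-Assign governs.

Added example; not code from the TAOS manual. The message model is a
simplification of RFC 1332 IPCP (Configure-Request, Configure-Nak and
Configure-Ack on the IP-Address option). The addresses are constructed.
"""
from dataclasses import dataclass

DYNAMIC = "0.0.0.0"   # a caller that wants an address assigned requests 0.0.0.0


@dataclass
class Message:
    kind: str          # Configure-Request, Configure-Nak, Configure-Ack or Terminate
    ip: str = ""


@dataclass
class TaosUnit:
    pool_address: str
    must_accept_address_assign: bool
    nak_sent: bool = False

    def handle(self, req: Message) -> Message:
        """Answer one Configure-Request carrying the caller's proposed IP-Address."""
        if req.ip == self.pool_address:
            return Message("Configure-Ack", req.ip)
        if not self.nak_sent:
            # First refusal: suggest the pool address (also the answer to 0.0.0.0).
            self.nak_sent = True
            return Message("Configure-Nak", self.pool_address)
        # The caller re-sent its own address after being offered the pool address.
        if self.must_accept_address_assign:
            return Message("Terminate")
        return Message("Configure-Ack", req.ip)   # permissive: caller's address wins


@dataclass
class Caller:
    wanted: str        # DYNAMIC, or a fixed address configured in the dial-in software
    insist: bool       # keep proposing the fixed address after a Configure-Nak

    def next_request(self, reply):
        """Produce the next Configure-Request, or None once the exchange is over."""
        if reply is None:
            return Message("Configure-Request", self.wanted)
        if reply.kind == "Configure-Nak":
            ip = self.wanted if self.insist and self.wanted != DYNAMIC else reply.ip
            return Message("Configure-Request", ip)
        return None


def negotiate(unit: TaosUnit, caller: Caller, max_rounds: int = 4):
    """Run the exchange; return (state, address, transcript)."""
    transcript, reply = [], None
    for _ in range(max_rounds):
        req = caller.next_request(reply)
        if req is None:
            break
        reply = unit.handle(req)
        transcript.append((req.kind, req.ip, reply.kind, reply.ip))
        if reply.kind in ("Configure-Ack", "Terminate"):
            break
    if reply is not None and reply.kind == "Configure-Ack":
        return "up", reply.ip, transcript
    return "terminated", None, transcript


if __name__ == "__main__":
    for unit, caller in [
        (TaosUnit("192.0.2.50", True), Caller(DYNAMIC, False)),
        (TaosUnit("192.0.2.50", True), Caller("203.0.113.7", True)),
        (TaosUnit("192.0.2.50", False), Caller("203.0.113.7", True)),
    ]:
        print(negotiate(unit, caller))
```

The third case shows what the parameter prevents: with it set to No, a caller that ignores the Configure-Nak ends up on the link with an address the unit never assigned. The last caveat in the text is visible in the model as well: a caller configured with a fixed address only succeeds if its software backs down and takes the address from the Nak.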

Ignoring ICMP redirects

The Internet Control Message Protocol (ICMP) is used by hosts and routers to report errors and to exchange control information about IP routing. ICMP redirect packets, which let a router tell a host to use a different first-hop router for a destination, are one of the oldest route-discovery methods on the Internet. They are also one of the least secure, because nothing in a redirect authenticates its sender: ICMP redirects can be counterfeited to change the way a device routes packets, for example to divert traffic through an attacker's host. The following commands configure the TAOS unit to ignore ICMP redirect packets:

admin> read ip-global
IP-GLOBAL read

admin> set ignore-icmp-redirects = yes

admin> write
IP-GLOBAL written
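Why "ignore" rather than "validate" is the right setting, as an added example that is not code from the TAOS manual: the script below builds an ICMPv4 Redirect (type 5), parses it, and applies the acceptance checks a host is supposed to make (RFC 1122 section 3.2.2.2: the redirect must come from the current first-hop router and the new gateway must be on the attached network). A redirect whose source address is forged to be the current gateway passes both checks, so only the equivalent of ignore-icmp-redirects stops it. The addresses (192.0.2.0/24, 198.51.100.7) and the packets are constructed.

```python
"""Parse an ICMPv4 Redirect and apply the RFC 1122 acceptance rules to it.

Added example; not code from the TAOS manual. Addresses and packets are
constructed from the documentation ranges.
"""
import ipaddress
import struct

ICMP_REDIRECT = 5


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum (odd-length data is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = 1) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_redirect(src: str, victim: str, new_gw: str, redirected_dst: str) -> bytes:
    """ICMP host redirect (type 5, code 1) as a router would send it to victim."""
    # Redirects carry the header plus 8 bytes of the datagram that triggered them.
    inner = ipv4_header(victim, redirected_dst, 8, proto=17) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0,
                       ipaddress.ip_address(new_gw).packed) + inner
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(src, victim, len(icmp)) + icmp


def parse_redirect(pkt: bytes) -> dict:
    """Return the fields a host needs to evaluate a redirect; raise on anything else."""
    vihl, _, total_len, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4 or proto != 1:
        raise ValueError("not ICMPv4")
    icmp = pkt[(vihl & 0x0F) * 4:total_len]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if itype != ICMP_REDIRECT:
        raise ValueError("not a redirect")
    inner_dst = icmp[8 + 16:8 + 20]      # destination field of the quoted header
    return {"src": str(ipaddress.ip_address(src)), "code": code,
            "new_gateway": str(ipaddress.ip_address(gw)),
            "redirected_dst": str(ipaddress.ip_address(inner_dst))}


def accept_redirect(pkt: bytes, first_hop: str, iface_net: str,
                    ignore_icmp_redirects: bool) -> bool:
    """Decide whether the host should update its route for the quoted destination.

    The RFC 1122 checks only look at unauthenticated header fields, so a sender
    that spoofs the current gateway's address passes them; the robust defence
    is the ignore switch.
    """
    if ignore_icmp_redirects:
        return False
    r = parse_redirect(pkt)
    if r["src"] != first_hop:                                        # from current gateway?
        return False
    if ipaddress.ip_address(r["new_gateway"]) not in ipaddress.ip_network(iface_net):
        return False                                                 # new gateway on-link?
    return True


# Constructed scenario: victim 192.0.2.10 reaches 198.51.100.7 via 192.0.2.1;
# an attacker at 192.0.2.66 wants that traffic sent to itself.
SPOOFED = build_redirect("192.0.2.1", "192.0.2.10", "192.0.2.66", "198.51.100.7")
UNSPOOFED = build_redirect("192.0.2.66", "192.0.2.10", "192.0.2.66", "198.51.100.7")

if __name__ == "__main__":
    print(parse_redirect(SPOOFED))
    for name, pkt in (("spoofed", SPOOFED), ("unspoofed", UNSPOOFED)):
        for ignore in (False, True):
            print(name, "ignore=%s" % ignore,
                  accept_redirect(pkt, "192.0.2.1", "192.0.2.0/24", ignore))
```

The unspoofed packet is rejected by the source check, but the spoofed one is accepted whenever redirects are honoured at all, which is the whole argument for ignore-icmp-redirects = yes on a unit whose routes come from configuration or a routing protocol rather than from redirects.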

Disabling directed broadcasts

Denial-of-service attacks known as “smurf” attacks typically use ICMP Echo Request packets with a spoofed source address directed to IP broadcast addresses. Every host on the broadcast segment answers the spoofed source, so each attack packet is amplified by the number of hosts on that segment, and both the segment and the spoofed source are flooded with replies. These attacks are intended to degrade network performance, possibly to the point that the network becomes unusable. A router that does not forward directed broadcasts (unicast packets addressed to the broadcast address of an attached subnet) cannot be used as an amplifier in this way.
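The forwarding decision that makes a router a smurf amplifier, as an added example that is not code from the TAOS manual (the unit's own commands for this setting are not on this page, so no parameter name is assumed). The script models a router with two attached subnets, classifies incoming packets as unicast, directed broadcast to be flooded onto the segment, or dropped, and estimates how many replies the spoofed source would receive per attacker packet. The subnets (192.0.2.0/24, 198.51.100.0/26), the spoofed source 203.0.113.9 and the packet records are constructed.

```python
"""Model how forwarding directed broadcasts turns a router into a smurf amplifier.

Added example; not code from the TAOS manual. Subnets, hosts and packet
records are constructed.
"""
import ipaddress
from collections import Counter

# Subnets attached to the (hypothetical) router; their size sets the amplification.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/26")]

ICMP_ECHO_REQUEST = 8


def directed_broadcast_target(dst: str):
    """Return the attached network whose broadcast address dst is, else None."""
    addr = ipaddress.ip_address(dst)
    for net in LOCAL_NETS:
        if addr == net.broadcast_address:
            return net
    return None


def forward(pkt: dict, directed_broadcast_enabled: bool) -> str:
    """Routing decision for one packet arriving from another interface.

    'broadcast': sent onto the segment as a link-layer broadcast (every host sees it)
    'drop':      directed broadcast refused because the feature is disabled
    'unicast':   ordinary host address, forwarded normally
    """
    if directed_broadcast_target(pkt["dst"]) is None:
        return "unicast"
    return "broadcast" if directed_broadcast_enabled else "drop"


def smurf_report(packets, directed_broadcast_enabled: bool) -> dict:
    """Worst-case Echo Replies each (spoofed) source receives, per source address."""
    replies = Counter()
    for pkt in packets:
        if pkt["proto"] != "icmp" or pkt["type"] != ICMP_ECHO_REQUEST:
            continue
        if forward(pkt, directed_broadcast_enabled) != "broadcast":
            continue
        net = directed_broadcast_target(pkt["dst"])
        # Every host on the segment answers; worst case is all usable addresses.
        replies[pkt["src"]] += net.num_addresses - 2
    return dict(replies)


# Constructed traffic: an attacker spoofing the victim 203.0.113.9 as source.
PACKETS = [
    {"src": "203.0.113.9", "dst": "192.0.2.255", "proto": "icmp", "type": 8},
    {"src": "203.0.113.9", "dst": "198.51.100.63", "proto": "icmp", "type": 8},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "icmp", "type": 8},   # plain ping
    {"src": "198.51.100.5", "dst": "192.0.2.255", "proto": "udp", "type": None},
]

if __name__ == "__main__":
    for enabled in (True, False):
        print("directed broadcasts %s:" % ("enabled" if enabled else "disabled"),
              smurf_report(PACKETS, enabled))
```

With directed broadcasts enabled, two attacker packets of 84 bytes each yield up to 316 replies to the victim; with them disabled, the same packets are dropped at the router and the plain ping to 192.0.2.10 still goes through. The UDP packet to 192.0.2.255 is not counted by the report but would be flooded onto the segment under the same setting, which is why the feature is disabled outright rather than filtered per protocol.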

APX 8000/MAX TNT/DSLTNT Physical Interface Configuration Guide

Lucent Technologies manual 7820-0802-003