Manuals / Paradyne / Computer Equipment / Network Router

Paradyne Routers manual Security, IP Filtering, Land Bug/Smurf Attack Prevention

Models: Routers

1 97

Download 97 pages 2.16 Kb

Page 29

Configuring the DSL Router

Security

The DSL router offers security via the following:

HIP Filtering ± Can be enabled or disabled.

HLand Bug/Smurf Attack Prevention ± Always present.

IP Filtering

NOTE:

All Hotwire DSL Router filters are configured on the Hotwire DSL card.

By default, filtering is disabled on the Hotwire DSL card for the DSL router.

If enabled, filtering provides security advantages on LANs by restricting traffic on the network and hosts based on the IP source and/or destination addresses.

IP packets can be filtered based on:

HDestination IP Address

HIP Protocol Type

HSource and Destination Port Number (if applicable)

HSource IP Address

HTCP Filter (prevents the receipt of downstream TCP connect requests)

NOTE:

If the Source IP Address filter is enabled on the Hotwire card and an

IP address is assigned to the DSL interface, there must also be an entry configured in the Hotwire Client Table for the DSL interface's IP address.

For more information about IP filtering, see the Hotwire MVL, RADSL, IDSL, and SDSL Cards, Models 8310/8312, 8510/8373/8374, 8303/8304, and 8343/8344, User's Guide.

Land Bug/Smurf Attack Prevention

Land Bug and Smurf Attack prevention are enhanced firewall features provided by the DSL Router:

HLand Bug ± The DSL router drops all packets received on its DSL interface or Ethernet interface when the source IP address is the same as the destination IP address. This prevents the device from being kept busy by constantly responding to itself.

HSmurf Attack ± The DSL Router will not forward directed broadcasts on its DSL and Ethernet interfaces, nor will it send an ICMP echo reply to the broadcast address. This ensures that a legitimate user will be able to use the network connection even if ICMP echo/reply (smurf) packets are sent to the broadcast address.

6371-A2-GB20-10

August 2000

3-9

Image 29

Paradyne Routers manual Security, IP Filtering, Land Bug/Smurf Attack Prevention

Contents

USERS GUIDE HOTWIRE DSL ROUTERSDocument No. 6371-A2-GB20-10 AugustCopyright E 2000 Paradyne Corporation All rights reserved Warranty, Sales, Service, and Training InformationPrinted in U.S.A Document Feedback1 Introduction to Hotwire DSL Routers Contents2 Accessing the DSL Router About This GuideContents Configuring the DSL RouterDSL Router Configuration Examples A Command Line Interface 6 Diagnostics and Troubleshooting5 Monitoring the DSL Router ContentsC Traps & MIBs B Configuration Defaults & Command Line ShortcutsD DSL Router Terminal Emulation IndexDocument Purpose and Intended Audience About This GuideChapter Document SummaryAppendix A Appendix BDocument Title Product-Related DocumentsDocument Number Syntax Document ConventionsTranslation ItalicsDSL Technologies Supported Introduction to Hotwire DSL RoutersWhat is a Hotwire DSL Router? Typical DSL Router System H High-speed Internet or intranet access Hotwire DSL Router FeaturesH IP routing with H Console Terminal Interface. Provides an interface forService Subscriber Levels of Access Accessing the DSL RouterAccess Control to the DSL Router Local Console Access Changing Access Session Levelsadmin enable show consoleProcedure Setting Up the New Users LoginCUSTOMER#. Type configure terminal and press Enter CUSTOMER - CONFIG#Determining the Current Access Level Telnet AccessDetermining the Available Commands Local console disabled by conflictH list config Using the List CommandExiting from the System Changing the System IdentityManually Logging Out If you are accessing the DSL routerAutomatically Logging Out ThenOverview of DSL Router Configuration Configuring the DSL RouterInterfaces for the DSL Router H DSL InterfaceH Ethernet Interface Service Domain IP Address AssignmentsEthernet and DSL Interface Identifiers Simplified Network Topology Numbered DSL InterfaceUnnumbered DSL Interface H Dynamic Host Configuration Protocol DHCP Server H DHCP Relay Agent H Address Resolution Protocol ARP H Proxy ARPIP Routing Network ConsiderationsProxy ARP Address Resolution Protocol ARPNetwork Address Port Translation NAPT Network Address Translation NATBasic NAT Applications Supported by NAT Dynamic Host Configuration Protocol DHCP ServerIP Options Processing Examples DHCP Relay AgentIP Filtering SecurityLand Bug/Smurf Attack Prevention H Land Bug/Smurf Attack Prevention ± Always presentFigure 3-1. 1483 Routed Network Model Standard mode If Using This Network ModelRouted vs. Bridged PDUs 3-10Configuration Examples DSL Router Configuration Examplesip route create upstream eth1 Basic Configuration Exampleifn address eth1 155.1.3.254 ifn address dsl1 155.1.4.254 nat basic map 192.128.1.1 10.1.3.2 10.1.3.5 nat basic enable Basic NAT Configuration ExampleNAT Mapping Public IP Addresses Private IP Addressesnat napt map tcp 10.1.3.4 23 nat napt enable NAPT Configuration ExampleNAPT Mapping Public IP Addresses Private IP Addressesproxy arp dsl1 enable Unnumbered DSL Interface with Proxy ARP Configuration Exampleip route create upstream eth1 155.1.3.253 proxy arp eth1 enable ip route create upstream eth1 155.1.3.253 proxy arp eth1 enable DHCP Relay with Proxy ARP Configuration Exampleproxy arp dsl1 enable dhcp relay enable dhcp relay address nat basic address 192.128.1.0 nat basic enable DHCP Server with Basic NAT Configuration Exampledhcp server enable Public IP Addresses for Basic NATip route create 130.26.7.0 255.255.255.0 Downstream Router Configuration ExampleWhat to Monitor Detecting ProblemsMonitoring the DSL Router show interface Status of Interfacesshow interface eth1 dsl1 ± Ethernet Link up downshow statistics eth1 dsl1 ip Interface Statisticsshow statistics List of Discard Reasons Clearing Statisticsclear statistics eth1 dsl1 ip Table 5-1. Discard Reasons for the Ethernet Interface eth1 1 ofTable 5-2. Discard Reasons for the DSL Interface dsl1 1 of Table 5-1. Discard Reasons for the Ethernet Interface eth1 2 ofDiscard Reasons for the DSL Interface dsl1 Monitoring the DSL RouterTable 5-3. Discard Reasons for IP Discard Reasons for IP Table 5-2. Discard Reasons for the DSL Interface dsl1 2 ofMonitoring the DSL Router Discard Reasons for the DSL Interface dsl1Diagnostics and Troubleshooting Overview Diagnostics and TroubleshootingAlarms Inquiry show alarmsSystem Log syslog enable disableshow syslog syslog ip ip-addrsyslog level level SYSLOG Eventsshow log number Table 6-1. SYSLOG Messages 1 ofTable 6-1. SYSLOG Messages 2 of SYSLOG Message DisplayLevel DescriptionPing Test Results PingPing reply x.x.x.x bytes of data=nn Ping reply x.x.x.x REQUEST TIMED OUTTraceRoute Test Results TraceRouteTracing route to x.x.x.x over a max of nn hops with nnn byte packet Round Trip TimeRefer to Appendix B, Configuration Defaults & Command Line Shortcuts Command Line InterfaceCommand Line Interface Feature Navigation Command RecallDocument Conventions SyntaxConfiguration Control Commands Command Line Interface Commandsconfigure terminal factory RFC 1483 Encapsulationifn address eth1ifn dsl1ifn ip-address mask primary Interface and Service Domain IP Addressifn dsl1ifn eth1ifn primary ifn address dsl1 unnumbered Examples ifn address dsl1 135.300.41.8 ifn dsl1 primarydelete eth1ifn dsl1ifn IP Routing Tableip route create dest-ip dest-mask next-hop-ip remote Example Refer to Chapter 4, DSL Router Configuration Examplesip route delete upstream eth1ifn ip route create upstream eth1ifn next-hop-ipip route purge Example Refer to Chapter 4, DSL Router Configuration Examplesarp timeout complete time arp timeout incomplete timeproxy arp eth1 dsl1 enable disable ARP Tablenat napt enable nat basic enablenat timeout time nat basic address ip-addr ip-masknat napt delete udp tcp port nat basic delete private-ipExample nat basic map 192.128.1.1 Example nat basic deletedhcp server enable disable nat disableDHCP Server A-10DHCP Relay Agent dhcp relay enable disableA-11 dhcp server router ip-addressIP processing enable disable IP multicast enable disabletrap disable enable name of trap IP Packet Processingshow console Displays console enabled or console disabled show system Show Command Outputsshow config A-13A-14 show arp timeoutshow ip route ip-address show arpshow NAT napt A-15show traps show dhcp serverA-16 show alarms show syslog show log #show DHCP relay show interface show statisticsConfiguration Default Settings Configuration Defaults Command Line ShortcutsTable B-1. Default Configuration Settings Configuration OptionTable B-1. Default Configuration Settings 2 ofConfiguration Option Factory Default SettingTable B-2. Command Line Input Shortcuts 1 of Command Line Input Shortcuts1483encap llc vc arp purgeip route delete upstream eth1ifn ip route purge list config logout Table B-2. Command Line Input Shortcuts 2 ofnat basic enable nat disableshow interface dsl1 eth1 Table B-2. Command Line Input Shortcuts 3 ofshow nat basic napt show statistics dsl1 eth1 ip show syslog show system6371-A2-GB20-10 Configuration Defaults & Command Line ShortcutsTraps Overview Traps & MIBsSNMP Overview Table C-1. DSL Router Traps DSL Router TrapsTrap EventTrap # SeverityStandard MIBs MIBs OverviewMIB II RFC System GroupTable C-2. System Group Objects Setting/ContentsObject ssssssssssss Boot bb.bb.bb 2nd Boot xx.xx.xx DSPTable C-3. Interfaces Group Objects 1 of Interfaces Group RFCSetting/Contents ObjectSetting/Contents Table C-3. Interfaces Group Objects 2 ofObject DescriptionIP Group RFC Extension to Interfaces Table RFCTable C-4. Extension to Interfaces Table Table C-5. IP Group Objects 1 ofTable C-5. IP Group Objects 2 of IP CIDR Route Group RFCTable C-6. IP CIDR Route Group Objects 1 of Setting/ContentsTable C-6. IP CIDR Route Group Objects 2 of Transmission GroupSetting/Contents ObjectC-10 SNMP GroupEthernet-Like MIB RFC H Configuration MIB pdnConfig.mib H Device Diagnostics MIB pdndiag.mibH Interface Configuration MIB pdninet.mib H Interface Configuration MIB pdnIfExtConfig.mibC-12 Device Diagnostics MIBTable C-8. Application Test Group Objects 1 of Setting/ContentsTable C-8. Application Test Group Objects 2 of C-13Setting/Contents ObjectTable C-8. Application Test Group Objects 3 of C-14Setting/Contents configureC-15 Health and Status MIBTable C-9. Device Status Group Objects Table Setting/ContentsTable C-10. Device Configuration Copy Group Objects Table Configuration MIBC-16 Setting/ContentsTable C-11. Interface Configuration Group Objects Table Interface Configuration MIBARP MIB NAT MIBC-18 DHCP MIBDSL Endpoint MIB Table C-12. DSL Endpoint Configuration Group Objects TableC-19 Setting/ContentsInterface Configuration MIB SYSLOG MIBC-20 DSL Router Terminal Emulation Accessing the List Command OutputDSL Router Terminal Emulation Procedure Terminal Emulation ProgramsProcedure Index SymbolsNumbers IN-1IN-2 IN-3