RE: TCP/IP Stack Hardening

From: Frank Knobbe (frank_at_knobbe.us)
Date: 12/20/03

  • Next message: Scott Cleven-Mulcahy: "RE: FW: TCP/IP Stack Hardening"
    To: "Hoffmann, Aran" <AHoffmann@cta.net>
    Date: Fri, 19 Dec 2003 22:29:07 -0600

    On Fri, 2003-12-19 at 14:12, Hoffmann, Aran wrote:
    > I used to work in a data center with high security requirements and we
    > applied all the referenced tcp/ip hardening to our Win2k servers. The
    > results? Crappy network performance and file transfer timeouts but boy
    > were we secure. As soon as we removed the hardening the network
    > performance problems went away.

    lol.... yeah, the common hardening guidelines contain at least two
    issues that cripple performance.

    1) PMTU discovery: The recommendation is to turn it off since attackers
    may be able to degrade your system's performance by spoofing ICMP "need
    frag" packets. So the recommendation is to cripple the performance
    yourself! Disabling PMTU discovery reduces ALL packets to 576 bytes or
    so (OTOH). That means a lot of small packets within your network. For
    performance it is better to leave PMTUD enabled and start off with
    packets of a whopping 1500 bytes (and reduce them if needed).

    2) Disable ICMP Redirect: In larger networks (well... at least networks
    with two different gateways) this is a shot in the foot. Most of the
    time you direct traffic to your default gateway (e.g. WAN router), but
    may need to redirect traffic to a different gateway (e.g. Internet
    firewall). This one is noticed pretty quick though. It should be set in
    environments where only one gateway is present (for example, disable
    ICMP Redirects on systems in the DMZ, but leave it enabled on your
    internal systems).

    Source routing should be disabled of course and the backlog stuff should
    be adjusted. I wonder about the usefulness of some of the other settings
    though (like no-name-release-on-demand).

    Oh, and the previous list did not include the TTL. I recommend changing
    the TTL to something odd, like 97 or so. Just to confuse any
    script-kiddie :)

    Cheers,
    Frank
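An added example, not part of the thread: a small Python audit that reads a `reg export` of `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` and rates the four settings Frank discusses against his advice, treating ICMP redirects differently for single-gateway hosts (such as a DMZ) and multi-gateway segments. The value names are the standard Windows Tcpip\Parameters DWORDs; the sample export below is constructed.

```python
import re

# Constructed sample of a `reg export` of Tcpip\Parameters from a host where the
# full "hardening" set was applied. Real exports are UTF-16LE on disk: decode
# them (open(path, encoding="utf-16")) before passing the text to audit_reg().
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnablePMTUDiscovery"=dword:00000000
"EnableICMPRedirect"=dword:00000000
"DisableIPSourceRouting"=dword:00000002
"DefaultTTL"=dword:00000080
"""

# One REG_DWORD line; \r? keeps this working on CRLF exports from Windows.
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\r?$', re.MULTILINE)


def parse_dwords(reg_text):
    """Return {value_name: int} for every REG_DWORD line of a .reg export."""
    return {name: int(hexval, 16) for name, hexval in DWORD_RE.findall(reg_text)}


def audit_reg(reg_text, single_gateway):
    """Judge the four settings the thread discusses against its advice.

    single_gateway=True describes a host (e.g. in the DMZ) that only ever talks
    to one router, where disabling ICMP redirects costs nothing. A value that
    is absent from the export is treated as the Windows default.
    """
    v = parse_dwords(reg_text)
    verdicts = {}
    # PMTU discovery: disabling it caps segments near 576 bytes for every
    # off-subnet destination, so the thread says leave it on (default 1).
    verdicts["EnablePMTUDiscovery"] = "ok" if v.get("EnablePMTUDiscovery", 1) == 1 else "perf-risk"
    # ICMP redirects: disable only where there is a single gateway; on a
    # multi-gateway segment turning them off (default 1) breaks routing.
    redirect = v.get("EnableICMPRedirect", 1)
    if single_gateway:
        verdicts["EnableICMPRedirect"] = "ok" if redirect == 0 else "weak"
    else:
        verdicts["EnableICMPRedirect"] = "ok" if redirect == 1 else "breaks-routing"
    # Source routing: 2 drops all source-routed packets (default 0 forwards them).
    verdicts["DisableIPSourceRouting"] = "ok" if v.get("DisableIPSourceRouting", 0) == 2 else "weak"
    # TTL: the usual OS defaults identify the platform; anything else is "custom".
    verdicts["DefaultTTL"] = "default" if v.get("DefaultTTL", 128) in (32, 64, 128, 255) else "custom"
    return verdicts
```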
