RE: TCP/IP Stack Hardening
From: Mike Shaw (mike_at_shawnuff.net)
Date: 12/22/03
- Previous message: dwr3ck_at_hushmail.com: "RE: TCP/IP Stach Hardening"
- Maybe in reply to: James Bowman: "TCP/IP Stack Hardening"
- Next in thread: Scott Cleven-Mulcahy: "RE: TCP/IP Stack Hardening"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 22 Dec 2003 09:09:01 -0800
To: AHoffmann@cta.net, frank@knobbe.us
>2) Disable ICMP Redirect: In larger networks (well... at least networks
>with two different gateways) this is a shot in the foot. Most of the
>time you direct traffic to your default gateway (e.g. WAN router), but
>may need to redirect traffic to a different gateway (e.g. Internet
>firewall). This one is noticed pretty quick though. It should be set in
>environments where only one gateway is present (for example, disable
>ICMP Redirects on systems in the DMZ, but leave it enabled on your
>internal systems).
Heh...I've seen ICMP redirects used in effect as a routing protocol.
Particularly in older mainframes where the IP code was fundamentally
broken. Proxy ARP is another thing that often glosses over misconfigured
networks.
Before doing any of these hardening things, it's wise to do a thorough
audit of all the adjacent network devices, and run a sniffer looking
for layer 2 and ICMP chatter. I've rarely seen a network that didn't
have something interesting pop up.
-Mike
CCNA, CISSP, YADDA, YADDA
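The pre-hardening audit Mike describes (sniff for ICMP redirects and layer 2 oddities such as several devices answering ARP for one address) can be scripted. The following is an added example, not code from this thread: it walks raw Ethernet frames (as you would read from a pcap) and reports ICMP redirects plus IPs claimed by more than one MAC. The frames, MACs and addresses below are constructed for the demonstration; checksums are not validated.

```python
import socket
import struct
from collections import defaultdict

# Minimal builders used only to construct the sample frames below (not real traffic).
def eth(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload

def ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def icmp(icmp_type, code, rest):
    return struct.pack("!BB", icmp_type, code) + b"\x00\x00" + rest   # checksum left zero

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sender_mac + sender_ip + target_mac + target_ip

def audit(frames):
    """Return (ICMP redirects seen, IPs answered for by more than one MAC)."""
    redirects, claims = [], defaultdict(set)
    for f in frames:
        etype = struct.unpack("!H", f[12:14])[0]
        if etype == 0x0806 and len(f) >= 42:            # ARP: remember who answers for which IP
            if struct.unpack("!H", f[20:22])[0] == 2:    # replies only
                claims[f[28:32]].add(f[22:28])
        elif etype == 0x0800 and f[23] == 1:            # IPv4 carrying ICMP
            ihl = (f[14] & 0x0F) * 4
            if f[14 + ihl] == 5:                        # type 5 = redirect; new gateway follows checksum
                gw = f[18 + ihl:22 + ihl]
                redirects.append((socket.inet_ntoa(f[26:30]), socket.inet_ntoa(gw)))
    multi = {socket.inet_ntoa(ip): sorted(m.hex(":") for m in macs)
             for ip, macs in claims.items() if len(macs) > 1}
    return redirects, multi

# Constructed sample capture: hypothetical hosts 10.0.0.1 (router), 10.0.0.2, 10.0.0.50.
MAC_GW1, MAC_GW2, MAC_HOST = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x50"
IP_GW1, IP_GW2, IP_HOST = (socket.inet_aton(a) for a in ("10.0.0.1", "10.0.0.2", "10.0.0.50"))
SAMPLE = [
    # Router 10.0.0.1 tells the host to use 10.0.0.2 instead: an ICMP redirect.
    eth(MAC_HOST, MAC_GW1, 0x0800, ipv4(1, IP_GW1, IP_HOST, icmp(5, 1, IP_GW2 + b"\x00" * 28))),
    # Ordinary echo reply; must not be flagged.
    eth(MAC_HOST, MAC_GW1, 0x0800, ipv4(1, IP_GW1, IP_HOST, icmp(0, 0, b"\x00" * 4))),
    # Two different MACs both answer ARP for 10.0.0.2 (proxy ARP plus the real owner).
    eth(MAC_HOST, MAC_GW2, 0x0806, arp_reply(MAC_GW2, IP_GW2, MAC_HOST, IP_HOST)),
    eth(MAC_HOST, MAC_GW1, 0x0806, arp_reply(MAC_GW1, IP_GW2, MAC_HOST, IP_HOST)),
    # A single, consistent answer for 10.0.0.1.
    eth(MAC_HOST, MAC_GW1, 0x0806, arp_reply(MAC_GW1, IP_GW1, MAC_HOST, IP_HOST)),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```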