RE: TCP/IP Stack Hardening
From: Scott Cleven-Mulcahy (scottcm3_at_hotmail.com)
Date: 12/22/03
- Previous message: Mike Shaw: "RE: TCP/IP Stack Hardening"
- Maybe in reply to: James Bowman: "TCP/IP Stack Hardening"
To: focus-ms@securityfocus.com, frank@knobbe.us
Date: Mon, 22 Dec 2003 13:44:07 -0600
When PMTU is disabled, the default MTU is 1500 for local subnet and 576 for
remote. I usually multi-home external facing systems and configure 1
interface for internet traffic (unbind to the interface, especially MS
networking) and the other for backend traffic (but still not on the internal
network). Depending on environment, I'll change the backend NIC's default
MTU size to 1500 - this especially helps traffic between a web server and
database. BTW, 576 bytes is the default MTU for dial-up connections.
Troubleshooting MTU problems is actually pretty easy. Use ping with the -L
switch. This specifies the size of the ICMP packet. Start with 1500 and
keep dropping down until you get a response. It's been a few years since
I've encountered an MTU problem, though.
That said, disabling PMTU is probably not the most important network stack
hardening step you can take. I would rate the SYN flood protection
mechanisms as much more important.
I've not found disabling ICMP redirects a problem as long as the routing
devices have proper routes and the local routing table isn't jacked up. The
only legitimate use of redirects that I've seen is when a segment has
multiple, independent routing devices. Since there can only be 1 default
gateway the system sends the packet to that router, which may not handle
that network, but it knows a router that does, which is on the same segment.
I've always handled that situation by entering static routes on the server
to ensure the correct router is used. Only in very rare cases have I had to
enter a static route for a specific host (this has a tendency to complicate
the routing table).
Unlike disabling PMTU, I do consider disabling ICMP Redirects an important
network hardening step, especially for externally accessible systems. For
one, I've found it rare for a segment to have multiple routers. And two, a
simple static routing table solves the issue of multiple possible routes.
I'm a bigger stickler for NoNameReleaseOnDemand and RefuseReset on internal
networks than external. I've never bound MS networking to external
interfaces so it's not an issue (it only affects NetBIOS names). One of
them has an exploit released (I forget which).
Scott
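The "start at 1500 and keep dropping down" check Scott describes, written up as an added example (not code from the thread): it sends Don't-Fragment echo requests of decreasing size, generalised to a binary search so it converges in about ten pings instead of hundreds. It assumes the stock `ping` binary (Windows `-f -l`, Linux `-M do -s`); the `simulated_link` helper is a constructed stand-in so the search can be exercised offline.

```python
"""Locate the path MTU by probing with Don't-Fragment ICMP echo requests.
Added example for this thread, not the poster's own script."""
import platform
import subprocess
from typing import Callable, Optional

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one echo request carrying `payload` data bytes with DF set.

    Windows: ping -n 1 -f -l <size>  (the -l size switch from the post, plus -f for DF)
    Linux:   ping -c 1 -M do -s <size>
    Returns True when a reply came back. Assumes the standard ping binary is on PATH.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-w", str(timeout_s * 1000), "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-W", str(timeout_s), "-s", str(payload), host]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout_s + 3).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def find_path_mtu(probe: Callable[[int], bool], lo: int = 548, hi: int = 1472) -> Optional[int]:
    """Binary-search the largest payload that still gets a reply.

    Defaults bracket the 576 (dial-up / remote default) and 1500 (Ethernet)
    MTUs minus the IP+ICMP overhead. Returns the path MTU (payload + 28),
    or None when even the smallest probe gets no answer.
    """
    if not probe(lo):
        return None
    while lo < hi:                # invariant: probe(lo) succeeded
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo + IP_ICMP_OVERHEAD


def simulated_link(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping: a reply arrives only if the packet fits in `mtu`."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None   # no host: run against a fake 1492-byte link
    probe = (lambda n: ping_probe(target, n)) if target else simulated_link(1492)
    print("path MTU:", find_path_mtu(probe))   # → 1492 for the simulated link
```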