RE: TCP/IP Stack Hardening
From: dave kleiman (dave_at_isecureu.com)
Date: 12/23/03
- Previous message: Scott Cleven-Mulcahy: "RE: TCP/IP Stack Hardening"
- In reply to: Frank Knobbe: "RE: TCP/IP Stack Hardening"
- Next in thread: Frank Knobbe: "RE: TCP/IP Stack Hardening"
- Reply: Frank Knobbe: "RE: TCP/IP Stack Hardening"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <focus-ms@securityfocus.com> Date: Mon, 22 Dec 2003 19:31:36 -0500
Frank,
That statement is somewhat correct. PMTU discovery only affects packets
outside your local subnet, therefore "should" not affect your internal
network performance.
Secondly, if you set the PMTU Discovery to 0, and a host route is added to
the Windows 2000 routing table via an ICMP redirect from the default
gateway, that host route will not be removed.
So, by NOT following your recommendation for PMTU Discovery, you
inadvertently fix your problem caused by NO ICMP redirect.
I of course originally stated that these hardening guidelines be used for
systems in your DMZ, not your internal network.
_______________________________
Dave Kleiman, CISSP, MCSE, CIFI
dave@isecureu.com
www.SecurityBreachResponse.com
"High achievement always takes place in the framework of high expectation."
Jack Kinder
-----Original Message-----
From: Frank Knobbe [mailto:frank@knobbe.us]
Sent: Friday, December 19, 2003 23:29
To: Hoffmann, Aran
Cc: focus-ms@securityfocus.com
Subject: RE: TCP/IP Stack Hardening
On Fri, 2003-12-19 at 14:12, Hoffmann, Aran wrote:
> I used to work in a data center with high security requirements and we
> applied all the referenced tcp/ip hardening to our Win2k servers. The
> results? Crappy network performance and file transfer timeouts but boy
> were we secure. As soon as we removed the hardening the network
> performance problems went away.
lol.... yeah, the common hardening guidelines contain at least two issues
that cripple performance.
1) PMTU discovery: The recommendation is to turn it off since attackers may
be able to degrade your system's performance by spoofing ICMP "need frag"
packets. So the recommendation is to cripple the performance yourself!
Disabling PMTU discovery reduces ALL packets to 576 bytes or so (OTOH). That
means a lot of small packets within your network. For performance it is
better to leave PMTUD enabled and start off with packets of a whopping 1500
bytes (and reduce them if needed).
2) Disable ICMP Redirect: In larger networks (well... at least networks with
two different gateways) this is a shot in the foot. Most of the time you
direct traffic to your default gateway (e.g. WAN router), but may need to
redirect traffic to a different gateway (e.g. Internet firewall). This one
is noticed pretty quickly though. It should be set in environments where only
one gateway is present (for example, disable ICMP Redirects on systems in
the DMZ, but leave it enabled on your internal systems).
Source routing should be disabled of course and the backlog stuff should be
adjusted. I wonder about the usefulness of some of the other settings though
(like no-name-release-on-demand).
Oh, and the previous list did not include the TTL. I recommend changing the
TTL to something odd, like 97 or so. Just to confuse any script-kiddie :)
Cheers,
Frank
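The thread above argues that the same TCP/IP hardening values belong on DMZ hosts but not on internal ones (PMTU discovery and ICMP redirects in particular), and Dave adds the interaction where redirect-learned host routes persist once PMTU discovery is off. The following script is an added example, not code from either poster: it parses the text that `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` produces, compares the values against a "dmz" or "internal" profile built from the thread's advice, and flags that PMTUD/redirect combination. The registry value names (EnablePMTUDiscovery, EnableICMPRedirect, DisableIPSourceRouting, DefaultTTL) are the real Windows ones; the two .reg dumps, the assumed Windows 2000 defaults for absent values, and the profile contents are constructed for the example.

```python
"""Audit Windows TCP/IP hardening values from a `reg export` dump.

Added example (not from the mailing-list thread). Parses the .reg subset that
`reg export` emits and checks the values the thread discusses against a
"dmz" or "internal" profile. Sample dumps below are constructed.
"""
import re
from typing import Dict, List, Tuple

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Values used when a name is absent from the dump (assumed Windows 2000 defaults).
DEFAULTS = {
    "EnablePMTUDiscovery": 1,
    "EnableICMPRedirect": 1,
    "DisableIPSourceRouting": 0,
    "DefaultTTL": 128,
}

# Expected DWORDs per profile, derived from the thread's advice (assumption):
# DMZ hosts get the full guideline; internal hosts keep PMTUD and redirects on
# for performance and multi-gateway routing, but still drop source-routed packets.
PROFILES = {
    "dmz": {"EnablePMTUDiscovery": 0, "EnableICMPRedirect": 0, "DisableIPSourceRouting": 2},
    "internal": {"EnablePMTUDiscovery": 1, "EnableICMPRedirect": 1, "DisableIPSourceRouting": 2},
}

# Constructed dump of a hardened DMZ host (TTL 97 = 0x61, as Frank suggests).
SAMPLE_DMZ_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnablePMTUDiscovery"=dword:00000000
"EnableICMPRedirect"=dword:00000000
"DisableIPSourceRouting"=dword:00000002
"DefaultTTL"=dword:00000061
"""

# Constructed dump of an internal host where only PMTUD was switched off.
SAMPLE_INTERNAL_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnablePMTUDiscovery"=dword:00000000
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse [key] headers, dword: values and quoted strings; skip other types."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue  # file header such as "Windows Registry Editor Version 5.00"
        m = _DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)  # hex DWORD -> int
            continue
        m = _STR_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
    return keys


def effective(tcpip: Dict[str, object], name: str) -> object:
    """Value from the dump, or the assumed default when the value is absent."""
    return tcpip.get(name, DEFAULTS.get(name))


def audit(text: str, profile: str) -> List[Tuple[str, object, object, str]]:
    """Return (value, actual, expected, verdict) rows for the chosen profile.

    DefaultTTL is reported but not judged. A WARN row is appended when PMTUD is
    off while ICMP redirects are on, the combination Dave describes where a
    redirect-learned host route is never removed.
    """
    tcpip = parse_reg(text).get(TCPIP, {})
    rows: List[Tuple[str, object, object, str]] = []
    for name, want in PROFILES[profile].items():
        have = effective(tcpip, name)
        rows.append((name, have, want, "OK" if have == want else "MISMATCH"))
    ttl = effective(tcpip, "DefaultTTL")
    rows.append(("DefaultTTL", ttl, 128, "DEFAULT" if ttl == 128 else "CHANGED"))
    if effective(tcpip, "EnablePMTUDiscovery") == 0 and effective(tcpip, "EnableICMPRedirect") == 1:
        rows.append(("PMTUD off + ICMP redirects on", (0, 1), None,
                     "WARN: host routes learned via ICMP redirect are not removed"))
    return rows


if __name__ == "__main__":
    for label, dump, prof in (("dmz-host", SAMPLE_DMZ_REG, "dmz"),
                              ("internal-host", SAMPLE_INTERNAL_REG, "internal")):
        print(f"== {label} ({prof} profile)")
        for name, have, want, verdict in audit(dump, prof):
            print(f"  {name:32} actual={have!s:8} expected={want!s:6} {verdict}")
```

Run it against a real dump by reading the exported file (note that `reg export` writes UTF-16, so open it with `encoding="utf-16"`) and passing the text to `audit()` with the profile that matches where the host sits; absent values are reported at their assumed defaults, so a host that was never touched shows up as "MISMATCH" on source routing rather than silently passing.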