Filter and Firewall
Alcatel-Lucent OmniAccess 700 CLI Configuration Guide (Beta), page 734
TCP Rules
The TCP rules are like the UDP rules, with one difference: the ACK bit can be used to
stop connections from being initiated from one direction or the other. Only the first
packet of a TCP connection (the SYN) has the ACK bit cleared; every later segment in
both directions carries ACK. Blocking inbound packets with the ACK bit cleared for a
particular port therefore allows only outbound connections to be initiated on that port,
while still admitting the reply and data traffic for those connections. Note that this
check is stateless: an unsolicited inbound segment with ACK set (an ACK scan) also passes
it, and only connection tracking can tell it apart from a genuine reply. Some of the
important rules are listed below:
• Drop packets to ports below 21, as with the corresponding UDP rule.
• Drop X Window traffic, as with the corresponding UDP rule.
• Disallow incoming telnet connections (incoming packets to port 23). Use SSH (port 22)
instead, which is more secure than telnet.
• Specifically allow any internal services that use ports greater than 1023. This way a
subsequent rule can be used to stop backdoor software like Back Orifice, which opens a
port internally for unauthorized remote control of computers.
• Drop SYN packets from outside to internal ports greater than 1023; most legitimate
services are configured on ports below 1024.
• Disallow incoming FTP data connections (connections initiated from source port 20),
thus allowing passive FTP only.
• Disallow SMTP connections (port 25) from the outside to any host other than the mail
server.
• Establish service destination rules for other services such as HTTP.
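The rule list above, modelled as a stateless filter so its behaviour can be checked against constructed packets. This is an added example, not configuration from the guide or the OmniAccess CLI; the addresses, the mail server, the allowed internal service on port 8080 and the rule order are assumptions made for the illustration. It also shows why the ACK-bit rule alone is not enough: an unsolicited ACK-only probe is indistinguishable from reply traffic.

```python
from dataclasses import dataclass

# Assumed network layout for this example (RFC 5737 documentation ranges);
# the guide does not name one.
MAIL_SERVER = "192.0.2.25"                   # the only host allowed to receive SMTP
INTERNAL_SERVICES = {("192.0.2.80", 8080)}   # explicitly allowed services on ports > 1023
X_WINDOW_PORTS = range(6000, 6064)           # X11 displays :0 through :63
FTP_DATA_PORT = 20                           # source port of an active-mode FTP data connection


@dataclass
class Packet:
    direction: str   # "in" (outside -> inside) or "out" (inside -> outside)
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def tcp_filter(p: Packet) -> tuple[str, str]:
    """Stateless verdict ("drop" or "accept") plus the rule that decided it.

    Rules are evaluated in the order the text lists them; the explicit
    allow for internal services comes before the generic >1023 drop so that
    the latter can still stop backdoor listeners on other high ports.
    """
    if p.dport < 21:
        return "drop", "ports below 21"
    if p.dport in X_WINDOW_PORTS:
        return "drop", "X Window"
    if p.direction == "in":
        if p.dport == 23:
            return "drop", "inbound telnet; use SSH on port 22"
        if p.sport == FTP_DATA_PORT and not p.ack:
            return "drop", "inbound FTP data connection; passive FTP only"
        if p.dport == 25 and p.dst != MAIL_SERVER:
            return "drop", "SMTP only to the mail server"
        if (p.dst, p.dport) in INTERNAL_SERVICES:
            return "accept", "explicitly allowed internal service"
        if p.dport > 1023 and not p.ack:
            # ACK cleared means a connection is being opened from outside
            # (for example to a Back Orifice listener). Replies to connections
            # we opened ourselves always carry ACK and fall through to accept.
            return "drop", "connection attempt to port > 1023 from outside"
    return "accept", "default"


def stateless_blind_spot() -> bool:
    """An unsolicited ACK-only probe (an ACK scan) looks like reply traffic to a
    stateless filter and is accepted; the target answers it with RST, which
    reveals that the host is up. Connection tracking is needed to catch this."""
    probe = Packet("in", "203.0.113.9", "192.0.2.10", 4444, 31337, syn=False, ack=True)
    return tcp_filter(probe)[0] == "accept"


if __name__ == "__main__":
    # Constructed packets: an outbound web connection and its reply, then probes.
    for pkt in (
        Packet("out", "192.0.2.10", "198.51.100.7", 40000, 80, syn=True),
        Packet("in", "198.51.100.7", "192.0.2.10", 80, 40000, syn=True, ack=True),
        Packet("in", "203.0.113.9", "192.0.2.10", 4444, 31337, syn=True),
        Packet("in", "203.0.113.9", "192.0.2.80", 4444, 8080, syn=True),
        Packet("in", "203.0.113.9", "192.0.2.10", 4444, 25, syn=True),
        Packet("in", "198.51.100.7", "192.0.2.10", 20, 50000, syn=True),
    ):
        print(pkt.direction, pkt.dst, pkt.dport, "->", tcp_filter(pkt))
    print("ACK scan passes stateless filter:", stateless_blind_spot())
```

The inbound SYN-ACK reply to the outbound web connection is accepted because ACK is set, while a fresh SYN to port 31337 is dropped; that is the whole effect of the ACK-bit rule. The last check shows the limitation that the Network Address Translation section's connection tracking addresses.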
Many users feel that the rules above are not enough; a dedicated attacker with time and
resources can find a way around them. Some of the advanced methods you can use are:
Network Address Translation
This feature exposes only a handful of IP addresses to the outside world. The firewall
keeps track of connections and rewrites packet source and destination addresses and
port values on the fly. Because every translated connection is recorded, an inbound
packet that matches no entry in the table can simply be dropped.
Fragmentation
Fragmented packets should not be allowed into the network unchecked. It is wise to
reassemble fragmented packets at the firewall, or simply drop them, since fragmentation
is largely obsolete for TCP (modern stacks set the Don't Fragment bit and rely on path
MTU discovery). Be aware that dropping all fragments can break legitimate large UDP
datagrams, such as big DNS responses, and some IPsec traffic; reassembly at the firewall
avoids this while still defeating fragment-based filter evasion.
Rate-Limiting
Rate limiting is a good method of protection against denial-of-service attacks. The
most common of them are:
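A per-source token-bucket limit on inbound SYNs, as an added example of rate limiting applied to one common denial-of-service pattern, a SYN flood from a single host. This is not the guide's own code or the OmniAccess implementation; the rate, burst size, source addresses and packet timing are assumptions constructed for the illustration. The point to observe is that a flooding host is throttled once its bucket is empty while a legitimate host, which has its own bucket, is still served.

```python
from collections import defaultdict


class TokenBucket:
    """Allow at most `rate` events per second, with bursts of up to `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)   # bucket starts full
        self.last = 0.0              # timestamp of the previous check

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at the burst size.
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SynRateLimiter:
    """One bucket per source address; SYNs beyond the budget are dropped."""

    def __init__(self, rate: float = 10.0, burst: int = 20):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def accept_syn(self, src: str, now: float) -> bool:
        return self.buckets[src].allow(now)


def simulate(flood_src: str = "203.0.113.9", flood_count: int = 100,
             spacing: float = 0.01) -> tuple[int, bool]:
    """Constructed trace: `flood_count` SYNs from one host `spacing` seconds
    apart, then a single SYN from a legitimate host. Returns the number of
    flood SYNs accepted and whether the legitimate SYN got through.

    With rate 10/s and burst 20, 100 SYNs spread over about one second yield
    the 20-packet burst plus roughly 10 refilled tokens, so about 29 pass.
    """
    limiter = SynRateLimiter(rate=10.0, burst=20)
    accepted = sum(
        limiter.accept_syn(flood_src, i * spacing) for i in range(flood_count)
    )
    legit_ok = limiter.accept_syn("198.51.100.7", flood_count * spacing)
    return accepted, legit_ok


if __name__ == "__main__":
    accepted, legit_ok = simulate()
    print(f"flood SYNs accepted: {accepted} of 100; legitimate host served: {legit_ok}")
```

A per-source limit does not help against a flood from many spoofed source addresses, where each packet gets a fresh bucket; that case needs a global SYN budget or SYN cookies in addition, which this example does not implement.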