Using Network Access Policy Rules
Restoring the default rules deletes all custom rules and Public LAN Servers. If an IKE VPN Security Association has been created, a service permitting IKE negotiations must be recreated afterwards, since the default rules no longer contain it.
Protocols/Services to Filter
Although the Firewall ships with a safe default configuration, a user who alters the Policy Rules can open the Firewall, and the private LAN behind it, to attack. Before making any modifications, the user should therefore know which services carry the most risk for the private LAN.
The following table lists the protocols that are inherently open to abuse and should be blocked from both entering and leaving the site.
Table 6   Protocol Definitions and Characteristics

Protocol Name                              Port           Risk
TFTP - Trivial File Transfer Protocol      69/UDP         Used to boot diskless workstations, terminal servers and
                                                          routers. If set up incorrectly it can also be used to read
                                                          any file on the system.
X Windows                                  6000+/TCP      Can leak information from X Window displays, including
                                                          all keystrokes. Port is 6000 plus the display number.
DNS - Domain Name Service                  53/TCP,UDP     The DNS service holds host names and information about
                                                          hosts that is helpful to an attacker mapping the network.
RIP - Routing Information Protocol         520/UDP        Can be used to redirect packet routing.
UUCP - UNIX-to-UNIX CoPy                   540/TCP        If not properly configured, can be used for unauthorized
                                                          access.
Open Windows                               2000/TCP       Can also leak information about which keystrokes are
                                                          pressed.
RPC - Remote Procedure Call (portmapper)   111/TCP,UDP    The RPC services, including NIS and NFS, can be used to
                                                          steal system information such as passwords and to read or
                                                          write files.
rexec                                      512/TCP        These protocols can permit unauthorized access to accounts
rlogin                                     513/TCP        and commands.
rsh                                        514/TCP
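The block list in Table 6, together with the two other points made on this page (restoring defaults removes the IKE service, and services should be reachable only from the systems that need them), written up as a small first-match policy evaluator. This is an illustrative example added here; it is not the SuperStack 3 Firewall's rule engine or any 3Com code. The LAN range 192.168.1.0/24, the internal resolver 192.168.1.2, the Firewall WAN address 203.0.113.10 and the web-browsing allow rule are assumptions. What it shows that the table alone does not is that rule order decides the outcome: the narrow allow for the internal DNS server has to precede the blanket DNS deny, and IKE (UDP 500) stays blocked until its service rule is added back.

```python
"""First-match policy evaluator modelling the rule set discussed on this page.

Hypothetical example, not the SuperStack 3 Firewall's own rule engine. It keeps
the three properties the page relies on: rules are ordered, the first matching
rule decides, and anything no rule permits is implicitly denied.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed addressing for the example (not from the manual).
LAN = ip_network("192.168.1.0/24")            # private LAN behind the Firewall
ANY = ip_network("0.0.0.0/0")
INTERNAL_DNS = ip_network("192.168.1.2/32")   # the one host allowed to serve DNS
FIREWALL_WAN = ip_network("203.0.113.10/32")  # Firewall's WAN address (TEST-NET-3)

# Table 6, encoded as constructed data. Transports are the standard
# assignments for each service; X Windows listens on 6000 + display number,
# so the first 64 displays are covered here.
RISKY_SERVICES = [
    ("TFTP", "udp", {69}),
    ("X Windows", "tcp", set(range(6000, 6064))),
    ("DNS", "udp", {53}),
    ("DNS", "tcp", {53}),
    ("RIP", "udp", {520}),
    ("UUCP", "tcp", {540}),
    ("Open Windows", "tcp", {2000}),
    ("RPC portmapper", "udp", {111}),
    ("RPC portmapper", "tcp", {111}),
    ("rexec", "tcp", {512}),
    ("rlogin", "tcp", {513}),
    ("rsh", "tcp", {514}),
]


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    transport: str                      # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[frozenset] = None   # destination ports; None matches every port
    comment: str = ""

    def matches(self, transport, src, dst, port) -> bool:
        return (self.transport in ("any", transport)
                and src in self.src and dst in self.dst
                and (self.ports is None or port in self.ports))


def evaluate(rules, transport, src, dst, port) -> str:
    """Return the action of the first matching rule; unmatched traffic is denied."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(transport, src, dst, port):
            return rule.action
    return "deny"


def risky_service_denies():
    """One deny rule per Table 6 entry, in both directions (src and dst are ANY)."""
    return [Rule("deny", t, ANY, ANY, frozenset(p), f"Table 6: {n}")
            for n, t, p in RISKY_SERVICES]


def default_policy():
    """Rules as they stand after 'restore defaults': no IKE service is present."""
    return [
        # The allow for the one system that needs the service must come BEFORE
        # the blanket deny; placed after it, the deny matches first and the
        # internal resolver becomes unreachable from the LAN.
        Rule("allow", "udp", LAN, INTERNAL_DNS, frozenset({53}), "LAN -> internal DNS"),
        *risky_service_denies(),
        Rule("allow", "tcp", LAN, ANY, frozenset({80, 443}), "LAN web browsing"),
    ]


def with_ike_service(rules):
    """Recreate the IKE service the page says is needed after a restore: UDP 500."""
    return rules + [Rule("allow", "udp", ANY, FIREWALL_WAN, frozenset({500}), "IKE negotiation")]


if __name__ == "__main__":
    pol = default_policy()
    print("inbound TFTP to LAN host:        ", evaluate(pol, "udp", "198.51.100.7", "192.168.1.20", 69))
    print("LAN -> internal DNS:             ", evaluate(pol, "udp", "192.168.1.20", "192.168.1.2", 53))
    print("LAN -> external DNS:             ", evaluate(pol, "udp", "192.168.1.20", "8.8.8.8", 53))
    print("IKE to Firewall, defaults only:  ", evaluate(pol, "udp", "198.51.100.7", "203.0.113.10", 500))
    print("IKE to Firewall, service added:  ", evaluate(with_ike_service(pol), "udp", "198.51.100.7", "203.0.113.10", 500))
```

Swapping the first two entries of default_policy() is the easiest way to see the ordering problem: the LAN-to-internal-DNS query then returns "deny", which is exactly what happens on a real policy when a broad deny is inserted above a specific allow.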
Other services, whether inherently dangerous or not, should be restricted to only those systems that need them, as shown below:
DUA1611-0AAA02.book Page 161 Thursday, August 2, 2001 4:01 PM