Enterasys Security Router User's Guide

16-4 Configuring Security on the XSR
Large ICMP Packets
This protection is triggered for ICMP packets larger than a size you can configure. Such packets are dropped by the XSR if the protection is enabled with the HostDoS command.
Ping of Death Attack
This protection is triggered when an ICMP packet is received with the "more fragments" bit set to 0, and ((IP offset * 8) + IP data length) greater than 65535. As the maximum size for an IP datagram is 65535, this could cause a buffer overflow. The XSR always drops such packets automatically.
Spurious State Transition
Protection against spurious state transition concerns TCP packets with SYN and FIN bits set. This type of attack occurs when an intruder attempts to stall a network port for a very long time, using the state transition from state SYN_RCVD to CLOSE_WAIT, by sending a packet with both SYN and FIN flags set to a host.

The host first processes the SYN flag, generates the ACK packet back, and changes its state to SYN_RCVD. Then it processes the FIN flag, performs a transition to CLOSE_WAIT, and sends the ACK packet back.

The attacker does not send any other packet, and the state machine of the host remains in CLOSE_WAIT state until the keep-alive timer resets it to the CLOSED state. To protect against this attack the XSR checks for TCP packets with both SYN and FIN flags set. With protection always enabled, these packets are harmlessly dropped.
This feature is supported for packets destined for the XSR. Transit packets will be checked.
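The three checks described above (large ICMP, Ping of Death, SYN+FIN), expressed as a classifier over constructed IPv4 packets. This is an added example, not the XSR's own code; the ICMP size threshold max_icmp, the helper names and the sample packets are assumptions.

```python
import struct

IP_MF = 0x2000          # IPv4 "more fragments" flag
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset (in 8-byte units)
TCP_FIN = 0x01
TCP_SYN = 0x02

def build_ipv4(proto, payload, flags_frag=0):
    """Constructed minimal 20-byte IPv4 header (checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def classify(packet, max_icmp=1024):
    """Return the name of the host-DoS check a packet trips, or None if clean.
    max_icmp stands in for the configurable large-ICMP size (assumed value)."""
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    offset = flags_frag & IP_OFFSET_MASK
    more_frags = bool(flags_frag & IP_MF)
    data_len = total_len - ihl          # IP data length carried by this datagram
    if proto == 1:                      # ICMP
        # Ping of Death: final fragment whose reassembled size would exceed 65535
        if not more_frags and offset * 8 + data_len > 65535:
            return "ping-of-death"
        if data_len > max_icmp:
            return "large-icmp"
    elif proto == 6 and data_len >= 14:  # TCP, flags byte is at TCP offset 13
        flags = packet[ihl + 13]
        if flags & TCP_SYN and flags & TCP_FIN:
            return "syn-fin"
    return None

# Constructed samples: offset 8189 * 8 = 65512, plus 100 data bytes = 65612 > 65535
POD = build_ipv4(1, b"\x00" * 100, flags_frag=8189)
LARGE = build_ipv4(1, b"\x00" * 2000)
NORMAL_PING = build_ipv4(1, b"\x00" * 56)
SYNFIN = build_ipv4(6, struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, 0x03, 8192, 0, 0))
NORMAL_SYN = build_ipv4(6, struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, 0x02, 8192, 0, 0))

if __name__ == "__main__":
    for name, pkt in [("POD", POD), ("LARGE", LARGE), ("NORMAL_PING", NORMAL_PING),
                      ("SYNFIN", SYNFIN), ("NORMAL_SYN", NORMAL_SYN)]:
        print(name, classify(pkt))
```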
General Security Precautions
To ensure security on the XSR, we recommend you take these precautions:
Limit physical access
Avoid connecting a modem to the console port
Download the latest security patches
Retain secured backup copies of device configurations
Plan all configuration changes and prepare a back-out procedure if they go wrong
Keep track of all configuration changes made to all devices
Create a database that tracks the OS version, description of last change, back-out procedure, and administrative owner of all routers
Avoid entering clear text passwords in the configuration script
Be sure to change all default passwords
Use strong passwords not found in the dictionary
Change passwords when the IT staff departs
Age passwords after 30 to 60 days
Grant the correct privilege levels to particular users only
Set reasonable timeouts for console and remote management sessions