Manualshelf

- LG Software Innovations Two-Way Radio User Manual

ManualsBrands321 Studios ManualsTwo-Way RadioSDM Express User's Guide OL-7141-04
41424344454647484950
Chapter 1 Cisco SDM Express
Supplementary Help
1-38
Cisco SDM Express
OL-7141-04
rules; some attacks are based on this. Disabling ICMP redirects will cause no
operational impact to the network, and it eliminates this possible method of
attack.
The configuration that will be delivered to the router to disable ICMP redirect
messages is as follows:
no ip redirects
Disable IP Proxy ARP
Cisco SDM Express disables proxy Address Resolution Protocol (ARP)
whenever possible. ARP is used by the network to convert IP addresses into MAC
addresses. Normally ARP is confined to a single LAN, but a router can act as a
proxy for ARP requests, making ARP queries available across multiple LAN
segments. Because proxy ARP breaks the LAN security barrier, use it only
between two LANs with an equal security level, and only when necessary.
The configuration that will be delivered to the router to disable proxy ARP is as
follows:
no ip proxy-arp
You can undo this fix using the Cisco SDM Security Audit feature. To learn how,
see the Security Audit online help in Cisco SDM. For more information, click
Cisco Router and Security Device Manager.
Disable IP Directed Broadcast
Cisco SDM Express disables IP directed broadcasts whenever possible. An IP
directed broadcast is a datagram sent to the broadcast address of a subnet to which
the sending machine is not directly attached. The directed broadcast is routed
through the network as a unicast packet until it arrives at the target subnet, where
it is converted into a link-layer broadcast. Because of the nature of the IP
addressing architecture, only the last router in the chain, the one that is connected
directly to the target subnet, can conclusively identify a directed broadcast.
Directed broadcasts are occasionally used for legitimate purposes, but such use is
not common outside the financial services industry.
IP directed broadcasts are used in the extremely common and popular “smurf”
Denial-of-Service attack, and they can also be used in related attacks. In a “smurf”
attack, the attacker sends ICMP echo requests from a falsified source address to a