 |
 |
|
|
|
 |
 |
Home | What's New | FAQ | Site Contents | Contact Us | SEARCH |
|
|
About Us | Alerts | Education and Training | Events | FTP Archives | Improving Security | Other Resources | Reports | Survivability Research |
|
|
|
|
CERT® Coordination CenterPacket Filtering for Firewall SystemsIf your site isn't filtering certain TCP/IP packets, it may not be as secure as you think.When the CERT Coordination Center started in 1988, it was our opinion that security was the responsibility of the system and not the network. While we still believe it is important for system managers to be aware of security issues and to continue to be diligent in securing their systems, we realize that this effort will not protect your site from the exploitation of flawed protocols. The CERT staff encourages system managers, site network managers, and regional network providers to take the time to understand packet filtering issues. Because of the flaws in several TCP/IP services, a site must be able to restrict external access to these services. Sites should consider purchasing programmable routers. Network providers should offer packet filtering as a service option. Because of flaws in the protocol or chronic system administration problems, we recommend that the following services be filtered:
We have handled incidents that involved automated TFTP attempts. Many of the systems affected were using the TFTP daemon to boot other devices. Filtering TFTP connections would have protected the sites from this attack. The X windows sockets range from socket 6000 to 6000 plus the highest number of X terminals on the same host. If your site does not need to provide other services to external users, those other services should be filtered. For example, filter telnet connections when all staff members are in the office, and filter FTP connections to all systems except to public information servers. In addition to filtering specific services, we recommend that sites also filter based on the source address field of the packets to prevent IP spoofing. More information on this technique can be found in CERT advisory CA-95:01, "IP Spoofing Attacks and Hijacked Terminal Connections," available by anonymous FTP from info.cert.org:/pub/cert_advisoriesTo prevent denial of service attacks based on ICMP bombs, filter ICMP redirect and ICMP destination unreachable packets. In addition, sites should filter source routed packets. This document is available from: http://www.cert.org/tech_tips/packet_filtering.html CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address:
Using encryptionWe strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from If you prefer to use DES, please call the CERT hotline for more information.
Getting security informationCERT publications and other security information are available from our web siteTo be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.
Copyright 1999 Carnegie Mellon University. * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
|