Hello,
> Thanks, I also read that you could block source-routed packets there,
> also.
You should block them on the external router to protect your DMZ from
spoofing attacks.
Usually an external (in front of DMZ/firewall) and an internal (after
DMZ/firewall) filtering router will do the following (apart from routing of
course :)
external:
    spoof protection
    DMZ protection
internal:
    spoof protection
    internal net protection
    snoop protection from DMZ/firewall

with:

spoof protection is
    block all packets with source address from inside on the external interface
    block all packets with source address not from inside on the internal interface
    block all reserved/not-routed networks
    block all unusual packets like broadcast, multicast and source-routed
    block all oversized or broken packets
DMZ protection is
    allow only connections to certain ports of the DMZ/firewall hosts
internal net protection is
    allow only connections to certain/no ports of internal hosts
    optionally allow all outgoing connections
snoop protection is
    don't let any internal->internal packets reach the DMZ/firewall
These are the general uses for those routers. Of course you can add
additional tasks or leave some out, depending on your local security policy.
> If I am using a cisco router, how does one go about this? Or can I get a
> location for documentation.
www.cisco.com and the CD which is delivered with your cisco router.
Greetings
Bernd
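The rule list in the mail above, written out as an added example in Cisco IOS access-list syntax; this is not from Bernd's mail or from Cisco's documentation. The address ranges (DMZ 192.0.2.0/24, internal net 10.0.0.0/8), the DMZ host roles and the interface names are assumptions made for the example.

```cisco
! Added example (not from the original mail). Assumed layout:
! Serial0 faces the Internet on the external router, Ethernet1 faces
! the DMZ on the internal router; DMZ = 192.0.2.0/24, inside = 10.0.0.0/8.
!
! Source-routed packets are refused globally, not per ACL.
no ip source-route
!
! ---- external router: inbound from the Internet ----
ip access-list extended EXT-IN
 remark spoof protection: our own address space never arrives from outside
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 remark reserved / not-routed networks (RFC 1918, loopback, unspecified, link-local)
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 remark unusual packets: multicast sources, limited broadcast, non-initial fragments
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip any host 255.255.255.255
 deny   ip any any fragments
 remark DMZ protection: only the services the DMZ hosts actually offer (assumed roles)
 permit tcp any host 192.0.2.10 eq 25
 permit tcp any host 192.0.2.11 eq 80
 permit udp any host 192.0.2.12 eq 53
 remark replies to connections the DMZ hosts opened outward
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark everything else dropped; the implicit deny made explicit so it is logged
 deny   ip any any log
!
interface Serial0
 ip access-group EXT-IN in
 no ip directed-broadcast
!
! ---- internal router: traffic arriving from the DMZ side ----
ip access-list extended INT-IN
 remark spoof protection: inside addresses cannot come from the DMZ side
 deny   ip 10.0.0.0 0.255.255.255 any log
 remark internal net protection: replies only, no new connections inward
 permit tcp any 10.0.0.0 0.255.255.255 established
 deny   ip any any log
!
! ---- internal router: snoop protection, traffic leaving toward the DMZ ----
ip access-list extended INT-OUT
 remark internal->internal packets must never reach the DMZ/firewall segment
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 log
 permit ip 10.0.0.0 0.255.255.255 any
!
interface Ethernet1
 ip access-group INT-IN in
 ip access-group INT-OUT out
```

The "oversized or broken packets" rule has no single ACL keyword; the `fragments` entry covers non-initial fragments, and the rest is left to the firewall behind the router.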