From: Peter Valian (valianp@southwestern.edu)
Date: Tue Jan 14 2003 - 10:23:10 CST
BTW, the SANS tool that told us to disable all those things is called
RAT (Router Audit Tool). You run it against your conf file and it makes
suggestions and tells you why you should change things.
A google search on "sans rat cisco" or some combination should find more
info. It was a free tool.
-p
Todd K. Watson wrote:
> If the router receives a non-broadcast packet destined for itself that
> uses an unknown protocol, it sends an ICMP Protocol Unreachable message
> back to the source. Similarly, if the router receives a packet that it is
> unable to deliver to the ultimate destination, because it knows of no
> route to the destination address, it sends an ICMP Host Unreachable
> message to the source. This is enabled by default on interfaces, and has
> been exploited in spoofed DOS and DDOS attacks.
>
> Cisco, SANS, and the NSA recommend disabling it, which is why we did.
>
> Todd
> --
> Todd K. Watson
> Senior System & Network Administrator
> Southwestern University, Georgetown, TX
> tkw@southwestern.edu || TEL:512.863.1508 || FAX:512.863.1605
>
> On Mon, 13 Jan 2003, Michael King wrote:
>
>
>>since we've both got our router configs up, what's no ip unreachables do?
>>(haven't seen that one used before, figured you must have a very good use
>>for it)
>>
>>-----Original Message-----
>>From: owner-netreg@southwestern.edu
>>[mailto:owner-netreg@southwestern.edu]On Behalf Of Todd K. Watson
>>Sent: Monday, January 13, 2003 5:48 PM
>>To: netreg@southwestern.edu
>>Subject: Re: NetReg: A few NetReg/DHCP questions
>>
>>
>>Jennifer Mehl wrote:
>> >
>>
>>>New question-- right now, for "unknown hosts" we are throwing them in a
>>>pool with the fake DNS servers, but the router, subnet and IP address
>>>are valid for the subnet -- they can get to the Internet as well as
>>>internal hosts during the short time period of the lease (5 min.) I
>>>would like to throw the "unknown" hosts into a pool where they're
>>>effectively stuck at the bogus DNS server and can't even *guess* a
>>>correct IP based on the temp. DHCP parameters. I would guess that this
>>>would be done with a private network (10, 172 or 192) but I'm not sure
>>>what else I need to do to make this work... do I need to configure a
>>>second interface on the DHCP box with a private address? What needs to
>>>be configured on the router to make this happen?
>>
>>Jennifer,
>>
>>You should be able to create private networks which can co-exist on your
>>router interfaces with the routable networks (easy if you use VLANS).
>>
>>If this is how you are setup, then just create a new ip address.
>>
>>I just saw Michael King's reply. Here's a snippet for a virtual
>>interface on our router. For each of our routable \24 network segments,
>>we create a 192.168 network to match it. This helps us keep things less
>>complicated, though we are lucky to have such a large IP space. We use
>>small ranges in the 192.168 network space for the unknown pool of
>>addresses, as well as assign static addresses to printers, network
>>equipment, etc. that does not need access from the internet.
>>
>> interface FastEthernet0.7
>> encapsulation isl 7
>> ip address 192.168.7.1 255.255.255.0 secondary
>> ip address 161.13.7.1 255.255.255.0
>> ip helper-address 192.168.1.175
>> no ip redirects
>> no ip unreachables
>> no ip directed-broadcast
>>
>>As you can see, it's very similar to Michael's. Sorry for repeating a
>>lot of what Michael said, but I was almost finished typing this so I'll
>>go ahead and send it... :-)
>>
>>Todd
>>--
>> Todd K. Watson
>> Senior System & Network Administrator
>> Southwestern University, Georgetown, TX
>> tkw@southwestern.edu || TEL:512.863.1508 || FAX:512.863.1605
>
>
> **********************************************************************
> To unsubscribe from this list, send an e-mail message to
> majordomo@southwestern.edu containing a single line with the words:
> unsubscribe netreg
> Send requests for assistance to: owner-netreg@southwestern.edu
> **********************************************************************
--
Peter Valian
Network & Systems Administrator
Southwestern University
Georgetown, Texas
512.863.1586 office
512.863.1605 fax
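The thread describes what RAT does: read a saved config and report interfaces that still have the ICMP behaviours Cisco, SANS and the NSA recommend turning off. Below is an added example, not RAT and not anything from the list, that performs that one check over a constructed IOS config: the first interface stanza is copied from Todd's snippet, the second (192.0.2.1 is an assumed documentation address) is left at defaults so the audit has something to flag.

```python
import re
from typing import Dict, List

# The three per-interface hardening lines discussed in the thread.
HARDENING = ("no ip redirects", "no ip unreachables", "no ip directed-broadcast")

# Constructed sample config: FastEthernet0.7 is Todd's snippet as posted,
# FastEthernet0.8 is an assumed interface left at IOS defaults.
SAMPLE_CONFIG = """\
interface FastEthernet0.7
 encapsulation isl 7
 ip address 192.168.7.1 255.255.255.0 secondary
 ip address 161.13.7.1 255.255.255.0
 ip helper-address 192.168.1.175
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
!
interface FastEthernet0.8
 encapsulation isl 8
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 192.168.1.175
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [stripped config lines]} from an IOS-style config."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return interfaces

def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface: [missing hardening commands]} for every addressed interface."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if not any(line.startswith("ip address ") for line in lines):
            continue  # no IP address, so the interface cannot source these ICMP messages
        missing = [cmd for cmd in HARDENING if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports only FastEthernet0.8, listing all three commands as missing; a real run would read the saved running-config instead of the embedded sample.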
This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:38 CDT