Firewall Design 563
Disable All Unnecessary Features on Packet-Filter Routers
CCDPs should limit the number of services on the perimeter router, as shown in Figure 15-7.
Because the perimeter router is closest to the Internet, there are design rules to follow to limit
its vulnerability:
· Disable Telnet access--Deny anyone from the Internet access to this device. All access can be done through the console port.
· Turn off Cisco Discovery Protocol (CDP) broadcasts--The service provider does not need to hear CDP broadcasts from the perimeter router. Information obtained from the CDP broadcast packets can expose a customer's network.
· Use static routing only if connected to only one service provider--Usually Border Gateway Protocol (BGP) is needed only when there are a minimum of two connections to the Internet.
· Do not use this router as a Trivial File Transfer Protocol (TFTP) server--No one should be obtaining images from this router.
· Disable the finger service with the command no service finger--If the finger service is enabled, someone could get a list of the users on the router. The information would include the processes running on the system, the line number, connection name, idle time, and terminal location.
· Disable IP redirects with the interface command no ip redirects.
· Disable IP route caching with the command no ip route-cache.
· Disable source-route bridging with the command no ip source-route--Do not leave the ability for someone to determine his route through the network.
· Use the TCP Intercept tool--This tool comes with the IOS Firewall and is a CBAC component. It protects against SYN flooding and DoS attacks.
· Log events to a Syslog server--This is extremely important. The events should be monitored on a daily basis.
· Block RFC 1918--Block private addresses in the source address from coming in.
· Block 127.0.0.0 in the source address from coming in.
· Block inside networks in the source address from coming in--No one should enter the customer network with a source address that resides internally to the customer network.
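The checklist above can be audited mechanically against a saved router configuration. The following script is an added example, not code from the book or from Cisco; it parses a constructed IOS-style config (the sample text, the interface name, and the inside prefix 203.0.113.0/24 are assumptions) and reports which of the hardening items are present, including whether the inbound access list denies RFC 1918, loopback, and inside-network source addresses.

```python
import re
from ipaddress import ip_network

# Constructed IOS-style perimeter router config used as sample input (not from the book).
SAMPLE_CONFIG = """\
no service finger
no cdp run
no ip source-route
logging host 10.1.1.5
ip tcp intercept list 110
interface Serial0
 ip access-group 101 in
 no ip redirects
 no ip route-cache
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
"""
# Commands the checklist expects to find verbatim anywhere in the config.
REQUIRED = {
    "finger disabled": "no service finger",
    "CDP disabled": "no cdp run",
    "source routing disabled": "no ip source-route",
    "ICMP redirects disabled": "no ip redirects",
    "route caching disabled": "no ip route-cache",
}
# Source prefixes that must never arrive from the Internet (RFC 1918 and loopback).
BOGON_SOURCES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
ACL_DENY = re.compile(r"^access-list \d+ deny ip (\S+) (\S+) any$")
def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair (0 bits = must match) into an ip_network."""
    prefix = 32 - sum(bin(int(o)).count("1") for o in wildcard.split("."))
    return ip_network(f"{addr}/{prefix}", strict=False)
def audit(config, inside_nets=()):
    """Map each hardening item from the checklist to True (present) or False (missing)."""
    lines = [l.strip() for l in config.splitlines()]
    result = {name: cmd in lines for name, cmd in REQUIRED.items()}
    result["syslog configured"] = any(l.startswith("logging host ") for l in lines)
    result["TCP intercept enabled"] = any(l.startswith("ip tcp intercept") for l in lines)
    denied = [wildcard_to_network(*m.groups()) for m in map(ACL_DENY.match, lines) if m]
    # inside_nets are the customer's own prefixes; they must be blocked as sources too.
    for src in map(ip_network, BOGON_SOURCES + tuple(inside_nets)):
        result[f"source {src} blocked"] = any(src.subnet_of(d) for d in denied)
    return result
if __name__ == "__main__":
    for item, ok in audit(SAMPLE_CONFIG, inside_nets=("203.0.113.0/24",)).items():
        print(f"{'OK     ' if ok else 'MISSING'} {item}")
```

Run against the sample, every item reports OK except the inside network 203.0.113.0/24, which the sample access list does not deny as a source; that is the gap the last checklist item is about.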
87200333.book Page 563 Wednesday, August 22, 2001 1:41 PM