Firewall Design 565
Any enabled service could present a potential security risk. A determined hostile party might be able to find creative ways to misuse the enabled services to access the firewall or the network. For local services that are enabled, protect against misuse: configure the services to communicate only with specific peers, and configure access lists to deny packets for those services on specific interfaces.
· Protect against spoofing--Protect the inside network from being spoofed from the outside network. You can protect against spoofing by configuring input access lists at all interfaces to pass only traffic from expected source addresses and to deny all other traffic, but this method would probably be overkill, considering that access lists are process-switched, which decreases the router's performance.
You should also disable source routing. For IP, enter the no ip source-route global configuration command. Under no circumstances should ip source-route be used, unless Token Ring is being used.
You should also disable minor services. For IP, enter the no service tcp-small-servers and no service udp-small-servers global configuration commands.
· Normally, you should disable directed broadcasts for all applicable protocols on your firewall and on all your other routers. For IP, use the no ip directed-broadcast command. Rarely, some IP networks do require directed broadcasts; if this is the case, do not disable directed broadcasts. Directed broadcasts can be misused to multiply the power of denial-of-service attacks, because every denial-of-service packet sent is broadcast to every host on a subnet.
· Configure the no proxy-arp command to prevent internal addresses from being revealed. (This is important to do if you don't already have NAT configured to prevent internal IP addresses from being revealed.)
· Keep the packet-filter router in a secured (locked) room.
TIP
Proxy ARP is on by default. Turn it off.
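The checklist above can be verified mechanically against a saved configuration. The following audit script is an added example, not code from the book: it parses an IOS-style configuration, checks for the global and per-interface hardening commands named in this section, and flags an outside interface that has no inbound access list for spoofing protection. It assumes the IOS command forms (no ip proxy-arp and no ip directed-broadcast are interface commands in IOS), and the sample configuration it reads is constructed.

```python
# Added example, not the book's code: audit an IOS-style config for the hardening
# settings this section describes. The sample config below is constructed.
REQUIRED_GLOBAL = ("no ip source-route", "no service tcp-small-servers",
                   "no service udp-small-servers")
# IOS applies these per interface (the book writes proxy ARP as "no proxy-arp").
REQUIRED_PER_INTERFACE = ("no ip directed-broadcast", "no ip proxy-arp")
def parse_config(text):
    """Return (global commands, {interface name: [its indented sub-commands]})."""
    global_cmds, interfaces, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                      # blank line or IOS comment
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None                # back at global configuration level
            global_cmds.append(line.strip())
    return global_cmds, interfaces

def audit(text, outside_interface):
    """List hardening gaps; an empty list means the config passes every check."""
    global_cmds, interfaces = parse_config(text)
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBAL if c not in global_cmds]
    for name, cmds in interfaces.items():
        if not any(c.startswith("ip address ") for c in cmds):
            continue                      # no IP on this interface; IP checks do not apply
        findings += [f"{name}: missing '{c}'" for c in REQUIRED_PER_INTERFACE if c not in cmds]
        has_ingress_acl = any(c.startswith("ip access-group ") and c.endswith(" in") for c in cmds)
        if name == outside_interface and not has_ingress_acl:
            findings.append(f"{name}: no inbound access list to filter spoofed sources")
    return findings

SAMPLE_CONFIG = """\
no ip source-route
no service tcp-small-servers
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 no ip directed-broadcast
 ip access-group ANTI-SPOOF in
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 no ip proxy-arp
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG, "Serial0")) or "no findings")
```

Run against the sample, the audit reports the missing udp-small-servers command and the missing proxy-ARP setting on Serial0; a clean configuration returns an empty list.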
Application Proxies
This type of firewall commonly runs on general-purpose operating systems such as UNIX or Windows NT servers and is considered slower than the other types of firewalls. The reason for the slowness is that application proxies do more application-level filtering than the other types. A common example of this is a Web proxy server. The application proxy is a server with two NICs that acts as if it is a host attached to two networks, as shown in Figure 15-8. There is no IP routing between the NICs, but rather a static configuration of IP routes.
87200333.book Page 565 Wednesday, August 22, 2001 1:41 PM