ADTRAN Stub Routing Specifications, Page 193

Command Reference Guide Global Configuration Mode Command Set
61950860L1-35D © 2003 ADTRAN, Inc. 193
Attack Protection:
When the ip firewall command is enabled and access-policies are created using the ip policy-class command and applied to interfaces with the access-policy command, firewall attack protection is enabled.
The ADTRAN OS blocks traffic (matching patterns of known networking exploits) from traveling through the
device. For some of these attacks, the user may manually disable checking/blocking while other attack checks
are always on anytime the firewall is enabled.
The table (on the following pages) outlines the types of traffic discarded by the Firewall Attack Protection
Engine. Many attacks use similar invalid traffic patterns; therefore attacks other than the examples listed below
may also be blocked by the firewall. To determine if a specific attack is blocked by the ADTRAN OS firewall,
please contact ADTRAN technical support.
| Invalid Traffic Pattern | Manually Enabled? | ADTRAN OS Firewall Response | Common Attacks |
|---|---|---|---|
| Larger than allowed packets | No | Any packets that are longer than those defined by standards will be dropped. | Ping of Death |
| Fragmented IP packets that produce errors when attempting to reassemble | No | The firewall intercepts all fragments for an IP packet and attempts to reassemble them before forwarding to destination. If any problems or errors are found during reassembly, the fragments are dropped. | SynDrop, TearDrop, OpenTear, Nestea, Targa, Newtear, Bonk, Boink |
| Smurf Attack | No | The firewall will drop any ping responses that are not part of an active session. | Smurf Attack |
| IP Spoofing | No | The firewall will drop any packets with a source IP address that appears to be spoofed. The IP route table is used to determine if a path to the source address is known (out of the interface from which the packet was received). For example, if a packet with a source IP address of 10.10.10.1 is received on interface fr 1.16 and no route to 10.10.10.1 (through interface fr 1.16) exists in the route table, the packet is dropped. | IP Spoofing |
| ICMP Control Message Floods and Attacks | No | The following types of ICMP packets are allowed through the firewall: echo, echo-reply, TTL expired, dest. Unreachable, and quench. These ICMP messages are only allowed if they appear to be in response to a valid session. All others are discarded. | Twinge |
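The first two table rows (oversized packets and fragments that fail reassembly) describe checks that can be sketched as follows. This is an added example, not ADTRAN OS code and not taken from the manual; the Fragment type, check_fragments() and the 20-byte header length are assumptions, and the function assumes it is given every fragment collected for one datagram ID.

```python
"""Added illustration: sanity checks a reassembling firewall can apply to
IPv4 fragments. Not ADTRAN OS code; all names here are hypothetical."""
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535   # IPv4 Total Length is a 16-bit field
IP_HEADER_LEN = 20        # assumption: IP header without options

@dataclass(frozen=True)
class Fragment:
    offset_units: int     # Fragment Offset field, in 8-byte units
    payload_len: int      # bytes of data carried after the IP header
    more_fragments: bool  # MF flag

def check_fragments(frags):
    """Return (verdict, reason) for the fragments of one datagram ID."""
    if not frags:
        return "drop", "no fragments"
    ordered = sorted(frags, key=lambda f: f.offset_units)
    expected = 0  # byte offset at which the next fragment must begin
    for i, f in enumerate(ordered):
        start = f.offset_units * 8
        end = start + f.payload_len
        last = i == len(ordered) - 1
        if f.payload_len <= 0:
            return "drop", "empty fragment"
        if IP_HEADER_LEN + end > MAX_IP_DATAGRAM:
            return "drop", "reassembled size exceeds 65535 bytes"
        if start < expected:
            return "drop", "overlapping fragments"
        if start > expected:
            return "drop", "gap in fragment chain"
        if not last and f.payload_len % 8:
            return "drop", "non-final fragment not a multiple of 8 bytes"
        if f.more_fragments == last:  # MF must be set on all but the last
            return "drop", "MF flag inconsistent with position"
        expected = end
    return "forward", "reassembly clean"

if __name__ == "__main__":
    # Constructed sample input: a clean 3-fragment datagram, arriving out of order.
    clean = [Fragment(185, 1480, True), Fragment(0, 1480, True),
             Fragment(370, 40, False)]
    print(check_fragments(clean))
```

A drop verdict applies to the whole fragment set, matching the table's statement that the fragments are dropped if any error is found during reassembly.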
Technology Review (Continued)