Before you start throwing stones at neighbors with vulnerable networks, take a good look at your own network. Traffic flows are two-way streets and screwed-up configurations affect systems near and far. It takes a village to raze a network.
In some cases, you may have to get your service provider to make configuration changes for you. It's worth the hassle--the more relatively minor misconfigurations get fixed, the better off everyone will be. In no particular order, here's a checklist to get you started:
Filter outbound traffic: If the firewall is blocking only inbound traffic, you're using only half its capabilities. Start identifying necessary outbound traffic and disallowing everything else. Doing so makes getting data through the firewall more difficult.
Filter your egress: Your organization should know what subnets are hosted on the network. Allowing only traffic originating from those subnets to traverse the border router or firewall prevents traffic with spoofed source addresses from passing. Enable antispoofing at the router.
Disable directed broadcasts: Directed broadcasts are a side effect of networking. Send an ICMP Echo Request to a network broadcast address, and all available hosts will respond. There is little need to allow directed broadcasts--or any from foreign networks. Disable directed broadcasts at the router.
Block protocols at the router: Some traffic--such as NetBIOS, SNMP and some ICMP types, including echo request, time request and subnet request--shouldn't traverse the border. Just drop it all at the router and be done with it. That way, even if a badly configured firewall crops up, the traffic won't leak out.
Implement tiered defenses: If you have one border router between your network and the world, what happens if it is compromised? Examine your traffic flows and design your network to restrict flows even if components fail.
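The "Filter your egress" and "Disable directed broadcasts" items above each reduce to an address check at the border. The following Python is an added example, not part of the original article, that applies both checks to flow records so you can see which packets your border should have dropped; the hosted prefixes, the flow records and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample: documentation prefixes standing in for the subnets
# your organization actually hosts behind the border router.
HOSTED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]


def border_decision(direction, src, dst, hosted=HOSTED):
    """Decide what the border should do with one packet.

    direction is "out" (leaving your network) or "in" (arriving from outside).
    Returns "permit" or a "drop: <reason>" string.
    """
    try:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return "drop: malformed-address"
    if direction == "out":
        # Egress filter: only sources inside a hosted subnet may leave.
        if not any(s in net for net in hosted):
            return "drop: spoofed-source"
    elif direction == "in":
        # Directed broadcast: destination is a hosted subnet's broadcast address.
        if any(d == net.broadcast_address for net in hosted):
            return "drop: directed-broadcast"
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return "permit"


def audit(flows, hosted=HOSTED):
    """Return (flow, decision) for every flow the border should have dropped."""
    results = [(f, border_decision(*f, hosted=hosted)) for f in flows]
    return [(f, r) for f, r in results if r != "permit"]


# Constructed flow records: (direction, source, destination).
SAMPLE_FLOWS = [
    ("out", "192.0.2.10", "203.0.113.5"),      # legitimate outbound
    ("out", "10.9.8.7", "203.0.113.5"),        # source not hosted here
    ("out", "198.51.100.200", "203.0.113.5"),  # outside the /25, so not ours
    ("in", "203.0.113.77", "192.0.2.255"),     # aimed at a subnet broadcast
    ("in", "203.0.113.77", "198.51.100.127"),  # broadcast address of the /25
    ("in", "203.0.113.77", "192.0.2.25"),      # ordinary inbound
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, "->", reason)
```

The third sample flow shows why the hosted list must carry exact prefix lengths: 198.51.100.200 looks local at a glance but falls outside the /25, so it is treated as spoofed.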