Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
Applying Packet Filters: Permit Only Required Protocols and Services
Carefully consider what network services will be allowed through the router
(outbound and inbound) and to the router itself. If possible, use the following
guideline when creating filters: any service that is not explicitly permitted is
prohibited. Make a list of the services and protocols that must cross the router, and
of those that the router itself needs for its operation. Create a set of filtering rules
that permits the traffic identified on the list and prohibits all other traffic.
In cases where only certain hosts or networks need access to a particular service, add a
filtering rule that permits that service only from the specific host addresses or address
ranges. For example, the network firewall host might be the only address authorized
to initiate web connections (TCP port 80) through the router.
Applying Packet Filters: Reject Risky Protocols and Services
Sometimes, it is not possible to follow the strict security guideline discussed above.
In that case, fall back to prohibiting services that are commonly not needed, or that
are known to be popular vehicles for security compromise. This approach is weaker than
the default-deny guideline, because any service not on the block list passes by default.
The following two tables present common services to restrict, because they can be used
to gather information about the protected network or because they have weaknesses that
can be exploited against the protected network. The first table lists the services that
should be completely blocked at the router. Unless you have a specific operational need
to support them, the protocols listed in Table 3-1 should not be allowed across the
router in either direction.
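The following is an added example, not code from the Router Security Configuration Guide. It models a router-style first-match packet filter in Python and runs the same constructed packets through both policies of this section: the strict policy, in which only listed traffic is permitted and everything else is dropped (with the firewall host as the only address allowed to start web sessions), and the fall-back policy, which denies the services of Table 3-1 (the portion reproduced on this page) in both directions and permits everything else. The network addresses, the firewall and router addresses, the management rule and the sample packets are all assumptions made for the illustration.

```python
"""Added example: first-match packet filter model contrasting a default-deny
allow list with a Table 3-1 style deny list. Not from the guide; all
addresses and rule sets below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    direction: str  # "in" = arriving from outside, "out" = leaving the protected net


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"           # "tcp", "udp" or "any"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"             # CIDR or "any"
    dport: Optional[int] = None  # None matches any port
    direction: str = "any"       # "in", "out" or "any"

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ip_address(addr) in ip_network(net)
        return (self.proto in ("any", p.proto)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.dport is None or self.dport == p.dport)
                and self.direction in ("any", p.direction))


def evaluate(rules: List[Rule], p: Packet, default: str) -> str:
    """Router-style evaluation: the first matching rule decides; if no rule
    matches, the policy's default action applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# --- Policy 1: permit only the listed services; everything else is denied.
INSIDE = "10.1.0.0/16"     # constructed protected network
ROUTER = "10.1.0.1"        # constructed router address
FIREWALL = "10.1.0.5"      # constructed: the only host allowed to start web sessions
ADMIN = "10.1.0.20"        # constructed: management host allowed to ssh to the router

STRICT_RULES = [
    Rule("permit", "tcp", src=f"{FIREWALL}/32", dport=80, direction="out"),
    Rule("permit", "udp", src=INSIDE, dport=53, direction="out"),         # DNS lookups
    Rule("permit", "tcp", src=f"{ADMIN}/32", dst=f"{ROUTER}/32", dport=22),  # to the router
]


def strict_filter(p: Packet) -> str:
    return evaluate(STRICT_RULES, p, default="deny")


# --- Policy 2: fall-back deny list from the part of Table 3-1 shown on this
# page, blocked in both directions; anything not listed passes by default.
TABLE_3_1 = [  # (port, transports)
    (1, "tcp udp"), (7, "tcp udp"), (9, "tcp udp"), (11, "tcp"),
    (13, "tcp udp"), (15, "tcp"), (19, "tcp udp"), (37, "tcp udp"),
    (43, "tcp"), (67, "udp"), (69, "udp"), (93, "tcp"), (111, "tcp udp"),
    (135, "tcp udp"), (137, "tcp udp"), (138, "tcp udp"), (139, "tcp udp"),
]
DENYLIST_RULES = [Rule("deny", proto, dport=port)
                  for port, transports in TABLE_3_1
                  for proto in transports.split()]


def denylist_filter(p: Packet) -> str:
    return evaluate(DENYLIST_RULES, p, default="permit")


# Constructed sample traffic (192.0.2.x and 198.51.100.x are documentation ranges).
SAMPLE = {
    "firewall_web": Packet(FIREWALL, "192.0.2.10", "tcp", 80, "out"),
    "workstation_web": Packet("10.1.4.7", "192.0.2.10", "tcp", 80, "out"),
    "admin_ssh_router": Packet(ADMIN, ROUTER, "tcp", 22, "out"),
    "inbound_tftp": Packet("198.51.100.9", "10.1.4.7", "udp", 69, "in"),
    "inbound_netbios": Packet("198.51.100.9", "10.1.4.7", "tcp", 139, "in"),
    "inbound_telnet_router": Packet("198.51.100.9", ROUTER, "tcp", 23, "in"),
}


def decisions(filter_fn) -> dict:
    """Apply one policy to every sample packet; returns {name: action}."""
    return {name: filter_fn(pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, fn in (("strict", strict_filter), ("denylist", denylist_filter)):
        print(label, decisions(fn))
```

Running the block shows the difference the text describes: the strict policy drops the workstation's web session and the inbound telnet attempt against the router because neither was listed, while the deny-list policy blocks tftp and netbios-ssn but lets the telnet attempt through, since port 23 is not on the part of the table reproduced here. On Cisco IOS routers an access list ends with an implicit deny of everything not matched, so the strict policy consists of just the permit lines; the deny-list policy instead needs an explicit "permit any" after the deny entries.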
Table 3-1: Services to Block Completely at the Router

Port (Transport)    Service
1 (TCP & UDP)       tcpmux
7 (TCP & UDP)       echo
9 (TCP & UDP)       discard
11 (TCP)            systat
13 (TCP & UDP)      daytime
15 (TCP)            netstat
19 (TCP & UDP)      chargen
37 (TCP & UDP)      time
43 (TCP)            whois
67 (UDP)            bootp
69 (UDP)            tftp
93 (TCP)            supdup
111 (TCP & UDP)     sunrpc
135 (TCP & UDP)     loc-srv
137 (TCP & UDP)     netbios-ns
138 (TCP & UDP)     netbios-dgm
139 (TCP & UDP)     netbios-ssn