188.8.131.52.1 Enabling and Disabling Services and Protocols
As stated above when discussing OS hardening, TURN OFF anything youre not using. This can take the form of turning off services at the server (as discussed in the previous section), or establishing filtering rules (on your routers or the servers themselves) to completely allow or disallow inbound or outbound connections to certain ports. IE, in effect, this turns the port off.
Weve said it a few times already and well say it again: if you dont absolutely require SNMP access to a network device, disable it. SNMP has a variety of security issues. If you absolutely must have it, SNMP v3 includes enhancements to authentication that make it a better network resident, so look for support for it on your devices and servers, and use it rather than v1 or v2, if possible.
Do you have a whiz-bang multi-protocol router? And do you have a network that only uses TCP/IP (as many do, these days)? If you dont need to pass IPX and AppleTalk packets through a router, turn off its ability to do so.
Not using the IMAP protocol outside your internal network? Dont allow traffic on port 143 through your firewalls and routers. Someone installed a UNIX IRC server just for test purposes to see if it enhanced internal communication, and left it running, forgotten, after the test was complete? Get rid of it. Dont need the ability for outside machines to ping your inside machines? Disable ICMP protocol packets inbound from the Internet to your internal network.
The next step in hardening a network device is to exert a finer-grained degree of control over what traffic you allow through the router. Instead of just allowing or disallowing based on type of network-layer protocol or service, you can examine a packets specific origins. That is discussed in the next section on Access Control Lists.
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.