Lucent Technologies 7820-0802-003 Wheelchair User Manual


 
Performing Basic Configuration
Recommended basic security measures
APX 8000/MAX TNT/DSLTNT Physical Interface Configuration Guide Preliminary May 9, 2000 1-9
Following is an example of assigning a Telnet password:
admin> read ip-global
IP-GLOBAL read
admin> set telnet-password = SDwiw87
admin> write
IP-GLOBAL written
All users attempting to access the TAOS unit via Telnet are prompted for the Telnet
password. They are allowed three tries, each with a 60-second time limit, to enter the correct
password. If all three tries fail, the connection attempt times out.
Requiring acceptance of the pool address
During PPP negotiation, a caller can reject the IP address offered by the TAOS unit and present
its own IP address for consideration. For security reasons, you might want to set the
Must-Accept-Address-Assign parameter to Yes to ensure that the TAOS unit terminates such a
call:
admin> read ip-global
IP-GLOBAL read
admin> set must-accept-address-assign = yes
admin> write
IP-GLOBAL written
If you enforce acceptance of the assigned address, the Answer-Defaults profile must enable
dynamic assignment, the caller's configured profile must specify dynamic assignment, and the
caller's PPP dial-in software must be configured to acquire its IP address dynamically. For
more details, see the APX 8000/MAX TNT/DSLTNT WAN, Routing and Tunneling
Configuration Guide.
Ignoring ICMP redirects
The Internet Control Message Protocol (ICMP) was designed to find the most efficient IP route
to a destination. ICMP redirect packets are one of the oldest route-discovery methods on the
Internet. They are also one of the least secure, because ICMP redirects can be counterfeited to
change the way a device routes packets. The following commands configure the TAOS unit to
ignore ICMP redirect packets:
admin> read ip-global
IP-GLOBAL read
admin> set ignore-icmp-redirects = yes
admin> write
IP-GLOBAL written
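The three IP-GLOBAL settings shown so far (telnet-password, must-accept-address-assign, ignore-icmp-redirects) can be audited offline against a saved copy of the profile. The Python script below is an added example, not part of the original guide. The "name = value" listing format, the sample listing, and the function names are assumptions made for illustration.

```python
import re

# Password printed in the guide's own example; a published value must not be reused.
DOCUMENTED_EXAMPLE_PASSWORD = "SDwiw87"

# Constructed sample: IP-GLOBAL settings saved as "name = value" lines (assumed format).
SAMPLE_LISTING = """\
[in IP-GLOBAL]
telnet-password = ""
must-accept-address-assign = no
ignore-icmp-redirects = yes
"""


def parse_listing(text):
    """Return {parameter: value} from 'name = value' lines, stripping quotes."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([a-z0-9-]+)\s*=\s*(.*?)\s*$', line, re.I)
        if m:  # header lines such as "[in IP-GLOBAL]" do not match and are skipped
            settings[m.group(1).lower()] = m.group(2).strip('"')
    return settings


def audit_ip_global(text):
    """Return a list of findings for the three measures described above."""
    s = parse_listing(text)
    findings = []
    pw = s.get("telnet-password", "")
    if not pw:
        findings.append("telnet-password is not set")
    elif pw == DOCUMENTED_EXAMPLE_PASSWORD:
        findings.append("telnet-password is the example value from the guide")
    # A missing parameter is reported the same way as one set to "no".
    for name in ("must-accept-address-assign", "ignore-icmp-redirects"):
        if s.get(name, "").lower() != "yes":
            findings.append(f"{name} is not set to yes")
    return findings


if __name__ == "__main__":
    for finding in audit_ip_global(SAMPLE_LISTING):
        print("FINDING:", finding)
```

If the unit masks the stored password in its output, the script still treats the masked value as a password that is set.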
Disabling directed broadcasts
Denial-of-service attacks known as smurf attacks typically use ICMP Echo Request packets
with a spoofed source address to direct packets to IP broadcast addresses. These attacks are
intended to degrade network performance, possibly to the point that the network becomes
unusable.