Best practices for ingress filtering

By now, we should be able to articulate some best practices for ingress filtering. The default behavior of pfSense is to block all ports, and we want to take advantage of that. Inevitably, we are going to have to open some ports, but even then we want our rules to be as restrictive as possible. The best practices for ingress filtering, at least according to the IETF, are outlined in the following documents:

  • Defeating DoS attacks, in particular ones that employ IP spoofing: https://tools.ietf.org/html/bcp38.
  • Different strategies for ensuring that packets come from the origin they claim to come from, with particular attention to multi-homed networks (networks that have multiple points of access to the public internet): https://tools.ietf.org/html/bcp84.

These documents are not particularly long, but here are the most relevant points contained in them:

  • Traffic that employs IP spoofing should be blocked, and only packets that have valid source addresses should be allowed. That means that, at a minimum, packets with known fallacious addresses (for example, all private addresses, such as 1.2.3.4 and 0.0.0.1) should be rejected.
  • If we allow remote-access users, automatic filtering should be applied to those users. If a user is connecting through an ISP, then only the IP address assigned by that ISP should be allowed.
  • DHCP and BOOTP both involve communicating with clients who have not yet been assigned an IP address and who do not know the IP address of the server from which they want to receive one. For that reason, they use 0.0.0.0 as the source address and the broadcast address (255.255.255.255) as the destination address, so if DHCP and/or BOOTP is being used, those addresses must be allowed.
  • BCP84 targets ISPs and system admins running edge routers, and discusses ways of using reverse path forwarding (RPF) to defeat DDoS attacks. Basically, it proposes that if a packet doesn't come from the best path between the source and the destination (a possible sign that the source is being spoofed), the packet should be rejected.

Here are some additional best practices for ingress filtering:

  • Block TCP packets in which the SYN and the FIN flags are both set to 1. These flags should never be set to 1 on the same packet, and if they are, there's a good chance the packet is part of a SYN flood attack.
  • Block legacy ports that are not being used, for example Telnet (23) and NetBIOS (135 to 139).
  • Block Trivial File Transfer Protocol (TFTP) on port 69.
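As an added illustration (not code from the book or from pfSense itself), here is the policy described in the two lists above expressed as a small Python model that is evaluated against constructed packet headers. The local prefix 203.0.113.0/24, the sample addresses and the Packet/ingress_decision names are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Source prefixes that should never appear on packets arriving from the internet:
# "this network" (0.0.0.0/8), RFC 1918 private space, loopback and link-local.
INVALID_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]
# Our own public prefix (assumed value from the RFC 5737 documentation range);
# a packet arriving from outside with one of our addresses as source is spoofed.
LOCAL_PREFIX = ipaddress.ip_network("203.0.113.0/24")
# Legacy ports blocked by default: Telnet (23), TFTP (69), 135 to 139.
LEGACY_PORTS = {23, 69, *range(135, 140)}
SYN, FIN = 0x02, 0x01  # TCP flag bits
DHCP_SRC, BCAST = ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("255.255.255.255")

@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    flags: int = 0  # TCP flag bits; 0 for UDP

def ingress_decision(pkt: Packet, allow_dhcp: bool = False) -> str:
    """Return 'pass' or 'block: <reason>' for one inbound packet; first match wins."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # DHCP/BOOTP exception: an unconfigured client sources 0.0.0.0 and sends to the
    # limited broadcast address, so the invalid-source rule must not fire on it.
    if allow_dhcp and pkt.proto == "udp" and pkt.dport == 67 and src == DHCP_SRC and dst == BCAST:
        return "pass: dhcp"
    if any(src in net for net in INVALID_SOURCES):
        return "block: invalid source"
    if src in LOCAL_PREFIX:
        return "block: spoofed local source"
    if pkt.proto == "tcp" and (pkt.flags & (SYN | FIN)) == (SYN | FIN):
        return "block: syn+fin"
    if pkt.dport in LEGACY_PORTS:
        return "block: legacy port"
    return "pass"

if __name__ == "__main__":
    # Constructed sample headers exercising the invalid-source, SYN+FIN and legacy-port rules.
    for p in (Packet("10.1.2.3", "203.0.113.10", "tcp", 443, SYN),
              Packet("198.51.100.7", "203.0.113.10", "tcp", 80, SYN | FIN),
              Packet("198.51.100.7", "203.0.113.10", "tcp", 23, SYN)):
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {ingress_decision(p)}")
```

The DHCP exception is deliberately evaluated before the invalid-source check, because 0.0.0.0 falls inside 0.0.0.0/8 and would otherwise be dropped.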