Symantec™ Security Gateways Reference Guide - Sawmill

Preventing attacks

Enable spoof protection

The spoof protection flag governs whether or not spoof protection database entries are generated for this logical network interface. Database entries are produced by compiling a list of user-defined network entities associated with an interface. Once available, the database is loaded into the security gateway's driver, where it is used to verify that packets sourced from a defined entity are actually arriving on the correct interface of the security gateway.

Provide recursion and expose private DNS information

This logical network interface option alters the behavior of the security gateway's DNS daemon, instructing it to search both the private and public DNS databases stored on the system before replying. With this flag enabled, all otherwise-private host names are available for both forward and reverse lookups to queries on this interface. For example, a common use of this option would be to allow resolution of internal names and addresses by servers in the service network.

Enabling this option also instructs the network interface to support external recursion. This means that this interface can now be used as a public DNS server. For example, if this option is enabled on a security gateway's external interface, any host external to the security gateway can send a DNS request to the external interface, and the security gateway performs the lookup and responds to the host.

Suppress reset and ICMP error messages

This flag instructs the security gateway driver to conceal its presence in response to unauthorized communication attempts. To the traffic initiator, it appears as if the target host does not exist or is offline. This happens because the driver no longer sends a reset or ICMP error notification back to the requesting host.

This feature is useful in situations where only a handful of ports are open on the untrusted sides of the security gateway. In this scenario, this feature reduces the likelihood of detection through network scanning, thus reducing the possibility of a directed attack. If there are a significant number of open ports on the untrusted sides, the likelihood of an attacker detecting the presence of the security gateway increases, which minimizes the benefit of this option.

Note: The effects of enabling this option are contrary to the accepted standards of polite network communication. Additionally, suppressing resets and ICMP error responses can cause problems, such as interfering with path MTU discovery or concealing the root cause of service unavailability. Carefully review your network topology to determine whether enabling this option is warranted.

Address transforms

Some administrators believe that if they use reserved network addresses, specifically those defined in RFC 1918, they do not have to concern themselves with hiding a host's real IP address. On the surface, this security approach seems sound. RFC 1918 addresses do not route publicly, so an attacker external to the company perimeter cannot direct an attack at an internal host, even if the attacker knows that host's IP address. However, some administrators forget to consider the attacker who breaches the perimeter and gains access to a host on the protected network. Once inside, that attacker, armed with the real IP addresses of hosts on the network, can direct intelligent attacks to compromise other systems. For example, if an attacker knows that a company Web server is at IP address 192.168.1.5, that attacker can focus on Web-based attacks only and not waste time trying other types.
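The following is an added illustration of the spoof protection check described under "Enable spoof protection" above; it is not code from the Symantec product. It assumes a constructed per-interface configuration (interface names and CIDR entities are invented) and models the driver's verification: a packet whose source address belongs to a defined entity must arrive on the interface that entity is bound to, otherwise it is treated as spoofed.

```python
import ipaddress
from collections import namedtuple

# Constructed sample configuration: network entities an administrator has
# associated with each logical interface. Spoof protection is enabled on
# 'inside' and 'dmz' only; 'outside' contributes no database entries.
INTERFACES = {
    "inside":  {"spoof_protection": True,  "entities": ["192.168.1.0/24", "10.0.0.0/8"]},
    "dmz":     {"spoof_protection": True,  "entities": ["172.16.5.0/24"]},
    "outside": {"spoof_protection": False, "entities": []},
}

Packet = namedtuple("Packet", "src_ip arrived_on")


def build_spoof_db(interfaces):
    """Compile the per-interface entity lists into the spoof protection
    database: a list of (network, expected_interface) pairs, most specific
    prefix first so an overlapping narrower entity wins."""
    db = []
    for name, cfg in interfaces.items():
        if not cfg["spoof_protection"]:
            continue
        for entity in cfg["entities"]:
            db.append((ipaddress.ip_network(entity), name))
    db.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return db


def check_packet(db, pkt):
    """Return (verdict, reason) for one packet. Sources that match no
    defined entity are not subject to the spoof check at all."""
    src = ipaddress.ip_address(pkt.src_ip)
    for net, expected_if in db:
        if src in net:
            if pkt.arrived_on == expected_if:
                return "accept", f"{src} in {net}, arrived on expected {expected_if}"
            return "drop", f"{src} claims {net} (bound to {expected_if}) but arrived on {pkt.arrived_on}"
    return "accept", f"{src} matches no defined entity"


if __name__ == "__main__":
    db = build_spoof_db(INTERFACES)
    for pkt in (Packet("192.168.1.5", "inside"), Packet("192.168.1.5", "outside"),
                Packet("172.16.5.9", "inside"), Packet("203.0.113.7", "outside")):
        print(pkt.arrived_on, pkt.src_ip, *check_packet(db, pkt))
```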
