RFC 3871 Operational Security Requirements September 2004
Justification.
This allows remote devices receiving connections or transmissions
to use source filtering as one means of authentication. For
example, if SNMP traps were configured to use a known loopback
address as their source, the SNMP workstation receiving the traps
(or a firewall in front of it) could be configured to receive SNMP
packets only from that address.
Examples.
The operator may allocate a distinct block of addresses from which
all loopbacks are numbered. NTP and syslog can be configured to
use those loopback addresses as source, while SNMP and BGP may be
configured to use specific physical interface addresses. This
would facilitate filtering based on source address as one way of
rejecting unauthorized attempts to connect to peers/servers.
Warnings.
Care should be taken to assure that the addresses chosen are
routable between the sending and receiving devices (e.g., setting
SSH to use a loopback address of 10.1.1.1 which is not routed
between a router and all intended destinations could cause
problems).
Note that some protocols, such as SCTP [RFC3309], can use more
than one IP address as the endpoint of a single connection.
Also note that [RFC3631] lists address based authentication as an
"insecurity mechanism". Address based authentication should be
replaced or augmented by other mechanisms wherever possible.
2.5.5. Support Automatic Anti-spoofing for Single-Homed Networks
Requirement.
The device MUST provide a means to designate particular interfaces
as servicing "single homed networks" (see Section 1.8) and MUST
provide an option to automatically drop "spoofed packets" (Section
1.8) received on such interfaces where application of the current
forwarding table would not route return traffic back through the
same interface. This option MUST work in the presence of dynamic
routing and dynamically assigned addresses.
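The reverse-path check this requirement describes, written out as an added example (not part of RFC 3871): a packet arriving on an interface marked single-homed is dropped if a lookup of its source address in the current forwarding table would not send return traffic back out that same interface. The forwarding table, interface names and addresses below are constructed for illustration.

```python
import ipaddress

# Constructed forwarding table: (prefix, egress interface).
# Longest-prefix match picks the egress interface, as a router's FIB would.
FORWARDING_TABLE = [
    ("0.0.0.0/0", "ge-0/0/0"),          # default route toward the upstream
    ("192.0.2.0/24", "ge-0/0/1"),       # single-homed customer LAN
    ("198.51.100.0/24", "ge-0/0/2"),    # another single-homed customer LAN
    ("198.51.100.128/25", "ge-0/0/3"),  # more-specific carved out of the /24
]

# Interfaces the operator has designated as serving single-homed networks.
SINGLE_HOMED_INTERFACES = {"ge-0/0/1", "ge-0/0/2", "ge-0/0/3"}


def lookup_egress(fib, address):
    """Return the egress interface the FIB would use to reach `address`
    (longest-prefix match), or None if no route covers it."""
    addr = ipaddress.ip_address(address)
    best_net, best_if = None, None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, ifname
    return best_if


def is_spoofed(fib, single_homed, ingress, src):
    """Strict reverse-path check for one received packet.

    Only interfaces designated single-homed are checked; on those, the packet
    is spoofed if return traffic to `src` would not leave via `ingress`.
    Because the check consults the live FIB on every packet, it keeps
    working as dynamic routing changes the table."""
    if ingress not in single_homed:
        return False
    return lookup_egress(fib, src) != ingress


def filter_packets(fib, single_homed, packets):
    """Apply the check to (ingress, src) pairs; return (accepted, dropped)."""
    accepted = [p for p in packets if not is_spoofed(fib, single_homed, *p)]
    dropped = [p for p in packets if is_spoofed(fib, single_homed, *p)]
    return accepted, dropped
```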
Jones Informational [Page 32]