Netscreen 50 Recommended Screen Settings



  • Having recently upgraded to a NetScreen 50, I notice that the default settings on the untrust screen side are minimal. I assume this is to keep the CPU from cranking up, but what are some of the recommended protections/settings on the untrust side I should be checking the box on?
    Thanks in advance.
    Jim



  • I used the guide listed below to set the Screening options on my 5GT’s:

    http://www.cymru.com/gillsr/documents/screenos-hardening-appnote.pdf



  • IP spoofing alarms basically mean a host from a particular IP was coming in on an interface in which it was not expected. In this case a packet from 192.168.0.9 is ingressing from the e3 interface. However the Netscreen expects any host from 192.168.0.9 to be ingressing from a trusted interface such as e1. Thus you get the alarm. I would run a sniffer and capture the errant packet to find out exactly why and from whom you are receiving this from the untrust side.



  • Thanks for the advice. I do have one more question. Since bringing the new NS50 up, I'm getting this odd system alert every 10 min or so:

    alert IP spoofing! From 192.168.0.9:55448 to 67.xx.xx.xxx:25, proto TCP (zone Untrust, int ethernet3). Occurred 1 times.

    Now this is coming from my internal workstation (0.9) to another of my servers (67.xx), which handles incoming email (and Xwall server).
    I know I could just stop screening the IP Spoof, but any ideas what could be causing this?
    Thanks.
    Jim
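
Added example (not part of any post in this thread): a small Python triage script that parses the alert format quoted above and shows why each alert fired, by comparing the interface a packet arrived on with the interface the source address is expected on. The route table, the second alert line and the non-alert line are constructed, and modelling the expected interface as a longest-prefix route lookup is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed route table (assumption): internal LAN on ethernet1, default route on ethernet3.
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), "ethernet1"),
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet3"),
]

# Matches the alert text quoted in the thread; the destination may be masked ("67.xx.xx.xxx").
ALERT_RE = re.compile(
    r"IP spoofing! From (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\w.]+):(?P<dport>\d+), "
    r"proto (?P<proto>\w+) \(zone (?P<zone>\w+), int (?P<intf>\w+)\)\. "
    r"Occurred (?P<count>\d+) times\."
)

def expected_interface(src):
    """Longest-prefix match of the source address against ROUTES."""
    addr = ipaddress.ip_address(src)
    matches = [(net, intf) for net, intf in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def parse_alert(line):
    """Return the alert fields plus the expected interface, or None for other lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["expected_intf"] = expected_interface(rec["src"])
    rec["mismatch"] = rec["expected_intf"] != rec["intf"]
    return rec

def summarize(lines):
    """Total occurrences per (source, ingress interface, expected interface)."""
    totals = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec and rec["mismatch"]:
            totals[(rec["src"], rec["intf"], rec["expected_intf"])] += rec["count"]
    return dict(totals)

SAMPLE = [  # first line is the alert from the thread; the other two are constructed
    "alert IP spoofing! From 192.168.0.9:55448 to 67.xx.xx.xxx:25, proto TCP (zone Untrust, int ethernet3). Occurred 1 times.",
    "alert IP spoofing! From 192.168.0.9:55460 to 67.xx.xx.xxx:25, proto TCP (zone Untrust, int ethernet3). Occurred 1 times.",
    "system: admin logged in",
]
```

Running `summarize` over a day of alerts gives one row per source and interface pair, which narrows down what to look for in a packet capture.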



  • That is a difficult question. One suggestion would be to enable all screen options but also check the Generate Alarms with Dropping Packets box. This will tell the Netscreen to log all potential screen alarm attacks but not drop the packet. That way you can audit what types of attacks you might be seeing on a regular basis and set your screens accordingly.

    BTW screening can actually improve your CPU utilization. Screening can drop the packet before the CPU has to process the flow. Therefore this may actually help rather than hurt performance.


 
