Configuring security on the xsr, Features, Access control lists – Enterasys Networks Security Router X-PeditionTM User Manual
Chapter 16: Configuring Security on the XSR
This chapter describes the security options available on the XSR including the firewall feature set
and methods to protect against hacker attacks.
Features
The following security features are supported on the XSR:
• Standard and Extended Access Control Lists (ACLs)
• Protection against: LAND attack (destination IP equals source IP), ICMP echo to directed subnet, UDP echo request to directed subnet broadcast, SYN flood, FIN attacks
• IP packet with multicast/broadcast source address
• Spoofed address checking
• TCP server resource release
• ICMP traffic filtering based on IP data length, IP offset, IP fragmentation bits including:
  – Fragmented ICMP traffic
  – Large ICMP packets
  – Ping of Death attack
• Filter TCP traffic with SYN and FIN bits set
• AAA services including AAA per port, interface privilege levels, PPP client of AAA, debugging
• Firewall feature set
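The header-level packet checks in the list above (LAND, multicast/broadcast source, fragmented and large ICMP, Ping of Death, SYN+FIN) can be expressed as tests on raw IPv4 header fields. The following is an added example, not code from the manual or from the XSR; the function names, result labels and the large-ICMP threshold are assumptions chosen for illustration.

```python
import ipaddress
import struct

ICMP, TCP = 1, 6
MAX_ICMP_DATA = 1024  # assumed "large ICMP" threshold, not an XSR default

def build_ipv4(src, dst, proto, payload=b"", frag=0):
    """Construct a sample IPv4 packet (20-byte header, checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def check_packet(pkt):
    """Return the names of the listed checks that a raw IPv4 packet trips."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["malformed"]
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or total_len < ihl:
        return ["malformed"]
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    more_frags = bool(frag & 0x2000)      # MF bit
    offset = (frag & 0x1FFF) * 8          # fragment offset in bytes
    data_len = total_len - ihl
    hits = []
    if src == dst:
        hits.append("land")
    # Limited broadcast only; a subnet broadcast needs the interface mask.
    if src.is_multicast or int(src) == 0xFFFFFFFF:
        hits.append("bad-source")
    if proto == ICMP:
        if more_frags or offset:
            hits.append("icmp-fragment")
        if data_len > MAX_ICMP_DATA:
            hits.append("icmp-large")
        if ihl + offset + data_len > 65535:   # reassembles past the IPv4 maximum
            hits.append("ping-of-death")
    # TCP flags live in byte 13 of the TCP header, present only at offset 0.
    if proto == TCP and offset == 0 and len(pkt) >= ihl + 14:
        flags = pkt[ihl + 13]
        if flags & 0x02 and flags & 0x01:     # SYN and FIN together
            hits.append("tcp-syn-fin")
    return hits

if __name__ == "__main__":
    syn_fin = bytes(13) + b"\x03" + bytes(6)   # constructed TCP header, SYN+FIN
    print(check_packet(build_ipv4("10.0.0.5", "10.0.0.5", TCP, syn_fin)))
```
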
Access Control Lists
Access Control Lists (ACLs) impose selection criteria for certain types of packets; used in conjunction with other functions, they restrict Layer 3 traffic on the XSR. They are configured as:
• Standard access lists (1-99) restrict traffic based on source IP addresses
• Extended access lists (100-199) filter traffic from source and destination IP addresses, protocol type (ICMP, TCP, UDP, GRE, ESP, AH), port number (TCP, UDP), and type/code (ICMP)
Note: Activating any of the above features will affect system performance.