		PACKET FILTERING FOR FIREWALL SYSTEMS

If your site isn't filtering certain TCP/IP packets, it may not be as
secure as you think it is.

When the Computer Emergency Response Team (CERT) started in 1988, it
was our opinion that security was the responsibility of the system and
not the network.  While we still believe it is important for system
managers to be aware of security issues and to continue to be diligent
in securing their systems, we realize that this effort alone will not
protect against the exploitation of flawed protocols.

The CERT encourages system managers, site network managers, and
regional network providers to take the time to understand packet
filtering issues.  Due to the flaws in several TCP/IP services, a site
must be able to restrict external access to these services.  Sites
should consider purchasing programmable routers. Network providers
should offer packet filtering as a service option.

Because of flaws in their protocol or chronic system administration
problems, the CERT recommends that the following services be filtered:

        DNS zone transfers - socket 53
        tftpd              - socket 69
        link               - socket 87 (commonly used by intruders)
        SunRPC & NFS       - sockets 111 and 2049
        BSD UNIX "r" cmds  - sockets 512, 513, and 514
        lpd                - socket 515
        uucpd              - socket 540
        openwindows        - socket 2000
        X windows          - socket 6000+

The CERT also suggests that sites filter socket 53, which will prevent
domain name service zone transfers.  Only permit access to socket 53
from known secondary domain name servers.  This will prevent intruders
from gaining additional knowledge about the systems connected to your
local network.

The X windows sockets run from socket 6000 up to socket 6000 plus the
highest number of X displays served by the same host.
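As an added illustration (not part of the CERT note), the following
Python encodes the filter list above as a decision function for inbound
packets at the site boundary, including the two special cases the note
describes: socket 53 permitted only from known secondary name servers,
and the X windows range 6000 through 6000 plus the highest display
number.  The secondary name-server network and the display count are
constructed values, and TCP and UDP are treated alike, as the note's
list does.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Fixed ports from the note's table (the "socket" numbers it lists).
BLOCKED_PORTS = {
    69: "tftpd",
    87: "link",
    111: "sunrpc",
    2049: "nfs",
    512: "bsd r cmd", 513: "bsd r cmd", 514: "bsd r cmd",
    515: "lpd",
    540: "uucpd",
    2000: "openwindows",
}
# Constructed values: the highest X display number served on a host, and
# the network(s) of the site's known secondary name servers.
MAX_X_DISPLAY = 4
KNOWN_SECONDARY_NS = [ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str       # source address of the inbound packet
    dst_port: int  # destination port ("socket" in the note's wording)


def filter_decision(pkt: Packet) -> tuple:
    """Decide ("permit"|"deny", reason) for one inbound packet."""
    # Socket 53: permit only known secondaries, so zone transfers
    # requested by anyone else are dropped.
    if pkt.dst_port == 53:
        if any(ip_address(pkt.src) in net for net in KNOWN_SECONDARY_NS):
            return ("permit", "dns from known secondary")
        return ("deny", "dns zone transfer")
    if pkt.dst_port in BLOCKED_PORTS:
        return ("deny", BLOCKED_PORTS[pkt.dst_port])
    # X windows: 6000 through 6000 plus the highest display number.
    if 6000 <= pkt.dst_port <= 6000 + MAX_X_DISPLAY:
        return ("deny", "x windows")
    return ("permit", "not in filter list")


def denied_services(packets):
    """Distinct reasons for which packets in a batch were denied."""
    reasons = set()
    for pkt in packets:
        decision, reason = filter_decision(pkt)
        if decision == "deny":
            reasons.add(reason)
    return sorted(reasons)
```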

If the site does not need to provide other services to external users,
those other services should be filtered.  For example, CERT filters
telnet connections when all of its members are in the office.  We also
filter ftp connections to all systems except to cert.org, which is used
as an archive system via anonymous ftp.

We recently handled an incident that involved automated TFTP attempts.
Many of the systems affected were using the TFTP daemon to boot X
terminals locally.  Filtering TFTP connections would have protected
these sites from this attack.
