Specifications

Policy Overview
May 18, 2009 Page 11 of 32
SIP (ip), DIP (ip), Protocol, TOS/DSCP, Fragmentation indication, Destination PORT, and Source Port.
Use the set policy syslog command to set syslog rule usage configuration.
Quality of Service in a Policy Rules Context
Quality of Service (QoS) can be specified directly in a policy role as stated in Assigning a Class of Service to this Role on page 5. A CoS can also be applied to a policy rule. The CoS specified at the policy role level is the default and is only used if no rule is triggered. Therefore, if a CoS is applied to both the policy role and a policy rule, the CoS specified in the policy rule takes precedence over the CoS in the policy role for the traffic classification context specified in the policy rule. As stated in the policy role discussion, CoS configuration details are beyond the scope of this document. See the QoS Configuration feature guide located at http://secure.enterasys.com/support/manuals/ for a complete discussion of QoS configuration.
Blocking Non-Edge Protocols at the Edge Network Layer
Edge clients should be prevented from acting as servers for a number of IP services. If non-edge IP services accidentally or maliciously attach to the edge of the network, they are capable of disrupting network operation. IP services should only be allowed where and when your network design requires them. This section identifies ten IP services you should consider blocking at the edge unless allowing them is part of your network architecture. See Assigning Traffic Classification Rules on page 25 for an example of how to configure a subset of these recommended IP services to drop traffic at the edge.
Table 2 Non-Edge Protocols
Protocol | Policy Effect
DHCP Server Protocol | Every network needs DHCP. Automatically mitigate the accidental or malicious connection of a DHCP server to the edge of your network to prevent DoS or data integrity issues, by blocking DHCP on the source port for this device.
DNS Server Protocol | DNS is critical to network operations. Automatically protect your name servers from malicious attack or unauthorized spoofing and redirection, by blocking DNS on the source port for this device.
Routing Topology Protocols | RIP, OSPF, and BGP topology protocols should only originate from authorized router connection points to ensure reliable network operations.
Router Source MAC and Router Source IP Address | Routers and default gateways should not be moving around your network without approved change processes being authorized. Prevent DoS, spoofing, data integrity and other router security issues by blocking router source MAC and router source IP addresses at the edge.
SMTP/POP Server Protocols | Prevent data theft and worm propagation by blocking SMTP at the edge.
SNMP Protocol | Only approved management stations or management data collection points need to be speaking SNMP. Prevent unauthorized users from using SNMP to view, read, or write management information.
FTP and TFTP Server Protocols | Ensure file transfers and firmware upgrades are only originating from authorized file and configuration management servers.