Securing TCP/IP

The protocols that make up the backbone of the Internet were conceived in a far more innocent time, back before the days of malware, spam and denial-of-service attacks. So these days, an organization managing a large IP network should be aware of the many potential vulnerabilities in the TCP/IP stack. And despite the maturity of these protocols, there is not enough information describing the pitfalls, according to the United Kingdom government's Centre for the Protection of National Infrastructure.

To help organizations get a handle on the problem, the center has published a guide, called the 'Security Assessment of the Internet Protocol.' It is a guide to how TCP/IP works and how it could be misused by malicious hackers.

The guide has two parts. One section is dedicated to dissecting IP header fields. It explains what each field does, what security vulnerabilities can exist within that field, and what users can do to secure these holes. The second part takes a similar approach to explaining the ins and outs of various IP mechanisms, such as forwarding and addressing resolution.

Overall, the guide details a wide array of potential problems, some of which even seasoned security experts might miss. For example, most routers process a data packet's options with the routers' own processors, rather than using the individual in-line network cards. Because of this approach, it is easy to overwhelm a router by issuing a flood of option-heavy packets.

Fortunately, this problem can be easily remedied. 'Rate-limit the number of packets with IP options that are processed by the system' and 'enforce a limit on the maximum number of options to be accepted on a given Internet datagram,' the guide advises.
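The two mitigations quoted above, sketched as an added example (this is not code from the guide or from GCN). It parses the IPv4 options area, enforces a per-datagram option limit, and applies a token-bucket rate limit to option-bearing packets. The limit of 4 options, the rate and burst values, and all function and class names are assumptions chosen for illustration.

```python
import struct
MAX_OPTIONS = 4  # assumed per-datagram policy limit, not a value from the guide

def count_ip_options(packet: bytes) -> int:
    """Count IPv4 options (NOP padding excluded); ValueError if malformed."""
    ihl = (packet[0] & 0x0F) * 4 if len(packet) >= 20 else 0  # header bytes
    if ihl < 20 or ihl > len(packet) or packet[0] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    opts, i, n = packet[20:ihl], 0, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # No-Operation (1-byte padding)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")
        n += 1
        i += opts[i + 1]
    return n

class OptionsPolicer:
    """Token bucket applied only to packets that carry IP options."""
    def __init__(self, rate=100.0, burst=20.0):   # assumed budget (packets/s)
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, packet: bytes, now: float) -> bool:
        try:
            n = count_ip_options(packet)
        except ValueError:
            return False                     # malformed options: drop
        if n == 0:
            return True                      # no options: not policed here
        if n > MAX_OPTIONS:
            return False                     # per-datagram option limit
        if self.last is not None:            # refill for the elapsed time
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False                     # rate limit exceeded
        self.tokens -= 1.0
        return True

def make_packet(options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header (documentation addresses) + options."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    return struct.pack("!BBHHHBBH", (4 << 4) | (20 + len(options)) // 4, 0,
        20 + len(options), 0, 0, 64, 17, 0) + bytes([192, 0, 2, 1, 198, 51, 100, 1]) + options
```

Packets without options bypass the bucket entirely, so the limiter only constrains the traffic that would otherwise land on the router's main processor.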

To download the report, go to GCN.com/1202.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.
