Technical Details - Security
Overview
| Item | Description |
|---|---|
| Firewall | Comprehensive stateful firewall to prevent cracker attacks. A variety of filtering and protection techniques are employed. Dynamically updates in accordance with features enabled and configuration changes. |
| Configuration | Onboard firmware has been configured to prevent unauthorised intrusion and Denial of Service attacks. |
| Pass-through Services | The NetBox can act as a application-level intermediary for protocols such as SMTP, DNS, POP3 and HTTP proxy. This provides an extra layer of protection for servers running on the internal network as well as providing improved reliability. |
| Regular Updates | The NetBox firmware is regularly upgraded with the latest security updates to protect against new security threats. These updates are performed free-of-charge (for the first 12 months) as part of the NetBox support package. |
| Regular Testing | The NetBox is regularly tested against the tools that are used by crackers themselves. This helps ensure that the NetBox offers the highest level of security. |
Firewall Specifications
| Feature | Description |
|---|---|
| Ingress & Egress filtering | Provides anti-IP spoofing protection from the Internet and prevents IP spoofing attacks originating from inside the local network. |
| Stateful Inspection |
TCP, UDP and ICMP packets are all inspected to ensure they are valid
for the current link 'state'. TCP inspection includes 'TCP Window Tracking'. |
| Application layer protection | By default, HTTP, POP3, SMTP, DNS and FTP have application layer protection. |
| Reverse path source filtering | Provides additional anti-IP spoofing protection . |
| Packet defragmentation | All IP packets routed through the NetBox are defragmented before being passed on, foiling a large number of attacks that can affect weaker systems inside your network. |
| SYN cookies | SYN cookie techniques are used to minimise the impact of SYN flood attacks. |
| ICMP rate limiting | ICMP rate limiting is employed to minimise ICMP based attacks such as “flood pinging”. |
| ICMP broadcast rejection | Broadcast ICMP packets are rejected to minimise the effect of “bounce” attacks. |
| Netbios blocking | All Windows Netbios traffic is blocked to/from the Internet. |
| Private address blocking | Packets from private address ranges are blocked if they originate from inappropriate network interfaces. |
Additional Security Features
| Feature | Description |
|---|---|
| Connection time-outs | Outbound NAT-based connections are subject to time-outs to minimise the window of opportunity for attacks from remote sites. |
| TCP/IP stack tuning | The NetBoxes TCP/IP stack has been tuned to minimise the effect of and speed recovery from Denial-of-Service attacks. |
| Service limiting | Exposed services on the NetBox have been intentionally limited to minimise the damage that can be caused by Denial-Of-Service attacks. |
| Administration channel encryption | The administration channel used during software upgrades is protected by 768-bit encryption. |