Juniper Network and Security Manager 2010.4 - Configuring ScreenOS Devices Guide, Rev 01 (page 70)
Table 18: IP Setting Options

| IP Setting Options | Your Action |
|---|---|
| Block Bad IP Options | Select this option to block packets with an IP datagram header that contains an incomplete or malformed list of IP options. |
| Timestamp IP Option Detection | Select this option to block packets in which the IP option list includes option 4 (Internet Timestamp). The timestamp option records the time when each network device receives the packet during its trip from the point of origin to its destination, as well as the IP address of each network device and the transmission duration of each one. If the destination host has been compromised, attackers can discover the network topology and addressing scheme through which the packet passed. |
| Security IP Option Detection | Select this option for hosts to send security, compartmentation, TCC (closed user group) parameters, and Handling Restriction Codes compatible with U.S. Department of Defense requirements. |
| Stream IP Option Detection | Select this option to block packets in which the IP option is 8 (Stream ID). Packets must use the 16-bit SATNET stream identifier to be carried through networks that do not support the stream concept. |
| Record Route IP Option Detection | Select this option to block packets in which the IP option is 7 (Record Route). Attackers might use this option to record the series of Internet addresses through which a packet passes, enabling them to discover network addressing schemes and topologies. |
| Loose Source IP Option Detection | Select this option to block packets in which the IP option is 3 (Loose Source Routing). The Loose Source Routing option enables the packet to supply routing information used by the gateways when forwarding the packet to the destination; the gateway or host IP can use any number of routes from other intermediate gateways to reach the next address in the route. |
| Strict Source IP Option Detection | Select this option to block packets in which the IP option is 9 (Strict Source Routing). The Strict Source Routing option enables the packet to supply routing information used by the gateways when forwarding the packet to the destination; the gateway or host IP must send the datagram directly to the next address in the source route, and only through the directly connected network indicated in the next address to reach the next gateway or host specified in the route. |
| Source Route IP Option Filter | Select this option to block all IP traffic that contains the Source Route option. The Source Route option enables the IP header to contain routing information that specifies a different source than the header source. Attackers can use the Source Route option to send a packet with a phony source IP address; all responses to the packet are sent to the attacker's real IP address. |
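To make the screening rules in Table 18 concrete, here is an added example (not code from the Juniper guide or from ScreenOS) that walks the IPv4 options field the way such a screen has to: it extracts each option's number (the low five bits of the option type byte, as defined in RFC 791), flags an incomplete or malformed option list, and reports which of the Table 18 screens an enabled policy would trigger. The packets are constructed inline for the demonstration, the checksum is left at zero, and the screen names are assumed to match the table's labels; the Security option is left out because this page does not give its option number.

```python
import struct
from typing import Dict, List, Set, Tuple

# Screen name from Table 18 -> IP option numbers that trigger it.
# Option numbers are the low 5 bits of the option type byte (RFC 791).
SCREENS: List[Tuple[str, Set[int]]] = [
    ("Timestamp IP Option Detection", {4}),      # option 4, Internet Timestamp
    ("Stream IP Option Detection", {8}),         # option 8, Stream ID
    ("Record Route IP Option Detection", {7}),   # option 7, Record Route
    ("Loose Source IP Option Detection", {3}),   # option 3, Loose Source Routing
    ("Strict Source IP Option Detection", {9}),  # option 9, Strict Source Routing
    ("Source Route IP Option Filter", {3, 9}),   # either source-route form
]
BAD_OPTIONS_SCREEN = "Block Bad IP Options"
ALL_SCREENS: Set[str] = {BAD_OPTIONS_SCREEN} | {name for name, _ in SCREENS}


def parse_ip_options(packet: bytes) -> Tuple[List[int], bool]:
    """Return (option numbers found, malformed) for an IPv4 packet.

    malformed is True when the header is truncated, an option type byte has
    no length byte, or an option length is < 2 or runs past the header end.
    """
    if len(packet) < 20:
        return [], True
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return [], True
    opts = packet[20:ihl]
    numbers: List[int] = []
    i = 0
    while i < len(opts):
        option_type = opts[i]
        if option_type == 0:          # End of Option List
            break
        if option_type == 1:          # No Operation: single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):        # type byte present but length byte missing
            return numbers, True
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return numbers, True      # length cannot cover type+len, or overruns header
        numbers.append(option_type & 0x1F)
        i += length
    return numbers, False


def screen_packet(packet: bytes, enabled: Set[str]) -> List[str]:
    """Return the enabled Table 18 screens that this packet would trigger."""
    numbers, malformed = parse_ip_options(packet)
    hits: List[str] = []
    if malformed and BAD_OPTIONS_SCREEN in enabled:
        hits.append(BAD_OPTIONS_SCREEN)
    present = set(numbers)
    for name, trigger_numbers in SCREENS:
        if name in enabled and present & trigger_numbers:
            hits.append(name)
    return hits


def build_ipv4(options: bytes, payload: bytes = b"") -> bytes:
    """Constructed test helper: a minimal IPv4 header carrying `options`.

    Options are padded with End-of-Option-List bytes to a 4-byte boundary so
    the IHL field is exact. Checksum is left at zero; this is sample input
    for the parser, not a packet meant to be sent.
    """
    options = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    total_length = 20 + len(options) + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_length, 0, 0, 64, 6, 0,
        bytes([192, 0, 2, 1]),      # constructed source (TEST-NET-1)
        bytes([198, 51, 100, 7]),   # constructed destination (TEST-NET-2)
    )
    return header + options + payload


if __name__ == "__main__":
    samples = {
        "no options": build_ipv4(b""),
        # LSRR: type 131 (copied, class 0, number 3), length 7, pointer 4, one hop
        "loose source route": build_ipv4(bytes([131, 7, 4, 203, 0, 113, 9])),
        # Timestamp: type 68 (number 4), length 4, pointer 5, no flags
        "timestamp": build_ipv4(bytes([68, 4, 5, 0])),
        # Record Route type byte with an impossible length of 0
        "malformed": build_ipv4(bytes([7, 0])),
    }
    for label, pkt in samples.items():
        print(f"{label:20s} -> {screen_packet(pkt, ALL_SCREENS)}")
```

The separate `Source Route IP Option Filter` row fires on either source-route form, which is why the LSRR sample trips two screens when everything is enabled; a policy that enables only the per-option detections can still be checked by passing a smaller `enabled` set.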
Attackers can craft malicious packets (and packet fragments) that contain anomalies designed to bypass detection mechanisms and gain targeted information about a network. Because different operating systems (OS) respond differently to anomalous packets, attackers can determine the OS running on a target by examining the target's response to the packet. To protect targets in the security zone from these reconnaissance attempts, you can configure the settings as described in Table 19 on page 47.
Copyright © 2010, Juniper Networks, Inc.