Protecting Network Resources
To protect the network resources behind the PIX firewall, you must undertake the following actions:
- Anti-spoofing configuration: You can accomplish anti-spoofing configuration with the command ip verify reverse-path on all interfaces of the PIX firewall. With this command, the firewall rejects any packet whose source address is not expected on the interface it arrived on. If the PIX is an Internet firewall, it should reject all packets coming from the Internet that claim to be from a private network. Similarly, it should reject all packets coming from the private network with source addresses that are not part of the private network, as anti-spoofing is not optional in either direction.
- Protection against DoS attacks: Set embryonic and maximum connection counts on static and nat statements to protect network resources from DoS attacks.
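Both settings can be checked in a saved configuration. The script below is an added example, not part of the original text: it flags interfaces without ip verify reverse-path and nat/static statements whose connection limits are left unlimited. The sample configuration is constructed, the function names are hypothetical, and it assumes PIX 6.x-style syntax with static lines written using the netmask keyword.

```python
# Added example: audit a saved PIX configuration for the two protections above.
# SAMPLE_CONFIG is constructed (PIX 6.x-style syntax), not taken from the page.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip verify reverse-path interface outside
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (dmz) 1 192.168.10.0 255.255.255.0 2000 500
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.11 192.168.10.11 netmask 255.255.255.255 1000 200
"""


def conn_limits(tail):
    """Return (max_conns, em_limit) from the tokens after the mask; 0 or absent = unlimited."""
    nums = [int(t) for t in tail if t.isdigit()]
    nums += [0] * (2 - len(nums))
    return nums[0], nums[1]


def audit(config):
    """Return findings: unlimited nat/static lines first, then interfaces lacking reverse-path."""
    interfaces, rpf, findings = set(), set(), []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "nameif" and len(tok) >= 3:
            interfaces.add(tok[2])                      # nameif <hw> <name> <security>
        elif tok[:4] == ["ip", "verify", "reverse-path", "interface"] and len(tok) == 5:
            rpf.add(tok[4])
        elif tok[0] in ("static", "nat"):
            if "access-list" in tok:
                continue                                # nat 0 access-list carries no limits
            if tok[0] == "static":                      # assumption: netmask keyword present
                tail = tok[tok.index("netmask") + 2:] if "netmask" in tok else []
            else:                                       # nat (if) id local_ip mask [limits]
                tail = tok[5:]
            max_conns, em_limit = conn_limits(tail)
            if max_conns == 0:
                findings.append(f"no max connection limit: {line.strip()}")
            if em_limit == 0:
                findings.append(f"no embryonic limit: {line.strip()}")
    for name in sorted(interfaces - rpf):
        findings.append(f"no 'ip verify reverse-path' on interface {name}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```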