¨Make sure that initial sequence numbers generated by TCP stacks are difficult to predict
–Apply latest set of security patches from OS vendor
–Used Nmap to verify predictability of ISN
¨Use ssh instead of r-commands
¨Avoid applications that use IP addresses for authentication
–Authentication should use passwords, PKI, or Kerberos or other methods that tie a session back to a user.
¨Use “anti-spoof” packet filters at border routers and firewalls
–ingress (incoming) and egress (outgoing) filters
¨Block source-routed packets on routers
–“no ip sourceroute”
¨