Security Basics mailing list archives
RE: Cisco Workaround (comment on actually using those protocols)
From: jamesworld () intelligencia com
Date: Fri, 25 Jul 2003 14:03:28 -0500
Then you would be having traffic of that type allowed in from untrusted sources. Your ACLs would be formed to only allow the explicit traffic from those explicit hosts. And rarely would you have the traffic terminating on the interface or the IP address of the router; it'd be passed/routed along to the appropriate host(s). In those RARE exceptions where you would need to terminate them on the IP or interface of the router, again you would allow only trusted traffic using those protocols to terminate there.

And as far as the 'workaround' goes, it's fine; you need to adjust it for your environment if you use those protocols, of course. As far as the 'solution' goes, the solution is 100%: upgrade to the appropriate patched version.
FUD

At 10:33 7/25/2003, Ghaith Nasrawi wrote:
Well, my question is: what the hell if I was using any of these protocols?? Didn't Cisco think of that?? They should have suggested a more decent solution.

./Ghaith
===============
Today is the tomorrow you worried about yesterday

-----Original Message-----
From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]
Sent: Wednesday, July 23, 2003 6:48 PM
To: Alvaro Gordon-Escobar
Cc: firewalls () securityfocus com; security-basics () securityfocus com
Subject: Re: Cisco Workaround

Alvaro,

No. The protocol blocked by the access-list is protocol 53, not TCP or UDP port 53.

If you need further info, let me know,
-James

At 09:15 7/23/2003, Alvaro Gordon-Escobar wrote:
>will this access list modification prevent my internal DNS server from
>updates to itself from my telco's DNS server?
>
>access-list 101 deny 53 any any
>access-list 101 deny 55 any any
>access-list 101 deny 77 any any
>access-list 101 deny 103 any any
>!--- insert any other previously applied ACL entries here
>!--- you must permit other protocols through to allow normal
>!--- traffic -- previously defined permit lists will work
>!--- or you may use the permit ip any any shown here
>access-list 101 permit ip any any
>
>Thanks in advance
>
>~alvaro Escobar
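The point the thread turns on is that the protocol field of an IOS extended ACL entry is the IP header protocol number, so `deny 53 any any` blocks IP protocol 53 and has nothing to do with DNS on TCP/UDP port 53. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for extended ACL entries, run over the quoted ACL 101 and over a variant (ACL 102) that does what James describes for a site that really uses one of the four protocols (here protocol 103, PIM, permitted only from one known neighbour before the blanket deny). All addresses and hosts are constructed (RFC 5737 documentation ranges); only `any`, `host`, contiguous wildcard masks and `eq <port>` are parsed.

```python
"""Constructed example: first-match evaluation of Cisco-style extended ACL
entries, to show what 'access-list 101 deny 53 any any' actually matches.
Not code from the thread; all addresses are made up (RFC 5737 ranges)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Protocol keywords IOS accepts in the protocol field; None = any IP protocol.
PROTO_KEYWORDS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}


@dataclass
class Packet:
    ip_proto: int                 # IP header protocol number (17 = UDP, 53 = SWIPE, ...)
    src: str
    dst: str
    dport: Optional[int] = None   # TCP/UDP destination port, if applicable


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: Optional[int]          # None matches every IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # from "eq <port>", else None


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks; only contiguous masks are handled here.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((tokens[i], str(netmask)), strict=False), i + 2


def parse_acl_line(line: str) -> Optional[AclEntry]:
    """access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]; '!' lines are comments."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("!"):
        return None
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto_tok = tokens[2], tokens[3]
    proto = PROTO_KEYWORDS[proto_tok] if proto_tok in PROTO_KEYWORDS else int(proto_tok)
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return AclEntry(action, proto, src, dst, dport)


def load_acl(text: str) -> List[AclEntry]:
    return [e for e in (parse_acl_line(l) for l in text.splitlines()) if e is not None]


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; IOS appends an implicit 'deny ip any any'."""
    for e in acl:
        if e.proto is not None and e.proto != pkt.ip_proto:
            continue
        if ipaddress.IPv4Address(pkt.src) not in e.src or ipaddress.IPv4Address(pkt.dst) not in e.dst:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# The workaround ACL as quoted in the thread.
ACL_101 = load_acl("""
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
access-list 101 permit ip any any
""")

# Variant for a site that really runs protocol 103 (PIM) with one known neighbour
# (constructed hosts): permit it explicitly from that host, then block the rest.
ACL_102 = load_acl("""
access-list 102 permit 103 host 192.0.2.2 host 192.0.2.1
access-list 102 deny 53 any any
access-list 102 deny 55 any any
access-list 102 deny 77 any any
access-list 102 deny 103 any any
access-list 102 permit ip any any
""")

# Constructed packets. DNS is UDP/TCP (protocol 17/6) to port 53, unrelated to IP protocol 53.
DNS_UDP_REPLY = Packet(ip_proto=17, src="198.51.100.53", dst="192.0.2.10", dport=53)
DNS_TCP_XFER = Packet(ip_proto=6, src="198.51.100.53", dst="192.0.2.10", dport=53)
PROTO53_TO_ROUTER = Packet(ip_proto=53, src="203.0.113.7", dst="192.0.2.1")
PIM_FROM_NEIGHBOUR = Packet(ip_proto=103, src="192.0.2.2", dst="192.0.2.1")
PIM_FROM_STRANGER = Packet(ip_proto=103, src="203.0.113.7", dst="192.0.2.1")

if __name__ == "__main__":
    for acl_name, acl, name, pkt in [("101", ACL_101, "DNS UDP reply", DNS_UDP_REPLY),
                                     ("101", ACL_101, "DNS TCP transfer", DNS_TCP_XFER),
                                     ("101", ACL_101, "IP protocol 53", PROTO53_TO_ROUTER),
                                     ("102", ACL_102, "PIM from neighbour", PIM_FROM_NEIGHBOUR),
                                     ("102", ACL_102, "PIM from stranger", PIM_FROM_STRANGER)]:
        print(f"ACL {acl_name}: {name:18s} -> {evaluate(acl, pkt)}")
```

Against ACL 101 both DNS packets fall through the four `deny` lines (their protocol numbers are 17 and 6, not 53) and hit `permit ip any any`, while a packet with IP protocol 53 is dropped by the first line, which is the answer James gave Alvaro. ACL 102 shows the ordering that matters if one of the four protocols is genuinely in use: the explicit `permit` from the known peer must come before the blanket `deny`, because evaluation stops at the first match.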
Current thread:
- Re: Cisco Workaround jamesworld (Jul 23)
- RE: Cisco Workaround Ghaith Nasrawi (Jul 25)
- RE: Cisco Workaround (comment on actually using those protocols) jamesworld (Jul 28)
- RE: Cisco Workaround David Gillett (Jul 28)
- <Possible follow-ups>
- RE: Cisco Workaround Naman Latif (Jul 23)
- RE: Cisco Workaround Todd Mitchell - lists (Jul 23)
- RE: Cisco Workaround Charlie Winckless (Jul 23)
- Re: Cisco Workaround DOUGLAS GULLETT (Jul 23)
- RE: Cisco Workaround Terry Baranski (Jul 24)
- Re: Cisco Workaround Paul Kincaid (Jul 24)
- RE: Cisco Workaround Dave Gilmore (Intrusense) (Jul 24)
- Re: Cisco Workaround Kurt Seifried (Jul 24)
- RE: Cisco Workaround David Gillett (Jul 24)