Educause Security Discussion mailing list archives
Re: 10-space is L..A..R..G..E (was Re: Large edu's doing NAT campus wide?
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 1 May 2007 08:14:11 -0400
On Mon, 30 Apr 2007 10:38:11 EDT, Clifford Collins said:

> Doesn't this assume that our routers are configured correctly and that there are no bugs in the vendor's routing code that would allow exploitation? I don't want to appear overly paranoid but, as the "security guy", I'm expected to deal with an imperfect world.

If your routers aren't properly configured to route the subnets of 10/8 that you're actually using, security is the least of your problems. :)

> I would rather find a way to actively route all traffic from the unassigned subnets to something I can use to detect the presence of rogue devices.

Sane routing protocols do a longest-match. So you just inject all your *proper* 10.1.1/24 and 10.1.2/24 and other actual subnets - and then inject a route for 10/8 that lists your Snort sensor as "next-hop" :)
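The longest-match trick above, as an added worked example that is not part of the original post or anything Valdis or Clifford wrote: a small Python simulation of a router's forwarding table with the assigned /24s carrying real next-hops and a covering 10/8 route whose next-hop is a Snort sensor. All addresses (the sensor at 10.255.255.2, the building routers at 10.0.0.1-3, the sample destinations) are constructed for illustration. Note that a forwarding table matches on the destination address, so what lands on the sensor is traffic sent *to* unassigned 10-space (including replies to a rogue host); the helper at the end shows the failure mode Valdis alludes to, where a missing specific route silently diverts legitimate traffic to the sensor.

```python
from ipaddress import ip_address, ip_network

# Constructed forwarding table (hypothetical addresses, not from the post).
SNORT_SENSOR = "10.255.255.2"        # assumed sensor address
ROUTES = {
    "10.1.1.0/24": "10.0.0.1",       # assigned: building A router
    "10.1.2.0/24": "10.0.0.2",       # assigned: building B router
    "10.255.255.0/24": "10.0.0.3",   # assigned: the sensor's own subnet
    "10.0.0.0/8": SNORT_SENSOR,      # covering route for unassigned 10-space
}


def build_table(routes):
    """Sort prefixes longest-first so a linear scan returns the longest match."""
    table = [(ip_network(p), ip_address(nh)) for p, nh in routes.items()]
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(table, dst):
    """Longest-prefix match; returns (matched_prefix, next_hop) as strings,
    or (None, None) when no route covers the destination."""
    addr = ip_address(dst)
    for net, nh in table:
        if addr in net:
            return str(net), str(nh)
    return None, None


def classify(table, dst, sensor=SNORT_SENSOR):
    """'assigned' if a specific route wins, 'rogue' if the packet falls
    through to the sensor, 'unroutable' if nothing matches."""
    net, nh = lookup(table, dst)
    if net is None:
        return "unroutable"
    return "rogue" if nh == sensor else "assigned"


def routes_leaking_to_sensor(table, expected_subnets, sensor=SNORT_SENSOR):
    """Audit helper: which subnets you believe are assigned would actually
    be delivered to the sensor? Non-empty output means a route is missing
    or mistyped, i.e. real users' traffic is being diverted."""
    leaking = []
    for s in expected_subnets:
        probe = str(ip_network(s).network_address + 1)   # first host in subnet
        if lookup(table, probe)[1] == sensor:
            leaking.append(s)
    return leaking


if __name__ == "__main__":
    table = build_table(ROUTES)
    # Constructed sample destinations: two assigned hosts, one rogue address,
    # the sensor itself, and something outside 10/8 entirely.
    for dst in ("10.1.1.57", "10.1.2.9", "10.37.4.200", SNORT_SENSOR, "192.168.1.1"):
        net, nh = lookup(table, dst)
        print(f"{dst:16} -> {str(net):18} via {str(nh):14} [{classify(table, dst)}]")

    # Same table with building B's route accidentally left out.
    broken = build_table({k: v for k, v in ROUTES.items() if k != "10.1.2.0/24"})
    print("leaking:", routes_leaking_to_sensor(broken, ["10.1.1.0/24", "10.1.2.0/24"]))
```

The sensor's own subnet needs an explicit route as well, otherwise the 10/8 catch-all would recurse onto the sensor; the audit helper is the check to run after every change to the specific routes, since an omitted /24 does not produce an error anywhere, it just shows up as a flood of "rogue" hits from a building full of legitimate users.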