Full Disclosure mailing list archives

Re: Should nmap cause a DoS on cisco routers?


From: Dan Kaminsky <dan () doxpara com>
Date: Fri, 2 Jul 2010 20:07:32 +0200

DR> And many of them could be mitigated via BCPs until such time as
DR> fixed code could be deployed, as well.
There it is again, BCP. Is this the new "IDS"?


Best Practices are what forms when Ops guys are given broken systems and
told to make them work.

This isn't meant in a derogatory way.  Do you like things working?  I sure
do.  If it takes rules like "don't run trivial networking scanners on the
VoIP network" to keep the phones running, well, guess what.

There is a problem that this masks issues.  Attackers aren't exactly known
for saying, "I'd own your network, but that would violate best practices, so
I won't."  VoIP code (speaking from fairly direct experience) is
aggressively fragile, partially since it comes from a background where the
presumption was that all traffic was trusted, and partially because the
specs are so hideously turgid.

In the short run, best practices are the only way to keep this stuff
stable.  In the long run...what's that?  Just gotta get to the next
quarter...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
