nanog mailing list archives
Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)
From: Jared Mauch <jared () puck Nether net>
Date: Fri, 18 Jul 2003 17:24:47 -0400
On Fri, Jul 18, 2003 at 04:20:37PM -0400, Charles Sprickman wrote:
This has me wondering if there are any BCPs that touch on the whole idea of filtering traffic destined to your router, or what the advisory called "infrastructure filtering". All in all, it seems like a good idea to block any direct access to router interfaces. But as some have probably found already, it's a big pain in the arse. If I recall correctly, Rob's Secure IOS Template touches on filtering known services (the BGP listener, snmp), but what are people's feelings on maintaining filters on all interfaces *after* loading a fixed IOS?
It shouldn't be done. Transit internet providers should not be the edges' firewalls. The edge? They can filter what they want, but you should not filter things for people that they don't know are being filtered. I can see a few clear cases where this is acceptable, and ms-sql was one of them.

Something that might be of interest and of possible value for something like this in the future would be this:

draft-marques-idr-flow-spec-00.txt

Take a look at it. It would allow access-lists/firewall-filters to be deployed across your network in a matter of a few minutes instead of having to log in to every router. Plus you could count the packets too via snmp. (well, assuming that works right ;-) )

- Jared
On Fri, 18 Jul 2003, Irwin Lazar wrote:

Just out of curiosity, are folks just applying the Cisco patch or do you go through some sort of testing/validation process to ensure that the patch doesn't cause any other problems? Given typical change management procedures, how long is it taking you to get clearance to apply the patch? I'm trying here to gauge the length of time before this vulnerability is closed out.

irwin
--
Jared Mauch | pgp key available via finger from jared () puck nether net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
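The flow-spec draft Jared points at lets a filter rule travel as a BGP NLRI instead of being typed into every router's access-list. The following is an added example, not part of the post or of the draft, that builds one such rule (the ms-sql case from the thread: drop UDP/1434 toward a customer block) in the wire format of RFC 5575, the standard that grew out of draft-marques-idr-flow-spec; the 192.0.2.0/24 prefix and AS 64496 are constructed documentation values.

```python
"""Encode a BGP Flow Specification rule (NLRI + traffic-rate action) in the
RFC 5575 wire format, the standard that grew out of draft-marques-idr-flow-spec."""
import ipaddress
import struct

# Flow-spec component types (RFC 5575 section 4).
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
EQ, GT, LT = 0x01, 0x02, 0x04          # comparison bits of the numeric operator byte

def encode_prefix(ctype, cidr):
    """Type 1/2 component: type, prefix length in bits, then only the significant octets."""
    net = ipaddress.ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def encode_numeric(ctype, matches):
    """Type 3-6 component from a list of (op, value) pairs that are OR-ed together.
    Operator byte: bit 7 = end of list, bit 6 = AND with previous, bits 5-4 = value
    length (00=1, 01=2, 10=4 octets), bits 2-0 = lt/gt/eq."""
    out = bytearray([ctype])
    for i, (op, value) in enumerate(matches):
        if value < 0x100:
            length_code, fmt = 0, "!B"
        elif value < 0x10000:
            length_code, fmt = 1, "!H"
        else:
            length_code, fmt = 2, "!I"
        end_of_list = 0x80 if i == len(matches) - 1 else 0
        out.append(end_of_list | (length_code << 4) | op)
        out += struct.pack(fmt, value)
    return bytes(out)

def build_nlri(components):
    """Prefix the concatenated components with the NLRI length: one octet below 240,
    otherwise two octets with the top nibble set to 0xF."""
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body

def traffic_rate(asn, rate_bytes_per_sec):
    """Extended community 0x8006 (traffic-rate): a rate of 0.0 means discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)

def mssql_drop_rule():
    """Drop UDP/1434 toward 192.0.2.0/24 (constructed documentation prefix);
    AS 64496 is a documentation ASN, chosen here as an assumption."""
    nlri = build_nlri([encode_prefix(DST_PREFIX, "192.0.2.0/24"),
                       encode_numeric(IP_PROTO, [(EQ, 17)]),
                       encode_numeric(DST_PORT, [(EQ, 1434)])])
    return nlri, traffic_rate(64496, 0.0)
```

Once carried in an MP_REACH_NLRI with the traffic-rate community, every router receiving the route applies the same filter, and the per-rule packet counters are what the post suggests reading via snmp.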