Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Cisco Workaround

From: joshua sahala <jsahala () fusiontel com>
Date: Mon, 28 Jul 2003 17:50:14 -0400
which commercial internet are you using oliver?  i know of a lot of 
multicast routing going on....many of the major providers offer 
multicast services, and there are a couple of isp's that do nothing 
but multicast.
also, if i have an aggregation router with say 100 t1's terminating on 
it, those are going to be some ugly, and long access-lists, applied 
to each t1 subinterface - especially since receive acl's have only 
been ported to the 12xxx and 75xx platforms.
the only real 'fix' is to upgrade (you should still have proper 
in/outbound acls in place - but that is beyond this)

my $0.02

/joshua

On Monday 28 July 2003 17:11, Martin, Olivier wrote:

My .02 cents..

There are ways around that, such as denying packets to terminate on
routers interface from unknown addresses as there is no need for
these protocols on cisco routers exept protocol 103 used for PIM. 
As multicast routing is not used on the commercial internet, it can
safely be removed.

Olivier


-----Message d'origine-----
De : Tim Donahue [mailto:TDonahue () haynesconstruction com]
Envoyé : Friday, July 25, 2003 3:43 PM
À : 'Ghaith Nasrawi'
Cc : firewalls () securityfocus com; security-basics () securityfocus com
Objet : RE: Cisco Workaround


Hmmm.... Why don't you open up the protocols from the addresses
that you need.  Isn't this a standard firewalling technique?

Plus I believe that they said that there are new versions of IOS
that are not vulnerable to this attack, which means that you can
upgrade IOS and resolve the issute all together.

Tim Donahue


-----Original Message-----
From: Ghaith Nasrawi [mailto:libero () aucegypt edu]
Sent: Friday, July 25, 2003 11:33 AM
Cc: firewalls () securityfocus com;
security-basics () securityfocus com Subject: RE: Cisco Workaround


Well, my question is; what the hell if I was using any of
these protocols?? Didn't cisco think of that?? They should
have suggested a more decent solution.


./Ghaith
===============

Today is the tomorrow you worried about yesterday





-----Original Message-----
From: jamesworld () intelligencia com
[mailto:jamesworld () intelligencia com]

Sent: Wednesday, July 23, 2003 6:48 PM
To: Alvaro Gordon-Escobar
Cc: firewalls () securityfocus com;
security-basics () securityfocus com Subject: Re: Cisco Workaround

Alvaro,

No.  The protocol blocked by the access-list is protocol 53
not protocol

TCP or protocol UDP port 53.

If you need further info, let me know,

-James

At 09:15 7/23/2003, Alvaro Gordon-Escobar wrote:

will this access list modification prevent my internal DNS


server from


updates to it self from my telco's DNS server?

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here access-list
101 permit ip any any

Thanks in advance

~alvaro Escobar

-------------------------------------------------------------


----------
----


-------------------------------------------------------------


----------
-----


--------------------------------------------------------------
----------
---
--------------------------------------------------------------
----------
----


--------------------------------------------------------------
-------------
--------------------------------------------------------------
--------------



---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: