Security Basics mailing list archives

RE: Cisco Workaround

From: Ghaith Nasrawi <libero () aucegypt edu>
Date: Tue, 29 Jul 2003 11:01:59 +0300

Olivir has suggested here to deny packets terminating on the router. I'm just 
wondering if that  would deny traceroute commands passing through these 
routers??

As for Wesley, don't you believe that cisco should be responsible on providing 
a high quality of support to its customers since they paid $$$$$$$$$$$$$


./Ghaith
===============

Today is the tomorrow you worried about yesterday





-----Original Message-----
From: Noonan, Wesley [mailto:Wesley_Noonan () bmc com] 
Sent: Tuesday, July 29, 2003 12:27 AM
To: 'gillettdavid () fhda edu'; 'Ghaith Nasrawi'
Cc: firewalls () securityfocus com; security-basics () securityfocus com
Subject: RE: Cisco Workaround

I've got to agree with David here. There is no reason that Cisco, or any
other large company should be expected to provide workarounds that address
the distinct minority of their install base. They should focus on the
majority of situations. The workaround they recommended did precisely that.
I know of no one that is actually using any of the protocols listed in the
workaround. That's not to say that someone isn't, but that someone is simply
the very small minority.

If companies had to worry about stuff like that and make sure that their
solutions fit every situation without any problems, they would never manage
to develop anything.

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan () bmc com
http://www.bmc.com


-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu] 
Sent: Monday, July 28, 2003 10:40
To: 'Ghaith Nasrawi'
Cc: firewalls () securityfocus com; security-basics () securityfocus com
Subject: RE: Cisco Workaround

  They have.  They've been amazingly responsive about providing fixed
code versions for some frighteningly-old equipment.  The *Workaround*
is just a quick and dirty fix for those who need some time to schedule 
the code upgrade installations.

David Gillett

-----Original Message-----
From: Ghaith Nasrawi [mailto:libero () aucegypt edu]
Sent: July 25, 2003 08:33
Cc: firewalls () securityfocus com; security-basics () securityfocus com
Subject: RE: Cisco Workaround

Well, my question is; what the hell if I was using any of these
protocols?? Didn't cisco think of that?? They should have suggested a
more decent solution.

./Ghaith
===============

Today is the tomorrow you worried about yesterday

-----Original Message-----
From: jamesworld () intelligencia com
[mailto:jamesworld () intelligencia com]

Sent: Wednesday, July 23, 2003 6:48 PM
To: Alvaro Gordon-Escobar
Cc: firewalls () securityfocus com; security-basics () securityfocus com
Subject: Re: Cisco Workaround

Alvaro,

No.  The protocol blocked by the access-list is protocol 53
not protocol

TCP or protocol UDP port 53.

If you need further info, let me know,

-James

At 09:15 7/23/2003, Alvaro Gordon-Escobar wrote:

will this access list modification prevent my internal DNS

server from

updates to it self from my telco's DNS server?

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any

Thanks in advance

~alvaro Escobar

-------------------------------------------------------------

----------
----

-------------------------------------------------------------

----------
-----


--------------------------------------------------------------
----------
---
--------------------------------------------------------------
----------
----


--------------------------------------------------------------
-------------
--------------------------------------------------------------
--------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Re: Cisco Workaround, (continued)
- Re: Cisco Workaround bryan_khoo (Jul 24)
- RE: Cisco Workaround dave kleiman (Jul 24)
- Re: Cisco Workaround igenge2 (Jul 24)
- Re: Cisco Workaround Stephane Nasdrovisky (Jul 24)
- RE: Cisco Workaround Jofre, Sebastian (Jul 24)
- RE: Cisco Workaround Tim Donahue (Jul 28)
  - RE: Cisco Workaround Ghaith Nasrawi (Jul 28)
- RE: Cisco Workaround Noonan, Wesley (Jul 28)
- RE: Cisco Workaround Martin, Olivier (Jul 28)
  - Re: Cisco Workaround joshua sahala (Jul 28)
- RE: Cisco Workaround Ghaith Nasrawi (Jul 29)
  - Re: Cisco Workaround stephane nasdrovisky (Jul 29)
    - Re: Cisco Workaround Jac (Jul 30)
    - RE: Cisco Workaround Todd Mitchell - lists (Jul 30)
    - Re: Cisco Workaround James Fields (Jul 30)
    - Re: Cisco Workaround Jac (Jul 31)
    - RE: Cisco Workaround Adam Overlin (Jul 31)
    - RE: Cisco Workaround Paul Benedek (Jul 31)
  - RE: Cisco Workaround James Fields (Jul 29)
- RE: Cisco Workaround Dozal, Tim (Jul 30)
- RE: Cisco Workaround Adam Overlin (Jul 31)

(Thread continues...)