nanog mailing list archives

Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)


From: "Petri Helenius" <pete () he iki fi>
Date: Fri, 18 Jul 2003 23:25:34 +0300



Some high-end boxes already have a thing called a "receive filter" which
helps this a lot. Hope we see more of that, or better yet, router vendors
stop processing packets they shouldn't be processing anyway much
earlier in the code path. "Be liberal in what you accept" should not apply here.

Pete

----- Original Message ----- 
From: "Charles Sprickman" <spork () inch com>
To: <nanog () merit edu>
Sent: Friday, July 18, 2003 11:20 PM
Subject: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)



This has me wondering if there are any BCPs that touch on the whole idea
of filtering traffic destined to your router, or what the advisory called
"infrastructure filtering".  All in all, it seems like a good idea to
block any direct access to router interfaces.  But as some have probably
found already, it's a big pain in the arse.

If I recall correctly, Rob's Secure IOS Template touches on filtering
known services (the BGP listener, snmp), but what are people's feelings on
maintaining filters on all interfaces *after* loading a fixed IOS?

Thanks,

Charles

--
Charles Sprickman
spork () inch com


On Fri, 18 Jul 2003, Irwin Lazar wrote:


Just out of curiosity, are folks just applying the Cisco patch or do you go through some sort of testing/validation process to ensure that the patch doesn't cause any other problems?  Given typical change management procedures, how long is it taking you to get clearance to apply the patch?

I'm trying here to gauge the length of time before this vulnerability is closed out.

irwin
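The thread above asks what an "infrastructure filter" and a "receive filter" look like in practice: traffic that is *destined to* the router's own addresses is restricted to the services the box actually offers (BGP from known peers, SNMP and SSH from a management network), while transit traffic is left alone. The following Cisco IOS configuration is an added example written for this archive page; it is not from any poster in the thread, nor from the Secure IOS Template mentioned by Charles. All addresses are constructed from the RFC 5737 documentation ranges and are assumptions: 203.0.113.0/24 stands for the operator's infrastructure (loopback and link) block, 192.0.2.1/192.0.2.2 for an eBGP peer and the local peering address, and 198.51.100.0/24 for the management network. The interface name and ACL name are likewise placeholders.

```cisco
! Infrastructure ACL: applied inbound on every edge (customer/peer/transit)
! interface. It only concerns packets whose destination is the
! infrastructure block 203.0.113.0/24 (assumed); everything else is transit
! and falls through to the final "permit ip any any".
ip access-list extended INFRASTRUCTURE-IN
 remark --- eBGP: only the configured peer may reach the BGP listener ---
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 remark --- Management plane: SNMP and SSH only from the mgmt network ---
 permit udp 198.51.100.0 0.0.0.255 203.0.113.0 0.0.0.255 eq snmp
 permit tcp 198.51.100.0 0.0.0.255 203.0.113.0 0.0.0.255 eq 22
 remark --- ICMP needed for path MTU discovery and basic troubleshooting ---
 permit icmp any 203.0.113.0 0.0.0.255 echo
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 remark --- Anything else aimed at the router itself is dropped and logged ---
 remark (log hits here are what tells you a host is probing your routers)
 deny   ip any 203.0.113.0 0.0.0.255 log
 remark --- Transit traffic to customers and peers is untouched ---
 permit ip any any
!
interface GigabitEthernet0/0
 description Edge interface (placeholder name)
 ip access-group INFRASTRUCTURE-IN in
!
! Receive ACL ("receive filter" in Pete's words): on platforms that support
! it, the same policy can be applied to packets punted to the route
! processor regardless of which interface they arrived on. Numbered ACL and
! command form assumed for the platforms that implement it; the hits are
! counted with "show access-list 110".
access-list 110 remark Only what the RP should ever see
access-list 110 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
access-list 110 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
access-list 110 permit udp 198.51.100.0 0.0.0.255 any eq snmp
access-list 110 permit tcp 198.51.100.0 0.0.0.255 any eq 22
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 deny   ip any any log
ip receive access-list 110
```

Two practical points follow from the layout. First, the ACL is ordered so that the deny covers only the infrastructure prefix; a filter that ends in "deny ip any any" on an edge interface would blackhole customer transit, which is the "big pain" Charles alludes to. Second, the logged deny line is the cheap detection win: its counters and syslog entries show who is reaching for the router itself, and they are worth keeping after the fixed IOS is loaded, since the filter then protects against the next advisory rather than only this one.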



