Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)

[Niels Bakker <niels=nanog () bakker net>]

* jared () puck Nether net (Jared Mauch) [Fri 18 Jul 2003, 23:23 CEST]:
> On Fri, Jul 18, 2003 at 04:20:37PM -0400, Charles Sprickman wrote:
> > If I recall correctly, Rob's Secure IOS Template touches on filtering
> > known services (the BGP listener, snmp), but what are people's feelings
> > on maintaining filters on all interfaces *after* loading a fixed IOS?
>       It shouldn't be done.  transit internet providers should not
> be the edges firewalls.  The edge?  They can filter what they
> want, but you should not filter things for people that they
> don't know is being filtered.  I can see a few clear cases where this
> is acceptable, and ms-sql was one of them.

Good point.  Still, transit networks' ingress routers could filter on
destination addresses of nodes known not to run IP protocols
53/55/77/103 in order to protect them.

I suppose most networks have a limited number of ranges they use for
assigning space to loopback and point-to-point interfaces so this
needn't be an extreme amount of administration.

Regards,


        -- Niels.