nanog mailing list archives
Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)
From: Niels Bakker <niels=nanog () bakker net>
Date: Fri, 18 Jul 2003 23:53:42 +0200
* jared () puck Nether net (Jared Mauch) [Fri 18 Jul 2003, 23:23 CEST]:
> On Fri, Jul 18, 2003 at 04:20:37PM -0400, Charles Sprickman wrote:
>> If I recall correctly, Rob's Secure IOS Template touches on filtering
>> known services (the BGP listener, snmp), but what are people's feelings
>> on maintaining filters on all interfaces *after* loading a fixed IOS?
>
> It shouldn't be done. transit internet providers should not be the
> edges firewalls. The edge? They can filter what they want, but you
> should not filter things for people that they don't know is being
> filtered. I can see a few clear cases where this is acceptable, and
> ms-sql was one of them.

Good point. Still, transit networks' ingress routers could filter on destination addresses of nodes known not to run IP protocols 53/55/77/103 in order to protect them.

I suppose most networks have a limited number of ranges they use for assigning space to loopback and point-to-point interfaces so this needn't be an extreme amount of administration.

Regards,

-- Niels.
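
The filtering approach described in the message above, as an added example that is not part of the original post or thread: it builds deny rules for IP protocols 53/55/77/103 toward a short list of infrastructure ranges, renders them as IOS extended ACL lines, and models first-match evaluation to confirm that transit traffic is left alone. The prefixes (documentation address space), the ACL number 101 and the function names are assumptions made for illustration.

```python
import ipaddress

# IP protocol numbers named in the message above.
BLOCKED_PROTOCOLS = (53, 55, 77, 103)

# Constructed sample ranges (documentation address space) standing in for the
# blocks an operator assigns to loopback and point-to-point interfaces.
INFRA_PREFIXES = ("192.0.2.0/26", "198.51.100.0/24")


def build_rules(prefixes, protocols=BLOCKED_PROTOCOLS):
    """Return (protocol, network) deny rules, one per protocol per range."""
    return [(proto, ipaddress.ip_network(prefix))
            for prefix in prefixes
            for proto in protocols]


def render_ios(rules, acl_number=101):
    """Render the rules as IOS extended ACL lines ending in a permit-all."""
    lines = [
        f"access-list {acl_number} deny {proto} any "
        f"{net.network_address} {net.hostmask}"
        for proto, net in rules
    ]
    # Everything not aimed at the infrastructure ranges passes untouched.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def verdict(rules, proto, dst):
    """Model first-match evaluation for one packet (a model, not a router)."""
    dst_ip = ipaddress.ip_address(dst)
    for rule_proto, net in rules:
        if proto == rule_proto and dst_ip in net:
            return "deny"
    return "permit"


if __name__ == "__main__":
    rules = build_rules(INFRA_PREFIXES)
    print("\n".join(render_ios(rules)))
    # Constructed test packets: (IP protocol number, destination address).
    for proto, dst in [(103, "198.51.100.7"), (6, "198.51.100.7"),
                       (53, "203.0.113.5")]:
        print(proto, dst, verdict(rules, proto, dst))
```

The rule count is the number of ranges times four, which is why a small set of loopback and point-to-point blocks keeps the list short.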