nanog mailing list archives
Re: Config files?
From: William Herrin <bill () herrin us>
Date: Wed, 5 Oct 2011 19:10:05 -0400
On Wed, Oct 5, 2011 at 3:16 PM, Green, Timothy <Timothy.Green () mantech com> wrote:
> 1. Should config files be consistent? By this I mean: does the STIG apply its baseline to the config files or elsewhere?
Hi Timothy,

STIGs are a DoD thing. http://iase.disa.mil/stigs/. They're not particularly relevant to public Internet operations. In a few cases they're not particularly sane. (Manually install the latest bleeding edge version of OpenSSL whose bugs have not yet been found and whose API is incompatible with every linked app in the OS? Really?)
> 2. Are config file change alerts necessary for the security of network equipment? We have just purchased the SolarWinds suite.
Depends on the configuration. If it's one that rarely changes, it's not a bad idea. But don't saturate yourself with alerts or you'll misinterpret or ignore the important ones.
> 3. Should we obfuscate our Private addresses on our Network Diagram? What is the common practice?
It depends. My personal predilection is that IP addresses belong in configurations while explanation and structure belong on network diagrams so I rarely reach the question of whether there's also security value in removing the IP addresses from the pretty pictures.
> 4. How can I get a grip on my ACLs or is it even possible? How do you all maintain them without going insane!
Simplify. Don't overdo it. Do you really need ACLs for 100 popular trojan horse TCP ports? The 500 outbound port whitelist? If your security is so complex you can't understand it then it almost certainly isn't secure. If you have a particular subsystem with special needs, it never hurts to give it its own firewall so you can strip the related complexity from your main firewall.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
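One concrete way to start "getting a grip" on a large ACL, as the fourth answer suggests, is to find rules that can never match because an earlier rule already covers all of their traffic. The script below is an added example, not code from the thread or from any vendor; it uses a simplified Cisco-like ACL syntax and a constructed sample ACL, and it only checks first-match ordering (no reflexive or time-based entries).

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample ACL (not from the thread), simplified syntax:
#   <action> <proto> <src> <dst> [eq <port>]   with src/dst = "any" or a CIDR
SAMPLE_ACL = """
permit tcp 10.1.0.0/16 any eq 443
deny   tcp any any eq 4444
deny   tcp any any eq 31337
permit tcp 10.1.2.0/24 any eq 443
permit udp 10.1.0.0/16 192.0.2.53/32 eq 53
deny   ip  any any
permit tcp any any eq 22
""".strip()

ANY = ipaddress.ip_network("0.0.0.0/0")

class Rule(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]

def parse_rule(line: str) -> Rule:
    """Parse one ACL entry in the simplified syntax above."""
    parts = line.split()
    action, proto, src, dst = parts[:4]
    port = int(parts[5]) if len(parts) == 6 and parts[4] == "eq" else None
    to_net = lambda s: ANY if s == "any" else ipaddress.ip_network(s, strict=False)
    return Rule(action, proto, to_net(src), to_net(dst), port)

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is already matched by `outer`."""
    return (outer.proto in ("ip", inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.port is None or outer.port == inner.port))

def find_shadowed(acl_text: str) -> List[Tuple[int, int, str]]:
    """Return (shadowed_line, shadowing_line, kind) for rules that can never fire.
    'redundant' = same action (safe to delete); 'conflicting' = opposite action
    (someone probably expected it to work, so review before deleting)."""
    rules = [parse_rule(l) for l in acl_text.splitlines() if l.strip()]
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflicting"
                findings.append((j + 1, i + 1, kind))
                break  # first shadowing rule is enough to report
    return findings

if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(SAMPLE_ACL):
        print(f"line {shadowed} is {kind}: never matches, shadowed by line {by}")
```

Run against the sample, it flags line 4 as redundant with line 1 and line 7 as conflicting with the catch-all deny on line 6; the two "trojan port" denies are not flagged, which is exactly the point: they are not dead, they are just clutter you have to decide about yourself.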