Infrastructure Filtering (was Re: Patching for Cisco vulnerability)

Niels Bakker niels=nanog at bakker.net
Fri Jul 18 21:53:42 UTC 2003


* jared at puck.Nether.net (Jared Mauch) [Fri 18 Jul 2003, 23:23 CEST]:
> On Fri, Jul 18, 2003 at 04:20:37PM -0400, Charles Sprickman wrote:
>> If I recall correctly, Rob's Secure IOS Template touches on filtering
>> known services (the BGP listener, snmp), but what are people's feelings
>> on maintaining filters on all interfaces *after* loading a fixed IOS?
> 	It shouldn't be done.  Transit internet providers should not
> be the edges' firewalls.  The edge?  They can filter what they
> want, but you should not filter things for people that they
> don't know are being filtered.  I can see a few clear cases where this
> is acceptable, and ms-sql was one of them.

Good point.  Still, transit networks' ingress routers could filter on
destination addresses of nodes known not to run IP protocols
53/55/77/103 in order to protect them.

I suppose most networks have a limited number of ranges they use for
assigning space to loopback and point-to-point interfaces so this
needn't be an extreme amount of administration.

Regards,


	-- Niels.
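The ingress filter Niels sketches above, written out as an added example in Cisco IOS extended-ACL syntax (it is not from the original post or from any participant in the thread). The prefixes 192.0.2.0/24 for loopbacks and 198.51.100.0/24 for point-to-point links, the ACL name INFRA-PROTECT and the interface name are placeholders standing in for whatever ranges and ports a given network actually uses:

```cisco
! Added example, not from the thread: drop IP protocols 53, 55, 77 and 103
! only when they are addressed to this network's own router infrastructure.
! Traffic destined to customers or other networks is left alone, so the
! transit network does not turn into a firewall for people who never asked
! for one (Jared's objection above).
!
! Placeholder ranges, substitute your own:
!   192.0.2.0/24      router loopback addresses
!   198.51.100.0/24   point-to-point link addresses
ip access-list extended INFRA-PROTECT
 remark --- loopback range (placeholder) ---
 deny   53  any 192.0.2.0 0.0.0.255
 deny   55  any 192.0.2.0 0.0.0.255
 deny   77  any 192.0.2.0 0.0.0.255
 deny   103 any 192.0.2.0 0.0.0.255
 remark --- point-to-point link range (placeholder) ---
 deny   53  any 198.51.100.0 0.0.0.255
 deny   55  any 198.51.100.0 0.0.0.255
 deny   77  any 198.51.100.0 0.0.0.255
 deny   103 any 198.51.100.0 0.0.0.255
 remark --- everything else, including these protocols to non-infrastructure ---
 permit ip any any
!
! Apply inbound on each external-facing (transit/peering) interface only.
interface GigabitEthernet0/0
 description transit ingress (placeholder interface name)
 ip access-group INFRA-PROTECT in
```

Two caveats when deploying something like this. First, the "known not to run" qualifier matters: protocol 103 is PIM, and if a router on the far side of that interface is a legitimate PIM neighbour, the deny line breaks it, so either exclude that link's addresses or drop the entry for that protocol on that interface. Second, resist adding the `log` keyword to the deny entries on routers that process-switch logged ACL hits; a flood of matches then costs CPU on the very box the filter is meant to protect. `show ip access-lists INFRA-PROTECT` gives per-entry match counters, which is enough to see whether the filter is doing anything.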