ISP port blocking practice

Jon Kibler Jon.Kibler at aset.com
Fri Oct 23 09:14:17 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Bertrand wrote:
> Jon Kibler wrote:
>> To answer that question, I would start with ingress and egress filtering by IP
>> address, protocol, etc.:
>>    1) Never allow traffic to egress any subnet unless its source IP address is
>> within that subnet range.
> 
> Sorry to nit, but shouldn't your uRPF setup take care of this (and many
> of your other list items), long before ACL?
> 
> It's absolutely great if you have your list implemented, but imho, all
> ISPs, no matter how small, should investigate and implement uRPF. It's
> especially fun to play with RTBH.
> 
> To be honest, the smaller you are, the easier it is to implement (i.e.,
> uRPF strict everywhere!  :)
> 
> Steve
> 

Agree for the most part. However:

1) The overwhelming majority of routers I have audited do not have uRPF
implemented, and most admins do not comprehend it, but they do (usually)
comprehend ACLs.

2) L3 switching does not always support it, leaving potential for abuse if the
network has any donut holes.

3) uRPF works best on egress but does little on outside ingress (e.g., bogons).

4) Defense in depth dictates using more than one way to detect an attack, so use
both ACLs and uRPF.

Jon
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler at aset.com
e: Jon.R.Kibler at gmail.com
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrhc+gACgkQUVxQRc85QlNAgACfZgrSuZ7dC1A38oIXB3lInUOc
FnIAniWiQcVpJzp/ooh4LOHwEzPXUWo3
=dKbZ
-----END PGP SIGNATURE-----
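Worked example, added by the editor and not part of the original thread: the checks the two posters are comparing (uRPF strict and loose, an egress ACL that only permits sources inside the customer subnet, and a bogon ACL on transit ingress) simulated in Python over a constructed forwarding table and a few constructed packets. The prefixes, interface names, the "cust*"/"upstream*" naming convention and the allow-default behaviour are assumptions made for the example, not a description of any vendor's implementation; check your platform's documentation for the actual knobs.

```python
import ipaddress

# Constructed forwarding table (assumption for this example, not a real network):
# prefix -> interface the router would use to reach it.
FIB = {
    "192.0.2.0/24": "cust0",        # single-homed customer behind cust0
    "198.51.100.0/24": "cust1",     # another customer behind cust1
    "203.0.113.0/24": "upstream1",  # best path to this prefix is via transit B
    "0.0.0.0/0": "upstream0",       # default route via transit A
}

# Partial bogon list (RFC 1918 plus a few other special-use ranges).
# A production list is longer and must be kept current.
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
]


def lookup(fib, src):
    """Longest-prefix match on the source address; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf(fib, src, in_if, strict=True, allow_default=False):
    """Unicast RPF check. Strict mode requires the best route back to the source
    to point out the arrival interface; loose mode only requires that some route
    exists. A default route satisfies neither unless allow_default is set
    (assumed to mirror the usual 'allow-default' option; verify on your platform)."""
    match = lookup(fib, src)
    if match is None:
        return False
    net, ifname = match
    if net.prefixlen == 0 and not allow_default:
        return False
    return ifname == in_if if strict else True


def acl_source_in_subnet(src, subnet):
    """Jon's rule 1 as an ACL: only sources inside the subnet may leave it."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(subnet)


def acl_not_bogon(src):
    """Bogon ACL for outside ingress: drop sources from unallocated/special-use space."""
    addr = ipaddress.ip_address(src)
    return not any(addr in ipaddress.ip_network(b) for b in BOGONS)


def evaluate(src, in_if, customer_subnet=None):
    """Run every check a packet arriving on in_if would face; True means 'pass'.
    Customer ports get uRPF without allow-default; transit ports, which only
    see a default route here, need allow-default or nothing would pass."""
    is_customer = in_if.startswith("cust")  # naming convention assumed for the example
    verdict = {
        "urpf_strict": urpf(FIB, src, in_if, strict=True, allow_default=not is_customer),
        "urpf_loose": urpf(FIB, src, in_if, strict=False, allow_default=not is_customer),
        "acl_bogon": acl_not_bogon(src),
    }
    if customer_subnet:
        verdict["acl_subnet"] = acl_source_in_subnet(src, customer_subnet)
    return verdict


# Constructed packets: (source, arrival interface, customer subnet if on a customer port)
SAMPLE_PACKETS = [
    ("192.0.2.10", "cust0", "192.0.2.0/24"),   # legitimate customer traffic
    ("203.0.113.5", "cust0", "192.0.2.0/24"),  # customer spoofing someone else's routed prefix
    ("192.168.1.1", "cust0", "192.0.2.0/24"),  # customer spoofing an RFC 1918 source
    ("10.1.2.3", "upstream0", None),           # bogon arriving from transit
    ("203.0.113.5", "upstream0", None),        # legitimate but asymmetric: best path is via upstream1
]

if __name__ == "__main__":
    for src, in_if, subnet in SAMPLE_PACKETS:
        print(f"{src:>14} on {in_if:<9} {evaluate(src, in_if, subnet)}")
```

Running it shows the points made in the thread side by side: the spoofed 203.0.113.5 on the customer port is dropped by strict uRPF and by the subnet ACL but sails through loose uRPF; the 10.1.2.3 bogon from transit passes both uRPF modes once allow-default is on (there is a route, the default) and only the bogon ACL stops it, which is Jon's point 3; and the asymmetric 203.0.113.5 arriving on upstream0 is a legitimate packet that strict uRPF would drop, which is why strict mode belongs on single-homed customer edges and loose mode on transit links.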
More information about the NANOG mailing list