ACLs / Filter Lists - Best Practices
Scott Francis
darkuncle at darkuncle.net
Wed Nov 28 01:00:12 UTC 2001
On Tue, Nov 27, 2001 at 03:37:18PM -0800, John McBrayne stated:
>
> Is anyone aware of any current "best practices" related to the
> recommended set of filtering rules (Cisco ACL lists or Juniper filter
> sets) for reasons of Security, statistics collection, DoS attack
> analysis/prevention, etc.? I'm curious to see if there are any such
> recommendations for Tier 1/Tier 2 backbone routers, peering points,
> etc., as opposed to CPE terminations or Enterprise/LAN equipment
> recommendations.
>
> Actual config file examples would be great, if they exist.
>
> Thanks;
> ..john
enter the RFC1918/egress filtering rants ... mmmm
on a constructive note, I don't have config files to list, but a good start
would be:
* RFC1918 space filtered
* egress filtering (space not on your network should not appear to be
originating from within your network)
* smurf prevention with no-directed-broadcast or the equivalent
There were a couple of very helpful presentations at this year's ToorCon
<http://www.toorcon.org> wrt locking down routers, with emphasis on Cisco
hardware. Take a look at http://toorcon.org/lineup/ciscosecurity/ (HTML; PS
also available) - that was the presentation on using Cisco IOS for Network
Security. There seem to be no presentation notes available for 'The Top 25
Overlooked Configurations on Routers and Switches' on the site; I have some
(rather poor and haphazard) notes I took myself that are available at
http://darkuncle.net/top25_router_configurations.txt
HTH
--
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
UNIX | IP networks | security | sysadmin | caffeine | BOFH | general geekery
GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
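As an added illustration (not part of the original post or its author's notes), here is how the three points above might look as a Cisco IOS configuration fragment. The interface names and the customer prefix 203.0.113.0/24 are assumed placeholders.

```cisco
! Added example, not from the original post. Assumes the upstream link is
! Serial0/0 and the network behind this router is 203.0.113.0/24 (a
! documentation prefix used here only as a placeholder).
!
! Ingress filter on the upstream side: RFC1918 sources should never arrive
! from the Internet, and nothing from outside should claim our own prefix.
ip access-list extended INGRESS-FILTER
 remark Drop packets sourced from RFC1918 private space
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark Drop packets from outside that spoof our own address space
 deny   ip 203.0.113.0 0.0.0.255 any
 permit ip any any
!
! Egress filter: only packets sourced from our own space may leave.
! Anything else is a misconfiguration or a spoofed source; log it.
ip access-list extended EGRESS-FILTER
 remark Only our own prefix may appear as a source on the way out
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Upstream link
 ip access-group INGRESS-FILTER in
 ip access-group EGRESS-FILTER out
 no ip directed-broadcast
!
interface FastEthernet0/0
 description Internal / customer LAN
 no ip directed-broadcast
```

The `log` keyword on the final egress deny makes spoofed or misaddressed sources visible in syslog, which is where the statistics and DoS analysis asked about in the original question would start.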