ACLs / Filter Lists - Best Practices

Christopher L. Morrow chris at UU.NET
Wed Nov 28 05:12:52 UTC 2001


On Tue, 27 Nov 2001, John McBrayne wrote:

jm>
jm> Is anyone aware of any current "best practices" related to the
jm> recommended set of filtering rules (Cisco ACL lists or Juniper filter
jm> sets) for reasons of Security, statistics collection, DoS attack
jm> analysis/prevention, etc.?  I'm curious to see if there are any such

John, the three areas you mention above really should be treated
differently, is there something you are particularly interested in among
these?

On a 'generic' note there is are some recommendations offered by Cisco at
thier website, I can't (of course) endorse them over anyone else, Barry
Greene (who posts at times here and should respond to this note with the
proper links from Cisco) is one of the better voices at Cisco for the
Security (atleast) topic.

Additionally, there were some 'recommended' or 'best practices' covered at
the last NANOG: http://www.nanog.org/mtg-0110/greene.html

That should atleast get you started on 'Security' and 'DoS' stuff... as to
statistics could you clarify this some?

jm> recommendations for Tier 1/Tier 2 backbone routers, peering points,
jm> etc., as opposed to CPE terminations or Enterprise/LAN equipment
jm> recommendations.
jm>

Hmm, I'm not going to recommend anything, since your network is likely
MUCH different from any one I'm working on... BUT perhaps wecan discuss
some likely scenarios?? (perhaps the other list members might have some
statistics gathering ideas/examples??)

jm> Actual config file examples would be great, if they exist.





More information about the NANOG mailing list