Infrastructure Filtering (was Re: Patching for Cisco vulnerability)
Petri Helenius
pete at he.iki.fi
Fri Jul 18 20:25:34 UTC 2003
Some high-end boxes already have a thing called "receive filter" which
helps this a lot. Hope we see more of that or better yet router vendors
stop processing packets they shouldn't be processing anyway much
earlier in the code path. "Be liberal in what you accept" should not apply here.
Pete
----- Original Message -----
From: "Charles Sprickman" <spork at inch.com>
To: <nanog at merit.edu>
Sent: Friday, July 18, 2003 11:20 PM
Subject: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)
>
> This has me wondering if there are any BCPs that touch on the whole idea
> of filtering traffic destined to your router, or what the advisory called
> "infrastructure filtering". All in all, it seems like a good idea to
> block any direct access to router interfaces. But as some have probably
> found already, it's a big pain in the arse.
>
> If I recall correctly, Rob's Secure IOS Template touches on filtering
> known services (the BGP listener, snmp), but what are people's feelings on
> maintaining filters on all interfaces *after* loading a fixed IOS?
>
> Thanks,
>
> Charles
>
> --
> Charles Sprickman
> spork at inch.com
>
>
> On Fri, 18 Jul 2003, Irwin Lazar wrote:
>
> >
> > Just out of curiosity, are folks just applying the Cisco patch or do you go through some sort of testing/validation process to
> > ensure that the patch doesn't cause any other problems? Given typical change management procedures how long is it taking you to get
> > clearance to apply the patch?
> >
> > I'm trying here to gauge the length of time before this vulnerability is closed out.
> >
> > irwin
> >
>
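The filtering Charles asks about, as an added example that is not part of the original thread and not taken from Rob's Secure IOS Template: an infrastructure ACL applied inbound on an edge interface, followed by a receive ACL of the kind Pete refers to. All addresses (documentation space), the interface, the BGP peer and the management station are hypothetical, and the receive ACL part assumes a platform that supports the `ip receive access-list` global command.

```cisco
! Added example, not from the thread. 192.0.2.0/24 is assumed to be the
! block holding this router's loopback and link addresses.
!
! Infrastructure ACL, applied INBOUND on every external-facing interface.
! Only packets whose DESTINATION is our own address space are constrained;
! transit traffic falls through to the final "permit ip any any".
ip access-list extended INFRA-ACL
 remark --- eBGP with the directly attached peer, both directions of the session
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 remark --- SNMP and SSH to any of our addresses, only from the management station
 permit udp host 198.51.100.10 192.0.2.0 0.0.0.255 eq snmp
 permit tcp host 198.51.100.10 192.0.2.0 0.0.0.255 eq 22
 remark --- Enough ICMP for troubleshooting and path MTU discovery
 permit icmp any 192.0.2.0 0.0.0.255 echo
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 unreachable
 remark --- Anything else aimed at the infrastructure itself is dropped
 deny   ip any 192.0.2.0 0.0.0.255
 remark --- Transit traffic is not this ACL's business
 permit ip any any
!
interface Serial1/0
 description Upstream link (hypothetical)
 ip address 192.0.2.1 255.255.255.252
 ip access-group INFRA-ACL in
!
! Receive ACL (assumption: platform supports this command). It is evaluated
! only for packets punted to the route processor, whatever interface they
! arrived on, so it needs neither a transit "permit ip any any" nor a
! per-interface application. The command takes a numbered extended ACL.
access-list 110 permit tcp host 192.0.2.2 any eq bgp
access-list 110 permit tcp host 192.0.2.2 eq bgp any
access-list 110 permit udp host 198.51.100.10 any eq snmp
access-list 110 permit tcp host 198.51.100.10 any eq 22
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any ttl-exceeded
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any unreachable
access-list 110 deny   ip any any
!
ip receive access-list 110
```

Two practical points. First, the "pain" Charles mentions is mostly the inventory: every protocol the router itself terminates or initiates (IGP and iBGP neighbors, NTP, TACACS+/RADIUS replies, DNS answers to the box) needs its own permit, so watch the hit counter on the final deny with `show access-lists` before treating the list as final. Second, the deny entries deliberately carry no `log` keyword: logged hits are punted to the CPU, which is the resource the filter is meant to protect.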