Infrastructure Filtering (was Re: Patching for Cisco vulnerability)
Niels Bakker
niels=nanog at bakker.net
Fri Jul 18 21:53:42 UTC 2003
* jared at puck.Nether.net (Jared Mauch) [Fri 18 Jul 2003, 23:23 CEST]:
> On Fri, Jul 18, 2003 at 04:20:37PM -0400, Charles Sprickman wrote:
>> If I recall correctly, Rob's Secure IOS Template touches on filtering
>> known services (the BGP listener, snmp), but what are people's feelings
>> on maintaining filters on all interfaces *after* loading a fixed IOS?
> It shouldn't be done. Transit internet providers should not
> be the edges' firewalls. The edge? They can filter what they
> want, but you should not filter things for people that they
> don't know are being filtered. I can see a few clear cases where this
> is acceptable, and ms-sql was one of them.
Good point. Still, transit networks' ingress routers could filter on
destination addresses of nodes known not to run IP protocols
53/55/77/103 in order to protect them.
I suppose most networks have a limited number of ranges they use for
assigning space to loopback and point-to-point interfaces so this
needn't be an extreme amount of administration.
Regards,
-- Niels.
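The destination-scoped ingress filter suggested above, written out as an added Cisco IOS example (not part of the original post). The 192.0.2.0/24 range stands in for a network's own loopback and point-to-point blocks, and the interface name is assumed.

```cisco
! Constructed example: 192.0.2.0/24 is a placeholder for the loopback and
! point-to-point ranges an operator actually assigns to infrastructure;
! repeat the deny lines for each such range.
! IP protocols named in the thread: 53 (SWIPE), 55 (IP Mobility),
! 77 (Sun ND), 103 (PIM). 103 is PIM, so leave that line out for any
! range whose routers run multicast routing.
access-list 101 deny 53 any 192.0.2.0 0.0.0.255
access-list 101 deny 55 any 192.0.2.0 0.0.0.255
access-list 101 deny 77 any 192.0.2.0 0.0.0.255
access-list 101 deny 103 any 192.0.2.0 0.0.0.255
! Everything else, including customer traffic to non-infrastructure
! destinations, is left alone, in keeping with Jared's point above.
access-list 101 permit ip any any
!
interface GigabitEthernet0/0
 description assumed transit ingress interface
 ip access-group 101 in
```

Appending `log` to the deny lines gives a record of hits for detection, at the cost of extra CPU on a busy transit router, so use it selectively.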