Best practice ACLs for an internet-facing border router?

Barry Greene (bgreene) bgreene at cisco.com
Mon Jun 13 21:25:21 UTC 2005



I do not think there is a "best practice." In fact, "Operational
Entropy"(1) is a big factor with packet filtering ACLs on the
interconnect side of an SP. So you are not going to find a lot of packet
filtering on SP-SP links.

There are links and presentations you can refer to for help building an iACL
(infrastructure-protecting ACL).

Whitepaper on Infrastructure ACLs (iACLs)
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper0900aecd802b8f21.shtml
(principles in this one can be converted to any packet filter)

Team CYMRU's Secure Templates:
http://www.cymru.com/Documents/secure-ios-template.html
http://www.qorbit.net/documents/junos-template.pdf

Next Gen Peering Architectures and Tools
ftp://ftp-eng.cisco.com/cons/isp/security/CPN-Summit-2004/Paris-Sept-04/
File:
SE12-NEXT-GENERATION-PEERING-AND-INTERCONNECTION-ARCHITECTURES-10120_08_2004_c1_SE12.pdf


(1) Operational Entropy is the process of natural decay that starts the
moment the policy gets applied. OPEX resources need to be allocated to
ensure the entropy does not lead to operational consequence (i.e. the
decayed policy breaks things).


> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On 
> Behalf Of Drew Weaver
> Sent: Monday, June 13, 2005 7:28 AM
> To: nanog at merit.edu
> Subject: Best practice ACLs for an internet-facing border router?
> 
> 
> 	I'm just curious if anyone has ever published a list of 
> what is an agreed upon best practice list of ACLs for an 
> internet-facing border router. I'm talking about things like 
> bogons, private IP addresses, et cetera. If anyone is aware 
> of anything like this I'd like to see it.
> 
> Thanks,
> -Drew
>  
> 
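The iACL principle from the references above (drop bogon and spoofed sources, let only known peers reach the router's own addresses, deny everyone else access to infrastructure space, and pass transit traffic untouched) as a small generator and first-match evaluator. This is an added example, not code from the thread or from the Cisco/Team Cymru documents; the prefixes are constructed (RFC 5737 documentation space stands in for a provider's infrastructure and peering link, so those ranges are deliberately left out of the bogon list), the rule set is IPv4 and IP-wide only, and a production iACL would also be written per protocol and port and would treat ICMP and fragments separately.

```python
"""Minimal infrastructure ACL (iACL) generator and first-match evaluator.

Added example, not from the NANOG thread.  RFC 5737 documentation prefixes
stand in for a provider's real addresses and are therefore deliberately
left out of the bogon list below.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed: loopbacks, link and management space that the iACL protects.
INFRASTRUCTURE = ["192.0.2.0/24"]
# Constructed: the peering link subnet; the neighbour must reach us for eBGP.
TRUSTED_PEERS = ["203.0.113.0/30"]
# Sources that should never arrive on an external interface.  Static
# excerpt only; the live bogon list changes (see the Team Cymru references).
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
]


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    remark: str


def build_iacl(infra, peers, bogons):
    """Return an ordered rule list; first match wins, as in an IOS extended ACL."""
    infra = [ipaddress.ip_network(p) for p in infra]
    peers = [ipaddress.ip_network(p) for p in peers]
    rules = []
    # 1. Anti-spoofing: bogon sources cannot legitimately come from outside.
    for b in bogons:
        rules.append(Rule("deny", ipaddress.ip_network(b), ANY, "bogon source"))
    # 2. Our own infrastructure space as a source on an external link is spoofed.
    for i in infra:
        rules.append(Rule("deny", i, ANY, "spoofed infrastructure source"))
    # 3. Peers that must talk to the router itself (eBGP and the like).
    for p in peers:
        for i in infra:
            rules.append(Rule("permit", p, i, "peer to infrastructure"))
    # 4. Nobody else reaches infrastructure addresses.
    for i in infra:
        rules.append(Rule("deny", ANY, i, "outside to infrastructure"))
    # 5. Transit passes: the iACL protects the router, not the customers.
    rules.append(Rule("permit", ANY, ANY, "transit"))
    return rules


def evaluate(rules, src, dst):
    """Walk the ACL in order and return (action, remark) of the first match."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.remark
    return "deny", "implicit deny"   # IOS ACLs end with an implicit deny


def _ios_addr(net):
    """IOS notation: 'any', 'host a.b.c.d', or 'network wildcard'."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_ios(rules, name="iACL"):
    """Emit the rules as an IOS named extended ACL (IPv4, 'ip' keyword only)."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        lines.append(f" remark {r.remark}")
        lines.append(f" {r.action} ip {_ios_addr(r.src)} {_ios_addr(r.dst)}")
    return "\n".join(lines)


if __name__ == "__main__":
    acl = build_iacl(INFRASTRUCTURE, TRUSTED_PEERS, BOGONS)
    print(render_ios(acl))
    for src, dst in [("10.1.2.3", "198.51.100.10"), ("203.0.113.2", "192.0.2.1"),
                     ("203.0.113.200", "192.0.2.1"), ("203.0.113.200", "198.51.100.10")]:
        print(src, "->", dst, evaluate(acl, src, dst))
```

Generating the ACL from the address plan rather than hand-editing it is one way to spend the OPEX the footnote talks about: when a loopback block or peering link changes, the list is rebuilt and re-applied instead of decaying in place. The evaluator is there to check the rule order before deployment, since a peer's BGP session dies silently if the "deny any to infrastructure" entry lands ahead of the peer permit.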


