Quarantine your infected users spreading malware
Bill Nash
billn at odyssey.billn.net
Wed Mar 1 15:25:18 UTC 2006
On Wed, 1 Mar 2006, David Nolan wrote:
>> Yeah, but it's not near as fun as dynamic acls updated via a script
>> monitoring flow logs in real-time. It's definitely easier to implement,
>> though.
>
> Interesting... That's actually basically what we were doing before, but
> phased out in favor of the URPF & host routes approach. We felt the URPF
> approach was much cleaner, and more efficient. A routing table lookup is
> more efficient than an acl processing, particularly if you have significant
> numbers of rou and solved some problems we were having. It also solved some
> issues we had, including keeping dynamic acls synchronized between two
> redundant routers (HSRP pairs and/or redundant border routers).
I think when he said fun, he meant 'masochistic and nerve wracking, in a
vaguely entertaining because we have scripts issuing and removing ACLs
from our routing core kind of way.' I've built reactive firewalls before,
but even I'd be leery of a reactive ACL implementation. /32 null route
injection is far far easier to manage. =)
- billn
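Added example, not part of the thread: a small simulation of the "/32 null route plus uRPF" quarantine the two posters compare against dynamic ACLs. The `Rib`, `quarantine`, `release` and `forward_decision` names are hypothetical, the addresses are constructed from documentation ranges, and loose-mode uRPF is assumed (source is dropped only when its best route is missing or points at Null0).

```python
"""Simulate quarantine by /32 null route + loose-mode uRPF (constructed example)."""
import ipaddress


class Rib:
    """Minimal longest-prefix-match routing table; next hop 'Null0' discards."""

    def __init__(self):
        self.routes = []  # list of (ip_network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def remove(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [(n, h) for n, h in self.routes if n != net]

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        matches = [(n, h) for n, h in self.routes if ip in n]
        return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def quarantine(rib, host):
    """What the flow-monitoring script would push: a /32 host route to Null0."""
    rib.add(f"{host}/32", "Null0")


def release(rib, host):
    rib.remove(f"{host}/32")


def forward_decision(rib, src, dst):
    """One packet: 'drop-urpf' (source fails loose uRPF), 'drop-null', or 'forward'."""
    if rib.lookup(src) in (None, "Null0"):
        return "drop-urpf"          # traffic FROM the quarantined host
    if rib.lookup(dst) in (None, "Null0"):
        return "drop-null"          # traffic TO the quarantined host
    return "forward"


def demo():
    rib = Rib()
    rib.add("192.0.2.0/24", "customer-vlan")   # constructed customer prefix
    rib.add("0.0.0.0/0", "upstream")           # default route
    quarantine(rib, "192.0.2.77")              # constructed infected host
    before = (forward_decision(rib, "192.0.2.77", "198.51.100.5"),
              forward_decision(rib, "198.51.100.5", "192.0.2.77"),
              forward_decision(rib, "192.0.2.10", "198.51.100.5"))
    release(rib, "192.0.2.77")
    after = forward_decision(rib, "192.0.2.77", "198.51.100.5")
    return before, after
```

Because only the RIB changes, two HSRP peers stay consistent by receiving the same host route rather than by keeping two ACL copies in sync.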