Config files?

William Herrin bill at
Wed Oct 5 23:10:05 UTC 2011

On Wed, Oct 5, 2011 at 3:16 PM, Green, Timothy
<Timothy.Green at> wrote:
> 1.  Should config files be consistent? By this I mean; does the STIG apply its baseline to the config files or elsewhere?

Hi Timothy,

STIGs are a DoD thing. They're not
particularly relevant to public Internet operations. In a few cases
they're not particularly sane. (Manually install the latest bleeding
edge version of OpenSSL whose bugs have not yet been found and whose
API is incompatible with every linked app in the OS? Really?)

> 2.  Are config file change alerts necessary for the security of network equipment?  We have just purchased the SolarWinds suite.

Depends on the configuration. If it's one that rarely changes, it's
not a bad idea. But don't saturate yourself with alerts or you'll
misinterpret or ignore the important ones.

> 3.  Should we obfuscate our Private addresses on our Network Diagram?  What is the common practice?

It depends. My personal predilection is that IP addresses belong in
configurations while explanation and structure belong on network
diagrams so I rarely reach the question of whether there's also
security value in removing the IP addresses from the pretty pictures.

> 4.  How can I get a grip on my ACLs or is it even possible?  How do you all maintain them without going insane!

Simplify. Don't overdo it. Do you really need ACLs for 100 popular
trojan horse TCP ports? The 500 outbound port whitelist? If your
security is so complex you can't understand it then it almost
certainly isn't secure. If you have a particular subsystem with
special needs, it never hurts to give it its own firewall so you can
strip the related complexity from your main firewall.

Bill Herrin

William D. Herrin ................ herrin at  bill at
3005 Crane Dr. ...................... Web: <>
Falls Church, VA 22042-3004

More information about the NANOG mailing list