|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: ACLs / Filter Lists - Best Practices
Chris is talking about the ISP Workshop Archives which includes the ISP Essentials whitepaper/presentations, security presentations, multihoming presentations, and other materials we use to help new generations of ISP Engineers get up to speed. It is all "Cisco" stuff, so keep that in mind. No fancy web pages - just browse the directories: http://www.cisco.com/public/cons/ The security materials are at: http://www.cisco.com/public/cons/isp/security/ ISP Essentials is at: http://www.cisco.com/public/cons/isp/documents/ > -----Original Message----- > From: [email protected] [mailto:[email protected]]On Behalf Of > Christopher L. Morrow > Sent: Tuesday, November 27, 2001 9:13 PM > To: John McBrayne > Cc: [email protected] > Subject: Re: ACLs / Filter Lists - Best Practices > > > > > On Tue, 27 Nov 2001, John McBrayne wrote: > > jm> > jm> Is anyone aware of any current "best practices" related to the > jm> recommended set of filtering rules (Cisco ACL lists or Juniper filter > jm> sets) for reasons of Security, statistics collection, DoS attack > jm> analysis/prevention, etc.? I'm curious to see if there are any such > > John, the three areas you mention above really should be treated > differently, is there something you are particularly interested in among > these? > > On a 'generic' note there is are some recommendations offered by Cisco at > thier website, I can't (of course) endorse them over anyone else, Barry > Greene (who posts at times here and should respond to this note with the > proper links from Cisco) is one of the better voices at Cisco for the > Security (atleast) topic. > > Additionally, there were some 'recommended' or 'best practices' covered at > the last NANOG: http://www.nanog.org/mtg-0110/greene.html > > That should atleast get you started on 'Security' and 'DoS' stuff... as to > statistics could you clarify this some? > > jm> recommendations for Tier 1/Tier 2 backbone routers, peering points, > jm> etc., as opposed to CPE terminations or Enterprise/LAN equipment > jm> recommendations. > jm> > > Hmm, I'm not going to recommend anything, since your network is likely > MUCH different from any one I'm working on... BUT perhaps wecan discuss > some likely scenarios?? (perhaps the other list members might have some > statistics gathering ideas/examples??) > > jm> Actual config file examples would be great, if they exist. > > >
|