North American Network Operators Group


Re: management interface accessibility (was Re: Worm / UDP1434)

  • From: Christopher L. Morrow
  • Date: Sun Jan 26 16:43:53 2003


On Sun, 26 Jan 2003, Rob Thomas wrote:

>
> Hey, Chris.
>
> ] or the one that stealthily permitted udp 1434 from the outside world :(
>
> Yeah.  :(
>
> This is yet another reason why I tell folks with firewalls NOT to allow
> everything from the internal (often mistakenly labelled "trusted") net
> to the external nets.

The unfortunate but required security precaution is that you really
should filter as low down in the network as possible; this allows the most
granular filtering possible. Much of that could be accomplished with
simple router ACLs.

Filtering as close to the end hosts as possible allows you to explicitly
permit/deny traffic to the services required without as many compromises
on ACL length or granularity.

Note, it may require some automation of the ACL deployment, or management
of the ACLs could become 'complex' :)
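As an added illustration of the per-host filtering and ACL automation described above (this is example code, not anything from the thread or from any vendor), the script below generates one permit-only ACL per host from a constructed service inventory and contrasts it with a single coarse edge ACL for the whole subnet. The addresses, host roles and the IOS-style ACL syntax are assumptions.

```python
"""Per-host access-layer ACLs generated from a service inventory, contrasted
with one coarse perimeter ACL. Added example; not from the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    proto: str  # "tcp" or "udp"
    port: int


# Constructed inventory: addresses and roles are assumptions, not from the thread.
INVENTORY = {
    "192.0.2.10": {Service("tcp", 25), Service("tcp", 80)},  # mail/web host
    "192.0.2.20": {Service("tcp", 1433)},                     # SQL server, TCP only
}
SUBNET = "192.0.2.0/24"


def host_acls(inventory):
    """One extended ACL per host for its host-facing interface: permit exactly
    the inventoried services, then deny (and log) everything else."""
    acls = {}
    for addr, services in inventory.items():
        lines = [f"ip access-list extended HOST-{addr.replace('.', '-')}"]
        for svc in sorted(services, key=lambda s: (s.proto, s.port)):
            lines.append(f" permit {svc.proto} any host {addr} eq {svc.port}")
        lines.append(f" deny ip any host {addr} log")
        acls[addr] = lines
    return acls


def perimeter_acl(inventory, subnet):
    """The coarse alternative: one edge ACL permitting the union of every
    host's services to the whole subnet, so each host inherits every port."""
    net = ipaddress.ip_network(subnet)
    dst = f"{net.network_address} {net.hostmask}"  # IOS wildcard-mask form
    union = sorted({s for svcs in inventory.values() for s in svcs},
                   key=lambda s: (s.proto, s.port))
    lines = ["ip access-list extended EDGE-IN"]
    lines += [f" permit {s.proto} any {dst} eq {s.port}" for s in union]
    lines.append(f" deny ip any {dst} log")
    return lines


def permits(acl, proto, addr, port):
    """First-match evaluation of a generated ACL for one inbound flow."""
    for line in acl[1:]:
        p = line.split()  # e.g. permit tcp any host A eq 80 / permit tcp any NET WILDCARD eq 80
        if p[1] not in ("ip", proto):
            continue
        if p[3] == "host":
            hit = p[4] == addr
        else:  # ipaddress accepts the wildcard (host mask) form "NET/WILDCARD"
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(f"{p[3]}/{p[4]}")
        if not hit or ("eq" in p and int(p[p.index("eq") + 1]) != port):
            continue
        return p[0] == "permit"
    return False  # implicit deny at the end of every ACL
```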