North American Network Operators Group


Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)

  • From: Petri Helenius
  • Date: Fri Jul 18 16:27:32 2003

Some high-end boxes already have a thing called "receive filter" which
helps this a lot. Hope we see more of that or better yet router vendors
stop processing packets they shouldn't be processing anyway much
earlier in the code path. "Be liberal in what you accept" should not apply here.


----- Original Message ----- 
From: "Charles Sprickman" <[email protected]>
To: <[email protected]>
Sent: Friday, July 18, 2003 11:20 PM
Subject: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)

> This has me wondering if there are any BCPs that touch on the whole idea
> of filtering traffic destined to your router, or what the advisory called
> "infrastructure filtering".  All in all, it seems like a good idea to
> block any direct access to router interfaces.  But as some have probably
> found already, it's a big pain in the arse.
> If I recall correctly, Rob's Secure IOS Template touches on filtering
> known services (the BGP listener, snmp), but what are people's feelings on
> maintaining filters on all interfaces *after* loading a fixed IOS?
> Thanks,
> Charles
> --
> Charles Sprickman
> [email protected]
> On Fri, 18 Jul 2003, Irwin Lazar wrote:
> >
> > Just out of curiosity, are folks just applying the Cisco patch or do you go through some sort of testing/validation process to
> > ensure that the patch doesn't cause any other problems?  Given typical change management procedures how long is it taking you to get
> > clearance to apply the patch?
> >
> > I'm trying here to gauge the length of time before this vulnerability is closed out.
> >
> > irwin
> >
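The two mechanisms the thread talks past each other about, Charles's interface-level "infrastructure filtering" and Petri's "receive filter", as an added example in Cisco IOS syntax. This is not configuration from the original messages, from Rob Thomas's Secure IOS Template, or from the Cisco advisory; the router block 198.51.100.0/24, the eBGP peer 192.0.2.1, the peering interface address 198.51.100.1 and the NOC block 203.0.113.0/24 are constructed documentation addresses, and the interface name is assumed.

```cisco
! --- Infrastructure ACL: applied inbound on every untrusted-facing interface.
! It protects the whole address block the routers, loopbacks and link
! addresses live in (198.51.100.0/24, constructed), and only that block;
! transit traffic falls through to the final permit.
ip access-list extended INFRASTRUCTURE-IN
 remark eBGP session with peer 192.0.2.1 (constructed) on our peering address
 permit tcp host 192.0.2.1 host 198.51.100.1 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 198.51.100.1
 remark management only from the NOC block (constructed)
 permit tcp 203.0.113.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 22
 permit udp 203.0.113.0 0.0.0.255 198.51.100.0 0.0.0.255 eq snmp
 remark ICMP the routers must still answer (PMTUD, traceroute, ping)
 permit icmp any 198.51.100.0 0.0.0.255 packet-too-big
 permit icmp any 198.51.100.0 0.0.0.255 ttl-exceeded
 permit icmp any 198.51.100.0 0.0.0.255 echo
 permit icmp any 198.51.100.0 0.0.0.255 echo-reply
 remark anti-spoof: our infrastructure block never arrives from outside
 deny   ip 198.51.100.0 0.0.0.255 any log
 remark non-initial fragments carry no L4 header; drop them explicitly
 deny   ip any 198.51.100.0 0.0.0.255 fragments log
 remark everything else aimed at infrastructure addresses is dropped
 deny   ip any 198.51.100.0 0.0.0.255 log
 remark transit traffic to customers and the Internet is untouched
 permit ip any any
!
interface GigabitEthernet0/0
 description Peering link, untrusted side (assumed interface name)
 ip access-group INFRASTRUCTURE-IN in
!
! --- Receive ACL (Petri's "receive filter"): one global numbered ACL,
! evaluated only for packets whose destination is the router itself,
! so transit traffic never touches it and the list needs no final
! "permit ip any any".
access-list 120 permit tcp host 192.0.2.1 host 198.51.100.1 eq bgp
access-list 120 permit tcp host 192.0.2.1 eq bgp host 198.51.100.1
access-list 120 permit tcp 203.0.113.0 0.0.0.255 any eq 22
access-list 120 permit udp 203.0.113.0 0.0.0.255 any eq snmp
access-list 120 permit icmp any any packet-too-big
access-list 120 permit icmp any any ttl-exceeded
access-list 120 permit icmp any any echo
access-list 120 permit icmp any any echo-reply
access-list 120 deny   ip any any log
!
ip receive access-list 120
```

The receive ACL is the cheaper of the two to maintain, because it only has to name the sessions the router itself terminates (BGP peers, management sources, the ICMP it must answer), but in 2003 `ip receive access-list` was a high-end feature and the ACL had to be numbered. The infrastructure ACL works on any platform, and its pain is exactly the one Charles describes: every loopback and point-to-point link address has to be inside the denied block, every legitimate peer and management source has to be enumerated, and the list must be applied on every edge interface or the protection has a hole. Before turning the `deny` lines loose, put the list in with `permit` in place of each `deny` and watch `show access-list INFRASTRUCTURE-IN` counters for a few days; anything hitting the "everything else" line that you did not expect is a session you forgot to permit.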