North American Network Operators Group

Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)
* [email protected] (Jared Mauch) [Fri 18 Jul 2003, 23:23 CEST]:
> On Fri, Jul 18, 2003 at 04:20:37PM -0400, Charles Sprickman wrote:
>> If I recall correctly, Rob's Secure IOS Template touches on filtering
>> known services (the BGP listener, snmp), but what are people's feelings
>> on maintaining filters on all interfaces *after* loading a fixed IOS?
> It shouldn't be done. Transit internet providers should not
> be the edges' firewalls. The edge? They can filter what they
> want, but you should not filter things for people that they
> don't know are being filtered. I can see a few clear cases where this
> is acceptable, and ms-sql was one of them.

Good point. Still, transit networks' ingress routers could filter on
destination addresses of nodes known not to run IP protocols 53/55/77/103
in order to protect them. I suppose most networks have a limited number of
ranges they use for assigning space to loopback and point-to-point
interfaces, so this needn't be an extreme amount of administration.

Regards,

-- Niels.
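The filter Niels describes, as an added example that is not part of the original thread and not anyone's posted configuration: a generator that turns a list of infrastructure prefixes (the loopback and point-to-point blocks) into a Cisco IOS extended ACL denying IP protocols 53, 55, 77 and 103 only when the destination is one of those prefixes, plus a first-match evaluator that lets you check the policy offline before applying it. The prefixes, ACL name and interface name are constructed for the example (RFC 5737 documentation space); substitute your own.

```python
"""
Added example: destination-scoped filtering of IP protocols 53/55/77/103
toward router infrastructure addresses, in the form of a Cisco IOS extended
ACL, with an offline evaluator that mirrors the ACL's first-match semantics.
Not code from the NANOG thread; all prefixes and names are constructed.
"""
import ipaddress

# Protocol numbers named in the thread.
FILTERED_PROTOCOLS = (53, 55, 77, 103)

# Constructed infrastructure ranges (RFC 5737 documentation space).  In a real
# network these are the blocks used for loopbacks and point-to-point links.
INFRA_PREFIXES = ("192.0.2.0/24", "198.51.100.0/27")


def wildcard_mask(net: ipaddress.IPv4Network) -> str:
    """IOS ACLs take an inverse (wildcard) mask, i.e. the host mask of the prefix."""
    return str(net.hostmask)


def build_acl(name: str, infra_prefixes=INFRA_PREFIXES,
              protocols=FILTERED_PROTOCOLS) -> str:
    """Render an extended ACL: deny each listed protocol to each infra prefix,
    then permit everything else so transit traffic is untouched."""
    lines = [f"ip access-list extended {name}"]
    for prefix in infra_prefixes:
        net = ipaddress.ip_network(prefix)
        for proto in protocols:
            lines.append(f" deny {proto} any {net.network_address} {wildcard_mask(net)}")
    lines.append(" permit ip any any")
    return "\n".join(lines)


def apply_inbound(acl_name: str, interface: str) -> str:
    """Interface stanza applying the ACL inbound on an ingress interface."""
    return f"interface {interface}\n ip access-group {acl_name} in"


def allowed(dst: str, proto: int, infra_prefixes=INFRA_PREFIXES,
            protocols=FILTERED_PROTOCOLS) -> bool:
    """First-match evaluation of the same policy: a packet is dropped only if
    its protocol is in the list AND its destination is an infrastructure address."""
    addr = ipaddress.ip_address(dst)
    hits_infra = any(addr in ipaddress.ip_network(p) for p in infra_prefixes)
    return not (proto in protocols and hits_infra)


if __name__ == "__main__":
    print(build_acl("INFRA-PROTECT"))
    print(apply_inbound("INFRA-PROTECT", "GigabitEthernet0/0"))
    # Protocol 103 to a loopback is dropped; TCP (BGP) to the same loopback
    # and protocol 103 to a customer address both pass.
    print(allowed("192.0.2.1", 103), allowed("192.0.2.1", 6), allowed("203.0.113.10", 103))
```

Because every deny line is scoped to the infrastructure destination ranges, packets transiting to customers are never matched, which keeps the filter inside the case Jared allows (protecting your own boxes rather than firewalling other people). One caveat a practitioner would check before deploying: protocol 103 is PIM, so on interfaces where the router legitimately speaks multicast routing, the deny for 103 needs a preceding permit for the expected PIM neighbors, or that protocol has to be left out of the list for those interfaces.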