North American Network Operators Group


RE: Best practice ACLs for a internet facing border router?

  • From: Barry Greene (bgreene)
  • Date: Mon Jun 13 17:27:31 2005

I do not think there is a "best practice." In fact, "Operational
Entropy"(1) has a big factor with packet filtering ACLs on the
interconnect side of an SP. So you are not going to find a lot of packet
filtering on SP-SP links.

There are links and presentations you can refer to, to help build an iACL
(Infrastructure protecting ACL).

Whitepaper on Infrastructure ACLs (iACLs)
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper0900aecd802b8f21.shtml
(principles in this one can be converted to any packet filter)

Team CYMRU's Secure Templates:
http://www.cymru.com/Documents/secure-ios-template.html
http://www.qorbit.net/documents/junos-template.pdf

Next Gen Peering Architectures and Tools
ftp://ftp-eng.cisco.com/cons/isp/security/CPN-Summit-2004/Paris-Sept-04/
File:
SE12-NEXT-GENERATION-PEERING-AND-INTERCONNECTION-ARCHITECTURES-10120_08_2004_c1_SE12.pdf


(1) Operational Entropy is the process of natural decay that starts the
moment the policy gets applied. OPEX resources need to be allocated to
ensure the entropy does not lead to operational consequence (i.e. the
decayed policy breaks things).


> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of Drew Weaver
> Sent: Monday, June 13, 2005 7:28 AM
> To: [email protected]
> Subject: Best practice ACLs for a internet facing border router?
> 
> 
> 	I'm just curious if anyone has ever published a list of 
> what is an agreed upon best practice list of ACLs for an 
> internet-facing border router. I'm talking about things like 
> bogons, private IP addresses, et cetera. If anyone is aware 
> of anything like this I'd like to see it.
> 
> Thanks,
> -Drew
>  
>
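The iACL structure Barry points to (anti-spoof denies, then explicit permits to infrastructure, then a blanket deny to infrastructure, then permit transit), as an added Cisco IOS example that is not from the thread or from Cisco's whitepaper. The infrastructure prefix 192.0.2.0/24, the peer address 198.51.100.1 and the interface name are placeholders from the RFC 5737 documentation ranges; the reserved-source list is deliberately limited to RFC 1918 and fixed reserved blocks, because a hand-maintained list of unallocated bogons is exactly the kind of policy that decays ("operational entropy") as space gets allocated.

```cisco
! Placeholders: 192.0.2.0/24 = our router/loopback/link space, 198.51.100.1 = eBGP peer
ip access-list extended INFRASTRUCTURE-IN
 remark --- 1. Anti-spoof: reserved and private source addresses never arrive from outside
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 15.255.255.255 any
 remark --- 2. Anti-spoof: our own infrastructure space as a source cannot come from a peer
 deny   ip 192.0.2.0 0.0.0.255 any
 remark --- 3. Explicit permits to infrastructure: eBGP with this peer only, plus the ICMP
 remark     types needed for reachability tests and path MTU discovery
 permit tcp host 198.51.100.1 host 192.0.2.1 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 192.0.2.1
 permit icmp any 192.0.2.0 0.0.0.255 echo
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
 remark --- 4. Everything else addressed to infrastructure is dropped (and logged for tuning)
 deny   ip any 192.0.2.0 0.0.0.255 log
 remark --- 5. Transit traffic to customers is untouched
 permit ip any any
!
interface GigabitEthernet0/0
 description Placeholder: internet-facing interconnect
 ip access-group INFRASTRUCTURE-IN in
```

Block 4 is the part that changes as new protocols are added to the routers (new BGP peers, NTP, SNMP pollers), so the `log` keyword and a periodic review of its hit counters are the OPEX spend the footnote refers to.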