North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
RE: Best practice ACLs for a internet facing border router?
I do not think there is a "best practice." In fact, "Operational Entropy"(1) has a big factor with packet filtering ACLs on the interconnect side of an SP. So you are not going to find a lot of packet filtering on SP-SP links. There are links and presentations you can refer to help build a iACL (Infrastructure protecting ACL). Whitepaper on Infrastructure ACLs (iACLs) http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_pa per0900aecd802b8f21.shtml (principles in this one can be converted to any packet filter) Team CYMRU's Secure Templates: http://www.cymru.com/Documents/secure-ios-template.html http://www.qorbit.net/documents/junos-template.pdf Next Gen Peering Architectures and Tools ftp://ftp-eng.cisco.com/cons/isp/security/CPN-Summit-2004/Paris-Sept-04/ File: SE12-NEXT-GENERATION-PEERING-AND-INTERCONNECTION-ARCHITECTURES-10120_08_ 2004_c1_SE12.pdf (1) Operational Entropy is the process of natural decay that starts the moment the policy gets applied. OPEX resources need to be allocated to insure the entropy does not lead to operational consequence (i.e. the decayed policy breaks things). > -----Original Message----- > From: [email protected] [mailto:[email protected]] On > Behalf Of Drew Weaver > Sent: Monday, June 13, 2005 7:28 AM > To: [email protected] > Subject: Best practice ACLs for a internet facing border router? > > > I'm just curious if anyone has ever published a list of > what is an agreed upon best practice list of ACLs for an > internet facing border router. I'm talking about things like > bogons, private Ip addresses, et cetera. If anyone is aware > of anything like this I'd like to see it. > > Thanks, > -Drew > >