North American Network Operators Group


Re: Quarantine your infected users spreading malware

  • From: Bill Nash
  • Date: Wed Mar 01 10:36:49 2006

On Wed, 1 Mar 2006, David Nolan wrote:

> > Yeah, but it's not near as fun as dynamic acls updated via a script
> > monitoring flow logs in real-time. It's definitely easier to implement,
> > though.
>
> Interesting... That's actually basically what we were doing before, but phased out in favor of the URPF & host routes approach. We felt the URPF approach was much cleaner, and more efficient. A routing table lookup is more efficient than acl processing, particularly if you have significant numbers of rou and solved some problems we were having. It also solved some issues we had, including keeping dynamic acls synchronized between two redundant routers (HSRP pairs and/or redundant border routers).

I think when he said fun, he meant 'masochistic and nerve wracking, in a vaguely entertaining because we have scripts issuing and removing ACLs from our routing core kind of way.' I've built reactive firewalls before, but even I'd be leery of a reactive ACL implementation. /32 null route injection is far far easier to manage. =)

- billn
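The two quarantine approaches the thread contrasts, as an added example that is not part of the original posts: a small script flags hosts from constructed flow records with a fan-out heuristic, then emits both the per-router ACL form and the /32 Null0 host-route form that David Nolan and Bill Nash prefer. The flow-log format, the port-445 fan-out threshold, and the route tag value are assumptions chosen for this example; the IOS `ip route ... Null0 tag` and `ip access-list extended` syntax is standard.

```python
"""Quarantine candidates from flow records: ACL vs. /32 null-route output.

Added example for the NANOG thread above; not code from either poster.
Flow format, threshold and tag value are constructed assumptions.
"""
from collections import defaultdict
import ipaddress

# Constructed sample flow records (not real data): src dst dst_port packets.
# 10.1.2.3 fans out to six distinct hosts on 445, a classic worm signature;
# 10.1.2.4 touches two and 10.1.2.5 is ordinary web traffic.
SAMPLE_FLOWS = """\
10.1.2.3 192.0.2.10 445 1
10.1.2.3 192.0.2.11 445 1
10.1.2.3 192.0.2.12 445 1
10.1.2.3 192.0.2.13 445 1
10.1.2.3 192.0.2.14 445 1
10.1.2.3 192.0.2.15 445 1
10.1.2.4 192.0.2.10 445 3
10.1.2.4 192.0.2.11 445 2
10.1.2.5 198.51.100.7 80 120
10.1.2.5 198.51.100.8 80 88
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, dst, dport, pkts)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, pkts = line.split()
        records.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                        int(dport), int(pkts)))
    return records


def suspect_scanners(records, port=445, min_unique_dsts=5):
    """Sources that reached at least min_unique_dsts distinct hosts on port.

    Fan-out per source is the signal; packet counts are ignored on purpose,
    since a scanning worm sends one or two packets to each victim.
    """
    fanout = defaultdict(set)
    for src, dst, dport, _ in records:
        if dport == port:
            fanout[src].add(dst)
    return sorted(src for src, dsts in fanout.items()
                  if len(dsts) >= min_unique_dsts)


def acl_config(hosts, acl_name="QUARANTINE"):
    """The reactive-ACL form: must be pushed to, and kept in sync on, every router."""
    lines = [f"ip access-list extended {acl_name}"]
    lines += [f" deny ip host {h} any" for h in hosts]
    lines.append(" permit ip any any")
    return lines


def null_route_config(hosts, tag=666):
    """The host-route form: one /32 to Null0 per infected host.

    With loose-mode uRPF on the ingress interfaces, a Null0 route for the
    source address also drops packets *from* that host, which is the
    'URPF & host routes' trick in the thread. The tag (value assumed here)
    lets a route-map redistribute these into the IGP/BGP so HSRP pairs and
    redundant borders learn them, instead of needing a per-router ACL push.
    """
    return [f"ip route {h} 255.255.255.255 Null0 tag {tag}" for h in hosts]


if __name__ == "__main__":
    flagged = suspect_scanners(parse_flows(SAMPLE_FLOWS))
    print("! ACL approach (per-router state):")
    print("\n".join(acl_config(flagged)))
    print("! Null-route approach (propagates via routing):")
    print("\n".join(null_route_config(flagged)))
```

Running it flags only 10.1.2.3 and prints the two configuration fragments side by side; the point of the comparison is that the null-route list is a set of routing-table entries the rest of the network can learn on its own, while the ACL has to be rewritten atomically on each box.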