[34862] in North American Network Operators' Group


Re: Sample CISCO Border Router Config

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Feb 21 10:38:09 2001

Message-Id: <200102211535.f1LFZki12887@foo-bar-baz.cc.vt.edu>
To: "Kenneth D. Paquette" <ken@btv.ibm.com>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Wed, 21 Feb 2001 09:15:53 EST."
             <4.3.2.7.2.20010221091201.00b7ef00@postoffice.btv.ibm.com> 
From: Valdis.Kletnieks@vt.edu
Date: Wed, 21 Feb 2001 10:35:46 -0500
Errors-To: owner-nanog-outgoing@merit.edu



On Wed, 21 Feb 2001 09:15:53 EST, "Kenneth D. Paquette" <ken@btv.ibm.com>  said:

> NANOG or one of the firewall lists, but figured I would start here 
> first.  I believe is a link into the SANS institute, but can't find it

http://www.sans.org/dosstep/index.htm might be what you wanted?

It's not a complete list of what to do, but it's a start.  I believe Phil
Benchoff (one of my co-workers) did the Cisco stuff for that.  Note that
Phil is actually more fascist than that - not only do we do egress filtering
on *every* interface on *every* router, we also do *ingress* filtering as well.
If we see a packet coming in from the outside world with a source address
in one of our 2 /16s, it gets nuked.  This of course relies on the fact that
we're basically a leaf site with no transit traffic, and there "should not be"
a path from an on-campus host off campus and back to another on-campus host.

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
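
Added example, not part of the original post or of the SANS page it links: a small generator for the two border ACLs the message describes (drop inbound packets that claim a site source address, let only site sources leave), plus a model of the decision for checking the policy. The two /16s, the ACL names and the function names are assumptions; the post does not give them.

```python
import ipaddress

# Constructed placeholders: the post does not name the site's two /16s.
SITE_PREFIXES = ["10.1.0.0/16", "10.2.0.0/16"]

def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def ingress_acl(prefixes, name="FROM-OUTSIDE"):
    """ACL for traffic arriving from outside: a site source here is spoofed.
    Only valid for a leaf site with no transit traffic, as the post notes."""
    lines = [f"ip access-list extended {name}"]
    for n in _nets(prefixes):
        # IOS extended ACLs take a wildcard (inverted) mask, not a netmask.
        lines.append(f" deny ip {n.network_address} {n.hostmask} any")
    lines.append(" permit ip any any")
    return lines

def egress_acl(prefixes, name="TO-OUTSIDE"):
    """ACL for traffic leaving the site: only site sources may go out."""
    lines = [f"ip access-list extended {name}"]
    for n in _nets(prefixes):
        lines.append(f" permit ip {n.network_address} {n.hostmask} any")
    lines.append(" deny ip any any")
    return lines

def decide(direction, src, prefixes):
    """Model of the policy: 'in' = from outside, 'out' = leaving the site."""
    inside = any(ipaddress.ip_address(src) in n for n in _nets(prefixes))
    if direction == "in":
        return "deny" if inside else "permit"
    if direction == "out":
        return "permit" if inside else "deny"
    raise ValueError(f"unknown direction: {direction}")

if __name__ == "__main__":
    print("\n".join(ingress_acl(SITE_PREFIXES) + ["!"] + egress_acl(SITE_PREFIXES)))
    # Constructed sample packets: (direction, source address)
    for pkt in [("in", "10.2.3.4"), ("in", "192.0.2.1"), ("out", "192.0.2.1")]:
        print(pkt, "->", decide(*pkt, SITE_PREFIXES))
```

The generated lists still have to be bound to the external interface with `ip access-group <name> in` and `ip access-group <name> out`.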



