[44456] in North American Network Operators' Group


Re: ACLs / Filter Lists - Best Practices

daemon@ATHENA.MIT.EDU (Scott Francis)
Tue Nov 27 20:01:34 2001

Date: Tue, 27 Nov 2001 17:00:12 -0800
From: Scott Francis <darkuncle@darkuncle.net>
To: John McBrayne <mcbrayne@caspiannetworks.com>
Cc: nanog@merit.edu
Message-ID: <20011127170012.I81207@darkuncle.net>
In-Reply-To: <3C0423AE.BAE18582@caspiannetworks.com>

On Tue, Nov 27, 2001 at 03:37:18PM -0800, John McBrayne stated:
>
> Is anyone aware of any current "best practices" related to the
> recommended set of filtering rules (Cisco ACL lists or Juniper filter
> sets) for reasons of Security, statistics collection, DoS attack
> analysis/prevention, etc.?  I'm curious to see if there are any such
> recommendations for Tier 1/Tier 2 backbone routers, peering points,
> etc., as opposed to CPE terminations or Enterprise/LAN equipment
> recommendations.
>
> Actual config file examples would be great, if they exist.
>
> Thanks;
> ..john

enter the RFC1918/egress filtering rants ... mmmm

on a constructive note, I don't have config files to list, but a good start
would be:
* RFC1918 space filtered
* egress filtering (space not on your network should not appear to be
originating from within your network)
* smurf prevention with no-directed-broadcast or the equivalent

There were a couple of very helpful presentations at this year's ToorCon
<http://www.toorcon.org> wrt locking down routers, with emphasis on Cisco
hardware. Take a look at http://toorcon.org/lineup/ciscosecurity/ (HTML; PS
also available) - that was the presentation on using Cisco IOS for Network
Security. There seem to be no presentation notes available for 'The Top 25
Overlooked Configurations on Routers and Switches' on the site; I have some
(rather poor and haphazard) notes I took myself that are available at
http://darkuncle.net/top25_router_configurations.txt

HTH

-- 
Scott Francis                   darkuncle@ [home:] d a r k u n c l e . n e t
UNIX | IP networks | security | sysadmin | caffeine | BOFH | general geekery
GPG public key 0xCB33CCA7              illum oportet crescere me autem minui

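A minimal Cisco IOS configuration applying the three items Scott lists (RFC1918 filtering, egress filtering, directed-broadcast off), added here as an illustration; it is not from the post, the ToorCon material, or the linked notes. 192.0.2.0/24 (RFC 5737 documentation space) stands in for the operator's own prefix, and the interface names are assumed.

```cisco
! Added example, not from the original post. Assumptions: our prefix is
! 192.0.2.0/24; Serial0/0 faces the upstream/peer; FastEthernet0/0 faces
! customers.
!
! Ingress from the upstream/peer: drop RFC1918 sources, loopback,
! 0.0.0.0/8, link-local, and our own prefix (a packet claiming to be
! from our space cannot legitimately arrive from outside), then permit.
ip access-list extended FROM-UPSTREAM
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 permit ip any any
!
! Egress toward the upstream/peer: only our own prefix may appear as the
! source. Everything else is spoofed or misrouted; the deny is logged so
! the offending customer can be found.
ip access-list extended TO-UPSTREAM
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description upstream / peering link (assumed name)
 ip access-group FROM-UPSTREAM in
 ip access-group TO-UPSTREAM out
 no ip directed-broadcast
!
! Smurf amplification is stopped on the interfaces that would forward
! the broadcast, so the customer-facing side needs it too.
interface FastEthernet0/0
 description customer-facing LAN (assumed name)
 no ip directed-broadcast
```

`no ip directed-broadcast` has been the IOS default since 12.0, so on a current image it will not show up in `show running-config`; confirm with `show ip interface <name>`, which reports "Directed broadcast forwarding is disabled". The `log` keyword on the egress deny is useful for an initial audit but is punted to the CPU, so on a busy backbone interface remove it once the misconfigured sources are found. Where routing toward a customer is symmetric, `ip verify unicast reverse-path` (strict uRPF) does the egress check without a hand-maintained prefix list. `show ip access-lists` counters show which entries are actually matching.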
