[44470] in North American Network Operators' Group
RE: ACLs / Filter Lists - Best Practices
daemon@ATHENA.MIT.EDU (Barry Raveendran Greene)
Wed Nov 28 10:32:07 2001
From: "Barry Raveendran Greene" <bgreene@cisco.com>
To: "Christopher L. Morrow" <chris@UU.NET>,
"John McBrayne" <mcbrayne@caspiannetworks.com>
Cc: <nanog@merit.edu>
Date: Wed, 28 Nov 2001 07:30:03 -0800
Message-ID: <LNEHJBNJAPFNLEGJHCPECEMADFAA.bgreene@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <Pine.GSO.4.33.0111280505020.15667-100000@rampart.argfrp.us.uu.net>
Errors-To: owner-nanog-outgoing@merit.edu
Chris is talking about the ISP Workshop Archives which includes the ISP
Essentials whitepaper/presentations, security presentations, multihoming
presentations, and other materials we use to help new generations of ISP
Engineers get up to speed. It is all "Cisco" stuff, so keep that in mind. No
fancy web pages - just browse the directories:
http://www.cisco.com/public/cons/
The security materials are at:
http://www.cisco.com/public/cons/isp/security/
ISP Essentials is at:
http://www.cisco.com/public/cons/isp/documents/
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
> Christopher L. Morrow
> Sent: Tuesday, November 27, 2001 9:13 PM
> To: John McBrayne
> Cc: nanog@merit.edu
> Subject: Re: ACLs / Filter Lists - Best Practices
>
>
>
>
> On Tue, 27 Nov 2001, John McBrayne wrote:
>
> jm>
> jm> Is anyone aware of any current "best practices" related to the
> jm> recommended set of filtering rules (Cisco ACL lists or Juniper filter
> jm> sets) for reasons of Security, statistics collection, DoS attack
> jm> analysis/prevention, etc.? I'm curious to see if there are any such
>
> John, the three areas you mention above really should be treated
> differently, is there something you are particularly interested in among
> these?
>
> On a 'generic' note there is are some recommendations offered by Cisco at
> thier website, I can't (of course) endorse them over anyone else, Barry
> Greene (who posts at times here and should respond to this note with the
> proper links from Cisco) is one of the better voices at Cisco for the
> Security (atleast) topic.
>
> Additionally, there were some 'recommended' or 'best practices' covered at
> the last NANOG: http://www.nanog.org/mtg-0110/greene.html
>
> That should atleast get you started on 'Security' and 'DoS' stuff... as to
> statistics could you clarify this some?
>
> jm> recommendations for Tier 1/Tier 2 backbone routers, peering points,
> jm> etc., as opposed to CPE terminations or Enterprise/LAN equipment
> jm> recommendations.
> jm>
>
> Hmm, I'm not going to recommend anything, since your network is likely
> MUCH different from any one I'm working on... BUT perhaps wecan discuss
> some likely scenarios?? (perhaps the other list members might have some
> statistics gathering ideas/examples??)
>
> jm> Actual config file examples would be great, if they exist.
>
>
>
