[45874] in North American Network Operators' Group


Re: Malformed SNMP Packet log/trace

daemon@ATHENA.MIT.EDU (Sean Donelan)
Tue Feb 26 22:08:59 2002

Date: Tue, 26 Feb 2002 22:08:23 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: nanog@merit.edu
In-Reply-To: <20020227001259.GQ413@overlord.e-gerbil.net>
Message-ID: <Pine.GSO.4.40.0202262143170.3716-100000@clifden.donelan.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu

On Tue, 26 Feb 2002, Richard A Steenbergen wrote:
> A lot of those protocols have people looking at them on a regular basis,
> and they still manage to come up with obscure exploits no one else noticed
> (ex: 23mb of buffer overflows to exploit telnetd).

So what is the solution for a public network operator?  I attended
a presentation last week where a Checkpoint reseller suggested the
client needed to buy eight Checkpoint firewalls to protect a single
web server.  I was impressed; what about the undercoating and scotchguard
fabric protector?

Is it time to fall back and punt?  How would you architect a backbone if
you could do it over?

Enable BGP authentication
Enable NTP authentication (use more than GPS as a source)
Enable OSPF/ISIS authentication

Use TL1 on the Aux port for network management

Ip route null0 packets from outside containing internal-only backbone
addresses.

Is the complexity of SSH code worth the protection?  Or is it better
never to access your routers through VTY ports, and always use a
reverse-terminal server to the console from an out-of-band management
LAN?
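The authentication and filtering items in the list above, written out as an added Cisco IOS configuration fragment (not from the original post or its author; the IS-IS equivalent is omitted). Addresses are RFC 5737 documentation ranges, the AS numbers and interface names are constructed, and the `<...>` secrets are placeholders.

```cisco
! Added example: the hardening items from the list above as IOS config.
! Addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and AS numbers
! are constructed; replace <...> with real secrets.
!
! BGP: TCP MD5 on every session (eBGP and iBGP alike)
router bgp 64500
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 password <bgp-session-secret>
!
! NTP: authenticate, and peer with several sources, not only the GPS clock
ntp authenticate
ntp authentication-key 1 md5 <ntp-key-secret>
ntp trusted-key 1
ntp server 198.51.100.10 key 1
ntp server 198.51.100.11 key 1
!
! OSPF: MD5 authentication on the area plus a key on each backbone interface
router ospf 1
 area 0 authentication message-digest
interface GigabitEthernet0/0
 description Backbone link
 ip ospf message-digest-key 1 md5 <ospf-key-secret>
!
! Internal-only backbone block (assumed here to be 203.0.113.0/24):
! a covering route to Null0 discards traffic to unallocated backbone
! space, and an ingress ACL on the outside interface drops packets
! arriving from outside that are addressed to the backbone block.
ip route 203.0.113.0 255.255.255.0 Null0
ip access-list extended FROM-OUTSIDE
 deny   ip any 203.0.113.0 0.0.0.255
 permit ip any any
interface GigabitEthernet0/1
 description Upstream (outside)
 ip access-group FROM-OUTSIDE in
```

The Null0 route only catches destinations with no more specific IGP route, so the ACL is what actually enforces "from outside" on the border interface.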
