[59752] in North American Network Operators' Group
Re: Patching for Cisco vulnerability
daemon@ATHENA.MIT.EDU (Jason Frisvold)
Fri Jul 18 15:33:39 2003
From: Jason Frisvold <friz@corp.ptd.net>
To: Irwin Lazar <ILazar@burtongroup.com>
Cc: nanog@merit.edu
In-Reply-To: <93C5326FCFEA7241BB6731D44D4147BC3586FF@bgslc11.burtongroup.com>
Date: 18 Jul 2003 15:32:05 -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Fri, 2003-07-18 at 14:29, Irwin Lazar wrote:
> Just out of curiosity, are folks just applying the Cisco patch or do
> you go through some sort of testing/validation process to ensure that
> the patch doesn't cause any other problems? Given typical change
> management procedures how long is it taking you to get clearance to apply
> the patch?
I think a lot of providers are doing the minimum testing required
(upgrade, does it boot? can I ping?) and then rolling it out... I
guess it's more of an implicit trust type deal rather than having
routers running with an increased load because of ACLs and still having
the possibility of a vulnerable router because something was
overlooked..
Going forward, if you go the ACL route, every time you add a new
interface you need to be sure to either apply the "any any" ACL to it,
or add the new IPs to the "big" block-by-IP ACL ...
> I'm trying here to gauge the length of time before this vulnerability
> is closed out.
I don't think it will ever truly go away.. there are lots of "older"
routers that won't be able to support the newer code, albeit small
routers like the 2500's, but they'll exist..
> irwin
-- 
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz@corp.ptd.net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
-- Albert Einstein [1879-1955]
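The "new interface gets overlooked" failure mode Jason describes is easy to check for mechanically. The script below is an added example, not code from the message, from Cisco, or from Penteledata: it parses an IOS-style running-config and lists every IP-bearing interface that does not carry the named inbound access-group. The sample config, the ACL name MITIGATION-ACL and the interface names are all constructed placeholders for this example.

```python
"""Audit an IOS-style configuration for interfaces that lack the inbound
mitigation ACL, i.e. the omission that creeps in when an interface is
added after an ACL-based workaround has been rolled out.

Added example. The configuration below, the ACL name MITIGATION-ACL and
the interface names are constructed for this demo, not taken from the
message or from any vendor advisory.
"""
import re
from typing import Dict, List, Optional

# Constructed sample running-config (not from the page).
SAMPLE_CONFIG = """\
!
ip access-list extended MITIGATION-ACL
 permit ip any any
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Serial0/0
 description uplink
 ip address 198.51.100.1 255.255.255.252
 ip access-group MITIGATION-ACL in
!
interface FastEthernet0/0
 description customer LAN
 ip address 203.0.113.1 255.255.255.0
 ip access-group MITIGATION-ACL in
!
interface FastEthernet0/1
 description added last week, ACL forgotten
 ip address 203.0.113.129 255.255.255.128
!
interface Serial0/1
 description second uplink, older filter still applied
 ip address 198.51.100.5 255.255.255.252
 ip access-group OLD-FILTER in
!
"""


def parse_interfaces(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {interface_name: {"ip": address line or None, "in_acl": acl or None}}.

    Interface stanzas are introduced by a column-0 "interface X" line and
    consist of the indented lines that follow; any column-0 line ("!" or a
    new top-level stanza) ends the current interface block.
    """
    interfaces: Dict[str, Dict[str, Optional[str]]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"ip": None, "in_acl": None}
        elif current is None or not line.startswith(" "):
            current = None  # outside any interface block
        else:
            stmt = line.strip()
            if stmt.startswith("ip address "):
                interfaces[current]["ip"] = stmt[len("ip address "):]
            else:
                m = re.match(r"ip access-group (\S+) in$", stmt)
                if m:
                    interfaces[current]["in_acl"] = m.group(1)
    return interfaces


def find_unprotected(config: str, acl_name: str, skip_loopbacks: bool = True) -> List[str]:
    """List IP-bearing interfaces whose inbound ACL is not exactly `acl_name`.

    An interface carrying a *different* ACL is reported as well: the point
    of the workaround is that one specific ACL must sit on every interface.
    Loopbacks are skipped by default because they see no transit traffic.
    """
    missing: List[str] = []
    for name, info in parse_interfaces(config).items():
        if info["ip"] is None:
            continue  # no IP configured, nothing to filter
        if skip_loopbacks and name.lower().startswith("loopback"):
            continue
        if info["in_acl"] != acl_name:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for iface in find_unprotected(SAMPLE_CONFIG, "MITIGATION-ACL"):
        print(f"{iface}: inbound ACL MITIGATION-ACL not applied")
```

Run against a `show running-config` dump as part of the change-management checklist, or from a nightly config backup, and the list of interfaces it prints is exactly the set that still needs the ACL. The check is deliberately strict about the ACL name so that a stale filter left on an interface is flagged rather than silently counted as "covered".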