[59759] in North American Network Operators' Group


Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)

daemon@ATHENA.MIT.EDU (Petri Helenius)
Fri Jul 18 16:26:11 2003

From: "Petri Helenius" <pete@he.iki.fi>
To: "Charles Sprickman" <spork@inch.com>, <nanog@merit.edu>
Date: Fri, 18 Jul 2003 23:25:34 +0300
Errors-To: owner-nanog-outgoing@merit.edu



Some high-end boxes already have a thing called "receive filter" which
helps this a lot. Hope we see more of that or, better yet, router vendors
stop processing packets they shouldn't be processing anyway much
earlier in the code path. "Be liberal in what you accept" should not apply here.

Pete

----- Original Message ----- 
From: "Charles Sprickman" <spork@inch.com>
To: <nanog@merit.edu>
Sent: Friday, July 18, 2003 11:20 PM
Subject: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)


>
> This has me wondering if there are any BCPs that touch on the whole idea
> of filtering traffic destined to your router, or what the advisory called
> "infrastructure filtering".  All in all, it seems like a good idea to
> block any direct access to router interfaces.  But as some have probably
> found already, it's a big pain in the arse.
>
> If I recall correctly, Rob's Secure IOS Template touches on filtering
> known services (the BGP listener, snmp), but what are people's feelings on
> maintaining filters on all interfaces *after* loading a fixed IOS?
>
> Thanks,
>
> Charles
>
> --
> Charles Sprickman
> spork@inch.com
>
>
> On Fri, 18 Jul 2003, Irwin Lazar wrote:
>
> >
> > Just out of curiosity, are folks just applying the Cisco patch or do you go
> > through some sort of testing/validation process to ensure that the patch
> > doesn't cause any other problems?  Given typical change management
> > procedures, how long is it taking you to get clearance to apply the patch?
> >
> > I'm trying here to gauge the length of time before this vulnerability is closed out.
> >
> > irwin
> >
>

