[59767] in North American Network Operators' Group
Re: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)
daemon@ATHENA.MIT.EDU (Niels Bakker)
Fri Jul 18 17:54:16 2003
Date: Fri, 18 Jul 2003 23:53:42 +0200
From: Niels Bakker <niels=nanog@bakker.net>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <20030718212447.GA23866@puck.nether.net>
Errors-To: owner-nanog-outgoing@merit.edu
* jared@puck.Nether.net (Jared Mauch) [Fri 18 Jul 2003, 23:23 CEST]:
> On Fri, Jul 18, 2003 at 04:20:37PM -0400, Charles Sprickman wrote:
>> If I recall correctly, Rob's Secure IOS Template touches on filtering
>> known services (the BGP listener, snmp), but what are people's feelings
>> on maintaining filters on all interfaces *after* loading a fixed IOS?
> It shouldn't be done. Transit internet providers should not
> be the edges' firewalls. The edge? They can filter what they
> want, but you should not filter things for people that they
> don't know are being filtered. I can see a few clear cases where this
> is acceptable, and ms-sql was one of them.
Good point. Still, transit networks' ingress routers could filter on
destination addresses of nodes known not to run IP protocols
53/55/77/103 in order to protect them.
I suppose most networks have a limited number of ranges they use for
assigning space to loopback and point-to-point interfaces, so this
needn't be an extreme amount of administration.
Regards,
-- Niels.
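What the filter Niels describes looks like as a Cisco IOS configuration, written as an added illustration for this archive page rather than anything posted in the thread or taken from Rob's Secure IOS Template. It assumes two placeholder ranges, 192.0.2.0/24 for router loopbacks and 198.51.100.0/24 for point-to-point links, and an interface name GigabitEthernet0/0; all three are assumptions and would be replaced with a network's real infrastructure ranges and ingress interfaces. Only traffic addressed to those ranges is touched; transit traffic to customers and peers is passed as before, which is the distinction Jared was drawing.

```ios
! Added example, not from the thread: ingress ACL on a transit router's
! peer- or customer-facing interface. Drops IP protocols 53, 55, 77 and 103
! only when they are addressed to ranges this network assigns to router
! loopbacks and point-to-point links; everything else is passed untouched.
!
! 192.0.2.0/24 (loopbacks) and 198.51.100.0/24 (point-to-point links) are
! assumed placeholder ranges; substitute the ranges your network uses.
!
ip access-list extended INFRA-PROTECT-IN
 remark -- protocol 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), 103 (PIM)
 remark -- towards the loopback range
 deny   53  any 192.0.2.0 0.0.0.255 log
 deny   55  any 192.0.2.0 0.0.0.255 log
 deny   77  any 192.0.2.0 0.0.0.255 log
 deny   103 any 192.0.2.0 0.0.0.255 log
 remark -- towards the point-to-point range
 deny   53  any 198.51.100.0 0.0.0.255 log
 deny   55  any 198.51.100.0 0.0.0.255 log
 deny   77  any 198.51.100.0 0.0.0.255 log
 deny   103 any 198.51.100.0 0.0.0.255 log
 remark -- transit traffic is deliberately not filtered here
 permit ip any any
!
interface GigabitEthernet0/0
 description assumed peer-facing ingress interface
 ip access-group INFRA-PROTECT-IN in
```

Two caveats a practitioner would check before deploying this. Protocol 103 is PIM, and PIM Register messages are unicast to the rendezvous point, so if an RP address lives inside the loopback range and receives registers over this interface, a `permit 103 any host <rp-address>` must precede the deny for that range or multicast registration silently breaks. The `log` keyword punts matching packets to the CPU and is rate-limited, which is useful to confirm the filter is catching something (`show ip access-lists INFRA-PROTECT-IN` shows the match counters) but is worth removing if a flood of matching traffic is expected. The ACL is a workaround that limits exposure of the addresses it covers; it is not a substitute for loading the fixed IOS that the thread is about.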