[59819] in North American Network Operators' Group


Re: Cisco vulnerability and dangerous filtering techniques

daemon@ATHENA.MIT.EDU (Jason Frisvold)
Tue Jul 22 14:05:20 2003

From: Jason Frisvold <friz@corp.ptd.net>
To: Allan Liska <allan@allan.org>
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0307221355460.12268-100000@vbind.com>
Date: 22 Jul 2003 14:03:26 -0400
Errors-To: owner-nanog-outgoing@merit.edu




In our case we use some older routers as management devices...  Not
critical to the core unless there is some larger outage...  Those
devices are old enough that they can't handle a newer rev of code...
ACL's are the only answer there..

Luckily they have very little traffic even under heavy use, so ACL's
don't hurt as much, but still something we need to be aware of..

On Tue, 2003-07-22 at 13:58, Allan Liska wrote:
> On 22 Jul 2003, Jason Frisvold wrote:
> >
> > Not only the "clueless", but how about those of us who deploy older
> > routers sometime in the future with legitimate uses?  What happens when
> > we "forget" that this bug exists?  Now we have to go through the process
> > of adding a "don't forget the IPV4 Cisco Bug" clause to our procedures..
> >
> >
>
> You don't need to add that clause as long as you maintain a set of
> baseline configurations.  If you deploy all routers with the same code, or
> as close to it as possible, then you don't have to remember individual
> security alerts, because as you update the code on your existing routers,
> you should be creating a new baseline that should be installed on all
> newly deployed routers.
>
>
> allan
> --
> Allan Liska
> allan@allan.org
> http://www.allan.org
--
---------------------------
Jason H. Frisvold
Backbone Engineering Supervisor
Penteledata Engineering
friz@corp.ptd.net
RedHat Engineer - RHCE # 807302349405893
Cisco Certified - CCNA # CSCO10151622
MySQL Core Certified - ID# 205982910
---------------------------
"Imagination is more important than knowledge.
Knowledge is limited. Imagination encircles
the world."
      -- Albert Einstein [1879-1955]
