[89032] in North American Network Operators' Group
Re: Quarantine your infected users spreading malware
daemon@ATHENA.MIT.EDU (Bill Nash)
Wed Mar 1 10:35:58 2006
Date: Wed, 1 Mar 2006 10:25:18 -0500 (EST)
From: Bill Nash <billn@odyssey.billn.net>
To: David Nolan <vitroth+@cmu.edu>
Cc: nanog@merit.edu
In-Reply-To: <221700000.1141224634@thunder-mountain.net.cmu.edu>
Errors-To: owner-nanog@merit.edu
On Wed, 1 Mar 2006, David Nolan wrote:
>> Yeah, but it's not near as fun as dynamic acls updated via a script
>> monitoring flow logs in real-time. It's definitely easier to implement,
>> though.
>
> Interesting... That's actually basically what we were doing before, but
> phased out in favor of the URPF & host routes approach. We felt the URPF
> approach was much cleaner, and more efficient. A routing table lookup is
> more efficient than an acl processing, particularly if you have significant
> numbers of rou and solved some problems we were having. It also solved some
> issues we had, including keeping dynamic acls synchronized between two
> redundant routers (HSRP pairs and/or redundant border routers).
I think when he said fun, he meant 'masochistic and nerve wracking, in a
vaguely entertaining because we have scripts issuing and removing ACLs
from our routing core kind of way.' I've built reactive firewalls before,
but even I'd be leery of a reactive ACL implementation. /32 null route
injection is far far easier to manage. =)
- billn
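The two quarantine styles this thread compares, as an added illustration that is not from either poster: a small script flags hosts scanning many peers in flow records, then renders the /32 null-route form (one route per host, tagged, drops on ingress once uRPF is enabled on the user-facing interface) beside the dynamic-ACL form that has to be rewritten and pushed to every router. The flow-record layout, the scan threshold and the route tag are constructed assumptions; the IOS syntax is standard.

```python
"""Quarantine config generator: flow records -> /32 null routes or an ACL."""
from collections import defaultdict

# Constructed sample flow records, assumed format: "src dst proto dport".
# 10.1.2.3 hits eight distinct hosts on tcp/445; the others are normal traffic.
SAMPLE_LOG = "\n".join(
    [f"10.1.2.3 192.0.2.{i} tcp 445" for i in range(10, 18)]
    + ["10.1.2.9 192.0.2.10 tcp 80",
       "10.1.2.9 192.0.2.11 tcp 445",
       "10.1.2.4 198.51.100.7 udp 53"]
)

def parse_flows(text):
    """Return (src, dst, proto, dport) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        flows.append((parts[0], parts[1], parts[2], int(parts[3])))
    return flows

def find_scanners(flows, dport=445, min_targets=5):
    """Sources contacting at least min_targets distinct hosts on tcp/dport."""
    targets = defaultdict(set)
    for src, dst, proto, port in flows:
        if proto == "tcp" and port == dport:
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)

def null_route_config(hosts, quarantine=True, tag=666):
    """/32 host routes to Null0. Each host is an independent line, removal is
    the 'no' form, and the IGP carries the route to the redundant router, so
    there is no ACL to keep in sync. Assumes 'ip verify unicast source
    reachable-via rx' is already on the user-facing interface."""
    prefix = "" if quarantine else "no "
    return [f"{prefix}ip route {h} 255.255.255.255 Null0 tag {tag}" for h in hosts]

def acl_config(hosts, name="QUARANTINE"):
    """The reactive-ACL alternative: the whole list is regenerated and must be
    applied identically on every router that carries the subnet."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip host {h} any" for h in hosts]
    lines.append(" permit ip any any")
    return lines

if __name__ == "__main__":
    bad = find_scanners(parse_flows(SAMPLE_LOG))
    print("\n".join(null_route_config(bad)))
    print("\n".join(acl_config(bad)))
```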