[c-nsp] ISP POP Location - Blocking Ports - Advice
joshua sahala
jejs at sahala.org
Tue Aug 3 00:46:48 EDT 2004
On (02/08/04 22:18), Church, Chuck wrote:
>
> I began blocking these ports outbound on various customer sites a couple
> years ago. Seeing as how any legitimate business use of MS networking
> over the internet will be over some encrypted means (unless the company
> is trying to go out of business :), unencrypted NetBIOS is something the
> world is probably better off without. Rate-limiting ICMP echoes has
> also been pretty helpful with some of these installations. YMMV
> however.
>
the secure ios template has some good suggestions - several i am
currently using (i was only thinking of acl's earlier):
uRPF is good - strict for downstream and/or customer ports, loose for
your transit interfaces
bogon filtering
rate-limiting icmp, syn, udp into the network (only after several
months of baselining and tuning)
filtering 'bad' icmp (stuff that doesn't really have a legit use)
http://www.cymru.com/Documents/secure-ios-template.html
/joshua
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
- Douglas Adams -
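The controls named in the two posts above (strict uRPF on customer ports and loose uRPF on transit, a static bogon ACL, a policer for ICMP, dropping ICMP types with no legitimate operational use, and Chuck's outbound block on unencrypted MS networking) written out as one Cisco IOS configuration fragment. This is an added example: it is not the Team Cymru secure IOS template and was not posted in the thread. The interface names and their customer/transit roles, the ACL, class-map and policy-map names, and the 64 kbps ICMP rate are all assumptions; the rate in particular is a placeholder to be replaced with a value derived from your own baselining.

```cisco
! Customer-facing port: strict uRPF (the source must be reachable back out
! this same interface), the customer ingress ACL, and an ICMP policer.
! Interface names, ACL/policy names and the 64 kbps rate are assumptions.
interface GigabitEthernet0/1
 description customer access port
 ip verify unicast source reachable-via rx
 ip access-group CUSTOMER-IN in
 service-policy input POLICE-CUSTOMER-IN
!
! Transit port: loose uRPF only (the source just has to exist in the FIB),
! because traffic arriving from an upstream is routinely asymmetric.
interface GigabitEthernet0/0
 description transit to upstream
 ip verify unicast source reachable-via any
 ip access-group TRANSIT-IN in
!
! Bogon sources arriving from transit. A static list like this goes stale;
! refresh it from the Cymru reference and prefer an automated feed.
ip access-list extended TRANSIT-IN
 remark --- unroutable / private / link-local / loopback / multicast+class E ---
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark --- ICMP types with no legitimate use across a provider edge ---
 deny   icmp any any redirect
 deny   icmp any any mask-request
 deny   icmp any any mask-reply
 deny   icmp any any timestamp-request
 deny   icmp any any timestamp-reply
 deny   icmp any any information-request
 deny   icmp any any information-reply
 deny   icmp any any source-quench
 permit ip any any
!
! Customer ingress: unencrypted MS networking does not cross the Internet
! (destination ports 135-139 TCP/UDP and 445), same ICMP hygiene as above.
ip access-list extended CUSTOMER-IN
 remark --- NetBIOS / SMB outbound ---
 deny   tcp any any range 135 139
 deny   udp any any range 135 139
 deny   tcp any any eq 445
 deny   udp any any eq 445
 remark --- ICMP types with no legitimate use ---
 deny   icmp any any redirect
 deny   icmp any any mask-request
 deny   icmp any any mask-reply
 deny   icmp any any timestamp-request
 deny   icmp any any timestamp-reply
 deny   icmp any any information-request
 deny   icmp any any information-reply
 deny   icmp any any source-quench
 permit ip any any
!
! Police the ICMP that survives the ACL. 64000 bps / 8000 byte burst is a
! placeholder: set it from several months of baselining, as the post says.
ip access-list extended ICMP-ANY
 permit icmp any any
!
class-map match-all ICMP
 match access-group name ICMP-ANY
!
policy-map POLICE-CUSTOMER-IN
 class ICMP
  police 64000 8000 conform-action transmit exceed-action drop
```

Two practical points when deploying this. Strict uRPF belongs only on interfaces where routing is symmetric; a multihomed customer whose return path prefers another of your edges will have legitimate traffic dropped, so such ports get loose mode or an explicit source-prefix ACL instead. Loose mode on transit stops packets with sources that are absent from the FIB (most bogons) but passes spoofed packets that use any routable address, which is why the bogon ACL and uRPF are used together rather than as substitutes. Check what each stage is dropping with `show ip interface GigabitEthernet0/1 | include verif`, `show ip access-lists`, and `show policy-map interface GigabitEthernet0/1` before tightening any of the values.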