[c-nsp] RES: Router security defaults (WAS RE: Proxy ARP -- Todisable, or not to disable..)
Scott McGrath
mcgrath at fas.harvard.edu
Mon Mar 24 09:14:24 EDT 2008
Both redirects and unreachables can be used to implement a Denial of
Service attack. We allow them internally for troubleshooting but disallow
both transmission to and reception from the global internet, both to
prevent DDoS from compromised hosts and from external hosts with hostile
intent.
I really want to go back to the days when it was safe and acceptable to
run a completely open network. Right now the internet is becoming more
and more like a no-man's land.
Leonardo Gama Souza wrote:
> as for the interface stuff...
>
>
>> Per Interface Config
>>
>> no ip redirects
>> no ip unreachables
>>
>
> Personally, I don't like those two. What's wrong with a router
> _sending_ ICMP redirects or (even more important/useful) ICMP
> unreachables?
> Keep in mind those commands are not about accepting those (but, as said,
> about sending them).
>
>
> [Leonardo Gama Souza] >
>
> Personally I think it's much better to rate-limit 'ip unreachables' than
> to block them.
> Probably Cisco doesn't change these silly defaults because they won't
> have selling points for tools such as SDM. :)
>
>
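As an added example (not from the thread and not from Cisco documentation), an IOS fragment that combines the two positions above: unreachable generation is rate-limited globally rather than switched off, the messages stay enabled on the internal interface for troubleshooting, and they are disabled on the border interface, with inbound redirects filtered there. Interface names, addresses and the 1000 ms interval are assumptions; the rest of a real edge ACL is omitted.

```cisco
! Constructed example for a two-interface edge router; names, addresses
! and the interval below are assumptions, not values from the thread.
!
! Global: bound how often the router generates ICMP unreachables instead
! of disabling them (IOS default interval is 500 ms; 1000 ms here).
ip icmp rate-limit unreachable 1000
!
! Internal interface: keep redirects and unreachables so LAN hosts and
! operators still get useful diagnostics (these are the IOS defaults).
interface GigabitEthernet0/0
 description Internal LAN
 ip address 10.0.0.1 255.255.255.0
 ip redirects
 ip unreachables
!
! Border interface: never send either toward the Internet, and drop
! redirects arriving from it (no upstream should be steering our
! forwarding). Inbound unreachables are left alone here because
! path-MTU discovery depends on them.
interface GigabitEthernet0/1
 description Upstream
 ip address 192.0.2.2 255.255.255.252
 no ip redirects
 no ip unreachables
 ip access-group EDGE-IN in
!
ip access-list extended EDGE-IN
 deny   icmp any any redirect
 ! remaining edge policy omitted in this example
 permit ip any any
!
! Check: a LAN host probing a closed port on the router still receives
! unreachables, at most one per 1000 ms; probes arriving on the upstream
! interface produce none.
```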