[c-nsp] RES: Router security defaults (WAS RE: Proxy ARP -- Todisable, or not to disable..)

Fred Reimer freimer at ctiusa.com
Mon Mar 24 10:15:03 EDT 2008


Have you looked into implementing control plane policing, or for the 6500 SUP720
platform the hardware rate-limiters, to allow some control traffic, but
limit the bandwidth?

Thanks,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott McGrath
Sent: Monday, March 24, 2008 9:14 AM
To: Leonardo Gama Souza
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] RES: Router security defaults (WAS RE: Proxy ARP --
Todisable, or not to disable..)

Both redirects and unreachables can be used to implement a Denial of
Service attack. We allow internally for troubleshooting but disallow
both transmission to and reception from the global internet, both to
prevent DDoS from compromised hosts and from external hosts with hostile
intent.

I really want to go back to the days when it was safe and acceptable to
run a completely open network. Right now the internet is becoming more
and more like a no-man's land.

Leonardo Gama Souza wrote:
> as for the interface stuff...
>
>> Per Interface Config
>>
>>  no ip redirects
>>  no ip unreachables
>
> personally, I don't like those two. what's wrong about a router
> _sending_ icmp redirects or (even more important/useful) icmp
> unreachables?
> keep in mind those commands are not about accepting those (but, as said:
> sending them).
>
> [Leonardo Gama Souza] >
>
> Personally I think it's much better to rate-limit 'ip unreachables' than
> block them.
> Probably Cisco doesn't change these silly defaults because they won't
> have selling points for tools such as SDM. :)
>
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
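An added example (not from any poster in the thread) putting the options discussed above into IOS configuration: Scott's split between internal and Internet-facing interfaces, Leonardo's rate-limiting of unreachables instead of disabling them, and the CoPP policy and SUP720 hardware rate-limiters Fred asks about. Interface names, the COPP-ICMP names and every rate value are assumed, not taken from the thread.

```cisco
! Interface-level policy (assumed interface names): keep ICMP unreachables
! and redirects enabled on the inside for troubleshooting, and turn them
! off only on the Internet-facing interface.
interface GigabitEthernet0/0
 description Internal LAN
 ip redirects
 ip unreachables
!
interface GigabitEthernet0/1
 description Internet uplink
 no ip redirects
 no ip unreachables
!
! Global: rate-limit generation of ICMP unreachables instead of disabling
! them. The value is the minimum interval in milliseconds between
! unreachables; 1000 ms is an assumed value (the IOS default is 500).
ip icmp rate-limit unreachable 1000
ip icmp rate-limit unreachable df 1000
!
! Control plane policing: ICMP punted to the route processor is policed to
! an assumed 64 kbit/s with an 8000-byte burst. A production policy would
! add separate classes for routing protocols and management traffic so
! they are never starved by ICMP.
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
policy-map COPP
 class COPP-ICMP
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Catalyst 6500 / SUP720 only: hardware rate-limiters cap ICMP generation
! (packets per second, burst) in the forwarding ASICs, before any software
! CoPP is involved. The same assumed value is used for all three because
! the platform shares hardware rate-limiters among some of these cases.
mls rate-limit unicast ip icmp-unreachable no-route 100 10
mls rate-limit unicast ip icmp-unreachable acl-drop 100 10
mls rate-limit unicast ip icmp-redirect 100 10
!
! Verification after applying:
!  show policy-map control-plane
!  show mls rate-limit
```

Watch the CoPP counters under load before tightening the rate: a policer that drops too early also drops the unreachables you kept for internal troubleshooting.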