[j-nsp] Block traceroute and Allow Ping

Jared Mauch jared at puck.nether.net
Wed Sep 30 11:57:02 EDT 2009


Any "blind" filtering will have side-effects.  Setting the bar
correctly can be difficult.  It is important to regularly review
filtering policies, remove the ones that are not of value and place
new ones in.  If it's just something where people pile on block-more,
MORE, MOOOOOOORRRRRRREEEEEEEEE! you will end up with a really poor
user experience.  Make sure the reviews are part of a scheduled
business practice, put the guy who runs around with the tapes in
charge of nagging you.

	- Jared

On Sep 30, 2009, at 11:44 AM, David Ball wrote:

>   If I'm not mistaken, this year's migration to DNS servers
> supporting randomized source UDP ports (based on the Kaminsky thing)
> may throw a wrench into some notions of filtering UDP traffic across
> their network.  I know we had issues with it.
>
> David
>
>
> 2009/9/30 Stefan Fouant <sfouant at gmail.com>:
>> On Wed, Sep 30, 2009 at 5:09 AM, Masood Shah <masoodshah at juniper.net> wrote:
>>
>>>
>>> If you are REALLY paranoid, you can DROP all UDP traffic and then only open
>>> the ports that you have services running on. Sometimes this is easier said
>>> than done though.
>>>
>>
>> I wouldn't call this paranoia.  I would call this "good security posture".
>>
>> --
>> Stefan Fouant
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
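What the thread describes, written out as a Junos firewall filter (an added example, not config from any poster): ping stays open, UDP is dropped by default with only service terms above it, DNS replies are matched on the server's address and source port 53 because the resolver's own source port is now random, and the discard terms carry counters so the scheduled review Jared asks for has real numbers. The resolver address 192.0.2.53 is a placeholder, the 33434-33534 range is the classic Unix traceroute UDP destination ports (ICMP-based tracert is unaffected), and the filter is assumed to be applied as an input filter on lo0.

```junos
firewall {
    family inet {
        filter UDP-POLICY {
            /* Thread subject: ping stays open */
            term allow-ping {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then accept;
            }
            /* Resolver source ports are randomized (post-Kaminsky), so match
               the server side: its address (placeholder) and source port 53 */
            term allow-dns-replies {
                from {
                    source-address {
                        192.0.2.53/32;
                    }
                    protocol udp;
                    source-port 53;
                }
                then accept;
            }
            /* Classic UDP traceroute probes use destination ports from 33434 up */
            term block-traceroute-probes {
                from {
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    count traceroute-drops;
                    discard;
                }
            }
            /* Default for UDP: drop, and count so the scheduled review has numbers */
            term drop-other-udp {
                from {
                    protocol udp;
                }
                then {
                    count udp-drops;
                    discard;
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }
}
```

Bind it with `set interfaces lo0 unit 0 family inet filter input UDP-POLICY` and check `show firewall filter UDP-POLICY` at each review to see which drop counters are growing and whether a service term is missing.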
