[j-nsp] Block traceroute and Allow Ping
Jared Mauch
jared at puck.nether.net
Wed Sep 30 11:57:02 EDT 2009
Any "blind" filtering will have side-effects. Setting the bar
correctly can be difficult. It is important to regularly review
filtering policies, remove the ones that are not of value and place
new ones in. If it's just something where people pile on block-more,
MORE, MOOOOOOORRRRRRREEEEEEEEE! you will end up with a really poor
user experience. Make sure the reviews are part of a scheduled
business practice, put the guy who runs around with the tapes in
charge of nagging you.
- Jared
On Sep 30, 2009, at 11:44 AM, David Ball wrote:
> If I'm not mistaken, this year's migration to DNS servers
> supporting randomized source UDP ports (based on the Kaminsky thing)
> may throw a wrench into some notions of filtering UDP traffic across
> their network. I know we had issues with it.
>
> David
>
>
> 2009/9/30 Stefan Fouant <sfouant at gmail.com>:
>> On Wed, Sep 30, 2009 at 5:09 AM, Masood Shah
>> <masoodshah at juniper.net> wrote:
>>
>>>
>>> If you are REALLY paranoid, you can DROP all UDP traffic and then
>>> only open
>>> the ports that you have services running on. Sometimes this is
>>> easier said
>>> than done though.
>>>
>>
>> I wouldn't call this paranoia. I would call this "good security
>> posture".
>>
>> --
>> Stefan Fouant
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
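The thread's point about source-port randomization can be made concrete with a small simulation. The block below is an added illustration, not code from the list, from Juniper or from any of the posters: it models a recursive resolver behind a UDP filter and runs one DNS reply through three rule styles, a strict "destination port 53 only" rule, the loosened "port 53 on either side" rule, and a flow-tracking (stateful) rule. All addresses, ports and the filter names are constructed sample values.

```python
"""Toy stateless vs. stateful UDP filtering, added as an illustration for the
juniper-nsp thread above (not code from the list or from Juniper). It assumes
a recursive resolver behind the filter and models only UDP/53 traffic; every
address and port below is a constructed sample value."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed sample hosts (RFC 5737 documentation ranges).
RESOLVER = "192.0.2.10"
AUTH_NS = "198.51.100.53"


def strict_inbound(pkt: UdpPacket) -> str:
    """Pre-randomization rule set: only UDP *to* port 53 gets in.
    Replies to a resolver that queries from port 53 match; replies to a
    randomized ephemeral port do not, which is the breakage David describes."""
    return "accept" if pkt.dst_port == 53 else "discard"


def loosened_inbound(pkt: UdpPacket) -> str:
    """The quick fix: also permit anything *from* port 53.
    Replies get through again, but so does any packet stamped with source
    port 53 aimed at any UDP port behind the filter."""
    return "accept" if pkt.dst_port == 53 or pkt.src_port == 53 else "discard"


Flow = Tuple[str, int, str, int]


class StatefulFilter:
    """Records outbound queries and admits only the matching reply."""

    def __init__(self) -> None:
        self.pending: Set[Flow] = set()

    def outbound(self, pkt: UdpPacket) -> str:
        if pkt.dst_port == 53:
            self.pending.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "accept"
        return "discard"

    def inbound(self, pkt: UdpPacket) -> str:
        reverse: Flow = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.pending:
            self.pending.discard(reverse)  # one reply per query
            return "accept"
        return "discard"


def dns_exchange(query_src_port: int) -> Dict[str, str]:
    """Send one query from the resolver at the given source port and run the
    authoritative server's reply through all three filters."""
    query = UdpPacket(RESOLVER, query_src_port, AUTH_NS, 53)
    reply = UdpPacket(AUTH_NS, 53, RESOLVER, query_src_port)
    stateful = StatefulFilter()
    stateful.outbound(query)
    return {
        "strict": strict_inbound(reply),
        "loosened": loosened_inbound(reply),
        "stateful": stateful.inbound(reply),
    }


def unsolicited_probe() -> Dict[str, str]:
    """A packet nobody asked for, stamped with source port 53 and aimed at a
    high UDP port on the resolver: what the loosened rule gives away."""
    probe = UdpPacket("203.0.113.7", 53, RESOLVER, 40000)
    return {
        "strict": strict_inbound(probe),
        "loosened": loosened_inbound(probe),
        "stateful": StatefulFilter().inbound(probe),
    }


if __name__ == "__main__":
    print("query from pinned port 53 :", dns_exchange(53))
    print("query from random port    :", dns_exchange(51234))
    print("unsolicited probe         :", unsolicited_probe())
```

A stateless firewall filter on a router has no flow table, so it can only choose between the strict and loosened behaviours shown here; the first drops randomized-port replies and the second admits unsolicited traffic from source port 53. Tracking the query and admitting only its reply needs a stateful device or a filter that is reviewed and tuned as the thread recommends.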