North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Cisco says attacks are due to operational practices
- From: Mark Milhollan
- Date: Mon Feb 14 11:02:37 2000
[Who knew, when I began what started as private response, that I'd find
a soapbox? This is not so much directed at Tom personally, but at the
recurring attitude that he has, all unbeknownst to himself, reiterated
just as I got my second wind.]
Tom Beeson <firstname.lastname@example.org> wrote:
>We wrote an in-house perl script to take a Cisco router configuration and
>build inbound and outbound filters. These filters are then applied to the
>serial interface that connects to our network and toward the Internet.
You aren't performing the filtering Farnsworth was talking about, you
are helping others to do it. You are "stopping spoofed packets from
leaving THEIR networks," not your own. Hoping that the configurations
you deliver remain in place so that you "are filtering."
For those customers that you provide a managed solution, where they do
not have access to the configuration, this might be an acceptable
substitute. I don't think so, but its arguably closer since the router
is, effectively, part of your network. If it weren't for the physical
access at their end I'd call it square, right away.
For those customers that manage their own its a different story. Your
suggestions are likely to be followed, until the first network event
after the rules are installed, at which point they will be removed as
suspect, then never restored since no "difference" was seen, or (worse)
their router "worked" better. Since *you* aren't filtering you find out
about this either through routine checks (which is another can of worms)
or *after* something nasty happens. Most likely it won't be Earth-
shattering, but it will *happen* -- spilt milk.
You need filters in your edges, even internal ones, because YOU might be
cracked, or because your customers are and the oh-so-careful filters you
constructed have been removed, or because some edge customer makes a
They need filters in their edges, even their internal ones, because you
might be cracked, or because they might be and your oh-so-careful
filters have been removed, or because some NOC technician makes a
mistake (or made one, a month or six ago).
Mutual assurance is not a bad thing.
Bite the bullet. Protect *your* edges *yourself*. This does raise the
cost of providing service, since you'll have to buy more router than you
*currently* expect for a given situation.