Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Maformed SNMP Packet log/trace

  • From: Sean Donelan
  • Date: Tue Feb 26 22:10:33 2002



On Tue, 26 Feb 2002, Richard A Steenbergen wrote:
> A lot of those protocols have people looking at them on a regular basis,
> and they still manage to come up with obscure exploits noone else noticed
> (ex: 23mb of buffer overflows to exploit telnetd).

So what is the solution for a public network operator.  I attended
a presentation last week where a Checkpoint reseller suggested the
client needed to buy eight Checkpoint firewalls to protect a single
web server.  I was impressed, what about the undercoating and scotchguard
fabric protector.

Is it time to fall back in punt?  How would you architect a backbone if
you could do it over?

Enable BGP authentication
Enable NTP authentication (use more than GPS as a source)
Enable OSPF/ISIS authentication

Use TL1 on the Aux port for network management

Ip route null0 packets from outside containing internal-only backbone
addresses.

Is the complexity  of SSH code worth the protection?  Or is it better
never to access your routers through VTY ports, and always use an
reverse-terminal server to the console from an out-of-band management
LAN?






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.