Some high-end boxes already have a thing called a "receive filter" which
helps this a lot. Hope we see more of that, or better yet, router vendors
stop processing packets they shouldn't be processing anyway much
earlier in the code path. "Be liberal in what you accept" should not apply here.

Pete

----- Original Message ----- 
From: "Charles Sprickman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 18, 2003 11:20 PM
Subject: Infrastructure Filtering (was Re: Patching for Cisco vulnerability)


>
> This has me wondering if there are any BCPs that touch on the whole idea
> of filtering traffic destined to your router, or what the advisory called
> "infrastructure filtering".  All in all, it seems like a good idea to
> block any direct access to router interfaces.  But as some have probably
> found already, it's a big pain in the arse.
>
> If I recall correctly, Rob's Secure IOS Template touches on filtering
> known services (the BGP listener, snmp), but what are people's feelings on
> maintaining filters on all interfaces *after* loading a fixed IOS?
>
> Thanks,
>
> Charles
>
> --
> Charles Sprickman
> [EMAIL PROTECTED]
>
>
> On Fri, 18 Jul 2003, Irwin Lazar wrote:
>
> >
> > Just out of curiosity, are folks just applying the Cisco patch or do you go
> > through some sort of testing/validation process to ensure that the patch
> > doesn't cause any other problems?  Given typical change management
> > procedures, how long is it taking you to get clearance to apply the patch?
> >
> > I'm trying here to gauge the length of time before this vulnerability is closed 
> > out.
> >
> > irwin
> >
>
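As an added illustration of the two filters discussed above (the "receive filter" Pete mentions and the "infrastructure filtering" Charles asks about), here is a Cisco IOS configuration fragment. It is not taken from either message, from the advisory, or from Rob's Secure IOS Template; the address blocks, the peer address and the interface name are constructed for the example. The receive ACL (`ip receive access-list`, a 12000-series feature) filters only packets punted to the route processor, regardless of ingress interface; the interface ACL does the same job on platforms without that feature, at the cost of having to maintain it on every external interface.

```cisco
! Added example, not from the thread. Assumed (constructed) addresses:
!   192.0.2.0/24     infrastructure block (loopbacks, link addresses)
!   198.51.100.0/24  management / NMS hosts
!   203.0.113.5      the one eBGP peer on this edge
!
! --- 1. Receive ACL: what the router itself will answer ---------------
! Only traffic *to the router's own addresses* ever hits this list, so it
! needs no transit permit. Fragments carry no L4 header and match the
! "fragments" lines, so they are dropped before the port-based permits.
access-list 110 deny   tcp any 192.0.2.0 0.0.0.255 fragments
access-list 110 deny   udp any 192.0.2.0 0.0.0.255 fragments
access-list 110 deny   icmp any 192.0.2.0 0.0.0.255 fragments
! BGP, either side may open the session
access-list 110 permit tcp host 203.0.113.5 192.0.2.0 0.0.0.255 eq bgp
access-list 110 permit tcp host 203.0.113.5 eq bgp 192.0.2.0 0.0.0.255
! management only from the NMS block
access-list 110 permit udp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq snmp
access-list 110 permit tcp 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
! the ICMP the router needs to take part in ping/traceroute/PMTUD
access-list 110 permit icmp any 192.0.2.0 0.0.0.255 echo
access-list 110 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
access-list 110 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
access-list 110 permit icmp any 192.0.2.0 0.0.0.255 unreachable
! everything else destined to the router is dropped. No "log" here:
! logging denied packets costs route-processor cycles, which is exactly
! what this list is meant to protect.
access-list 110 deny   ip any any
!
ip receive access-list 110
!
! --- 2. Infrastructure ACL on an edge interface ---------------------
! Same permits, then deny anything else addressed to the infrastructure
! block, then let transit traffic through. This must be applied inbound
! on every external interface, which is the maintenance burden Charles
! refers to.
access-list 120 deny   tcp any 192.0.2.0 0.0.0.255 fragments
access-list 120 deny   udp any 192.0.2.0 0.0.0.255 fragments
access-list 120 deny   icmp any 192.0.2.0 0.0.0.255 fragments
access-list 120 permit tcp host 203.0.113.5 192.0.2.0 0.0.0.255 eq bgp
access-list 120 permit tcp host 203.0.113.5 eq bgp 192.0.2.0 0.0.0.255
access-list 120 permit icmp any 192.0.2.0 0.0.0.255 echo
access-list 120 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
access-list 120 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
access-list 120 permit icmp any 192.0.2.0 0.0.0.255 unreachable
! the line that matters: nothing else may be addressed to the routers
access-list 120 deny   ip any 192.0.2.0 0.0.0.255
! customer / transit traffic is not the subject of this list
access-list 120 permit ip any any
!
interface POS1/0
 ip access-group 120 in
```

Two practical checks before relying on either list: verify with `show access-list 110` that the permit counters for BGP and SNMP are incrementing and the final deny is not silently eating something you need (a session that drops when the list goes on is the usual symptom), and remember that the interface ACL only protects against traffic arriving on interfaces that carry it, so an address block reachable through an unfiltered interface is still exposed. Neither list replaces the fixed IOS; the point of keeping them after patching is that they also cover the next bug in the router's own input path.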
