On (20/01/05 13:20), Chris A. Epler wrote:
>
> Whats so bad about decent secure defaults?
secure defaults are good...but there are other aspects of cisco ios which
would be better suited to be disabled out of the box: redirects, proxy
arp, tcp/udp small-servers, the lack of decent ssh (this is getting
better), lack of receive acls on all but the big boxen, etc...these are a
few things which would be better to have out of the box.
> If you're implementing a new router and setting up Bogon filters you
> should already know that they'll need to be updated regularly
read the beginning of this thread - people implement bogon filters
without keeping them up to date already. this is just another mechanism
to do the same thing (but on a larger scale).
> If you don't know this, then you shouldn't be in charge of said router.
> Am I missing something here???
in an ideal world, yes, this would be true; however we all know the
reality of this. there are already secure config templates available
which people follow without actually knowing the implications of. one
more 'feature' in ios will go unnoticed by most, and thus will be left
out of date...that was, i believe, jared's point.
/joshua
--
**** THIS .sig CENSORSED ****
