-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Bertrand wrote:
> Jon Kibler wrote:
> > To answer that question, I would start with ingress and egress filtering by IP address, protocol, etc.:
> >
> > 1) Never allow traffic to egress any subnet unless its source IP address is within that subnet range.
>
> Sorry to nit, but shouldn't your uRPF setup take care of this (and many other of your list items), long before ACL?
>
> It's absolutely great if you have your list implemented, but imho, all ISPs, no matter how small, should investigate and implement uRPF. It's especially fun to play with RTBH.
>
> To be honest, the smaller you are, the easier it is to implement (i.e. uRPF strict everywhere! :)
>
> Steve
Agree for the most part. However:

1) The overwhelming majority of routers I have audited do not have uRPF implemented and most admins do not comprehend it, but they do comprehend (usually) ACLs.

2) L3 switching does not always support it, leaving potential for abuse if the network has any donut holes.

3) uRPF works best on egress but does little on outside ingress (e.g., bogons).

4) Defense in depth dictates using more than one way to detect an attack, so use both ACLs and uRPF.

Jon

- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
s: JonRKibler
e: Jon.Kibler@aset.com
e: Jon.R.Kibler@gmail.com
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrhc+gACgkQUVxQRc85QlNAgACfZgrSuZ7dC1A38oIXB3lInUOc
FnIAniWiQcVpJzp/ooh4LOHwEzPXUWo3
=dKbZ
-----END PGP SIGNATURE-----
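The thread contrasts an egress ACL (item 1 of the list: only let traffic out of a subnet if its source address belongs to that subnet) with strict uRPF (accept a packet only if the FIB's best route back to its source points out the interface the packet arrived on), and Jon's point 3 is that uRPF on an upstream-facing interface does little against bogon sources when a default route covers them. The toy model below is an added example, not code from either poster; the topology, the FIB, the interface names and the addresses (RFC 5737 documentation ranges and RFC 1918 space) are all constructed for illustration. It implements both checks over a tiny FIB and shows why the two complement each other.

```python
"""Toy model of a BCP38-style egress ACL versus strict uRPF.

Added example for the mailing-list thread above; addresses, interfaces
and the FIB are constructed, not taken from any real network.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology: upstream on eth0, two customer subnets on eth1/eth2.
CUSTOMER_SUBNET = ipaddress.ip_network("203.0.113.0/24")  # customer behind eth1
FIB = {
    ipaddress.ip_network("0.0.0.0/0"): "eth0",        # default route to upstream
    ipaddress.ip_network("203.0.113.0/24"): "eth1",   # customer A
    ipaddress.ip_network("198.51.100.0/24"): "eth2",  # customer B
}
# Bogon space a static ingress ACL on the upstream interface would drop.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str          # source IP as a string
    ingress_if: str   # interface the packet arrived on


def egress_acl_allows(pkt, subnet=CUSTOMER_SUBNET):
    """Item 1 of the list: permit only if the source lies inside the subnet."""
    return ipaddress.ip_address(pkt.src) in subnet


def fib_lookup(addr, fib=FIB):
    """Longest-prefix match: the interface the FIB would use to reach addr."""
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def urpf_strict_allows(pkt, fib=FIB):
    """Strict uRPF: the return path to the source must be the ingress interface.

    Note: this toy lets the default route satisfy the check; real routers
    differ here (Cisco IOS, for instance, ignores the default route for uRPF
    unless 'allow-default' is configured), which is exactly why the check
    says so little about bogons arriving from upstream.
    """
    return fib_lookup(ipaddress.ip_address(pkt.src), fib) == pkt.ingress_if


def bogon_acl_allows(pkt, bogons=BOGONS):
    """Static ingress ACL: drop anything sourced from bogon space."""
    addr = ipaddress.ip_address(pkt.src)
    return not any(addr in b for b in bogons)


def upstream_ingress_allows(pkt):
    """Point 4, defense in depth: both uRPF and the bogon ACL must pass."""
    return urpf_strict_allows(pkt) and bogon_acl_allows(pkt)


if __name__ == "__main__":
    cases = [
        Packet("203.0.113.7", "eth1"),    # legitimate customer traffic
        Packet("198.51.100.9", "eth1"),   # customer A spoofing customer B's space
        Packet("10.1.2.3", "eth0"),       # RFC 1918 source arriving from upstream
        Packet("192.0.2.5", "eth0"),      # routable source arriving from upstream
    ]
    for p in cases:
        print(p, "egressACL=", egress_acl_allows(p), "uRPF=", urpf_strict_allows(p),
              "bogonACL=", bogon_acl_allows(p))
```

Running the script shows the spoofed customer packet failing both the egress ACL and strict uRPF (they overlap on that case, which is Steve's point), while the RFC 1918 packet from upstream sails through uRPF because the default route "explains" it and is only caught by the bogon ACL (Jon's point 3). Real deployments also have to consider asymmetric routing on multihomed customers, where strict mode drops legitimate traffic and loose mode or an ACL is the usual fallback.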