--- "Chris A. Epler" <cepler@HostMySite.com> wrote:
> Jared Mauch wrote:
> | I'm not saying this to trash cisco, many people there know that,
> | but the important thing is ensuring that the global internet isn't
> | further harmed, and as more allocations are done the harm becomes
> | greater and it hurts every single person in this industry, providers
> | and vendors alike.
>
> k, bit my tongue as much as I could... But I gotta vent ;-P
>
> So, Cisco provides this 'AutoSecure' function and everyone jumps all over the static bogon list. Why? Hello? The basic idea here is that it gets you decent out-of-the-box setup defaults which you tailor after running it, right? (NOTE: I haven't actually hit the AUTOSECURE button yet, just read a little about it)
Well, the problem is that the autosecure feature introduces a static element (address filtering) into a dynamic world (routing), in a way which is generally considered "set and forget." The target audience for autosecure is people who don't have their own security people on staff, thus ensuring that the filters will get out of date, and cause mysterious reachability issues (mysterious, that is, because no one will think of looking for the problem in the router...)
> What's so bad about decent secure defaults? I just see it as a shortcut to getting a router online, not a solution to security.
Getting a router online is giving it an IP address. Translate from geek to English: when someone who is not-so-technical hears "autosecure" the end result is something like "automatic transmission" - i.e. something which doesn't need to be played with except once every few years.
> If you're implementing a new router and setting up Bogon filters
The argument is that autosecure SHOULDN'T set up bogon filters.
> you should already know that they'll need to be updated regularly and should replace the access list with a refreshed one using the autosecure configuration as a TEMPLATE that you work off of. If you don't know this, then you shouldn't be in charge of said router. Am I missing something here???
The primary audience for the autosecure feature is people who really don't quite get routers. No, they don't have any business with enable, but do they have it? Yes.

=====
David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com
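The check David is describing (a static deny list written once, left in place, and quietly drifting away from the real bogon list) is easy to automate. The following is an added example, not code from the thread, from Cisco, or from the AutoSecure feature: it parses the simple `access-list N deny ip SRC WILDCARD any` form, converts each entry to a prefix, and reports which deny entries are no longer bogons (now blocking allocated space) and which current bogons the ACL never covered. The sample ACL and the "current" bogon list are both constructed for illustration; in practice the latter would come from an authoritative feed that is refreshed on a schedule.

```python
"""Audit a static bogon ACL against a current bogon list.

Added example for the AutoSecure discussion above; not code from the thread,
from Cisco, or from AutoSecure. It models the failure mode under discussion:
a static deny list written once and left in place while address allocations
move on. All input data here is constructed for illustration.
"""
import ipaddress
import re

# Constructed, AutoSecure-style static bogon ACL as it might sit in a config
# years after being generated. Not a copy of real AutoSecure output.
SAMPLE_ACL = """\
access-list 100 deny   ip 0.0.0.0 0.255.255.255 any
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip 1.0.0.0 0.255.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip any any
"""

# Constructed "current" bogon list standing in for a freshly fetched feed.
# 1.0.0.0/8 is deliberately absent (a block that was unallocated when the ACL
# was written and has since been assigned) and 169.254.0.0/16 is deliberately
# present (a range the ACL never covered).
CURRENT_BOGONS = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "192.168.0.0/16",
]

# Matches the simple form "access-list N permit|deny ip SRC WILDCARD any".
ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+any\s*$"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco address/wildcard pair into an IPv4Network.

    A Cisco wildcard is an inverted netmask (0 bits must match). Only
    contiguous wildcards are accepted; a discontiguous one is not a prefix
    and would have to be evaluated address by address.
    """
    hostmask = int(ipaddress.IPv4Address(wildcard))
    if hostmask & (hostmask + 1):
        raise ValueError(f"discontiguous wildcard {wildcard}")
    prefixlen = 33 - (hostmask + 1).bit_length()
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def parse_deny_prefixes(acl_text: str) -> list:
    """Extract the source prefix of every deny line in the ACL."""
    prefixes = []
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(2) == "deny":
            prefixes.append(wildcard_to_network(m.group(3), m.group(4)))
    return prefixes


def audit_bogon_acl(acl_text: str, current_bogons: list) -> tuple:
    """Compare a static ACL with a current bogon list.

    Returns (stale, missing):
      stale   - deny entries not inside any current bogon block; these now
                drop traffic from legitimately allocated space, which is the
                "mysterious reachability issue" the thread describes.
      missing - current bogon blocks that no deny entry covers.
    """
    current = [ipaddress.ip_network(b) for b in current_bogons]
    denies = parse_deny_prefixes(acl_text)
    stale = [str(d) for d in denies if not any(d.subnet_of(c) for c in current)]
    missing = [str(c) for c in current if not any(c.subnet_of(d) for d in denies)]
    return stale, missing


if __name__ == "__main__":
    stale, missing = audit_bogon_acl(SAMPLE_ACL, CURRENT_BOGONS)
    for prefix in stale:
        print(f"STALE   deny {prefix}: no longer a bogon, now blocks allocated space")
    for prefix in missing:
        print(f"MISSING {prefix}: current bogon not filtered")
```

Run it against a `show running-config` dump instead of `SAMPLE_ACL` and a freshly downloaded bogon list instead of `CURRENT_BOGONS`; anything reported as STALE is exactly the filter nobody will think to look for in the router.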