On Thu, 20 Jan 2005 13:20:45 EST, "Chris A. Epler" said:
Whats so bad about decent secure defaults? I just see it as a shortcut to getting a router online, not a solution to security. If you're implementing a new router and setting up Bogon filters you should already know that they'll need to be updated regularly and should replace the access list with a refreshed one using the autosecure configuration as a TEMPLATE that you work off of. If you don't know this, then you shouldn't be in charge of said router. Am I missing something here???
Only thing you're missing is that "shouldn't be in charge of said router" describes a nice-to-dream-about but nonexistent state of affairs. I'll go out on a limb and say that 3/4 of the Cisco routers in production use are managed by unqualified network monkeys employed by the leaf sites. The fact that they get one interface connected to their local LAN, and the other interface connected to the fractional T-1 back to the ISP, and that packets make it from the LAN to www.google.com and back is amazing enough. Expecting them to do things like proper inbound bogon filtering and outbound 1918 egress filtering is pushing it... In other words, the only people who are likely to *use* the autosecure feature are people who (a) will Get It Wrong (either at initial config, or failure to update it regularly), (b) aren't reading this list anyhow (or any other place where they're likely to see the "Update your bogons" mantra), and (c) indeed shouldn't have "enable".