On (20/01/05 13:20), Chris A. Epler wrote:
> What's so bad about decent secure defaults?
secure defaults are good...but there are other aspects of cisco ios which would be better suited to be disabled out of the box: redirects, proxy arp, tcp/udp small-servers, the lack of decent ssh (this is getting better), lack of receive acls on all but the big boxen, etc...these are a few things which would be better to have out of the box.
> If you're implementing a new router and setting up Bogon filters you should already know that they'll need to be updated regularly.
read the beginning of this thread - people implement bogon filters without keeping them up to date already. this is just another mechanism to do the same thing (but on a larger scale).
> If you don't know this, then you shouldn't be in charge of said router. Am I missing something here???
in an ideal world, yes, this would be true; however we all know the reality of this. there are already secure config templates available which people follow without actually knowing the implications of. one more 'feature' in ios will go unnoticed by most, and thus will be left out of date...that was, i believe, jared's point.

/joshua

-- 
**** THIS .sig CENSORSED ****
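The failure mode the thread keeps returning to is a bogon filter copied from a template and never revisited. As an added example that is not part of this thread and not Cisco's or anyone's tooling, here is a small Python check that pulls the `deny ip` entries out of an IOS extended ACL and diffs them against a current bogon list, reporting entries that are now blackholing allocated space and bogons the ACL does not yet cover. The config text, the ACL name `bogons-in`, and the "current" bogon list are constructed sample data for the example, not real allocations or a real published list; the prefixes were chosen only to exercise both directions of the diff.

```python
"""Audit an IOS bogon ACL against a current bogon list.

Added example, not from the mailing-list thread. All prefixes, the ACL name
and the bogon list below are constructed sample data, not real allocations.
"""
import ipaddress
import re

# Constructed sample: a router config cut from a template some time ago.
SAMPLE_CONFIG = """\
!
no service tcp-small-servers
no service udp-small-servers
!
ip access-list extended bogons-in
 remark drop unallocated / reserved source space (template, circa whenever)
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 100.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
 ip access-group bogons-in in
!
"""

# Constructed "current" bogon list, one prefix per line, as an operator
# would fetch from whoever publishes one. For the example we assume
# 100.0.0.0/8 has since been allocated and 198.18.0.0/15 has been added.
SAMPLE_CURRENT_BOGONS = """\
# constructed sample list
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
192.168.0.0/16
198.18.0.0/15
"""

_ACL_HEADER = re.compile(r"^ip access-list (?:standard|extended) (\S+)\s*$")


def _wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an IOS wildcard (inverted) mask such as 0.0.255.255 to /16.

    Done by hand rather than via ipaddress's hostmask parsing, because
    0.0.0.0 and 255.255.255.255 are ambiguous between netmask and hostmask.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    bits = w.bit_length()
    if w != (1 << bits) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return 32 - bits


def parse_bogon_acl(config_text: str, acl_name: str) -> set:
    """Return the source networks denied by the named IOS extended ACL."""
    nets = set()
    in_acl = False
    for line in config_text.splitlines():
        m = _ACL_HEADER.match(line)
        if m:
            in_acl = m.group(1) == acl_name
            continue
        if in_acl and not line.startswith(" "):
            in_acl = False          # IOS indents ACL entries; stanza ended
        if not in_acl:
            continue
        t = line.split()
        if len(t) < 4 or t[0] != "deny" or t[1] != "ip":
            continue                # remarks, permits, port-specific entries
        if t[2] == "host":
            nets.add(ipaddress.ip_network(t[3] + "/32"))
        elif t[2] != "any":
            plen = _wildcard_to_prefixlen(t[3])
            # strict=False tolerates host bits set in a sloppy ACL entry
            nets.add(ipaddress.ip_network(f"{t[2]}/{plen}", strict=False))
    return nets


def parse_bogon_list(text: str) -> set:
    """Parse a one-prefix-per-line bogon list; '#' lines are comments."""
    return {ipaddress.ip_network(l.strip()) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}


def audit_bogon_acl(configured: set, current: set):
    """Return (stale, missing).

    stale:   denied by the ACL but not inside any current bogon, i.e. the
             router is now blackholing allocated space.
    missing: current bogon not covered by any ACL deny entry.
    """
    stale = sorted(n for n in configured
                   if not any(n.subnet_of(c) for c in current))
    missing = sorted(c for c in current
                     if not any(c.subnet_of(n) for n in configured))
    return stale, missing


def report(config_text=SAMPLE_CONFIG, acl_name="bogons-in",
           bogon_text=SAMPLE_CURRENT_BOGONS):
    stale, missing = audit_bogon_acl(parse_bogon_acl(config_text, acl_name),
                                     parse_bogon_list(bogon_text))
    for n in stale:
        print(f"REMOVE  {n}  (no longer bogon; ACL is blackholing it)")
    for n in missing:
        print(f"ADD     {n}  (bogon not covered by ACL)")
    return stale, missing


if __name__ == "__main__":
    report()
```

Run it against `show running-config` output and a freshly fetched list, and wire it into whatever periodically checks configs; the "REMOVE" direction is the one that hurts customers, so it is worth alerting on, not just logging.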