Protecting inbound interfaces (re: Cisco exploit)
Is there a way to globally protect all inbound interfaces on a router via ACL (specifically hundreds of frame/sub-interfaces) without applying the same ACL to each individual interface? Is the "line vty" config only for telnet/ssh, etc. or is it the magic global that I'm looking for? I'd post this on inet-access but this is where the conversation is taking place. Thanks, Rick
On Fri, Jul 18, 2003 at 06:07:08AM -0700, Rick Ernst wrote:
Is there a way to globally protect all inbound interfaces on a router via ACL (specifically hundreds of frame/sub-interfaces) without applying the same ACL to each individual interface?
I believe something like this will work:

no access-l 198
access-list 198 deny 53 any any log-input
access-list 198 deny 55 any any log-input
access-list 198 deny 77 any any log-input
!
access-list 198 permit pim host xx.xx.xx.xx 224.0.0.0 31.255.255.255
!
access-list 198 deny pim any any log-input
access-list 198 permit ip any any
!
!end

Replace xx.xx.xx.xx with the real IP address if you have PIM running; if you don't, remove that line.
Is the "line vty" config only for telnet/ssh, etc. or is it the magic global that I'm looking for?
No. I don't think so. -Basil @ CIFNet
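As an added illustration (not part of the thread), here is a small first-match evaluator that encodes the ACL posted above and shows what it does to sample packets: protocols 53, 55 and 77 are dropped and logged, PIM (IP protocol 103) is allowed only from the configured host to the multicast range, all other PIM is dropped and logged, and everything else passes. The PIM host address and the sample packets are constructed placeholders.

```python
"""First-match evaluator for the IOS-style ACL 198 posted in the thread (added example)."""
import ipaddress

PIM_RP = "192.0.2.1"  # constructed placeholder for the xx.xx.xx.xx host in the posted config

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: bits set to 1 in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# Each entry: (action, protocol number or "ip", source spec, destination spec, log-input)
# Specs: ("any",), ("host", addr) or ("net", base, wildcard), as in the posted lines.
# Note: 31.255.255.255 is kept as posted; it covers 224.0.0.0/3, wider than the 224/4 multicast range.
ACL_198 = [
    ("deny", 53, ("any",), ("any",), True),
    ("deny", 55, ("any",), ("any",), True),
    ("deny", 77, ("any",), ("any",), True),
    ("permit", 103, ("host", PIM_RP), ("net", "224.0.0.0", "31.255.255.255"), False),  # pim = 103
    ("deny", 103, ("any",), ("any",), True),
    ("permit", "ip", ("any",), ("any",), False),
]

def _addr_match(spec, addr: str) -> bool:
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return addr == spec[1]
    return wildcard_match(addr, spec[1], spec[2])

def evaluate(acl, proto: int, src: str, dst: str):
    """Return (action, log) of the first matching entry; IOS ends every ACL with an implicit deny."""
    for action, p, s, d, log in acl:
        if p != "ip" and p != proto:
            continue
        if _addr_match(s, src) and _addr_match(d, dst):
            return action, log
    return "deny", False  # implicit deny

if __name__ == "__main__":
    # constructed sample packets: (IP protocol, source, destination)
    samples = [(53, "203.0.113.9", "198.51.100.1"), (6, "203.0.113.9", "198.51.100.1"),
               (103, PIM_RP, "224.0.0.13"), (103, "203.0.113.9", "224.0.0.13")]
    for pkt in samples:
        print(pkt, "->", evaluate(ACL_198, *pkt))
```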
Depends on the platform; if it is a Cisco GSR or 7500 (w/ sufficiently current IOS), you can look into using a Receive ACL (rACL). The Cisco advisory being sent around in the discussion of the latest vulnerability has a link to more info for Cisco rACLs.
- Wayne

Rick Ernst wrote:
Is there a way to globally protect all inbound interfaces on a router via ACL (specifically hundreds of frame/sub-interfaces) without applying the same ACL to each individual interface?
Is the "line vty" config only for telnet/ssh, etc. or is it the magic global that I'm looking for?
I'd post this on inet-access but this is where the conversation is taking place.
Thanks, Rick
Is this true: http://www.eweek.com/article2/0,3959,1196496,00.asp **there is a working exploit for this vulnerability but that it has not been released yet.**
Something was posted to the full-disclosure list. I haven't tested it yet myself but someone else said it did work.
http://lists.netsys.com/pipermail/full-disclosure/2003-July/011421.html
http://lists.netsys.com/pipermail/full-disclosure/2003-July/011420.html
---Mike

At 09:24 AM 18/07/2003 -0400, Ken Yeo wrote:
Is this true:
http://www.eweek.com/article2/0,3959,1196496,00.asp
**there is a working exploit for this vulnerability but that it has not been released yet.**
Ken Yeo wrote:
Is this true:
http://www.eweek.com/article2/0,3959,1196496,00.asp
**there is a working exploit for this vulnerability but that it has not been released yet.**
No, it is not true. The exploit *has* been released:
http://www.netsys.com/cgi-bin/displaynews?a=611
http://lists.netsys.com/pipermail/full-disclosure/2003-July/011421.html
http://lists.netsys.com/pipermail/full-disclosure/2003-July/011420.html
-davidu

David A. Ulevitch -- http://david.ulevitch.com
http://everydns.net -+- http://communitycolo.net
Campus Box 6957 + Washington University in St. Louis
Participants (6): Basil Kruglov, David A. Ulevitch, Ken Yeo, Mike Tancsa, Rick Ernst, Wayne