[unisog] Are cisco router VLAN ACL's stateful like a PIX?

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Feb 2 18:40:40 GMT 2005


On Thu, 03 Feb 2005 06:12:16 +1300, Russell Fulton said:

> No, and I would not try :)  I have long maintained that our local
> network is completely untrusted. That's why I said that I would love to
> ban (or at least heavily restrict) MS network traffic on the network.
> 
> I'd be very interested to know how VT manages this and what do you use
> as alternatives.

Our basic model is that we just move the packets, and each host is required
to do its own due diligence on filtering packets, since we in general don't
know what's going on with a given host (and usually we don't WANT to know).
In other words, we rely on host-based firewalling/filtering rather than
router-based.  There's no way that the router can make decisions about what
packets are OK for my machine as well as I can (just the machines in my office
have different rulesets, and none of them correspond to the machines in the
next cubicle over...)

We will on occasion deploy router-based filters on a *very* temporary basis as
an abatement measure (I think we put in some rules for about 72 hours for the
Nachi attacks), and there are a *few* subnet-specific rules in place (Clark's
lurking here someplace, he can address that in more detail).  But our basic
model is that every host on the network needs to be ready to do something
appropriate with any packet, from anyplace, at any time.
