[unisog] Are cisco router VLAN ACL's stateful like a PIX?

BACHAND, Dave (Info. Tech. Services) BachandD at easternct.edu
Tue Feb 1 20:52:57 GMT 2005


OK, you got my curiosity up.  We *DO* selectively block ICMP within the
LAN due to its abuse by all manner of viruses etc.  In practice, we allow
all protocols between the user(s) VLAN(s) and server VLAN(s).  We block
ICMP between user VLANs.  So far it has pretty effectively stopped RPC
type viruses from flying around the network.

We also block ICMP in from the Internet.  

How is this bad?  

++++++++++++++++++++++++++++++++++++++++++++
Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376
++++++++++++++++++++++++++++++++++++++++++++

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Clark Gaylord
Sent: Tuesday, February 01, 2005 1:50 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Are cisco router VLAN ACL's stateful like a PIX?

BACHAND, Dave (Info. Tech. Services) wrote:

>I suggest using a two tiered approach.  Use simple ACLs on the routers
>for what they are good at, short, broad swipes at control.  IE- no ICMP,
>access to only certain subnets, etc with short ACLs.  Then do more in
>
yeah, except that "no ICMP" is about the worst thing you can do.  other 
than that, right on!

just what part of "Internet Protocol" makes you think you don't want 
"Internet Control Message Protocol"?

[even the lame "but then they won't find me with my head in the sand" 
arguments are vacuous nowadays.]

--ckg
_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog
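The user-to-user VLAN policy Dave describes above, written out as a Cisco IOS extended ACL so the two positions in the thread can be compared line by line. This is an added example, not configuration from either poster or from the list; the VLAN numbers, subnets and ACL names are constructed placeholders, and it assumes the ACL is applied to a routed SVI (a plain router ACL) rather than a VLAN access-map. It also illustrates the point behind the thread's subject: an IOS router ACL is a stateless packet filter (the `established` keyword only checks TCP ACK/RST bits; stateful behaviour needs reflexive ACLs or CBAC), so a flat "deny icmp" also drops the ICMP error messages that belong to otherwise-permitted TCP/UDP flows.

```cisco
! Added example, not from the thread.  User VLAN 10 (10.1.10.0/24) and
! user VLAN 20 (10.1.20.0/24) are constructed placeholders.
!
! Version 1: "no ICMP" between user VLANs, as described in the post.
! Stateless: every packet is matched on its own, so Destination
! Unreachable / Fragmentation Needed (type 3 code 4) and Time Exceeded
! are dropped too, which silently breaks Path MTU Discovery and traceroute
! for the TCP/UDP traffic the last line permits.
ip access-list extended USER-VLAN10-IN
 deny   icmp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 permit ip any any
!
! Version 2: keep the block on echo/echo-reply (the part credited with
! stopping scanning worms) but let the error messages through, so the
! "no ICMP" rule no longer damages permitted flows.
ip access-list extended USER-VLAN10-IN-V2
 permit icmp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 packet-too-big
 permit icmp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 ttl-exceeded
 deny   icmp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 description User VLAN 10 (constructed example)
 ip address 10.1.10.1 255.255.255.0
 ip access-group USER-VLAN10-IN-V2 in
```

The same two ICMP permits belong in the Internet-facing inbound ACL for the same reason; `show ip access-lists USER-VLAN10-IN-V2` shows per-entry hit counters, so a rising count on the `packet-too-big` line is a quick check that version 1 would have been dropping PMTUD messages.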
