[unisog] Are cisco router VLAN ACL's stateful like a PIX?

Daniel Feenberg feenberg at nber.org
Tue Feb 1 21:47:39 GMT 2005


On Tue, 1 Feb 2005, BACHAND, Dave (Info. Tech. Services) wrote:

> OK, you got my curiosity up.  We *DO* selectively block ICMP within the
> LAN due to its abuse by all manner of viruses etc.  In practice, we allow
> all protocols between the user(s) VLAN(s) and server VLAN(s).  We block
> ICMP between user VLANs.  So far it has pretty effectively stopped RPC
> type viruses from flying around the network.
> 
> We also block ICMP in from the Internet.  
> 
> How is this bad?  

It breaks Path MTU discovery, which will block access to sites with
smaller maximum packet sizes. See

http://www.faqs.org/faqs/computer-security/most-common-qs/section-18.html

You don't have to allow all of ICMP, but you should allow this as there
are various places a few octets are taken off the maximum, and you
might not be told about all of them.

Dan Feenberg

> 
> ++++++++++++++++++++++++++++++++++++++++++++
> Dave Bachand
> Data Network Manager
> Information Technology Services
> Eastern Connecticut State University
> 83 Windham Street
> Willimantic, CT
> Tel. (860)465-5376
> ++++++++++++++++++++++++++++++++++++++++++++
> 
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Clark Gaylord
> Sent: Tuesday, February 01, 2005 1:50 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Are cisco router VLAN ACL's stateful like a PIX?
> 
> BACHAND, Dave (Info. Tech. Services) wrote:
> 
> >I suggest using a two tiered approach.  Use simple ACLs on the routers
> >for what they are good at, short, broad swipes at control.  IE- no ICMP,
> >access to only certain subnets, etc with short ACLs.  Then do more in
> >
> yeah, except that "no ICMP" is about the worst thing you can do.  other 
> than that, right on!
> 
> just what part of "Internet Protocol" makes you think you don't want 
> "Internet Control Message Protocol"?
> 
> [even the lame "but then they won't find me with my head in the sand" 
> arguments are vacuous nowadays.]
> 
> --ckg
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> 
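As an added example (not from the thread or any of its authors), here is one way to put Dan's point into practice on a Cisco IOS router: keep the one ICMP message Path MTU discovery depends on (type 3 code 4, "fragmentation needed and DF set", which IOS names `packet-too-big`) while still denying the rest of ICMP between user VLANs as Dave describes. The ACL name, the VLAN number and the interface are assumptions chosen for illustration; IOS evaluates entries top to bottom, so the permit must come before the ICMP deny.

```cisco
! Assumed ACL name and VLAN; adapt to the local addressing plan
ip access-list extended USER-VLAN-IN
 ! Keep Path MTU discovery working: routers on a path with a smaller MTU
 ! send ICMP type 3 code 4 back to the sender, which then lowers its
 ! packet size. Without this, large packets to such sites are silently lost.
 permit icmp any any packet-too-big
 ! TTL-exceeded is harmless to allow and keeps traceroute usable
 permit icmp any any time-exceeded
 ! Now the broad swipe from the thread: no other ICMP between user VLANs
 deny icmp any any
 ! Remaining traffic (user VLANs to server VLANs, etc.) as before
 permit ip any any
!
interface Vlan10
 ip access-group USER-VLAN-IN in
```

The same `permit icmp any any packet-too-big` line belongs in the Internet-facing inbound ACL too, since a too-small MTU is just as likely to sit somewhere beyond the campus border. This does not open echo, redirect or the other ICMP types the thread is worried about; it only admits the single message type without which hosts that set the DF bit have no way to learn that their packets are too large.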