[unisog] Are cisco router VLAN ACL's stateful like a PIX?
r.fulton at auckland.ac.nz
Tue Feb 1 21:48:18 GMT 2005
On Tue, 2005-02-01 at 15:26 -0600, John Kristoff wrote:
> On Tue, 1 Feb 2005 15:52:57 -0500
> "BACHAND, Dave (Info. Tech. Services)" <BachandD at easternct.edu> wrote:
> > OK, you got my curiosity up. We *DO* selectively block ICMP within the
> > LAN due to its abuse by all manner of viruses etc. In practice, we allow
> > all protocols between the user(s) VLAN(s) and server VLAN(s). We block
> > ICMP between user VLANs. So far it has pretty effectively stopped RPC
> > type viruses from flying around the network.
> Blocking ICMP between VLANs has stopped RPC viruses, that's a pretty
> neat trick. You must have your voodoo filters turned up to 'more magic'.
One worm (I can't remember which) used ping to find potential victims
rather than just sending an exploit. We blocked pings from the
backbone and this confined the worm without disrupting legit (137, 445)
traffic. We then removed the filters when the threat subsided.
So, yes, blocking pings can stop worms spreading, but only if the worms
are very simple-minded.
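The worm described above gave itself away by pinging many distinct hosts, which is exactly what a deny-with-log entry on the ICMP filter would record. The script below is an added example, not code from anyone in this thread: it parses syslog lines in the shape Cisco IOS emits for an ICMP deny on an extended ACL carrying the `log` keyword and reports sources that sent echo requests to many distinct destinations, while ignoring echo replies and repeated pings to a single host. The ACL name BLOCK-PING, the router name, the sample log lines and the threshold of four targets are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample syslog in the shape Cisco IOS logs an ACL deny for ICMP.
# The ACL name BLOCK-PING, the hosts and the exact line layout are assumptions
# for this example, not something the original post shows.
SAMPLE_LOG = """\
Feb  1 21:40:01 rtr1 %SEC-6-IPACCESSLOGDP: list BLOCK-PING denied icmp 10.1.2.3 -> 10.1.3.1 (8/0), 1 packet
Feb  1 21:40:01 rtr1 %SEC-6-IPACCESSLOGDP: list BLOCK-PING denied icmp 10.1.2.3 -> 10.1.3.2 (8/0), 1 packet
Feb  1 21:40:02 rtr1 %SEC-6-IPACCESSLOGDP: list BLOCK-PING denied icmp 10.1.2.3 -> 10.1.3.3 (8/0), 1 packet
Feb  1 21:40:02 rtr1 %SEC-6-IPACCESSLOGDP: list BLOCK-PING denied icmp 10.1.2.3 -> 10.1.3.4 (8/0), 1 packet
Feb  1 21:40:03 rtr1 %SEC-6-IPACCESSLOGDP: list BLOCK-PING denied icmp 10.1.2.3 -> 10.1.3.5 (8/0), 1 packet
Feb  1 21:40:05 rtr1 %SEC-6-IPACCESSLOGDP: list BLOCK-PING denied icmp 10.1.2.7 -> 10.1.3.9 (8/0), 3 packets
Feb  1 21:40:09 rtr1 %SEC-6-IPACCESSLOGDP: list BLOCK-PING denied icmp 10.1.2.7 -> 10.1.3.9 (8/0), 1 packet
Feb  1 21:40:11 rtr1 %SEC-6-IPACCESSLOGDP: list BLOCK-PING denied icmp 10.1.3.9 -> 10.1.2.7 (0/0), 1 packet
Feb  1 21:40:12 rtr1 %SEC-6-IPACCESSLOGP: list BLOCK-PING denied tcp 10.1.2.3(1034) -> 10.1.3.1(445), 1 packet
"""

# Matches only ICMP denies; the "(type/code)" field is what lets us tell an
# echo request apart from an echo reply.
DENY_RE = re.compile(
    r"list (?P<acl>\S+) denied icmp (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

ICMP_ECHO_REQUEST = 8


def parse_icmp_denies(text):
    """Return one dict per ICMP deny line; TCP/UDP denies and unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m is None:
            continue
        records.append({
            "acl": m.group("acl"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "type": int(m.group("type")),
            "code": int(m.group("code")),
            "count": int(m.group("count")),
        })
    return records


def find_ping_sweepers(records, min_targets=4):
    """Map each source that sent echo requests to at least min_targets distinct
    destinations onto the sorted list of those destinations.

    Only echo requests (type 8) count: a reply (type 0) is the far end answering
    and says nothing about who is scanning. Repeated pings to one host are
    ordinary monitoring and are deliberately not treated as a sweep.
    """
    targets = defaultdict(set)
    for r in records:
        if r["type"] == ICMP_ECHO_REQUEST:
            targets[r["src"]].add(r["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_ping_sweepers(parse_icmp_denies(SAMPLE_LOG)).items():
        print(f"{src} pinged {len(dsts)} distinct hosts: {', '.join(dsts)}")
```

On the constructed input only 10.1.2.3 is reported: 10.1.2.7 pings the same host repeatedly and 10.1.3.9 only answers. Because a router ACL is stateless, a deny on echo requests does not by itself block the replies in the other direction, which is why the type field matters when reading these logs.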