[unisog] Are cisco router VLAN ACL's stateful like a PIX?

Russell Fulton r.fulton at auckland.ac.nz
Tue Feb 1 21:48:18 GMT 2005


On Tue, 2005-02-01 at 15:26 -0600, John Kristoff wrote:
> On Tue, 1 Feb 2005 15:52:57 -0500
> "BACHAND, Dave (Info. Tech. Services)" <BachandD at easternct.edu> wrote:
> 
> > OK, you got my curiosity up.  We *DO* selectively block ICMP within the
> > LAN due to its abuse by all manner of viruses etc.  In practice, we allow
> > all protocols between the user(s) VLAN(s) and server VLAN(s).  We block
> > ICMP between user VLANs.  So far it has pretty effectively stopped RPC
> > type viruses from flying around the network.
> 
> Blocking ICMP between VLANs has stopped RPC viruses, that's a pretty
> neat trick.  You must have your voodoo filters turned up to 'more magic'.

One worm (I can't remember which) used ping to find potential victims
rather than just sending an exploit.  We blocked pings from the
backbone and this confined the worm without disrupting legit (137, 445)
traffic.  We then removed the filters when the threat subsided.

So, yes, blocking pings can stop worms spreading, but only if the worms
are very simple minded.

Russell
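An added example, not part of Russell's post or any configuration from the list, of the kind of temporary filter he describes on a Cisco IOS router: echo requests are dropped at the VLAN's first hop while UDP 137 (NetBIOS name service) and TCP 445 (SMB) keep flowing. The ACL name, the interface Vlan20 and the "permit ip any any" catch-all are assumptions for illustration; substitute the real VLAN interfaces and the existing policy.

```cisco
! Constructed example (not from the original post): a stopgap ACL applied
! inbound on each user VLAN SVI, so a host's ping sweep toward other VLANs
! is discarded by the router rather than delivered.
ip access-list extended WORM-ICMP-FILTER
 remark drop the echo requests a ping-first worm uses to find victims; log hits
 deny   icmp any any echo log
 remark keep the Windows traffic the post mentions (137 = NetBIOS-NS, 445 = SMB)
 permit udp any any eq 137
 permit tcp any any eq 445
 remark assumed existing policy: allow the rest as before
 permit ip any any
!
interface Vlan20
 description user VLAN (assumed name)
 ip access-group WORM-ICMP-FILTER in
!
! Check it is actually catching something:
!   show access-lists WORM-ICMP-FILTER
! and remove it when the threat subsides, as the post did:
!   interface Vlan20
!    no ip access-group WORM-ICMP-FILTER in
```

Two caveats a practitioner would want, both following from how IOS ACLs work rather than from anything specific to this incident: IOS ACLs are evaluated top down with first match winning, so the deny must sit above the broad permit; and a plain router ACL is stateless (unlike a PIX connection table), so it only blocks the echo request in the direction it is applied and does not care whether a reply was ever solicited. That is also why the filter is only useful against a worm that must see a ping reply before it attacks; one that sprays exploits at 445 directly is untouched by it.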