[unisog] Are cisco router VLAN ACL's stateful like a PIX?

Russell Fulton r.fulton at auckland.ac.nz
Wed Feb 2 17:12:16 GMT 2005


On Wed, 2005-02-02 at 11:28 -0500, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 02 Feb 2005 21:25:28 +1300, Russell Fulton said:
> 
> > Agreed, at the border, but we were talking about blocks within the
> > network (on the backbone interfaces of our sector switches) and between
> > vlans.  We have had 137 and friends blocked at the border since we
> > joined the Internet in 1989.
> 
> Can anybody at your site explain why a machine on the other side of campus
> is considered more trustworthy than one on another continent?

No, and I would not try :)  I have long maintained that our local
network is completely untrusted. That's why I said that I would love to
ban (or at least heavily restrict) MS network traffic on the network.

I'd be very interested to know how VT manages this and what do you use
as alternatives.

IT at the UoA is federated with individual Faculties doing their own
thing in many cases.  Central IT maintains the network and business
infrastructure and provides the usual range of services (email, file
servers etc) but the Faculties are free to provide their own if they
think they can do it better or more cost effectively.

We also have faculties that are geographically dispersed, which does not
help in managing MS networking in a sane manner.

> 
> The usual reason given is some variant on "because if they hack into me, I know
> where to find them and beat the snot out of them".  This in fact works if
> you're discussing an attack launched at the user's request.  However, when the
> machine on the other side of campus is attacking you at the behest of somebody
> on another continent, it breaks down a bit. 

I absolutely agree.  We block at the border because we can, not because
I trust the machine on the inside more than I trust those on the
outside.

Cheers, Russell.