[unisog] Are cisco router VLAN ACL's stateful like a PIX?

Russell Fulton r.fulton at auckland.ac.nz
Wed Feb 2 19:11:46 GMT 2005


On Wed, 2005-02-02 at 13:40 -0500, Valdis.Kletnieks at vt.edu wrote:

> We will on occasion deploy router-based filters on a *very* temporary basis as
> an abatement measure (I think we put in some rules for about 72 hours for the
> Nachi attacks), and there's a *few* subnet-specific rules in place (Clark's
> lurking here someplace, he can address that in more detail).  But our basic
> model is that every host on the network needs to be ready to do something
> appropriate with any packet, from anyplace, at any time.

This corresponds fairly closely with our basic assumptions, however we
do implement filtering at the network level where doing so significantly
reduces risk with no or only minor additional costs.  We do extensive
filtering at the border (the vast majority of desktop machines are not
visible from outside) and we filter MS protocols for just about
everyone.

We strongly encourage the use of host based firewalls and have a
proactive policy on patching to make sure individual machines are
secure.  We certainly don't rely on the filtering for our security, it
is just another layer to mitigate one particular threat.

Russell.