--- "Chris A. Epler" <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jared Mauch wrote:
>
> | I'm not saying this to trash cisco, many people there know that,
> | but the important thing is ensuring that the global internet isn't
> | further harmed, and as more allocations are done the harm becomes
> | greater and it hurts every single person in this industry, providers
> | and vendors alike.
>
> k, bit my tongue as much as I could... But I gotta vent ;-P
>
> So, Cisco provides this 'AutoSecure' function and everyone jumps all
> over the static bogon list. Why? Hello? The basic idea here is that
> it gets you decent out of the box setup defaults which you tailor after
> running it, right? (NOTE: I haven't actually hit the AUTOSECURE button
> yet, just read a little about it)

Well, the problem is that the autosecure feature introduces a static element (address filtering) into a dynamic world (routing), in a way which is generally considered "set and forget." The target audience for autosecure is people who don't have their own security people on staff, thus ensuring that the filters will get out of date, and cause mysterious reachability issues (mysterious, that is, because no one will think of looking for the problem in the router...)

> What's so bad about decent secure defaults? I just see it as a shortcut
> to getting a router online, not a solution to security.

Getting a router online is giving it an IP address. Translate from geek to English: when someone who is not-so-technical hears "autosecure" the end result is something like "automatic transmission" - i.e. something which doesn't need to be played with except once every few years.

> If you're implementing a new router and setting up Bogon filters

The argument is that autosecure SHOULDN'T set up bogon filters.

> you should already know that they'll need to be updated regularly and
> should replace the access list with a refreshed one using the autosecure
> configuration as a TEMPLATE that you work off of. If you don't know
> this, then you shouldn't be in charge of said router. Am I missing
> something here???

The primary audience for the autosecure feature is people who really don't quite get routers. No, they don't have any business with enable, but do they have it? yes.

=====
David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com
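The failure mode the reply describes, a static bogon ACL that quietly outlives the allocation state it was written against, can be checked for mechanically. The following is an added example, not code from the thread or from Cisco: it parses IOS-style `deny ip <addr> <wildcard> any` lines and reports any denied prefix that no longer sits inside a current bogon prefix, which is exactly the entry that would black-hole legitimately allocated space. The ACL name `bogon-in`, the ACL contents and the "current" bogon list are all constructed for the example; in practice the feed would come from whatever bogon source the operator trusts.

```python
import ipaddress
import re

# Matches IOS extended-ACL deny lines of the form "deny ip <addr> <wildcard> any".
ACL_DENY = re.compile(
    r"^\s*deny\s+ip\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+any\b", re.I
)

# Constructed: the static bogon ACL a router was shipped with (name is made up).
STATIC_BOGON_ACL = """\
ip access-list extended bogon-in
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 permit ip any any
"""

# Constructed: what a refreshed bogon feed says today. In this snapshot 1/8 and
# 2/8 have been allocated since the ACL was written, so they no longer belong.
CURRENT_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks: 0.0.255.255 means /16."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_deny_entries(acl_text: str) -> list:
    """Pull the denied prefixes out of an IOS-style ACL body, in order."""
    nets = []
    for line in acl_text.splitlines():
        m = ACL_DENY.match(line)
        if m:
            nets.append(wildcard_to_network(m.group(1), m.group(2)))
    return nets


def stale_entries(acl_text: str, current_bogons: list) -> list:
    """Return ACL deny prefixes that no current bogon prefix fully covers.

    Such an entry discards traffic from space that has since been allocated,
    which is the 'mysterious reachability issue' a set-and-forget filter causes.
    """
    feed = [ipaddress.ip_network(b) for b in current_bogons]
    stale = []
    for net in parse_deny_entries(acl_text):
        if not any(net.subnet_of(bogon) for bogon in feed):
            stale.append(str(net))
    return stale


if __name__ == "__main__":
    for prefix in stale_entries(STATIC_BOGON_ACL, CURRENT_BOGONS):
        print(f"stale deny: {prefix} is no longer bogon; this filter drops allocated space")
```

Run against the constructed input this reports `1.0.0.0/8` and `2.0.0.0/8`. The check only flags entries that have fallen out of the bogon set; it does not add newly bogon space, which is the other half of keeping such a filter current and the reason the reply argues the list should be regenerated from a feed rather than left as shipped.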