Pauline van Winsen wrote:
> 
> same reaction here. & routers can do an awful lot more than route
> these days.

I'm digging Cisco's reflexive filters. Simpler rules, maintains state
and seems to go easy on the CPU. Who needs a firewall. ;)

> e.g. most internet links will have an interface serial/ISDN etc which is
> configured as a point-to-point link, usually with an IP address assigned
> by the ISP. the only place you can perform anti-IP spoofing or
> other filtering for this IP address is on that interface on the router.

I've also seen a situation where a busy firewall will start leaking
private addressing. Adding egress filters to the routers prevents these
source addresses from reaching the net.

> i see continuous hits on filters for these access-lists on links
> i have configured. typically attempts to access port 23 tcp or 161 udp
> (telnet & snmp).

I'm in the same boat. I know there are people who follow up on every
probe or poke, but quite honestly my customers see too many of them
every day for me to have time to follow up on each. I find it easier to
block out the noise from script kiddie scans and focus on the truly
interesting door rattles.

> my level of paranoia is - if a device is capable of performing packet
> filtering - implement packet filtering;

Sounds more like sound economics & security posturing rather than
paranoia. ;)

HTH,
Chris
-- 
**************************************
[EMAIL PROTECTED]

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
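The two things discussed in the thread (a reflexive access list on the ISP-facing interface, and an egress filter that stops RFC1918 or spoofed source addresses from leaving) can be expressed in one pair of named extended ACLs. The configuration below is an added example and is not from Chris's or Pauline's posts; the customer block 203.0.113.0/24, the interface Serial0, the list names and the timeouts are all placeholders chosen for illustration.

```cisco
! Added example, not from the original thread. Assumes the customer's
! assigned block is 203.0.113.0/24 and the ISP link is Serial0 (placeholders).
!
! Outbound: refuse anything that is not sourced from our own block (this
! catches a firewall that has started leaking private addresses), and
! record each permitted TCP/UDP flow in a reflexive list so that only the
! matching return traffic is let back in.
ip access-list extended OUTBOUND
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 permit tcp 203.0.113.0 0.0.0.255 any reflect RETURN-TCP timeout 300
 permit udp 203.0.113.0 0.0.0.255 any reflect RETURN-UDP timeout 60
 permit icmp 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
! Inbound: drop packets claiming to be us, RFC1918 or loopback
! (anti-spoofing), admit only replies to flows we initiated plus the
! ICMP types needed for ping and path MTU discovery, then log the
! telnet/SNMP door rattles separately so they can be counted rather
! than chased one by one.
ip access-list extended INBOUND
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 evaluate RETURN-TCP
 evaluate RETURN-UDP
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 deny   tcp any any eq 23 log
 deny   udp any any eq 161 log
 deny   ip any any log
!
interface Serial0
 description Link to ISP
 ip access-group INBOUND in
 ip access-group OUTBOUND out
```

Three caveats worth keeping in mind with this arrangement. The in/out direction on `ip access-group` is relative to the router, so swapping the two lists does not produce an error, it just means no reflexive entries are ever created and all return traffic hits the final deny. Reflexive lists only follow single-channel sessions; a protocol that opens a second connection on a negotiated port, such as active-mode FTP, needs its own explicit permit or a stateful inspection feature instead. And the `log` keyword on every deny is cheap at the rate of background scanning the thread describes, but a flood of hits will cost CPU, so it belongs on the entries you actually want counted rather than on every line.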