Ronnie,
 
You should rotate access-list numbers to avoid having to take one down to update it.
 
Let's say your interfaces to the net use access-list 101 inbound; reserve 
access-list 102 for updates.
 
Then you can take your current ACL 101, add your new rules, and do a fast search and 
replace to change the 101 to 102 (the ACL number in the list).
 
Paste ACL 102 into the router, then update your interface to use 102 in. This way 
there is zero downtime, and you have the original around if you need to switch back in 
a hurry.
 
Next time you need to make a change, remove list 101 and replace it with the changed 
list, update the interfaces to use 101, and 102 is around as a backup in case something 
is wrong with the new list.
 
John

________________________________

From: [EMAIL PROTECTED] on behalf of Ronnie Franklin
Sent: Thu 2/12/2004 11:25 PM
To: [EMAIL PROTECTED]
Subject: [Modus] Firewalls for ISPs


We do three things here.
 
1.    Primary line of defense is a Cisco 7000RSP as the border router with several 
access-lists.  Access-lists are on the inbound circuits from the Internet, our T1s that 
connect to remote locations, and our Ethernet ports that connect to our servers, 
dialup, DSL and wireless access servers.  There are also a couple of access-lists that 
are for specific viruses.
 
2.    Secondary line of defense is that each computer at our NOC has BlackICE or 
ZoneAlarm installed with only the ports open that need to be open for that server.  If 
you don't have a secondary line of defense, then you are open for a few seconds when you 
update your access-lists.
 
3.    We have Snort 2.0 installed as an IDS so we can see what else is happening, such 
as additional ports that need to be blocked, users that have viruses, etc.
 
Access-lists are a real pain until you understand them and have an easy way to update 
them.  I store the "master" access-lists in .txt files on a workstation, then modify 
them as needed and cut and paste them to the router.  The .txt file contains all the 
necessary commands, with the exception of usernames/passwords, to delete the current 
access-list from each interface, create the new access-list and then apply the 
access-list back to the proper interfaces.  A modification of an access-list takes me 
no more than 30 seconds from start to finish.
 
For those who want to set up an IDS using Snort, there is a book out called 
"Snort 2.0 Intrusion Detection", published by Syngress.  Located at 
http://www.syngress.com/catalog/sg_main.cfm?pid=2440
 
Ronnie
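As an added example (not code from either post, and not how John or Ronnie actually do it), here is a small Python script that carries out John's renumber-and-rebind rotation on the kind of "master" ACL text file Ronnie keeps, and produces the paste for the router. The ACL rules, addresses, ports and interface names are constructed for illustration. It also guards against the one thing a blind search-and-replace for "101" gets wrong: a 101 that is an address octet or a port number inside a rule must not be touched, so the script only rewrites the number that directly follows `access-list` or `ip access-group`.

```python
import re
from typing import List, Set

# Constructed sample, not from the original post: a "master" numbered ACL as kept
# in a .txt file. Addresses, ports and interface names below are hypothetical.
MASTER_ACL_101 = """\
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   tcp any any eq 135
access-list 101 deny   tcp any any eq 445
access-list 101 deny   udp any any eq 1434
access-list 101 permit tcp any host 203.0.113.101 eq 101
access-list 101 permit ip any any
"""

EDGE_INTERFACES = ["Serial1/0", "Serial1/1"]   # hypothetical upstream circuits

# Only these keywords are followed by an ACL number. A blind replace of "101"
# would also rewrite the host octet and the port in the sixth rule above.
ACL_REF = re.compile(r"^(?P<kw>access-list|ip access-group)\s+(?P<num>\d+)(?P<rest>.*)$")


def renumber_acl(acl_text: str, old: int, new: int) -> List[str]:
    """Return the ACL lines with number `old` changed to `new` wherever it is
    the ACL number; addresses and port numbers are left untouched."""
    out = []
    for line in acl_text.splitlines():
        indent = line[: len(line) - len(line.lstrip())]
        m = ACL_REF.match(line.strip())
        if m and int(m.group("num")) == old:
            out.append(f"{indent}{m.group('kw')} {new}{m.group('rest')}")
        else:
            out.append(line)
    return out


def acl_numbers(lines: List[str]) -> Set[int]:
    """ACL numbers referenced by access-list / ip access-group lines."""
    return {int(m.group("num"))
            for m in (ACL_REF.match(l.strip()) for l in lines) if m}


def build_cutover(acl_text: str, live: int, spare: int,
                  interfaces: List[str], direction: str = "in") -> List[str]:
    """Config paste that stages the edited list under the spare number and then
    rebinds each interface to it. The live list is never removed, so at no point
    is an interface bound to an empty or absent ACL."""
    if live == spare:
        raise ValueError("spare ACL number must differ from the live one")
    lines = [f"no access-list {spare}"]          # drop any stale copy of the spare
    lines += renumber_acl(acl_text, live, spare)
    if acl_numbers(lines) != {spare}:
        raise ValueError("renumbered list still references another ACL number")
    for ifname in interfaces:
        lines += [f"interface {ifname}", f" ip access-group {spare} {direction}"]
    return lines


def build_rollback(previous: int, interfaces: List[str],
                   direction: str = "in") -> List[str]:
    """Paste that points the interfaces back at the previous list, which is
    still on the router because the cutover never deleted it."""
    lines = []
    for ifname in interfaces:
        lines += [f"interface {ifname}", f" ip access-group {previous} {direction}"]
    return lines


if __name__ == "__main__":
    # Rotate 101 -> 102; next time call with live=102, spare=101.
    print("\n".join(build_cutover(MASTER_ACL_101, 101, 102, EDGE_INTERFACES)))
    print("! rollback:")
    print("\n".join(build_rollback(101, EDGE_INTERFACES)))
```

The `no access-list <spare>` line at the top of the paste clears whatever stale copy is sitting under the spare number; because that number is not bound to any interface at that moment, nothing is exposed. The ordering matters on IOS: an interface whose `ip access-group` names a list that does not exist passes traffic unfiltered, which is exactly the few-second window Ronnie describes when the live list is deleted and re-created in place, and what the rotation avoids.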
 

