Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Hi,

another one (mainly for switches) was written by a colleague of mine some time ago. It's called Bulk Switch Config Auditor and can be found at

http://www.ernw.de/download/bsca_0.1.2a.zip

thanks,

Enno

On Mon, Mar 24, 2008 at 10:42:14PM +0100, Rikard Skjelsvik wrote:
> Justin Shore wrote:
>> Yes. You can use RAT (Router Audit Tool).
>>
>> http://www.cisecurity.org/
>>
>> However that still doesn't exempt the admin from knowing exactly what each and every suggested command does. RAT bitches and moans about my configs because I don't ever set VTY passwords. RAT doesn't have the ability to recognize that they are not needed in my scenario because I utilize full AAA. RAT is programmed to look for certain things and give the pre-determined output. It's still a good tool but you have to understand what it's telling you to figure out if in fact there is a problem to be addressed. As always with security, there is no silver bullet.
>>
>> Justin
>
> Or you could use nipper
>
> http://sourceforge.net/projects/nipper

--
Enno Rey

Check out www.troopers08.org!

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1

Commercial register Heidelberg: HRB 7135
Managing directors: Roland Fiege, Enno Rey

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Hi,

On Sun, Mar 23, 2008 at 08:29:59PM -0700, Joseph Jackson wrote:
> After reading this message it brought to mind the default steps I take whenever a new router is configured for our network. Here's the list of the stuff I do which I got from the hardening cisco routers book. What do you guys think? Should there be anything else? I also try to run ssh on any router that can support it.
>
> GLOBAL CONFIG
> no service finger
> no service pad
> no service udp-small-servers
> no service tcp-small-servers
> service password-encryption
> service tcp-keepalives-in
> service tcp-keepalives-out
> no cdp run
> no ip bootp server
> no ip http server
> no ip finger
> no ip source-route
> no ip gratuitous-arps

some other candidates to add here (may depend on platform/image and only to be applied after careful reconsideration ;-):

no service config
no ip http-secure
no service dhcp
no boot network
no boot host
no mop enabled
no ip host-routing

as for the interface stuff...

> Per Interface Config
> no ip redirects
> no ip unreachables

personally, I don't like those two. what's wrong about a router _sending_ icmp redirects or (even more important/useful) icmp unreachables? keep in mind those commands are not about accepting those (but, as said: sending them).

and, depending on the environment (e.g. in some IXs this can be found), you might want to add this one:

no keepalive

be aware this can lead to serious problems (e.g. on Gig-Ifs) when applied inappropriately ;-))

thanks,

Enno
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Watch out for autosecure: last time I looked, it filtered traffic from a static list of unallocated IP space. Of course, new IP space is always being allocated all the time, so those filters were quickly out of date. This might have led to some of the problems experienced by the users in 69/8.

I haven't looked lately, so hopefully that behavior has changed.

-David Barak

Justin Shore wrote:
> hostname host
> ip domain-name domain.tld
> crypto key generate rsa modulus 2048
> !
> ip ssh time-out 60
> ip ssh version 2
> ip ssh authentication-retries 3
> !
> service nagle
> no service pad
> service tcp-keepalives-in
> service tcp-keepalives-out
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime localtime show-timezone
> service password-encryption
> service sequence-numbers
> ip icmp rate-limit unreachable DF 2000
> !
> no ip http server
> no ip http secure-server
>
> There's a lot more to do. You should also look into autosecure as well as the Router Security Strategies book. Plus all the config for AAA, VTY, SNMP, NTP, logging, Lock & Key, CoPP, etc. The Cymru Secure IOS Template is worth looking at too.
>
> http://www.cymru.com/Documents/secure-ios-template.html
>
> Justin
>
> Joseph Jackson wrote:
>> After reading this message it brought to mind the default steps I take whenever a new router is configured for our network. Here's the list of the stuff I do which I got from the hardening cisco routers book. What do you guys think? Should there be anything else? I also try to run ssh on any router that can support it.
>>
>> GLOBAL CONFIG
>> no service finger
>> no service pad
>> no service udp-small-servers
>> no service tcp-small-servers
>> service password-encryption
>> service tcp-keepalives-in
>> service tcp-keepalives-out
>> no cdp run
>> no ip bootp server
>> no ip http server
>> no ip finger
>> no ip source-route
>> no ip gratuitous-arps
>> END GLOBAL CONFIG
>>
>> Per Interface Config
>> no ip redirects
>> no ip proxy-arp
>> no ip unreachables
>> no ip directed-broadcast
>> no ip mask-reply
>> ip cef
>> END Per Interface Config
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Eric Cables
>> Sent: Friday, March 21, 2008 2:13 PM
>> To: cisco-nsp@puck.nether.net
>> Subject: [c-nsp] Proxy ARP -- To disable, or not to disable..
>>
>> A recent network audit has discovered that Proxy ARP is enabled on pretty much every L3 interface in the network. As a Cisco default, this isn't surprising, since no template configs have it disabled. The question is: whether or not I should go back and disable it, or just leave it be, since it doesn't appear to be causing any problems. Any feedback would be appreciated.
>>
>> --
>> Eric Cables
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Good info. It's always risky when people add config without knowing what it does. I usually tell people to compare a before and after diff of the config of a lab router to see what exactly autosecure did. Then I point them to the online docs to figure out what the reason was behind each of the changes. It's a good way for folks to learn. It doesn't get much easier than go research this command to learn what it does. Then they can decide what will or will not work on their network. Everyone should have a lab, even if work won't provide one.

Justin

David Barak wrote:
> Watch out for autosecure: last time I looked, it filtered traffic from a static list of unallocated IP space. Of course, new IP space is always being allocated all the time, so those filters were quickly out of date. This might have led to some of the problems experienced by the users in 69/8.
>
> I haven't looked lately, so hopefully that behavior has changed.
>
> -David Barak
>
> Justin Shore wrote:
>> hostname host
>> ip domain-name domain.tld
>> crypto key generate rsa modulus 2048
>> !
>> ip ssh time-out 60
>> ip ssh version 2
>> ip ssh authentication-retries 3
>> !
>> service nagle
>> no service pad
>> service tcp-keepalives-in
>> service tcp-keepalives-out
>> service timestamps debug datetime msec localtime show-timezone
>> service timestamps log datetime localtime show-timezone
>> service password-encryption
>> service sequence-numbers
>> ip icmp rate-limit unreachable DF 2000
>> !
>> no ip http server
>> no ip http secure-server
>>
>> There's a lot more to do. You should also look into autosecure as well as the Router Security Strategies book. Plus all the config for AAA, VTY, SNMP, NTP, logging, Lock & Key, CoPP, etc. The Cymru Secure IOS Template is worth looking at too.
>>
>> http://www.cymru.com/Documents/secure-ios-template.html
>>
>> Justin
>>
>> Joseph Jackson wrote:
>>> After reading this message it brought to mind the default steps I take whenever a new router is configured for our network. Here's the list of the stuff I do which I got from the hardening cisco routers book. What do you guys think? Should there be anything else? I also try to run ssh on any router that can support it.
>>>
>>> GLOBAL CONFIG
>>> no service finger
>>> no service pad
>>> no service udp-small-servers
>>> no service tcp-small-servers
>>> service password-encryption
>>> service tcp-keepalives-in
>>> service tcp-keepalives-out
>>> no cdp run
>>> no ip bootp server
>>> no ip http server
>>> no ip finger
>>> no ip source-route
>>> no ip gratuitous-arps
>>> END GLOBAL CONFIG
>>>
>>> Per Interface Config
>>> no ip redirects
>>> no ip proxy-arp
>>> no ip unreachables
>>> no ip directed-broadcast
>>> no ip mask-reply
>>> ip cef
>>> END Per Interface Config
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Eric Cables
>>> Sent: Friday, March 21, 2008 2:13 PM
>>> To: cisco-nsp@puck.nether.net
>>> Subject: [c-nsp] Proxy ARP -- To disable, or not to disable..
>>>
>>> A recent network audit has discovered that Proxy ARP is enabled on pretty much every L3 interface in the network. As a Cisco default, this isn't surprising, since no template configs have it disabled. The question is: whether or not I should go back and disable it, or just leave it be, since it doesn't appear to be causing any problems. Any feedback would be appreciated.
>>>
>>> --
>>> Eric Cables
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Exactly, autosecure is just a macro. It is always advisable to check the actual router configuration after it is completed. The engineer should make sure they understand how all of the commands implemented, and if they don't, research them and make sure they know of any caveats.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin Shore
Sent: Monday, March 24, 2008 9:21 AM
To: David Barak
Cc: [EMAIL PROTECTED]; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)

Good info. It's always risky when people add config without knowing what it does. I usually tell people to compare a before and after diff of the config of a lab router to see what exactly autosecure did. Then I point them to the online docs to figure out what the reason was behind each of the changes. It's a good way for folks to learn. It doesn't get much easier than go research this command to learn what it does. Then they can decide what will or will not work on their network. Everyone should have a lab, even if work won't provide one.

Justin

David Barak wrote:
> Watch out for autosecure: last time I looked, it filtered traffic from a static list of unallocated IP space. Of course, new IP space is always being allocated all the time, so those filters were quickly out of date. This might have led to some of the problems experienced by the users in 69/8.
>
> I haven't looked lately, so hopefully that behavior has changed.
>
> -David Barak
>
> Justin Shore wrote:
>> hostname host
>> ip domain-name domain.tld
>> crypto key generate rsa modulus 2048
>> !
>> ip ssh time-out 60
>> ip ssh version 2
>> ip ssh authentication-retries 3
>> !
>> service nagle
>> no service pad
>> service tcp-keepalives-in
>> service tcp-keepalives-out
>> service timestamps debug datetime msec localtime show-timezone
>> service timestamps log datetime localtime show-timezone
>> service password-encryption
>> service sequence-numbers
>> ip icmp rate-limit unreachable DF 2000
>> !
>> no ip http server
>> no ip http secure-server
>>
>> There's a lot more to do. You should also look into autosecure as well as the Router Security Strategies book. Plus all the config for AAA, VTY, SNMP, NTP, logging, Lock & Key, CoPP, etc. The Cymru Secure IOS Template is worth looking at too.
>>
>> http://www.cymru.com/Documents/secure-ios-template.html
>>
>> Justin
>>
>> Joseph Jackson wrote:
>>> After reading this message it brought to mind the default steps I take whenever a new router is configured for our network. Here's the list of the stuff I do which I got from the hardening cisco routers book. What do you guys think? Should there be anything else? I also try to run ssh on any router that can support it.
>>>
>>> GLOBAL CONFIG
>>> no service finger
>>> no service pad
>>> no service udp-small-servers
>>> no service tcp-small-servers
>>> service password-encryption
>>> service tcp-keepalives-in
>>> service tcp-keepalives-out
>>> no cdp run
>>> no ip bootp server
>>> no ip http server
>>> no ip finger
>>> no ip source-route
>>> no ip gratuitous-arps
>>> END GLOBAL CONFIG
>>>
>>> Per Interface Config
>>> no ip redirects
>>> no ip proxy-arp
>>> no ip unreachables
>>> no ip directed-broadcast
>>> no ip mask-reply
>>> ip cef
>>> END Per Interface Config
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Eric Cables
>>> Sent: Friday, March 21, 2008 2:13 PM
>>> To: cisco-nsp@puck.nether.net
>>> Subject: [c-nsp] Proxy ARP -- To disable, or not to disable..
>>>
>>> A recent network audit has discovered that Proxy ARP is enabled on pretty much every L3 interface in the network. As a Cisco default, this isn't surprising, since no template configs have it disabled. The question is: whether or not I should go back and disable it, or just leave it be, since it doesn't appear to be causing any problems. Any feedback would be appreciated.
>>>
>>> --
>>> Eric Cables
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Enno Rey wrote:
> Hi,
>
>> Per Interface Config
>> no ip redirects
>> no ip unreachables
>
> personally, I don't like those two. what's wrong about a router _sending_ icmp redirects or (even more important/useful) icmp unreachables? keep in mind those commands are not about accepting those (but, as said: sending them).

To more explicitly say what everyone was dancing around, ICMPs are classified as receive packets which can only be process switched. This leaves a wide open avenue for resource exhaustion attacks. ICMP can be very useful for troubleshooting and diagnostics. It is also an extremely easy and effective method with which to DoS SPs. I don't agree with blocking it outright, even at the Internet borders, but I do agree that much of it can be used maliciously and that it should be controlled.

Deny ICMP frags explicitly (otherwise you'll endure 2 CPU interrupts). Permit echo requests and replies to your access edges. Permit packet-too-big (for PMTU) and time-exceeded (traceroutes). Then rate-limit it down to a reasonable number. On your routing devices disable/prevent all unnecessary ICMP services and responses. Rate-limit all necessary responses to a reasonable level.

Good info on how to accomplish all of this can be had in Router Security Strategies Cisco Press book and many other resources.

Justin
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Fred Reimer wrote:
> Exactly, autosecure is just a macro. It is always advisable to check the actual router configuration after it is completed. The engineer should make sure they understand how all of the commands implemented, and if they don't, research them and make sure they know of any caveats.

Is there anything similar that will allow me to take a router configuration file and interactively process it on an external system to increase security on my router? I don't think autosecure exists on my platform. (7500 RSP4+)

Peace... Sridhar
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Sridhar Ayengar wrote:
> Fred Reimer wrote:
>> Exactly, autosecure is just a macro. It is always advisable to check the actual router configuration after it is completed. The engineer should make sure they understand how all of the commands implemented, and if they don't, research them and make sure they know of any caveats.
>
> Is there anything similar that will allow me to take a router configuration file and interactively process it on an external system to increase security on my router?

Yes. You can use RAT (Router Audit Tool).

http://www.cisecurity.org/

However that still doesn't exempt the admin from knowing exactly what each and every suggested command does. RAT bitches and moans about my configs because I don't ever set VTY passwords. RAT doesn't have the ability to recognize that they are not needed in my scenario because I utilize full AAA. RAT is programmed to look for certain things and give the pre-determined output. It's still a good tool but you have to understand what it's telling you to figure out if in fact there is a problem to be addressed. As always with security, there is no silver bullet.

Justin
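Two points made in this thread, the advice to diff a lab router's config before and after a macro such as autosecure, and the note that RAT flags missing VTY passwords even under full AAA, can be sketched together offline. The following Python is an added example, not code from RAT, nipper, BSCA or any poster; the baseline lists, sample configs and function names are constructed for illustration, and the AAA test is a simplification (a VTY counts as covered when its login method list exists and does not include `line`).

```python
import re

# Checks drawn from the lists posted in this thread. A missing line counts as
# non-compliant, assuming the command appears in the running-config once set.
GLOBAL_BASELINE = ["no ip source-route", "no ip http server"]
L3_BASELINE = ["no ip proxy-arp"]


def parse(config):
    """Map each top-level line to its indented sub-commands."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and '!' separators
        if line[0].isspace() and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def changes(before, after):
    """Context-aware diff: sorted (context, command) lists, (added, removed)."""
    def flatten(sections):
        flat = {("", top) for top, subs in sections.items() if not subs}
        return flat | {(top, s) for top, subs in sections.items() for s in subs}
    old, new = flatten(parse(before)), flatten(parse(after))
    return sorted(new - old), sorted(old - new)


def vty_uses_aaa(sections, vty_subs):
    """True if this VTY logs in through an AAA method list that omits 'line'."""
    if "aaa new-model" not in sections:
        return False
    named = [s.split()[-1] for s in vty_subs if s.startswith("login authentication ")]
    wanted = named[0] if named else "default"
    for top in sections:
        m = re.fullmatch(r"aaa authentication login (\S+) (.+)", top)
        if m and m.group(1) == wanted:
            return "line" not in m.group(2).split()
    return False


def audit(config):
    """Return findings as (context, message) tuples."""
    sections = parse(config)
    found = [("", "missing: " + c) for c in GLOBAL_BASELINE if c not in sections]
    for top, subs in sections.items():
        if top.startswith("interface ") and any(s.startswith("ip address ") for s in subs):
            found += [(top, "missing: " + c) for c in L3_BASELINE if c not in subs]
        if top.startswith("line vty") and not any(s.startswith("password ") for s in subs):
            if not vty_uses_aaa(sections, subs):  # skip the finding under full AAA
                found.append((top, "no VTY password and no AAA login list"))
    return found


# Constructed lab configs: the same router before and after hardening.
BEFORE = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 login
"""
AFTER = """\
no ip source-route
no ip http server
aaa new-model
aaa authentication login default group tacacs+ local
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    print(changes(BEFORE, AFTER))
    print(audit(BEFORE), audit(AFTER))
```

Because the diff keeps each sub-command's parent line, an interface-level change such as `no ip proxy-arp` is reported against the interface it was applied to rather than as a bare line.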
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Thanks to everyone for all the great info!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Rikard Skjelsvik
Sent: Monday, March 24, 2008 4:42 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)

Justin Shore wrote:
> Sridhar Ayengar wrote:
>> Fred Reimer wrote:
>>> Exactly, autosecure is just a macro. It is always advisable to check the actual router configuration after it is completed. The engineer should make sure they understand how all of the commands implemented, and if they don't, research them and make sure they know of any caveats.
>>
>> Is there anything similar that will allow me to take a router configuration file and interactively process it on an external system to increase security on my router?
>
> Yes. You can use RAT (Router Audit Tool).
>
> http://www.cisecurity.org/
>
> However that still doesn't exempt the admin from knowing exactly what each and every suggested command does. RAT bitches and moans about my configs because I don't ever set VTY passwords. RAT doesn't have the ability to recognize that they are not needed in my scenario because I utilize full AAA. RAT is programmed to look for certain things and give the pre-determined output. It's still a good tool but you have to understand what it's telling you to figure out if in fact there is a problem to be addressed. As always with security, there is no silver bullet.
>
> Justin

Or you could use nipper

http://sourceforge.net/projects/nipper
[c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
After reading this message it brought to mind the default steps I take whenever a new router is configured for our network. Here's the list of the stuff I do which I got from the hardening cisco routers book. What do you guys think? Should there be anything else? I also try to run ssh on any router that can support it.

GLOBAL CONFIG
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
END GLOBAL CONFIG

Per Interface Config
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
ip cef
END Per Interface Config

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Eric Cables
Sent: Friday, March 21, 2008 2:13 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] Proxy ARP -- To disable, or not to disable..

A recent network audit has discovered that Proxy ARP is enabled on pretty much every L3 interface in the network. As a Cisco default, this isn't surprising, since no template configs have it disabled. The question is: whether or not I should go back and disable it, or just leave it be, since it doesn't appear to be causing any problems. Any feedback would be appreciated.

--
Eric Cables
Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
hostname host
ip domain-name domain.tld
crypto key generate rsa modulus 2048
!
ip ssh time-out 60
ip ssh version 2
ip ssh authentication-retries 3
!
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
ip icmp rate-limit unreachable DF 2000
!
no ip http server
no ip http secure-server

There's a lot more to do. You should also look into autosecure as well as the Router Security Strategies book. Plus all the config for AAA, VTY, SNMP, NTP, logging, Lock & Key, CoPP, etc. The Cymru Secure IOS Template is worth looking at too.

http://www.cymru.com/Documents/secure-ios-template.html

Justin

Joseph Jackson wrote:
> After reading this message it brought to mind the default steps I take whenever a new router is configured for our network. Here's the list of the stuff I do which I got from the hardening cisco routers book. What do you guys think? Should there be anything else? I also try to run ssh on any router that can support it.
>
> GLOBAL CONFIG
> no service finger
> no service pad
> no service udp-small-servers
> no service tcp-small-servers
> service password-encryption
> service tcp-keepalives-in
> service tcp-keepalives-out
> no cdp run
> no ip bootp server
> no ip http server
> no ip finger
> no ip source-route
> no ip gratuitous-arps
> END GLOBAL CONFIG
>
> Per Interface Config
> no ip redirects
> no ip proxy-arp
> no ip unreachables
> no ip directed-broadcast
> no ip mask-reply
> ip cef
> END Per Interface Config
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:cisco-nsp- [EMAIL PROTECTED] On Behalf Of Eric Cables
> Sent: Friday, March 21, 2008 2:13 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Proxy ARP -- To disable, or not to disable..
>
> A recent network audit has discovered that Proxy ARP is enabled on pretty much every L3 interface in the network. As a Cisco default, this isn't surprising, since no template configs have it disabled. The question is: whether or not I should go back and disable it, or just leave it be, since it doesn't appear to be causing any problems. Any feedback would be appreciated.
>
> --
> Eric Cables