
RE: Ability to withstand well known attacks



On Tue, 22 Jul 2003, Smith, Donald wrote:
> Limiting what systems can communicate directly with your router via ACLs
> also helps.
> I personally think this last method is the best method as it also protects
> against other yet to be discovered attacks.
> If you can only ssh to my routers from a few "trusted" networks
> then a new ssh vulnerability is mitigated (not eliminated but the threat is
> lessened).

ACLs often have undesirable and significantly negative performance impact.

syncookies have none...

> Are any of the router vendors implementing syncookies?

unfortunately it seems not.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]