Best Practice - Removing Old Access-Control Lists from Bug Mitigations

Unanswered Question
Jul 28th, 2010

I was just auditing my Internet router configuration against the NSA Router Security Configuration Guide and came across the old entries below.

access-list 100 deny   53 any any
access-list 100 deny   55 any any
access-list 100 deny   77 any any
access-list 100 deny   pim any any

I remember applying them in the dim dark past and tracked it down to this advisory "Cisco IOS Interface Blocked by IPv4 Packets".

Clearly they've just been propagated when the router and IOS get upgraded.

My question is should we remove all the old workarounds, and how often do people audit their configs?

Anything after 12.3 is not vulnerable, so it could safely be removed, but then it doesn't really hurt to leave them since we aren't expecting any of those protocols to be coming from the internet.  There is always the possibility that someone will just copy it to a router with an older vulnerable IOS.

Obviously there will be a small amount of additional processing overhead on the ACL too.

All comments are welcome.

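One way to make this audit repeatable, as an added example that is not part of the original post: a small Python script that scans a saved "show running-config" for the deny entries of the old workaround (IP protocols 53, 55, 77 and pim, i.e. protocol 103), reads the "version" line, and decides per entry whether it is still doing anything. Assumptions, not facts from the page: the 12.3 cut-off is taken from the question as written, so check the advisory's fixed-release table for your exact train; the sample config, hostname and ACL names are constructed; and the script treats an ACL that would be left with no entries as something to keep, because an access-group that points at an ACL with no entries permits all traffic on IOS.

```python
"""Flag stale 'Cisco IOS Interface Blocked by IPv4 Packets' workaround ACEs.

Added example (not from the original post). Reads a running-config as text,
finds deny entries for the workaround protocols, and says whether each one
can go, given the IOS version in the config.
"""
import re

# Protocols listed in the post's workaround; 103 is the numeric form of pim.
LEGACY_PROTOS = {"53", "55", "77", "103", "pim"}
# Assumption taken from the question: 12.3 and later are not vulnerable.
FIXED_TRAIN = (12, 3)

ADVICE_KEEP_VERSION = "keep: IOS version unknown or below 12.3 (assumed fix threshold)"
ADVICE_EMPTY_ACL = "keep or replace: removing would leave the ACL with no entries, which permits everything"
ADVICE_REMOVE = "safe to remove on this IOS; record the advisory in a remark before deleting"

NUMBERED_ACE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
NAMED_ACL_HDR = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)\s*$")
NAMED_ACE = re.compile(r"^\s+(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*)$")
VERSION = re.compile(r"^version\s+(\d+)\.(\d+)")


def ios_version(config):
    """Return (major, minor) from the 'version X.Y' line, or None if absent."""
    for line in config.splitlines():
        m = VERSION.match(line)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def parse_aces(config):
    """Yield (line_no, acl, action, proto, text) for numbered and named ACEs."""
    current_named = None
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        m = NUMBERED_ACE.match(line)
        if m:
            current_named = None
            yield no, m.group(1), m.group(2), m.group(3), line
            continue
        m = NAMED_ACL_HDR.match(line)
        if m:
            current_named = m.group(1)
            continue
        if current_named is not None:
            m = NAMED_ACE.match(line)
            if m:
                yield no, current_named, m.group(1), m.group(2), line
                continue
            if line and not line.startswith(" "):
                current_named = None  # left the named-ACL stanza


def audit(config):
    """Return [(line_no, acl, proto, advice)] for every legacy workaround ACE."""
    aces = list(parse_aces(config))
    legacy = [a for a in aces if a[2] == "deny" and a[3].lower() in LEGACY_PROTOS]
    total_per_acl, legacy_per_acl = {}, {}
    for _no, acl, _act, _proto, _text in aces:
        total_per_acl[acl] = total_per_acl.get(acl, 0) + 1
    for _no, acl, _act, _proto, _text in legacy:
        legacy_per_acl[acl] = legacy_per_acl.get(acl, 0) + 1
    ver = ios_version(config)
    still_needed = ver is None or ver < FIXED_TRAIN
    report = []
    for no, acl, _act, proto, _text in legacy:
        if still_needed:
            advice = ADVICE_KEEP_VERSION
        elif legacy_per_acl[acl] == total_per_acl[acl]:
            advice = ADVICE_EMPTY_ACL
        else:
            advice = ADVICE_REMOVE
        report.append((no, acl, proto, advice))
    return report


# Constructed sample config: the four ACEs from the post inside a normal edge
# ACL, plus a named ACL that consists of nothing but workaround entries.
SAMPLE_CONFIG = """\
version 12.4
hostname edge-rtr
!
access-list 100 deny   53 any any
access-list 100 deny   55 any any
access-list 100 deny   77 any any
access-list 100 deny   pim any any
access-list 100 permit tcp any host 192.0.2.10 eq 22
access-list 100 deny   ip any any log
!
ip access-list extended LEGACY-ONLY
 deny 53 any any
 deny pim any any
!
interface GigabitEthernet0/0
 ip access-group 100 in
"""

if __name__ == "__main__":
    for line_no, acl, proto, advice in audit(SAMPLE_CONFIG):
        print(f"line {line_no:>3}  acl {acl:<12} proto {proto:<4} {advice}")
```

Run it against a config pulled by your usual backup tooling; the per-ACL check is the part worth keeping even if you disagree about the version cut-off, since it is the case where "just delete the old lines" quietly opens the interface.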
Panos Kampanakis Thu, 07/29/2010 - 07:51

I would not worry about processing. As long as you have an ACL applied, 2-3 lines more do not practically cause any extra overhead.

You can keep the deny lines there and they will not hurt.

As for how often people audit configs it depends on the policies. I have seen 6 months as the most common time frame.

I hope it helps.

PK
