Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1039
Views
0
Helpful
1
Replies

Best Practice - Removing Old Access-Control Lists from Bug Mitigations

ROBERT THOMSON
Level 1
Level 1

‎07-28-2010 06:21 PM - edited ‎03-09-2019 11:06 PM

I was just auditing my Internet router configuration against the NSA Router Security Configuration Guide and came across the old entries below.

access-list 100 deny   53 any any
access-list 100 deny   55 any any
access-list 100 deny   77 any any
access-list 100 deny   pim any any

I remember applying them in the dim dark past and tracked it down to this advisory "Cisco IOS Interface Blocked by IPv4 Packets".

Clearly they've just been propagated when then router and IOS get upgraded.

My question is should we remove all the old workarounds, and how often do people audit their configs?

Anything after 12.3 is not vulnerable, so it could safely be removed, but then it doesn't really hurt to leave them since we aren't expecting any of those protocols to be coming from the internet.  There is always the possibility that someone will just copy it to a router with an older vulnerable IOS.

Obviously there will be a small amount of additional processing overhead on the acl too.

All comments are welcome.

Labels:
0 Helpful
1 Reply 1

Panos Kampanakis
Cisco Employee
Cisco Employee

‎07-29-2010 07:51 AM

I would not worry about processing. As long as you have an ACL applied, 2-3 lines more do not practically cause any extra overhead.


You can keep the deny lines there and they will not hurt.

As for how often people audit configs it depends on the policies. I have seen 6 months as the most common time frame.

I hope it helps.

PK

0 Helpful
Customers Also Viewed These Support Documents