Admittedly my question is not only subjective but your answers may also differ based on your specific network's use... but here goes:
In the past our network has just relied on the IP Firewall Feature Set of Cisco IOS. We now have a PIX 515e pair that will be providing us with security, located just behind the border routers. Now that we are going to be using the PIX pair I would imagine we can safely reduce the number of ACL entries on the routers.
Web hosting and server hosting is primarily what we do - http, smtp, pop3, dns and a few others are pretty much all we need. Unfortunately our current ACL has some specific entries related to clients' servers, etc., so it isn't as easy as just allowing a handful of ports and denying everything else. I think we are probably going to need to deny a handful of protocols/ip-blocks and allow everything else in (and then let the PIX pair do their work.)
What services should I explicitly block by default? What net blocks such as 10.0.0.0, 172.16.0.0, 192.168.0.0 should I block? How about Unicast Reverse Path Forwarding (we will be running BGP so I guess I'll need loose mode)? Denying our own block(s) back in.... Any other "obvious" items I should address?
I'm so used to the main external interface on these routers having a heavy ACL applied to them that it is a strange concept opening them up. I could obviously just keep my existing ACL for a while but I'd rather let the PIXs do that work. Thanks for any advice,
Why would you route the bogons to null0 if you have them denied in an ACL already? Should you do both or one or the other? The only reason I can think of is to save on latency because the packet will not be handled by the ACL and would be routed directly to a black hole with no way out. Could there be any issues with BGP?
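A constructed IOS fragment, added here as an illustration (it is not from this thread or from Cisco), covering the items asked about above: RFC1918 and other bogon sources, the site's own prefix arriving from outside, loose-mode uRPF for the BGP case, and the Null0 routes the reply asks about. The prefix 203.0.113.0/24 and the interface name are placeholders.

```cisco
! Ingress anti-spoof filter for the Internet-facing interface.
! Policy is "deny the obvious, permit the rest" and leave
! per-service filtering to the PIX pair behind the routers.
ip access-list extended EDGE-IN
 remark --- private and other non-routable source ranges (bogons) ---
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 31.255.255.255 any log
 remark --- our own allocation must never arrive as a source from outside ---
 remark --- 203.0.113.0/24 is a placeholder for the site's real prefix ---
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark --- everything else goes on to the PIX pair ---
 permit ip any any
!
! Null0 routes for the same ranges: nothing destined to them can be
! forwarded upstream, and with loose-mode uRPF a source whose route
! points to Null0 is dropped by the RPF check as well.
ip route 0.0.0.0 255.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
interface GigabitEthernet0/0
 description Upstream transit (placeholder interface name)
 ip access-group EDGE-IN in
 ! Loose mode ("reachable-via any"): the source only needs a route in the
 ! FIB, not one via this interface, which is what asymmetric BGP paths need.
 ip verify unicast source reachable-via any
```

The ACL and the Null0 routes are complementary rather than redundant: the ACL states and logs the policy on the way in, while the Null0 routes stop traffic to those ranges leaving toward the upstream and feed the uRPF check.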