nanog mailing list archives

Re: management interface accessibility (was Re: Worm / UDP1434)


From: "Christopher L. Morrow" <chris () UU NET>
Date: Sun, 26 Jan 2003 21:40:23 +0000 (GMT)




On Sun, 26 Jan 2003, Rob Thomas wrote:


Hey, Chris.

] or the one that stealthily permitted udp 1434 from the outside world :(

Yeah.  :(

This is yet another reason why I tell folks with firewalls NOT to allow
everything from the internal (often mistakenly labelled "trusted") net
to the external nets.

The unfortunate but required security precautions are that you really
should filter as low down in the network as possible; this allows the most
granular filtering possible. Much of that could be accomplished with
simple router ACLs.

Filtering as close to the end hosts as possible allows you to explicitly
permit/deny traffic to the services required without as many compromises on
ACL length or granularity.

Note, it may require some automation of the acl deployment or management
of the acls could become 'complex' :)
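The per-segment, explicit-permit filtering and the ACL automation the reply above talks about, as an added example that is not part of the original thread and not anyone's production config: a small Python generator that turns a service allowlist for a (constructed, RFC 5737-addressed) SQL server segment into Cisco IOS-style extended ACL lines, plus a first-match evaluator showing that a UDP/1434 flow is dropped in both directions because nothing permits it. All addresses, ACL numbers and the service list are assumptions for illustration.

```python
"""Per-segment ACL generation from an explicit service allowlist (added example)."""
from ipaddress import ip_address, ip_network

# Constructed example addressing (RFC 5737 documentation ranges), not from the thread.
WEB_TIER = "192.0.2.0/26"
SQL_TIER = "192.0.2.64/26"
ADMIN_HOST = "198.51.100.10/32"
RESOLVER = "198.51.100.53/32"

# Each rule: (action, protocol, source CIDR, destination CIDR, destination port or None).
# Only the services the segment really needs are permitted; the trailing
# "deny ip any any" makes everything else, including udp/1434, fall through to a drop.
INBOUND_TO_SQL = [
    ("permit", "tcp", WEB_TIER,   SQL_TIER, 1433),   # SQL Server from the web tier only
    ("permit", "tcp", ADMIN_HOST, SQL_TIER, 22),     # admin SSH from one host
    ("deny",   "ip",  "0.0.0.0/0", "0.0.0.0/0", None),
]
# The same idea applied outbound: the "internal" side is not trusted either.
OUTBOUND_FROM_SQL = [
    ("permit", "udp", SQL_TIER, RESOLVER,    53),    # DNS to the resolver only
    ("permit", "tcp", SQL_TIER, "0.0.0.0/0", 443),   # vendor updates over HTTPS
    ("deny",   "ip",  "0.0.0.0/0", "0.0.0.0/0", None),
]


def wildcard(cidr):
    """IOS-style 'network wildcard' text: 'any' for 0.0.0.0/0, 'host x' for a /32."""
    net = ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_acl(number, rules):
    """Emit the rules as numbered extended ACL lines in Cisco IOS syntax."""
    lines = []
    for action, proto, src, dst, port in rules:
        line = f"access-list {number} {action} {proto} {wildcard(src)} {wildcard(dst)}"
        if port is not None:
            line += f" eq {port}"
        if action == "deny":
            line += " log"          # log what the explicit deny catches
        lines.append(line)
    return lines


def evaluate(rules, src, dst, proto, port):
    """First-match evaluation of one flow against a rule list; no match means deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in ip_network(rsrc) or d not in ip_network(rdst):
            continue
        if rport is not None and rport != port:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    for number, rules in ((110, INBOUND_TO_SQL), (111, OUTBOUND_FROM_SQL)):
        print("\n".join(render_acl(number, rules)))
    # A Slammer-style probe to the SQL resolution service is dropped in both directions.
    print(evaluate(INBOUND_TO_SQL, "203.0.113.9", "192.0.2.70", "udp", 1434))
    print(evaluate(OUTBOUND_FROM_SQL, "192.0.2.70", "203.0.113.9", "udp", 1434))
```

The generated lists would be bound to the segment's router interface with the usual `ip access-group 110 in` / `ip access-group 111 out`; the point of generating them from a service table rather than hand-editing is exactly the automation the message mentions, so that adding a host or service changes one line of data instead of a growing ACL on every edge router.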

