Great Circle Associates Firewalls
(September 1996)
 


Subject: Re: IP spoofing
From: Ian Miller <firewalls @ scientia . com>
Date: Mon, 23 Sep 1996 11:06:25 +0100
To: Firewalls @ greatcircle . com

At 08:19 20/09/96 -0700, Ken Jones <kenj @ cayman . gblhorizon . com> wrote:
>We checked out both the CERT warning and the cisco web page. What
>they are advising is two things (in regard to packet filtering)
>
>1. Filter out IP spoofing for packets originating at your site. Don't
>   let your users be the bad guy.
>
Excellent advice.  One minor implementation point.  Most filters don't
let you write a rule that will deny all traffic that is NOT to or from
a specific address.  What we do is limit all our permit rules to having our
class-C (or a subset) as source or destination as appropriate.  Then any
packet with an invalid source address is blocked by default deny.  

I don't know if a site failing to do this could be held liable for the
actions of a local bad guy.  However as it is entirely avoidable there seems
no point in taking the risk.

Ian
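
The approach described in the message above, as an added example that is not part of the original post: every permit rule pins the site prefix on the site's side, so an outbound packet with a foreign source address matches nothing and falls through to default deny. The prefix 192.0.2.0/24, the rule tuple layout and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed site prefix (documentation range); stands in for "our class-C".
SITE = ipaddress.ip_network("192.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Permit rules only: (direction, source net, destination net, destination port).
# Outbound rules name SITE as source, inbound rules name SITE (or a subset)
# as destination, so no rule has "any" on the site's side.
RULES = [
    ("out", SITE, ANY, 25),                                   # outbound SMTP
    ("out", SITE, ANY, 80),                                   # outbound HTTP
    ("in", ANY, ipaddress.ip_network("192.0.2.10/32"), 25),   # inbound SMTP to mail host
]

def filter_packet(direction, src, dst, dport, rules=RULES):
    """Return 'permit' if some rule matches, otherwise 'deny' (default deny)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for r_dir, r_src, r_dst, r_port in rules:
        if (r_dir == direction and src_ip in r_src
                and dst_ip in r_dst and dport == r_port):
            return "permit"
    return "deny"

def audit_rules(rules=RULES, site=SITE):
    """Return the rules that do not pin the site prefix on the site's side."""
    bad = []
    for rule in rules:
        r_dir, r_src, r_dst, _ = rule
        pinned = r_src if r_dir == "out" else r_dst
        if not pinned.subnet_of(site):
            bad.append(rule)
    return bad

if __name__ == "__main__":
    # Constructed sample packets: a legitimate one and one with a spoofed source.
    print(filter_packet("out", "192.0.2.55", "198.51.100.7", 80))
    print(filter_packet("out", "203.0.113.9", "198.51.100.7", 80))
    print(audit_rules())
```

Running `audit_rules` over a rule set before it is loaded catches a permit rule written with "any" as the outbound source, which would silently reopen the spoofing path.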

