Re: CISCO ACLs.. Are there lists already out there to protect me from trojans and known bad sites?

From: Dave Bush (hockeystatman_at_gmail.com)
Date: 11/10/05

  • Next message: Raoul Armfield: "Re: Are there any pocketable Hardware Password Vaults"
    Date: Thu, 10 Nov 2005 12:16:18 -0500
    To: security-basics@securityfocus.com
    
    

    On 11/9/05, Christopher Carpenter <ccarpenter@dswa.net> wrote:
    > Look at it the other way. You want to DENY ALL, then ALLOW SOME. Block
    > all ports and IPs, and then grant access to the ones you need.
    >
    > If you ALLOW ALL, DENY SOME you will end up fighting a losing battle
    > creating ACL after ACL.

    I concur with Chris. Cisco best practices are to always deny all and
    only allow what you absolutely need in. Won't replace a firewall, but
    will at least help.

    I'd think if you're already blocking all and only letting in what you
    need via your ACL rule set that you might need a network based IDS/IPS
    as your next step behind the router to catch / block worm / virus
    traffic.

    --
    Dave Bush <hockeystatman@gmail.com>
    There are two seasons in my world - Hockey and Construction
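
The difference between the two approaches discussed in this message, as an added example that is not part of either poster's text: a small first-match ACL evaluator with the implicit deny that ends every Cisco access list, run over constructed rules and flows. All names, ports and addresses are hypothetical (addresses come from the 192.0.2.0/24 documentation range).

```python
import ipaddress
from collections import namedtuple

# action: permit/deny; proto: tcp/udp/ip (ip = any); dst: CIDR; port: None = any
Rule = namedtuple("Rule", "action proto dst port")
Flow = namedtuple("Flow", "proto dst port")

def evaluate(acl, flow):
    """First matching rule wins; no match falls through to the implicit deny."""
    addr = ipaddress.ip_address(flow.dst)
    for rule in acl:
        if (rule.proto in ("ip", flow.proto)
                and addr in ipaddress.ip_network(rule.dst)
                and rule.port in (None, flow.port)):
            return rule.action
    return "deny"

# Constructed "allow all, deny some" policy: block what is known, pass the rest.
DENY_SOME = [
    Rule("deny", "tcp", "0.0.0.0/0", 135),
    Rule("deny", "tcp", "0.0.0.0/0", 445),
    Rule("permit", "ip", "0.0.0.0/0", None),
]
# Constructed "deny all, allow some" policy: list only the needed services.
ALLOW_SOME = [
    Rule("permit", "tcp", "192.0.2.10/32", 80),
    Rule("permit", "tcp", "192.0.2.10/32", 443),
    Rule("permit", "tcp", "192.0.2.25/32", 25),
]   # nothing else listed: the implicit deny drops the rest

# Constructed inbound flows: two wanted services, three nobody planned for.
FLOWS = [
    Flow("tcp", "192.0.2.10", 443),
    Flow("tcp", "192.0.2.25", 25),
    Flow("tcp", "192.0.2.10", 445),
    Flow("tcp", "192.0.2.10", 3389),
    Flow("udp", "192.0.2.25", 1434),
]

def permitted(acl, flows=FLOWS):
    """Return the flows the ACL lets through."""
    return [f for f in flows if evaluate(acl, f) == "permit"]

if __name__ == "__main__":
    for name, acl in (("deny some", DENY_SOME), ("allow some", ALLOW_SOME)):
        print(name, [tuple(f) for f in permitted(acl)])
```

The deny-some list stops only the port it already names, so every new unwanted service needs another entry; the allow-some list passes the two wanted services and nothing else.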
    
