Hey guys and girls,
Now, under normal circumstances everybody would use a firewall before their edge router connects to the internet, and all the drops and permits would go on the firewall.
In my setup, I do not have a firewall in place; I have two ACLs that sit on the upstream interface(s), one inbound and the other outbound.
Thing is, you can make it as complicated as you want: drop all the nitty-gritty and then permit, or permit what you want and drop everything else. As it stands, Cisco evaluates an ACL line by line, so the more lines you have, the more computation and the higher the CPU.
What I want to know from people working at ISPs/SPs that are also transit providers is: how would you go about it? Keep it simple with as few lines as possible, or would you have 200 lines in each ACL? What is the common practice in your case, and why?
I mean, yes: drop bogons, drop your own IP space coming in, drop DNS, BGP, NTP, UPnP, SMTP and maybe even ICMP, but would you then go ahead and do more?
I am not even going to try to stop DDoS using ACLs, because I can't; it doesn't matter what hardware I have, I can't. I don't know what a firewall could do, and I'm not going to find out soon.
My biggest worry after DDoS is having my IP space blacklisted; it's usually spam over SMTP, or somebody who has just watched The Matrix trying to log into the IRS database too many times. Either way, whitelisting is a bitch, and worse when money is required and clients don't want to pay and switch providers instead; there's no law to prosecute the SOB.
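As an added illustration (this is my own toy code, not config from the post or any vendor), the following Python parses a small inbound upstream-interface ACL of the kind sketched above and walks constructed packets through it line by line, returning which line decided each packet and how many lines had to be tested to get there. The addressing (203.0.113.0/24 as "our" space with loopbacks in the first /26, 198.51.100.0/30 as the upstream link, peer 198.51.100.1), the ACL text and the sample packets are all assumptions chosen for the example; only the `permit`/`deny` + `host`/wildcard + `eq` subset of IOS extended-ACL syntax is handled.

```python
"""Toy evaluator for a subset of Cisco IOS extended-ACL syntax (added example)."""
import ipaddress
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# Assumed addressing (documentation ranges, not from the post): 203.0.113.0/24 is
# our allocation with router loopbacks in 203.0.113.0/26; 198.51.100.0/30 is the
# upstream link (upstream .1, our router .2); 192.0.2.0/24 is "the internet".
INBOUND_ACL = """
remark private/bogon sources, then our own space arriving from outside (spoofed)
deny   ip  10.0.0.0 0.255.255.255 any
deny   ip  172.16.0.0 0.15.255.255 any
deny   ip  192.168.0.0 0.0.255.255 any
deny   ip  127.0.0.0 0.255.255.255 any
deny   ip  203.0.113.0 0.0.0.255 any
remark eBGP with the upstream peer, both TCP directions, before the BGP deny
permit tcp host 198.51.100.1 host 198.51.100.2 eq 179
permit tcp host 198.51.100.1 eq 179 host 198.51.100.2
deny   tcp any host 198.51.100.2 eq 179
remark shield loopbacks on management ports, then pass customer transit
deny   tcp any 203.0.113.0 0.0.0.63 eq 22
deny   udp any 203.0.113.0 0.0.0.63 eq 123
deny   udp any 203.0.113.0 0.0.0.63 eq 161
permit ip  any any
"""

# action permit/deny; proto ip/tcp/udp/icmp ("ip" matches any protocol);
# sport/dport are None unless the ACE carries "eq N" after that address.
Ace = namedtuple("Ace", "action proto src sport dst dport")
Packet = namedtuple("Packet", "proto src sport dst dport")
AddrSpec = namedtuple("AddrSpec", "net wild")  # Cisco wildcard: 1 bits = don't care

def ip2int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def addr_matches(spec: AddrSpec, addr: int) -> bool:
    care = ~spec.wild & 0xFFFFFFFF
    return addr & care == spec.net & care

def _addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at token i."""
    if t[i] == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return AddrSpec(ip2int(t[i + 1]), 0), i + 2
    return AddrSpec(ip2int(t[i]), ip2int(t[i + 1])), i + 2

def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq N' at token i."""
    return (int(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)

def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        if t[0] not in ("permit", "deny") or t[1] not in ("ip", "tcp", "udp", "icmp"):
            raise ValueError(f"unsupported ACE: {line.strip()}")
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        if i != len(t):
            raise ValueError(f"trailing tokens in ACE: {line.strip()}")
        aces.append(Ace(t[0], t[1], src, sport, dst, dport))
    return aces

def _hit(ace: Ace, p: Packet) -> bool:
    return (ace.proto in ("ip", p.proto)
            and addr_matches(ace.src, ip2int(p.src)) and addr_matches(ace.dst, ip2int(p.dst))
            and ace.sport in (None, p.sport) and ace.dport in (None, p.dport))

def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, int]:
    """First match wins: (verdict, lines tested). No match = implicit deny after every line."""
    for n, ace in enumerate(acl, 1):
        if _hit(ace, p):
            return ace.action, n
    return "deny", len(acl)

# Constructed sample traffic arriving on the upstream interface (not captured data).
SAMPLE_PACKETS: Dict[str, Packet] = {
    "private_src":  Packet("udp", "10.1.2.3", 53, "203.0.113.200", 53),
    "spoofed_src":  Packet("tcp", "203.0.113.7", 40000, "203.0.113.200", 80),
    "ebgp_open":    Packet("tcp", "198.51.100.1", 45000, "198.51.100.2", 179),
    "ebgp_reply":   Packet("tcp", "198.51.100.1", 179, "198.51.100.2", 45001),
    "rogue_bgp":    Packet("tcp", "192.0.2.9", 5000, "198.51.100.2", 179),
    "ssh_loopback": Packet("tcp", "192.0.2.9", 5001, "203.0.113.5", 22),
    "ntp_loopback": Packet("udp", "192.0.2.9", 123, "203.0.113.5", 123),
    "customer_web": Packet("tcp", "192.0.2.9", 5002, "203.0.113.200", 443),
    "customer_ssh": Packet("tcp", "192.0.2.9", 5003, "203.0.113.200", 22),
}

def evaluate_all(acl_text: str = INBOUND_ACL,
                 packets: Dict[str, Packet] = SAMPLE_PACKETS) -> Dict[str, Tuple[str, int]]:
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, p) for name, p in packets.items()}
```

Calling `evaluate_all()` shows the two points the ACL is built around: the BGP permit for the upstream peer has to precede the BGP deny, and it needs both directions of the TCP session (the reply packets carry source port 179, which a destination-only `eq 179` never sees); and the management-port denies cover only the router loopbacks, so `customer_ssh` to 203.0.113.200 still falls through to the final permit while `ssh_loopback` is dropped. It ignores IPv6, fragments, ICMP and `established`, and the line count it reports is only a cost on software-forwarded paths: a platform that evaluates ACLs in TCAM spends the same per-packet time however long the list is, and a long list costs TCAM capacity instead of CPU.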
Cheers