IANA's ephemeral port range seems to be more of a suggestion than a standard, so I'm curious about how folks might craft input control-plane filters on their network gear in light of that.
If it doesn't already, you can't force gear you don't control (i.e. EBGP neighbours) to behave.
So, do you make your ephemeral range as wide as possible, i.e. 1023 - 65535?
Or, assuming the following:
term SERVER {
    from {
        source-prefix-list {
            AP:BGP:VRF:V4;
        }
        destination-prefix-list {
            AP:PHY:GLOBAL:V4;
        }
        protocol tcp;
        destination-port bgp;
    }
    then {
        count ACCEPT:BGP-VRF:SERVER;
        accept;
    }
}
term CLIENT {
    from {
        source-prefix-list {
            AP:BGP:VRF:V4;
        }
        destination-prefix-list {
            AP:PHY:GLOBAL:V4;
        }
        protocol tcp;
        source-port bgp;
        tcp-established;
    }
    then {
        count ACCEPT:BGP-VRF:CLIENT;
        accept;
    }
}
term DISCARD {
    from {
        protocol tcp;
        port bgp;
    }
    then {
        count DISCARD:BGP-VRF:UNKNOWN;
        log;
        discard;
    }
}
What's the security implication of not filtering ephemerals at all?
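To make the trade-off concrete, here is an added example (not from the original post, and not a vendor tool): a small Python model of the three terms above with first-match semantics, run over constructed BGP packets. The prefix-list contents, the `syn_only` flag standing in for what `tcp-established` matches on, and the implicit discard after the last term are all assumptions made for the example; the optional `ephemeral_range` argument shows what changes when the CLIENT term is additionally pinned to a narrow local-port range.

```python
"""Model of the SERVER / CLIENT / DISCARD control-plane filter terms (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BGP_PORT = 179

# Constructed prefix-list contents; the real lists live on the router.
PREFIX_LISTS = {
    "AP:BGP:VRF:V4": [ip_network("192.0.2.0/24")],        # configured BGP neighbours
    "AP:PHY:GLOBAL:V4": [ip_network("198.51.100.0/24")],  # the router's own addresses
}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn_only: bool = False  # True = bare SYN (new connection), which tcp-established does not match


def in_list(addr, name):
    a = ip_address(addr)
    return any(a in net for net in PREFIX_LISTS[name])


def term_server(p):
    """Neighbour opening a session to our port 179."""
    return (in_list(p.src, "AP:BGP:VRF:V4")
            and in_list(p.dst, "AP:PHY:GLOBAL:V4")
            and p.dport == BGP_PORT)


def term_client(p, ephemeral_range=None):
    """Reply traffic for sessions we opened: neighbour port 179 -> our ephemeral port.
    If ephemeral_range is given, the local port must also fall inside it."""
    in_range = ephemeral_range is None or ephemeral_range[0] <= p.dport <= ephemeral_range[1]
    return (in_list(p.src, "AP:BGP:VRF:V4")
            and in_list(p.dst, "AP:PHY:GLOBAL:V4")
            and p.sport == BGP_PORT
            and not p.syn_only
            and in_range)


def term_discard(p):
    """Any remaining TCP/179 traffic, whichever side the port is on."""
    return p.sport == BGP_PORT or p.dport == BGP_PORT


def evaluate(p, ephemeral_range=None):
    """First matching term wins, as in a Junos firewall filter."""
    if term_server(p):
        return "ACCEPT:BGP-VRF:SERVER"
    if term_client(p, ephemeral_range):
        return "ACCEPT:BGP-VRF:CLIENT"
    if term_discard(p):
        return "DISCARD:BGP-VRF:UNKNOWN"
    return "DEFAULT"  # assumed: falls through to later terms / the implicit discard


# Constructed sample packets.
SAMPLES = {
    "neighbour opens session": Packet("192.0.2.1", "198.51.100.1", 54321, 179),
    "reply to our session": Packet("192.0.2.1", "198.51.100.1", 179, 60000),
    "unknown host, sport 179": Packet("203.0.113.5", "198.51.100.1", 179, 60000),
    "neighbour bare SYN from 179": Packet("192.0.2.1", "198.51.100.1", 179, 60000, syn_only=True),
    "reply to low local port": Packet("192.0.2.1", "198.51.100.1", 179, 1024),
}


def run_samples(ephemeral_range=None):
    return {name: evaluate(p, ephemeral_range) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for rng in (None, (49152, 65535)):
        print(f"ephemeral_range={rng}")
        for name, verdict in run_samples(rng).items():
            print(f"  {name:30} -> {verdict}")
```

With no ephemeral restriction, the prefix lists plus `tcp-established` already stop off-list sources and unsolicited SYNs from port 179, and a reply to a low local port (1024) is still accepted. Pin the CLIENT term to the IANA range (49152-65535) and that same legitimate reply falls through to the DISCARD term, which is the practical cost of a narrow range when the local stack does not honour it.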