RE: Cisco IOS vulnerability

From: Octavio Novoa (ONOVOAat_private)
Date: Fri Jul 18 2003 - 13:41:28 PDT

Next message: Probe Networks: "Re: Strange DoS / new halflife server bug? (Update)"

Previous message: jlewisat_private: "Re: Cisco IOS vulnerability"
Maybe in reply to: Gustavo Kruel: "Cisco IOS vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I've tried myself the undefinied ACL as "not of the others rule" but never
worked out. I always specify the last acl as "permit everything I do not
want to deny".

______________________________
Octavio Novoa Linares

DIVEO Telecomunicaciones del Perú
Ph. 511-4224522 Ext. 2154 Fax 511-4220064
AIM Id: onovoa 99



-----Mensaje original-----
De: Mitchell Rowton [mailto:mitchellat_private]
Enviado el: Viernes, 18 de Julio de 2003 02:24 p.m.
Para: wangwat_private; Gustavo Kruel; incidentsat_private
Asunto: Re: Cisco IOS vulnerability


I just looked this up to verify my memory, in Managing Cisco Network 
Security by Michael Wenstrom (p.713) it says that undefined access list 
equals permit any.  I'm not saying it is true...  just referencing that 
book.

But in this case a "tcp established" ACL isn't empty anyway.  Yeah, 
this should be fine.


____________________________________________________
http://www.attackprevention.com
Information Security documents, articles, and policy
> 
> My understanding of the basic way cisco ACL works are: if your ACL is 
not 
> empty, then any unmatched packet (with ACL list) will be dropped, 
like a 
> default deny all. So in your case, the supposedly attack packets all 
use 
> protocol 53, 55 etc, thus won't match anything in your ACL list, thus 
shall be 
> dropped. So for this particular attack, it shall be OK (provided the 
ACL has 
> applied to the external interface for external attacks).
> 
> Any cisco expert has any comment / confirmation on this?
> 



----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training
sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's
to 
"underground" security specialists.  See for yourself what the buzz is
about!  
Early-bird registration ends July 3.  This event will sell out.
www.blackhat.com
----------------------------------------------------------------------------

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Next message: Probe Networks: "Re: Strange DoS / new halflife server bug? (Update)"
Previous message: jlewisat_private: "Re: Cisco IOS vulnerability"
Maybe in reply to: Gustavo Kruel: "Cisco IOS vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Jul 19 2003 - 08:39:50 PDT