On Sun, Feb 13, 2000 at 03:24:07PM -0800, Josh Bailey wrote:
> In addition, I strongly recommend usage of the Ascend-Source-IP-Check RADIUS attribute in your default RADIUS reply profile. This attribute tells the NAS to enforce the netmask on the *source* address of packets coming in a switched connection. This lets you dispose of all spoofed packets from dialups without the use of an explicit, hard to maintain (and CPU expensive) filter (needs TAOS 7.x and later).
I'd also add that ISPs should turn `Remote Mgmt' to `No' on Ascend units. I've lost count of the amount of times I've been troubleshooting ISP networks and found this still set to on. It means that any customer able to dial in with an MPP call can get direct access to the RAS via an inband management protocol. Bad Bad Bad.

As for the exploits in the original message - they all seemed pretty common sense to me. Nothing that sitting on bugtraq and applying recent patches would not fix.

The interesting point, and the one that I would like comment on, is whether this sort of network security (anti-smurf and the like) is the responsibility of the ISP or the client. How much of the burden of stopping network-borne security attacks should be borne by the provider and how much by the end user of the server? I.e., should ISPs filter traffic to clients based on sensible rules, or should they just provide IP dialtone and leave the filtering up to the client?

Comment?

Dean

--
-----------------------------------------------------------------------
Dean Pemberton - dp(a)lucent.com
Linux User# 157870
Guy who does stuff at Lucent Technologies - Bell Labs Innovations
Lvl 38, 55 Collins St, Melbourne 3000, Australia
-----------------------------------------------------------------------
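The source-address enforcement Josh describes in the quoted message, as an added example that is not from the original thread or from Ascend: a Python model of the check a NAS performs when Ascend-Source-IP-Check is set, using the Framed-IP-Address/Framed-IP-Netmask handed out for each dial-in session. The session table, addresses and helper names are constructed assumptions.

```python
import ipaddress
import struct

# Constructed per-session state, as a NAS would hold it after the RADIUS
# Access-Accept: dial-in port -> (Framed-IP-Address, Framed-IP-Netmask).
# Ascend-Source-IP-Check tells the NAS to enforce this netmask on the
# *source* of every packet arriving over the call.
SESSIONS = {
    "port-1": ("203.0.113.10", "255.255.255.255"),   # single-host dialup
    "port-2": ("198.51.100.64", "255.255.255.240"),  # routed /28 behind the call
}


def allowed_source_net(framed_ip, framed_mask):
    """Prefix that packets arriving on this session may legitimately carry."""
    return ipaddress.ip_network(f"{framed_ip}/{framed_mask}", strict=False)


def ipv4_source(packet):
    """Pull the source address out of a raw IPv4 header (bytes 12..15)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.IPv4Address(packet[12:16])


def source_ip_check(port, packet):
    """True if the source lies inside the session's assigned prefix,
    False if the NAS should discard it as spoofed."""
    framed_ip, framed_mask = SESSIONS[port]
    return ipv4_source(packet) in allowed_source_net(framed_ip, framed_mask)


def build_ipv4(src, dst, payload=b""):
    """Constructed test input: a minimal IPv4 header (checksum left zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def filter_session_packets(port, packets):
    """Split a session's inbound packets into (accepted, dropped)."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if source_ip_check(port, pkt) else dropped).append(pkt)
    return accepted, dropped


if __name__ == "__main__":
    legit = build_ipv4("203.0.113.10", "192.0.2.1")
    forged = build_ipv4("10.0.0.1", "192.0.2.1")  # source not owned by the call
    ok, bad = filter_session_packets("port-1", [legit, forged])
    print(f"accepted {len(ok)}, dropped {len(bad)}")
```

The same check is what an explicit per-port access list would have to express by hand; here the prefix comes straight from the RADIUS reply, so it stays in step with address assignment.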