I was just auditing my Internet router configuration against the NSA Router Security Configuration Guide and came across the old entries below.
access-list 100 deny 53 any any
access-list 100 deny 55 any any
access-list 100 deny 77 any any
access-list 100 deny pim any any
I remember applying them in the dim dark past and tracked it down to this advisory "Cisco IOS Interface Blocked by IPv4 Packets".
Clearly they've just been propagated when the router and IOS get upgraded.
My question is should we remove all the old workarounds, and how often do people audit their configs?
Anything after 12.3 is not vulnerable, so they could safely be removed, but then it doesn't really hurt to leave them, since we aren't expecting any of those protocols to be coming from the Internet. There is always the possibility that someone will just copy it to a router with an older vulnerable IOS.
Obviously there will be a small amount of additional processing overhead on the ACL too.
All comments are welcome.
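A small config-audit helper for the situation the question and the answer describe, added here as an example and not code from either poster. It scans an IOS configuration for deny entries matching the four protocols in the old workaround (53, 55, 77 and PIM, in either numbered or named ACLs), reads the `version` line, and reports whether the entries are still needed using the answer's "after 12.3" rule of thumb as the threshold. The sample configuration, the hostname and ACL name in it, the `fixed_version` default, and the treatment of 12.3 itself as fixed are all assumptions made for the example; the advisory's own fixed-release table is what you should actually check against.

```python
"""Flag the stale 'Cisco IOS Interface Blocked by IPv4 Packets' workaround ACEs in an IOS config."""
import re

# The four protocols the old workaround ACEs denied. IOS writes 53, 55 and 77 as
# numbers and PIM (IP protocol 103) as a keyword; both spellings are accepted here.
# The IANA names are added for reference only; the posted config shows just the numbers.
WORKAROUND_PROTOCOLS = {
    "53": "SWIPE",
    "55": "IP Mobility",
    "77": "Sun ND",
    "pim": "PIM",
    "103": "PIM",
}

VERSION_RE = re.compile(r"^\s*version\s+(\d+)\.(\d+)\b")
NAMED_ACL_RE = re.compile(r"^\s*ip access-list\s+(?:standard|extended)\s+(\S+)")
NUMBERED_ACE_RE = re.compile(r"^\s*access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
NAMED_ACE_RE = re.compile(r"^\s+(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*)$")


def parse_ios_version(config):
    """Return (major, minor) from the 'version X.Y' line, or None if there is none."""
    for line in config.splitlines():
        m = VERSION_RE.match(line)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def find_workaround_aces(config):
    """Return every deny ACE (numbered or named ACL) whose protocol is in the workaround set."""
    hits = []
    current_named_acl = None
    for lineno, line in enumerate(config.splitlines(), 1):
        m = NAMED_ACL_RE.match(line)
        if m:
            current_named_acl = m.group(1)
            continue
        if not line.startswith(" "):
            # Any other top-level command ends a named-ACL block.
            current_named_acl = None
        m = NUMBERED_ACE_RE.match(line)
        if m:
            acl, action, proto, _rest = m.groups()
        elif current_named_acl:
            m = NAMED_ACE_RE.match(line)
            if not m:
                continue
            acl = current_named_acl
            action, proto, _rest = m.groups()
        else:
            continue
        proto = proto.lower()
        if action == "deny" and proto in WORKAROUND_PROTOCOLS:
            hits.append({"line": lineno, "acl": acl, "protocol": proto,
                         "name": WORKAROUND_PROTOCOLS[proto], "text": line.strip()})
    return hits


def audit(config, fixed_version=(12, 3)):
    """Classify the workaround ACEs found in config.

    'redundant'       - running version is at or past fixed_version (assumption: 12.3 counts as fixed)
    'still_needed'    - running version is older than fixed_version
    'unknown_version' - no version line, so decide by hand
    """
    version = parse_ios_version(config)
    hits = find_workaround_aces(config)
    if version is None:
        verdict = "unknown_version"
    elif version >= fixed_version:
        verdict = "redundant"
    else:
        verdict = "still_needed"
    return {"version": version, "verdict": verdict, "hits": hits}


# Constructed sample configuration for the example (hostname and ACL name are made up).
SAMPLE_CONFIG = """\
version 12.4
!
hostname edge-rtr
!
ip access-list extended FROM-INTERNET
 deny 53 any any
 deny pim any any
 permit tcp any any eq 22
!
access-list 100 deny 53 any any
access-list 100 deny 55 any any
access-list 100 deny 77 any any
access-list 100 deny pim any any
access-list 100 permit tcp any any eq 22
access-list 100 deny ip any any log
!
"""

if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print(f"IOS version {result['version']}: workaround ACEs are {result['verdict']}")
    for h in result["hits"]:
        print(f"  line {h['line']:3d}  acl {h['acl']:<14} {h['name']:<12} {h['text']}")
```

Run it against a saved `show running-config`; the entries it prints are the ones to consider removing, and the verdict tells you whether the running release is past the threshold you passed in. Note that only deny entries are flagged, since a permit for these protocols is not the workaround, and that the version-based verdict is only as good as the threshold you supply.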