Re: Q on external router

From: Randy Witlicki (randy.witlickiat_private)
Date: Wed Apr 22 1998 - 16:37:12 PDT


    >
    >1. A while ago, someone was discussing (not sure whether on the FW list or
    >the FW-Wizards list) the possibility of using a switch in the DMZ so that
    >even if a machine on the DMZ is compromised, it cannot be used for sniffing
    >traffic on the DMZ.  However, it was also pointed out by somebody that a
    >switch doesn't make a lot of difference.  So is it possible to do something
    >like this:
    >
    >
    >                 web server
    >                     |
    >                     |
    >                     |
    >   Internet ----- router ----- bastion host ----- router ----- internal net
    >
    >The "web server" above could possibly be a whole Ethernet segment with
    >other services.
    >
    >Has anybody done that before?
    
      The classic example is an end user site with a Cisco 2514 router
    with 2 Ethernet interfaces. The network diagram is:
    
    Internet - Serial port -- router --- Ethernet 0 to internal network
                                ^---- Ethernet 1 to DMZ/webserver
    
      Note that there is usually also a firewall system between Ethernet 0
    and the internal network.
    
    >2. Is there any known vulnerability/report of break-in of CISCO routers
    >(IOS) ?  (Assuming access list is applied on the external interface to
    >block all traffic to the router itself including icmp)
    
      There are three traffic flows to a Cisco router:
         - Data packets to the routing engine.  I don't know of any
    "break-ins" to the router reported via this route.  Older versions of
    the IOS are vulnerable to denial of service (teardrop I think).
         - The telnet console interface.
         - The SNMP interface.  For these two, normally configuration
    common sense and access list filters will do the job.
    
    >3. What is your opinion of allowing the bastion host telnetting to the
    >router to do config changes ?  This question is somewhat related to Q.1,
    >if the sniffing problem is solved, would it be still bad ?
    
      Allow a few internal network hosts to telnet to the router
    (controlled via access lists).
    
    >4. If only console access to the router is allowed, what normally do you
    >use for the "console" machine, can this machine be also used as a logging
    >machine for the router log ?
    
       Send syslog output to a syslog host on the internal Ethernet segment
    (this is all using the Cisco 2514 dual Ethernet model mentioned above).
    
      - Randy
    
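The points in Randy's reply (an inbound filter on the external interface that drops traffic to the router itself, vty access restricted to a few internal hosts by access list, syslog sent to an internal host) map onto a short IOS configuration for the dual-Ethernet 2514 layout he describes. The fragment below is an added illustration, not part of the original post or a Cisco-supplied configuration; every address (192.0.2.x for the serial link, 198.51.100.0/24 for the DMZ, 10.0.0.0/24 for the internal segment), the host names and the community string are placeholders chosen for the example.

```cisco
! Added example: minimal IOS config sketch for the 2514 layout above.
! All addresses, names and the community string are placeholders.
hostname border-rtr
service timestamps log datetime localtime
!
! Serial0 faces the Internet; 192.0.2.1 is the placeholder external address.
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
!
! Ethernet0 faces the internal network; the firewall sits behind it.
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
!
! Ethernet1 is the DMZ segment carrying the web server.
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
!
! Q2: inbound filter on the external interface. First drop anything
! addressed to the router's own interfaces (this covers ICMP as well),
! then drop obviously spoofed sources, then permit only what the DMZ
! serves and established return traffic for the internal segment.
! The firewall behind Ethernet0 applies the real internal policy.
access-list 101 deny   ip any host 192.0.2.1
access-list 101 deny   ip any host 198.51.100.1
access-list 101 deny   ip any host 10.0.0.1
access-list 101 deny   ip 10.0.0.0 0.0.0.255 any
access-list 101 deny   ip 198.51.100.0 0.0.0.255 any
access-list 101 permit tcp any host 198.51.100.10 eq 80
access-list 101 permit tcp any host 198.51.100.10 eq 443
access-list 101 permit tcp any 10.0.0.0 0.0.0.255 established
access-list 101 deny   ip any any log
!
! Q3: only two named internal hosts may reach the telnet console.
! access-class on the vty lines enforces this regardless of which
! interface the connection arrives on; the bastion host is not listed.
access-list 10 permit host 10.0.0.50
access-list 10 permit host 10.0.0.51
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login
 password CHANGE-ME-PLACEHOLDER
!
! The same standard list restricts the SNMP interface, read-only.
snmp-server community PLACEHOLDER-COMMUNITY RO 10
!
! Q4: ship router logs to the syslog host on the internal segment.
logging 10.0.0.20
logging trap informational
```

The `deny ... log` entries at the end of both lists are what make the syslog host useful: every rejected attempt to reach the router or the vty lines shows up there, so the internal log machine doubles as the place to notice probing against the border router.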



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:29 PDT