At 14:47 22/04/98 +0800, Vinci Chou wrote:

...<SNIP>...

>2. Is there any known vulnerability/report of break-in of CISCO routers
>(IOS) ? (Assuming access list is applied on the external interface to
>block all traffic to the router itself including icmp)

Have a look at http://www.cisco.com/warp/public/701/30.html and
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/icssecur.htm
http://www.cisco.com/warp/public/779/largeent/security/tips.html
to increase the security of your configuration.

>3. What is your opinion of allowing the bastion host telnetting to the
>router to do config changes ? This question is somewhat related to Q.1,
>if the sniffing problem is solved, would it still be bad ?

May I suggest that you link the router console or aux port via a serial
cable to the bastion host ? And do *not* run /bin/getty on this port ;-)

>4. If only console access to the router is allowed, what normally do you
>use for the "console" machine, can this machine be also used as a logging
>machine for the router log ?

Technically speaking yes, but may I advise you to log to a couple of
internal hosts ? Just to be sure not to miss a syslog event...

Another way is to log to the console port of the router and connect a
printer to this port (hoping that the log events will not come too fast...).

-eric

>
>
>Thanks,
>Vinci.
>

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evynckeat_private
Mobile: +32-75-312.458
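The following IOS configuration fragment is an added illustration of the three points made in the reply above (an inbound access list on the external interface that drops traffic addressed to the router itself, management only over the serial console with no login service on the aux or vty lines, and syslog sent to two internal collectors). It is not Eric's configuration nor anything from the Cisco documents he links; the interface names, the addresses (192.0.2.1 external, 10.0.0.0/24 internal, 10.0.0.10 and 10.0.0.11 as syslog hosts) and the password placeholder are assumed values chosen for the example.

```cisco
! Added example, not from the thread. Interface names and addresses are
! assumed placeholders: 192.0.2.1 is the router's external address,
! 10.0.0.1 its internal address, 10.0.0.0/24 the inside network.
!
service timestamps log datetime msec
service password-encryption
!
! Question 2: extended access list applied inbound on the external
! interface. Anything addressed to the router's own addresses (ICMP
! included) is dropped and logged; transit traffic to the inside is
! forwarded; everything else is dropped and logged.
access-list 101 deny   ip any host 192.0.2.1 log
access-list 101 deny   ip any host 10.0.0.1 log
access-list 101 permit ip any 10.0.0.0 0.0.0.255
access-list 101 deny   ip any any log
!
interface Serial0
 description Link to the Internet (assumed interface name)
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
!
interface Ethernet0
 description Inside network (assumed interface name)
 ip address 10.0.0.1 255.255.255.0
!
! Questions 3 and 4: the only way to reach the CLI is the serial cable
! from the bastion host on the console port. The aux line gets no exec
! and no transport, and the vty lines accept no inbound transport, so
! telnet to the router is impossible regardless of any sniffing concern.
line con 0
 exec-timeout 5 0
 login
 password CONSOLE-PASSWORD-PLACEHOLDER
line aux 0
 no exec
 transport input none
line vty 0 4
 transport input none
!
! Question 4: syslog to two internal hosts. Syslog over UDP gives no
! delivery guarantee, so a second collector lowers the chance that a
! single lost datagram or a collector outage means a missed event. A local
! buffer keeps recent messages on the box, and console logging is limited
! to warnings so a printer on the console is not flooded.
logging buffered 16384 informational
logging host 10.0.0.10
logging host 10.0.0.11
logging trap informational
logging source-interface Ethernet0
logging console warnings
```

With `transport input none` on the vty and aux lines the device has no network login path at all, which is the strongest form of the "console only" model the question asks about; the `log` keyword on the deny entries means every dropped packet aimed at the router shows up on both syslog collectors, which is exactly the kind of event one would not want to lose to a single dropped UDP datagram.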
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:32 PDT