Firewall Wizards mailing list archives

Re: Q on external router


From: Randy Witlicki <randy.witlicki () valley net>
Date: Wed, 22 Apr 1998 19:37:12 -0400


1. A while ago, someone was discussing (not sure if on the FW list or the
FW-Wizard list) the possibility of using a switch in the DMZ so that even
if a machine on the DMZ is compromised, it cannot be used for sniffing
traffic on the DMZ.  However, it was also pointed out by somebody that a
switch doesn't make a lot of difference.  So is it possible to do something
like this:


                web server
                    |
                    |
                    |
  Internet ----- router ----- bastion host ----- router ----- internal net

The "web server" above could possibly be a whole ethernet segment with
other services.

Has anybody done that before?

  The classic example is an end user site with a cisco 2514 router
with 2 ethernet interfaces. The network diagram is:

Internet - Serial port -- router --- Ethernet 0 to internal network
                            ^---- Ethernet 1 to DMZ/webserver
  Note that there is usually also a firewall system between Ethernet0
and the internal network.

2. Is there any known vulnerability/report of break-in of CISCO routers
(IOS)?  (Assuming an access list is applied on the external interface to
block all traffic to the router itself, including icmp)

  There are three traffic flows to a cisco router:
     - Data packets to the routing engine.  I don't know of any
"break-in"s to the router reported via this route.  Older versions of
the IOS are vulnerable to DenialOfService (teardrop I think).
     - The telnet console interface.
     - The SNMP interface.  For these two, normally configuration
common sense and access list filters will do the job.

3. What is your opinion of allowing the bastion host to telnet to the
router to do config changes?  This question is somewhat related to Q.1:
if the sniffing problem is solved, would it still be bad?

  Allow a few internal network hosts to telnet to the router
(controlled via access lists).

4. If only console access to the router is allowed, what do you normally
use for the "console" machine, and can this machine also be used as a
logging machine for the router log?

   Send syslog output to a syslog host on the internal ethernet segment
(this is all using the cisco 2514 dual ethernet model mentioned above).

  - Randy
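The four answers above put into one Cisco IOS configuration for the 2514 layout, as an added example that is not from the post; all addresses, host names and access-list numbers are constructed placeholders:

```cisco
! Added example, not from the post: one IOS configuration for the 2514
! layout above (Serial0 uplink, Ethernet0 internal, Ethernet1 DMZ), with a
! firewall still expected behind Ethernet0. All addresses are placeholders.
service password-encryption
enable secret REPLACE-WITH-STRONG-SECRET
! Q2: SNMP is one of the three ways into the router; off unless needed.
no snmp-server
!
interface Serial0
 description Internet uplink (192.0.2.2 is the router's own address)
 ip address 192.0.2.2 255.255.255.252
 ip access-group 101 in
 no ip redirects
!
interface Ethernet0
 description internal side, 198.51.100.0/24 (firewall sits behind this)
 ip address 198.51.100.1 255.255.255.0
!
interface Ethernet1
 description DMZ / web server segment, 203.0.113.0/24
 ip address 203.0.113.1 255.255.255.0
!
! Q2: inbound on the external interface, drop anything addressed to the
! router itself (all three addresses, ICMP included) or spoofing an inside
! source, then allow only web traffic to the DMZ server and replies inward.
access-list 101 deny   ip any host 192.0.2.2 log
access-list 101 deny   ip any host 198.51.100.1 log
access-list 101 deny   ip any host 203.0.113.1 log
access-list 101 deny   ip 198.51.100.0 0.0.0.255 any log
access-list 101 permit tcp any host 203.0.113.10 eq www
access-list 101 permit tcp any 198.51.100.0 0.0.0.255 established
access-list 101 deny   ip any any log
!
! Q3: telnet to the router only from two internal hosts, never from the
! bastion host: telnet is cleartext, so it stays off the DMZ segment.
access-list 10 permit host 198.51.100.20
access-list 10 permit host 198.51.100.21
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login
 password REPLACE-WITH-VTY-PASSWORD
 transport input telnet
!
! Q4: send the router log, including the ACL "log" hits above, to a
! syslog host on the internal Ethernet0 segment.
logging 198.51.100.30
logging trap informational
```

Because access-list 101 is applied only inbound on Serial0, it is the access-class on the vty lines that stops a compromised DMZ host from reaching the router's telnet interface via Ethernet1.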