Firewall Wizards mailing list archives
Re: Q on external router
From: Randy Witlicki <randy.witlicki () valley net>
Date: Wed, 22 Apr 1998 19:37:12 -0400
1. A while ago, someone was discussing (not sure whether on the FW list or the FW-Wizards list) the possibility of using a switch in the DMZ so that even if a machine on the DMZ is compromised, it cannot be used for sniffing traffic on the DMZ. However, it was also pointed out by somebody that a switch doesn't make a lot of difference. So is it possible to do something like:

                   web server
                       |
                       |
                       |
   Internet ----- router ----- bastion host ----- router ----- internal net

The "web server" above could possibly be a whole ethernet segment with other services. Has anybody done that before?
The classic example is an end user site with a cisco 2514 router with 2 ethernet interfaces. The network diagram is:

   Internet -- Serial port -- router --- Ethernet 0 to internal network
                                ^---- Ethernet 1 to DMZ/webserver

Note that there is usually also a firewall system between Ethernet0 and the internal network.
2. Is there any known vulnerability/report of break-in of CISCO routers (IOS)? (Assuming an access list is applied on the external interface to block all traffic to the router itself, including icmp.)
There are three traffic flows to a cisco router:
- Data packets to the routing engine. I don't know of any "break-in"s to the router reported via this route. Older versions of the IOS are vulnerable to DenialOfService (teardrop I think).
- The telnet console interface.
- The SNMP interface.
For these two, normally configuration common sense and access list filters will do the job.
3. What is your opinion of allowing the bastion host to telnet to the router to do config changes? This question is somewhat related to Q.1: if the sniffing problem is solved, would it still be bad?
Allow a few internal network hosts to telnet to the router (controlled via access lists).
4. If only console access to the router is allowed, what do you normally use for the "console" machine, and can this machine also be used as a logging machine for the router log?
Send syslog output to a syslog host on the internal ethernet segment (this is all using the cisco 2514 dual ethernet model mentioned above). - Randy -
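The three answers above (an inbound access list on the external interface that drops traffic addressed to the router itself, telnet to the router only from a few internal hosts, and syslog to a host on the internal segment) fit into one IOS configuration fragment for the dual-ethernet 2514 layout. This is an added example, not configuration from Randy's message or from anyone else in the thread; the interface addresses are RFC 5737 documentation ranges and the host addresses, community string and password are placeholders chosen for the example. It goes slightly beyond the thread by also dropping Internet packets that claim an inside source address and by restricting SNMP with the same management-host list.

```cisco
! Example layout (assumed for this fragment):
!   Serial0   203.0.113.2/30   Internet side
!   Ethernet0 10.0.0.1/24      internal network (firewall sits behind it)
!   Ethernet1 198.51.100.1/24  DMZ / web server segment
!
! Q2: inbound on the external interface, drop anything addressed to the
! router's own addresses (ICMP included), then drop packets arriving from
! the Internet with an inside source address, and let the rest through
! for the firewall and the DMZ hosts to deal with.
access-list 101 deny   ip any host 203.0.113.2
access-list 101 deny   ip any host 10.0.0.1
access-list 101 deny   ip any host 198.51.100.1
access-list 101 deny   ip 10.0.0.0 0.0.0.255 any
access-list 101 deny   ip 198.51.100.0 0.0.0.255 any
access-list 101 permit ip any any
!
interface Serial0
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
!
! Q3: telnet (vty) access to the router only from two internal
! management hosts; everything else, DMZ and Internet included, is denied.
access-list 5 permit 10.0.0.10
access-list 5 permit 10.0.0.11
access-list 5 deny   any
!
line vty 0 4
 access-class 5 in
 exec-timeout 10 0
 login
 password REPLACE-WITH-REAL-PASSWORD
!
! SNMP: read-only, and only from the same management hosts.
snmp-server community REPLACE-WITH-COMMUNITY RO 5
!
! Q4: ship the router log to a syslog host on the internal segment,
! with timestamps so the entries can be correlated with other logs.
service timestamps log datetime
logging 10.0.0.20
logging trap informational
logging facility local6
```

The deny entries for the router's own addresses come first because an access list is evaluated top down and stops at the first match; placing them after the `permit ip any any` line would make them dead entries. The vty `access-class` is what keeps the bastion host and DMZ machines out of the router even if they can reach it at the IP level, which is the point of Randy's "controlled via access lists" remark.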