Firewall Wizards mailing list archives

Re: Content Switch as security device?


From: Duncan Sharp <drsharp () pacbell net>
Date: Wed, 29 Jan 2003 15:54:55 -0800

"Ludolph, Michel" wrote:

This afternoon I had a discussion with a colleague. He told me about a
proposed Corporate Internet connection. Instead of using a Firewall between
the DMZ and the external network, the idea was to use a Cisco Content
Switch. This would result in the following architecture: Internet -->
screening router --> Content Switch --> router --> web servers.


I would move the "Content Switch" between router and "web servers". Now the
Content switch and web servers can be isolated to a DMZ.

The CSS (Content Server Switch) is not a firewall, but it has firewall
features:

    If you use IP destination address load balancing, then all ports are
    addressable.

    If you use destination port, or url content load balancing, then only the
    ports defined are opened.

    The CSS does a complete gateway connection spoof for layer 4+ connections.
    Your web servers can have RFC 1918 addresses.

    It can also be an OSPF router, but I still don't see any security passwords
    for this.


This would mean that the Content Switch also acts as a sort of
proxy-firewall, justified by the fact that only defined ports are permitted.

I do not feel very comfortable with this solution. What about syn-floods and
fragmentation attacks? Further, a Content Switch is not designed to act as a
security device (it may listen to ports you are not aware of).


    It does do SYN flood defending. It also does anti-spoofing, by default.

    It does have several default ports open:

    22 - sshd (if you purchase this option)
    23 - telnetd
    80 - httpd
    21 - ftpd (push an updated OS, download crash file)
    8081 - XML (I think this is the one)

    There is a RS232 console port. And there is a Management Network (10bt).

    Supports local user accounts (pre 5.0), radius auth (5.0+), TACACS+ (5.03).


Has anyone come across such a solution, or have any thoughts on this?


    It looks better with ver. 5.0 OS. I used 3.X to 4.01.
    Take a close look at the release notes, they are publicly avail.
    I see in ver. 5.03 you can still crash a CSS in configuration mode
    (CSCdv55143).
    Stability of the OS has been a difficult goal.


Thanks,


Yours,
Duncan Sharp


Michel Ludolph
michel.ludolph () atosorigin com
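Added illustration, not part of the thread above: the management daemons Duncan lists (22, 23, 80, 21, 8081) listen on the CSS itself regardless of which content rules are defined, so the "only defined ports are opened" property holds for the VIPs, not for the switch's own addresses. One way a defender closes that gap in the proposed design is an inbound ACL on the screening router that admits only the published service ports to the VIP and drops everything else, leaving management to the separate management network and console. Addresses (192.0.2.10 for the VIP, 192.0.2.1 for the CSS's own interface) and the interface name are constructed placeholders; the ACL syntax is standard Cisco IOS.

```cisco
! Constructed example: inbound filter on the screening router, Internet side.
! 192.0.2.10 = public VIP served by the CSS content rule (placeholder)
! 192.0.2.1  = the CSS's own routed interface address (placeholder)
ip access-list extended FROM-INTERNET
 ! Only the ports that a content rule actually publishes on the VIP.
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 ! Never let the CSS's own management daemons be reached from outside,
 ! whether or not they are enabled on a given OS version.
 deny   tcp any host 192.0.2.1 eq 22 log
 deny   tcp any host 192.0.2.1 eq 23 log
 deny   tcp any host 192.0.2.1 eq 21 log
 deny   tcp any host 192.0.2.1 eq 80 log
 deny   tcp any host 192.0.2.1 eq 8081 log
 ! Anything else toward the DMZ block is dropped and logged.
 deny   ip any any log
!
interface Serial0/0
 description Internet uplink (placeholder interface)
 ip access-group FROM-INTERNET in
```

The logged denies on the CSS's own address give a cheap signal of outside probing for the management ports, which is the kind of visibility the CSS alone does not provide.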

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
