Firewall Wizards mailing list archives
Re: Q on external router
From: Eric Vyncke <evyncke () cisco com>
Date: Thu, 23 Apr 1998 09:26:47 +0200
At 14:47 22/04/98 +0800, Vinci Chou wrote: ...<SNIP>...
2. Is there any known vulnerability/report of break-in of CISCO routers (IOS) ? (Assuming access list is applied on the external interface to block all traffic to the router itself including icmp)
Have a look at http://www.cisco.com/warp/public/701/30.html, http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/icssecur.htm and http://www.cisco.com/warp/public/779/largeent/security/tips.html to increase the security of your configuration.
3. What is your opinion of allowing the bastion host telnetting to the router to do config changes ? This question is somewhat related to Q.1, if the sniffing problem is solved, would it be still bad ?
May I suggest that you link the router console or aux port via a serial cable to the bastion host ? And do *not* run /bin/getty on this port ;-)
4. If only console access to the router is allowed, what normally do you use for the "console" machine, can this machine be also used as a logging machine for the router log ?
Technically speaking yes, but may I advise you to log to a couple of internal hosts? Just to be sure not to miss a syslog event... Another way is to log to the console port of the router and connect a printer to this port (hoping that the log events will not come too fast...). -eric
Thanks, Vinci.
Eric Vyncke, Technical Consultant, Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke () cisco com Mobile: +32-75-312.458
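As an added example (not from the thread and not from Cisco's own documentation), a constructed IOS configuration fragment that puts the advice above together: an inbound access list on the outside interface dropping everything addressed to the router itself (ICMP included), the vty and aux lines disabled so the serial console is the only management path, and logging sent to two internal syslog hosts. The interface name and every address are placeholders.

```cisco
! Constructed example. Placeholders: Serial0 = outside interface,
! 192.0.2.1 = its address, 10.1.1.10 and 10.1.1.11 = internal syslog hosts.
!
! Drop any packet destined for the router itself on the outside interface
! and log the attempt; everything else is passed on to the firewall behind.
access-list 101 deny   ip any host 192.0.2.1 log
access-list 101 permit ip any any
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
 no ip directed-broadcast
 no ip redirects
 no ip unreachables
!
! No remote logins at all: management happens over the console cable only.
line vty 0 4
 transport input none
 no exec
line aux 0
 transport input none
 no exec
line con 0
 exec-timeout 5 0
!
! Two internal collectors, so one host being down does not lose the record.
service timestamps log datetime msec
logging trap informational
logging facility local6
logging 10.1.1.10
logging 10.1.1.11
logging buffered 16384
!
! Services the router does not need on an external interface.
no service tcp-small-servers
no service udp-small-servers
no ip http server
```

The `log` keyword on the deny entry makes each blocked packet aimed at the router show up on the syslog hosts, which is the event worth watching on this box.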