Firewall Wizards mailing list archives

Re: Q on external router


From: Eric Vyncke <evyncke () cisco com>
Date: Thu, 23 Apr 1998 09:26:47 +0200

At 14:47 22/04/98 +0800, Vinci Chou wrote:
...<SNIP>...

> 2. Is there any known vulnerability/report of break-in of Cisco routers
> (IOS)?  (Assuming an access list is applied on the external interface to
> block all traffic to the router itself, including ICMP.)

Have a look at http://www.cisco.com/warp/public/701/30.html,
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/icssecur.htm and
http://www.cisco.com/warp/public/779/largeent/security/tips.html
to increase the security of your configuration.

> 3. What is your opinion of allowing the bastion host to telnet to the
> router to do config changes?  This question is somewhat related to Q.1:
> if the sniffing problem is solved, would it still be bad?

May I suggest that you link the router console or aux port via a serial
cable to the bastion host? And do *not* run /bin/getty on this
port ;-)

> 4. If only console access to the router is allowed, what do you normally
> use for the "console" machine? Can this machine also be used as a logging
> machine for the router log?

Technically speaking yes, but may I advise you to log to a couple
of internal hosts? Just to be sure not to miss a syslog event...

Another way is to log to the console port of the router and connect
a printer to this port (hoping that the log events will not come
too fast...).

-eric



> Thanks,
> Vinci.

Eric Vyncke      
Technical Consultant               Cisco Systems Belgium SA/NV
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke () cisco com          Mobile: +32-75-312.458
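[Editor's addition, not part of either message above: an illustration of what the router side of the setup Eric describes could look like as a Cisco IOS configuration fragment. It sends syslog to two internal collectors, keeps a local log buffer, makes the console line (cabled to the bastion host) the only exec path, shuts the unused aux line and disables telnet to the router entirely. The addresses, the interface name `Ethernet1` and the secrets are placeholders; older IOS releases spell `logging host a.b.c.d` as `logging a.b.c.d`.]

```text
! Added example configuration (not from the original thread).
! Addresses, the interface name and the secrets are placeholders.
service timestamps log datetime msec localtime show-timezone
service password-encryption
enable secret <enable-secret>
!
! Syslog to two internal collectors, so a lost UDP datagram on one
! path does not lose the event; the local buffer is a third copy.
logging buffered 16384 informational
logging trap informational
logging source-interface Ethernet1
logging host 192.168.1.10
logging host 192.168.1.11
! Messages written to the console would interleave with the exec
! session the bastion host opens on the console port, so they go to
! the buffer and the syslog hosts instead (this forgoes the
! "printer on the console" variant).
no logging console
!
! The only exec path: the console line, cabled to the bastion host.
line con 0
 exec-timeout 5 0
 password <console-password>
 login
!
! Aux line not in use: no exec and no transport at all.
line aux 0
 no exec
 transport input none
!
! No telnet (or any other transport) to the router from anywhere.
line vty 0 4
 transport input none
```

On the bastion side this matches Eric's point: nothing listens on the serial line (no getty), so the router's console is reached only by an administrator already logged into the bastion who opens the serial device with a terminal program such as `tip` or `cu`; the serial cable never becomes a login path *into* the bastion.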


