Firewall Wizards mailing list archives

Q on external router


From: Vinci Chou <vkmchou () hk super net>
Date: Wed, 22 Apr 1998 14:47:23 +0800 (HKT)

I have a question about the use of the router connecting the bastion host
to the Internet.

1. A while ago, someone was discussing (not sure if in the FW list or
FW-Wizard list) the possibility of using a switch in the DMZ so that even
if a machine on the DMZ is compromised, it cannot be used for sniffing
traffic on the DMZ.  However, it was also pointed out by somebody that a
switch doesn't make a lot of difference.  So is it possible to do
something like this:


                 web server
                     |
                     |
                     |
   Internet ----- router ----- bastion host ----- router ----- internal net

The "web server" above could possibly be a whole ethernet segment with
other services.

Has anybody done that before?


2. Is there any known vulnerability/report of break-in of Cisco routers
(IOS)?  (Assuming an access list is applied on the external interface to
block all traffic to the router itself, including ICMP.)

3. What is your opinion of allowing the bastion host to telnet to the
router to do config changes?  This question is somewhat related to Q.1:
if the sniffing problem is solved, would it still be bad?

4. If only console access to the router is allowed, what do you normally
use for the "console" machine, and can this machine also be used as a
logging machine for the router log?


Thanks,
Vinci.
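As an added illustration of the controls the questions above describe (this fragment is not from the original post or from anyone in the thread), here is a Cisco IOS configuration that drops traffic addressed to the router itself on the external interface, limits vty (telnet) access to the bastion host, and ships the router log to a syslog host. All addresses are placeholders from the 192.0.2.0/24 documentation range, and the interface name Serial0 is assumed.

```cisco
! Extended ACL 101: drop anything addressed to the router's own
! interfaces (ICMP included), then let the rest through to the bastion.
! Placeholder addresses: 192.0.2.1 = external interface,
! 192.0.2.2 = interface facing the bastion host,
! 192.0.2.3 = bastion host (also used as syslog host below).
access-list 101 deny   ip any host 192.0.2.1 log
access-list 101 deny   ip any host 192.0.2.2 log
! The question only asks about protecting the router itself; a real
! external router would replace this line with a much tighter policy.
access-list 101 permit ip any any
!
interface Serial0
 ip access-group 101 in
!
! Standard ACL 10: only the bastion host may open a vty session.
access-list 10 permit host 192.0.2.3
access-list 10 deny   any
!
line vty 0 4
 access-class 10 in
 login
 password <vty-password-placeholder>
 exec-timeout 5 0
!
! Router log goes to the logging host, timestamped so that console
! and syslog records can be correlated.
service timestamps log datetime
logging 192.0.2.3
logging trap informational
```

The `log` keyword on the two deny lines makes attempts to reach the router addresses show up on the syslog host, which is what turns the console/logging machine into a useful detection point.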


