Firewall Wizards mailing list archives
Q on external router
From: Vinci Chou <vkmchou () hk super net>
Date: Wed, 22 Apr 1998 14:47:23 +0800 (HKT)
I have a question about the use of the router connecting the bastion host to the Internet.

1. A while ago, someone was discussing (not sure whether in the FW list or the FW-Wizard list) the possibility of using a switch in the DMZ so that even if a machine on the DMZ is compromised, it cannot be used for sniffing traffic on the DMZ. However, it was also pointed out by somebody that a switch doesn't make a lot of difference. So is it possible to do something like this:

                  web server
                      |
                      |
                      |
  Internet ----- router ----- bastion host ----- router ----- internal net

The "web server" above could possibly be a whole ethernet segment with other services. Has anybody done that before?

2. Is there any known vulnerability/report of break-in of CISCO routers (IOS)? (Assuming an access list is applied on the external interface to block all traffic to the router itself, including ICMP.)

3. What is your opinion of allowing the bastion host to telnet to the router to do config changes? This question is somewhat related to Q.1: if the sniffing problem is solved, would it still be bad?

4. If only console access to the router is allowed, what do you normally use for the "console" machine? Can this machine also be used as a logging machine for the router log?

Thanks,
Vinci.
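As an added illustration of the setup assumed in questions 2 and 3 (an access list on the external interface that drops everything addressed to the router itself, and telnet to the router restricted to the bastion host), here is a Cisco IOS configuration fragment. It is example text written for this archive page, not something posted by Vinci or anyone else in the thread. The interface names (Serial0, Ethernet0), the addresses (203.0.113.1, 192.0.2.1, 192.0.2.2, taken from the RFC 5737 documentation ranges) and the access-list numbers are all assumptions chosen for the example.

```cisco
! Assumed layout (example values only):
!   Serial0    203.0.113.1   external (Internet-facing) interface
!   Ethernet0  192.0.2.1     interface towards the bastion host
!   Bastion host             192.0.2.2
!
! Inbound on the external interface: a packet arriving from the
! Internet can be addressed to ANY of the router's interface
! addresses, so every one of them must be denied here, not just the
! external address. "ip" covers ICMP as well as TCP/UDP.
access-list 101 deny   ip any host 203.0.113.1 log
access-list 101 deny   ip any host 192.0.2.1 log
! Anything claiming to come from the inside segment is spoofed.
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
! Everything else goes on to the bastion host, which does the real
! filtering.
access-list 101 permit ip any any
!
interface Serial0
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
!
! Telnet (vty) access: only the bastion host may connect.
access-list 2 permit host 192.0.2.2
access-list 2 deny   any
!
line vty 0 4
 access-class 2 in
 exec-timeout 5 0
 login
!
! Small services nobody needs on a border router.
no service tcp-small-servers
no service udp-small-servers
no ip source-route
```

Two caveats a practitioner would want. First, access-list 101 only filters packets entering on Serial0; it says nothing about packets that reach the router from the bastion side, so question 3 is really a question about what the bastion host (and whoever has compromised it) can do. Second, access-class 2 limits who may open the telnet session, but telnet itself is cleartext, so the router password still crosses whatever segment sits between the bastion host and the router, which is exactly the sniffing concern raised in question 1.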
Current thread:
- Q on external router Vinci Chou (Apr 22)
- Re: Q on external router Vinci Chou (Apr 22)
- Re: Q on external router Bennett Todd (Apr 22)
- Re: Q on external router Bernhard Schneck (Apr 22)
- Re: Q on external router Eric Vyncke (Apr 23)
- Re: Q on external router tqbf (Apr 23)
- Re: Q on external router Eric Vyncke (Apr 24)
- Re: Q on external router tqbf (Apr 24)
- Re: Q on external router Vinci Chou (Apr 22)
- RE: Q on external router Andrew J. Luca (Apr 24)
- Re: Q on external router Marcus J. Ranum (Apr 23)