OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NFR Wizards Archive: Re: Q on external router

Re: Q on external router

Eric Vyncke (evynckecisco.com)
Thu, 23 Apr 1998 09:26:47 +0200

At 14:47 22/04/98 +0800, Vinci Chou wrote:
...<SNIP>...

>2. Is there any known vulnerability/report of break-in of CISCO routers
>(IOS) ? (Assuming access list is applied on the external interface to
>block all traffic to the router itself including icmp)

Have a look at http://www.cisco.com/warp/public/701/30.html and
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/icssecur.htm
http://www.cisco.com/warp/public/779/largeent/security/tips.html
to increase the security of your configuration.

>3. What is your opinion of allowing the bastion host telnetting to the
>router to do config changes ? This question is somewhat related to Q.1,
>if the sniffing problem is solved, would it be still bad ?

May I suggest that you link the router console or aux port via a serial
cable to the bastion host ? And do *not* run /bin/getty on this
port ;-)

>4. If only console access to the router is allowed, what normally do you
>use for the "console" machine, can this machine be also used as a logging
>machine for the router log ?

Technically speaking yes, but may I advise you to log to a couple
of internal hosts ? Just to be sure not to miss a syslog event...

Another way, is to log to the console port of the router and connect
a printer to this port (hoping that the log events will not come
too fast...).

-eric

>
>
>Thanks,
>Vinci.
>
Eric Vyncke
Technical Consultant Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evynckecisco.com Mobile: +32-75-312.458

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:48 CDT