I have a question... I am currently expanding our network to accommodate a T1 to the
Internet and a 512K frame connection to our WAN. I need to purchase a router and spoke
to several vendors. I have heard conflicting stories regarding the model of Cisco router I
should get.

One vendor <vendor a> tells me that I should get a 2620 with 2 WAN ports and the other
vendor <vendor b> is telling me that I might compromise my security by using one router for
WAN and Internet connections. They're suggesting that I get 2 routers, one for my WAN and
another for the Internet connection...

Vendor B is telling me that it would be possible to enter our WAN without touching our firewall
should someone be able to hack into our IOS on the router...

I decided to go the experts... I would appreciate any helpful suggestions.

Thanks...

-Gerry

I'm looking similarly, but T1/PRI for dial-in support and a T3 to the
Internet.
Got Cisco 6509 on the Internet side and Ascend MAX 6000 on the WAN side.
Both managed by Checkpoint, on a Sun Ultra5.

Don't mean to be rude, these questions would be more appropriate for
inet-access, et al. Most people on this list are national or
international backbone operators. Appropriate topics concern operating
backbones.

> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
> Gerry McDonald
> Sent: Tuesday, September 21, 1999 9:13 AM
> To: nanog@merit.edu
> Subject:

Get the IOS Firewall Feature set, a router with the 2 LAN and 2 WAN
interfaces, and say _get away_ to the hw vendors.

No doubt, it's possible to get into IOS if you did not install access
lists on the VTY, keep some extra services running (such as the router-based
WWW server) and so on; but it does not depend on the firewalls at all... And, if
you don't need a session-level firewall (with analysis of SMTP content,
for example), the IOS FW feature set is a very effective solution.

So now, even the age-old "litmus test" of "how do I program my Cisco to do that?" is a bad one?

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/iosfw2_2.htm#xtocid1359543

SMTP Messages

CBAC detects and blocks SMTP attacks (illegal SMTP commands) and notifies
you when SMTP attacks occur. Error messages such as the following may
indicate that an SMTP attack has occurred:

%FW-4-SMTP_INVALID_COMMAND: Invalid SMTP command from initiator
(192.168.12.3:52419)

Looks like it does do that after all...

IOS FW also monitors HTTP, CU-SeeMe, FTP, H.323, NetShow, r-commands,
RealAudio, Sun RPC, SQL*Net, StreamWorks, TFTP, VDOLive, and generic TCP/UDP
sessions in addition to SMTP. It also protects against fragment attacks,
SYN attacks, ACK attacks, and bogus TCP sequence numbers.

Randy: ip inspect name firewall smtp

S

Stephen Sprunk, K5SSS, CCIE#3723
Network Consulting Engineer
Cisco NSA Dallas, Texas, USA
e-mail:ssprunk@cisco.com
Pager: +1 800 365-4578
Empowering the Internet Generation

I have listened to their seminar about this... As a simple L5 firewall
it's not bad, though it implements a fixed set of rules and defends you
from the simple SMTP attacks only. But anyway, IOS FW is just what 90% of
the customers need...

I'd like to say that people usually overestimate the power of the
firewalls and the necessity of the complex server-based firewalls - and
underestimate the importance of the _rules_ they follow in their
labs... I saw a few cases when an expensive PIX firewall was chosen and
installed, and a lot of headache created for the innocent users - and
nothing was done against the macro-viruses or NT BO trojans... And it's
more important to have _any_ firewall than not to have one at all.

Cisco CW IOS is just such a thing - even the usual ACLs allow you to protect the
network against the usual _network scanners and exploit users_ - and FW
IOS with the additional protection allows you to have good L2 - L3 and
sometimes L4 protection (I mean OSI levels). Though nothing (except a
simple wire cutter) can protect against the crazy users inside the
company...
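The two points made above (plain ACLs and VTY access lists against scanners and casual intruders, with the IOS FW feature set on top) and the `ip inspect name firewall smtp` line earlier in the thread can be pulled together into one configuration for the single-router case Gerry asked about. The following is an added example written for this thread, not a config posted by anyone here and not a Cisco-supplied template; the hostname, interface numbers, DLCI, addresses (RFC 1918 and documentation ranges) and the ACL names are constructed assumptions and must be adapted to the real network.

```cisco
! Added example (not from the thread). One 2620-class router carrying both
! the Internet T1 (Serial0/0) and the 512K frame-relay WAN (Serial0/1).
! Address plan (assumed): 203.0.113.0/30 T1 link, 192.0.2.0/24 segment in
! front of the firewall, 192.168.1.0/24 inside the firewall, 10.0.0.0/8 WAN.
hostname edge-rtr
!
! 1. Shrink the attack surface of the router itself.
no ip http server
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no ip source-route
service password-encryption
enable secret <choose-a-strong-secret>
!
! 2. VTY access only from the admin subnet, and only with a password set.
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login
 password <choose-a-vty-password>
!
! 3. Ship %FW-* and ACL log messages off-box so a router compromise
!    cannot quietly erase them.
logging 192.0.2.20
logging trap warnings
ip inspect audit-trail on
!
! 4. CBAC rule, same name as in the thread. Generic tcp/udp inspection opens
!    temporary return-traffic entries in INTERNET-IN; smtp/ftp/http add
!    protocol-aware checks (e.g. %FW-4-SMTP_INVALID_COMMAND).
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall smtp
ip inspect name firewall ftp
ip inspect name firewall http
!
! 5. Internet side: anti-spoofing, an explicit deny toward the WAN prefix
!    (vendor B's "Internet -> WAN without touching the firewall" path),
!    one published mail relay, and a logged default deny.
ip access-list extended INTERNET-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip any 10.0.0.0 0.255.255.255 log
 permit tcp any host 192.0.2.10 eq smtp
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! 6. WAN side: only remote-office sources, only toward our own segments.
ip access-list extended WAN-IN
 permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 192.0.2.0 0.0.0.255
 deny   ip any any log
!
interface Serial0/0
 description T1 to the Internet
 ip address 203.0.113.2 255.255.255.252
 ip access-group INTERNET-IN in
 ip inspect firewall out
 no cdp enable
!
interface Serial0/1
 description 512K frame relay to the corporate WAN
 encapsulation frame-relay
 no cdp enable
!
interface Serial0/1.1 point-to-point
 ip address 10.1.0.1 255.255.255.252
 ip access-group WAN-IN in
 frame-relay interface-dlci 100
!
interface FastEthernet0/0
 description segment in front of the firewall; 192.0.2.10 is the mail relay
 ip address 192.0.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 10.0.0.0 255.0.0.0 10.1.0.2
ip route 192.168.1.0 255.255.255.0 192.0.2.254
```

As applied, `ip inspect firewall out` on Serial0/0 inspects sessions started from inside and opens the return path through INTERNET-IN; unsolicited SMTP to the relay is admitted by the static permit and is not itself inspected unless a rule is also applied inbound on that interface. The one-router design still rests on the router not being compromised: the VTY access-class, the removed services and the off-box logging are what make that assumption defensible, and if they cannot be enforced, vendor B's two-router advice is the safer choice.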

> So now, even the age-old "litmus test" of "how do I program my Cisco to do that?" is a bad one?

Actually, in the case of service providers, this is exactly why the
"cisco-nsp@puck.nether.net" was established. Well, it wasn't really
established at that site, but that's where it migrated later. The list
is available for cisco service provider specific discussions
just like this one. If you want to talk about Juniper routers, on the
other hand.... :) :)
                                                 dave

dave, i believe juniper-nsp@puck.nether.net already exists.

There is a Juniper list at juniper-nsp@puck.nether.net, though it
doesn't get a lot of traffic...

Subscriptions to: juniper-nsp-request@puck.nether.net

/Sean