I have a question... I am currently expanding our network to accommodate a T1 to the Internet and a 512K frame connection to our WAN. I need to purchase a router and spoke to several vendors. I have heard conflicting stories regarding the model of Cisco router I should get.

One vendor <vendor a> tells me that I should get a 2620 with 2 WAN ports and the other vendor <vendor b> is telling me that I might compromise my security by using one router for WAN and Internet connections. They're suggesting that I get 2 routers, one for my WAN and another for the Internet connection...

Vendor B is telling me that it would be possible to enter our WAN without touching our firewall should someone be able to hack into our IOS on the router...

I decided to go to the experts... I would appreciate any helpful suggestions.

Thanks...

-Gerry
I'm looking similarly, but T1/PRI for dial-in support and a T3 to the Internet. Got Cisco 6509 on the Internet side and Ascend MAX 6000 on the WAN side. Both managed by Checkpoint, on a Sun Ultra5.
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Gerry McDonald Sent: Tuesday, September 21, 1999 9:13 AM To: nanog@merit.edu Subject:
Don't mean to be rude, these questions would be more appropriate for inet-access, et al. Most people on this list are national or international backbone operators. Appropriate topics concern operating backbones. On Tue, 21 Sep 1999, Roeland M.J. Meyer wrote:
+------------------- H U R R I C A N E - E L E C T R I C -------------------+ | Mike Leber Direct Internet Connections Voice 408 282 1540 | | Hurricane Electric Web Hosting Colocation Fax 408 971 3340 | | mleber@he.net http://www.he.net | +---------------------------------------------------------------------------+
So now, even the age-old "litmus test" of "how do I program my Cisco to do that?" is a bad one? At 01:09 AM 9/22/99 -0700, Mike Leber wrote:
At 05:45 AM 9/22/99 -0700, Derek Balling wrote:
So now, even the age-old "litmus test" of "how do I program my Cisco to do that?" is a bad one?
Actually, in the case of service providers, this is exactly why the "cisco-nsp@puck.nether.net" was established. Well, it wasn't really established at that site, but that's where it migrated later. The list is available for discussion of cisco service provider specific discussions just like this one. If you want to talk about Juniper routers, on the other hand.... :-) :-) dave
Actually, in the case of service providers, this is exactly why the "cisco-nsp@puck.nether.net" was established. Well, it wasn't really established at that site, but that's where it migrated later. The list is available for discussion of cisco service provider specific discussions just like this one. If you want to talk about Juniper routers, on the other hand.... :-) :-)
Then you use juniper-nsp@puck.nether.net. -snicker-

--msa

--
Majdi Abbas <majdi@puck.nether.net>
The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore, all progress depends on the unreasonable man. -- George Bernard Shaw
On Thu, Sep 23, 1999 at 09:16:05AM -0700, dave o'leary wrote:
Actually, in the case of service providers, this is exactly why the "cisco-nsp@puck.nether.net" was established. Well, it wasn't really established at that site, but that's where it migrated later. The list is available for discussion of cisco service provider specific discussions just like this one. If you want to talk about Juniper routers, on the other hand.... :-) :-) dave
dave, i believe juniper-nsp@puck.nether.net already exists.
Actually, in the case of service providers, this is exactly why the "cisco-nsp@puck.nether.net" was established. Well, it wasn't really established at that site, but that's where it migrated later. The list is available for discussion of cisco service provider specific discussions just like this one. If you want to talk about Juniper routers, on the other hand.... :-) :-)
There is a Juniper list at juniper-nsp@puck.nether.net, though it doesn't get a lot of traffic... Subscriptions to: juniper-nsp-request@puck.nether.net

/Sean
__________________________________
Sean Butler, CCIE #3897
AT&T Global Services -- OpenNet Support
Phone: 727-533-8830 Fax: 813-878-5475
Get the IOS FireWall feature set, a router with the 2 LAN and 2 WAN interfaces, and say _get away_ to the hw vendors.

No doubt, it's possible to enter into IOS if you did not install access lists on the VTY, keep some extra services working (such as router-based WWW) or so on; but it does not depend on the firewalls at all... And - if you don't need a session-level firewall (with analysis of SMTP content, for example) the IOS FW feature set is a very effective solution.

On 21 Sep 1999, Gerry McDonald wrote:
Date: 21 Sep 99 11:13:08 -0500 From: Gerry McDonald <gerry@injectronics.com> To: nanog@merit.edu
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 230-41-41, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/iosfw2_2.htm#xtocid1359543

SMTP Messages

CBAC detects and blocks SMTP attacks (illegal SMTP commands) and notifies you when SMTP attacks occur. Error messages such as the following may indicate that an SMTP attack has occurred:

%FW-4-SMTP_INVALID_COMMAND: Invalid SMTP command from initiator (192.168.12.3:52419)

Looks like it does do that after all...

IOS FW also monitors HTTP, CU-SeeMe, FTP, H.323, NetShow, r-commands, RealAudio, Sun RPC, SQL*Net, StreamWorks, TFTP, VDOLive, and generic TCP/UDP sessions in addition to SMTP. It also protects against fragment attacks, SYN attacks, ACK attacks, and bogus TCP sequence numbers.

Randy: ip inspect name firewall smtp

S

Stephen Sprunk, K5SSS, CCIE#3723
Network Consulting Engineer
Cisco NSA
Dallas, Texas, USA
e-mail: ssprunk@cisco.com
Pager: +1 800 365-4578
Empowering the Internet Generation

----- Original Message -----
From: Alex P. Rudnev
To: Gerry McDonald
Cc: nanog@merit.edu
Sent: Wednesday, September 22, 1999 5:37
Subject: Re: your mail
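What Alex and Stephen are describing, written out as an added example (it is not from the thread and not Cisco's documentation): a single 2620 carrying both the Internet T1 and the 512K frame-relay WAN, with the management plane locked down the way Alex says (access list on the VTYs, router-based WWW and the other small services switched off) and CBAC inspection on the Internet interface, including the smtp inspection Stephen quotes. The interface names, the 203.0.113.0/24, 192.168.1.0/24 and 10.1.1.0/30 addresses, the access-list numbers, the inspection-rule names, the syslog host and the bracketed secrets are all assumptions, and ip inspect only exists on an IOS image that includes the Firewall feature set.

```cisco
! Added example, not the thread's own configuration. Addresses, names and
! list numbers are assumed; replace the bracketed placeholders.
!
! --- Management plane: the part vendor B is worried about ---
! A router compromise bypasses any firewall wherever it sits, so the
! router itself is hardened first.
service password-encryption
no service tcp-small-servers
no service udp-small-servers
! the "router-based WWW" Alex mentions
no ip http server
no ip source-route
no cdp run
no snmp-server
enable secret <ENABLE-SECRET-PLACEHOLDER>
!
! Only the inside management subnet may reach the VTYs; every other
! attempt is refused and logged before it sees a login prompt.
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
 login
 password <VTY-PASSWORD-PLACEHOLDER>
 exec-timeout 5 0
!
! --- Data plane: CBAC on the Internet link only ---
! OUTBOUND inspects sessions leaving Serial0/0 and opens just the
! matching return traffic through access-list 101; INBOUND inspects the
! SMTP sessions that 101 lets through to the mail relay, which is what
! produces the %FW-4-SMTP_INVALID_COMMAND messages.
ip inspect audit-trail
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND ftp
ip inspect name INBOUND smtp
!
! Inbound from the Internet: SMTP to the relay is the only static hole;
! everything else is denied and logged unless CBAC has a session for it.
access-list 101 permit tcp any host 203.0.113.10 eq smtp
access-list 101 deny   ip any any log
!
interface Serial0/0
 description Internet T1
 ip address 203.0.113.1 255.255.255.252
 ip access-group 101 in
 ip inspect OUTBOUND out
 ip inspect INBOUND in
 no ip directed-broadcast
 no ip proxy-arp
!
! The frame-relay WAN keeps its own interface. Office-to-office traffic
! never touches list 101; WAN traffic bound for the Internet still
! leaves via Serial0/0 and is inspected there like everything else.
interface Serial0/1
 description 512K frame relay to the remote office
 encapsulation frame-relay
 ip address 10.1.1.1 255.255.255.252
 no ip directed-broadcast
!
interface FastEthernet0/0
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
!
! Second LAN port (Alex's "2 LAN") for the mail relay on a public /29,
! so nothing on the inside LAN needs a static hole in list 101.
interface FastEthernet0/1
 description Mail relay segment
 ip address 203.0.113.9 255.255.255.248
 no ip directed-broadcast
!
! Send the FW-4 messages and the ACL log hits somewhere they are read.
logging 192.168.1.50
logging trap informational
```

After applying it, show ip inspect sessions lists the outbound sessions CBAC is tracking and show access-lists 101 shows the temporary entries it has added ahead of the static deny; if list 101 only ever shows the two configured lines while inside hosts are browsing, the inspection rule is on the wrong interface or direction.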
I have listened to their seminar about this... As a simple L5 firewall it's not bad, though it realises a fixed set of rules and defends you from the simple SMTP attacks only. But anyway, IOS FW is just what 90% of the customers need...

On Wed, 22 Sep 1999, Stephen Sprunk wrote:
Date: Wed, 22 Sep 1999 10:38:30 -0500 From: Stephen Sprunk <ssprunk@cisco.com> To: "Alex P. Rudnev" <alex@Relcom.EU.net>, Gerry McDonald <gerry@injectronics.com> Cc: nanog@merit.edu Subject: Re: your mail
I'd like to say that people usually overestimate the power of firewalls and the necessity of complex server-based firewalls - and underestimate the importance of the _rules_ they follow in their labs... I saw a few cases when an expensive PIX firewall was chosen and installed, and a lot of headache created for the innocent users - and nothing was done against the macro-viruses or NT BO trojans... And it's more important to have _any_ firewall than not to have one at all.

CISCO CW IOS is just such a thing - even the usual ACLs allow you to protect the network against the usual _network scanners and exploit users_ - and FW IOS with the additional protection allows you to have good L2 - L3 and sometimes L4 protection (I mean OSI levels). Though nothing (except a simple wire cutter) can protect against the crazy users inside the company...

On Wed, 22 Sep 1999, Stephen Sprunk wrote:
Date: Wed, 22 Sep 1999 10:38:30 -0500 From: Stephen Sprunk <ssprunk@cisco.com> To: "Alex P. Rudnev" <alex@relcom.EU.net>, Gerry McDonald <gerry@injectronics.com> Cc: nanog@merit.edu Subject: Re: your mail
participants (10): Alex P. Rudnev, dave o'leary, Derek Balling, Gerry McDonald, john heasley, Majdi Abbas, Mike Leber, Roeland M.J. Meyer, Sean Butler, Stephen Sprunk