Re: [fw-wiz] Content Switch as security device?

From: Duncan Sharp (drsharp@pacbell.net)
Date: 01/29/03


From: Duncan Sharp <drsharp@pacbell.net>
To: "Ludolph, Michel" <Michel.Ludolph@atosorigin.com>
Date: Wed Jan 29 19:29:19 2003


"Ludolph, Michel" wrote:

> This afternoon I had a discussion with a colleague. He told me about a
> proposed Corporate Internet connection. Instead of using a Firewall between
> the DMZ and the external network, the idea was to use a Cisco Content
> Switch. This would result in the following architecture: Internet -->
> screening router --> Content Switch --> router --> web servers.
>

I would move the "Content Switch" between router and "web servers". Now the
Content switch and web servers can be isolated to a DMZ.

The CSS (Content Server Switch) is not a firewall, but it has firewall
features:

    If you use IP destination address load balancing, then all ports are
    addressable.

    If you use destination port, or url content load balancing, then only the
    ports defined are opened.

    The CSS does a complete gateway connection spoof for layer 4+ connections.
    Your web servers can have RFC 1918 addresses.

    It can also be an OSPF router, but I still don't see any security passwords
    for this.

>
> This would mean that the Content Switch also acts as a sort of
> proxy-firewall, justified by the fact that only defined ports are permitted.
>
> I do not feel very comfortable with this solution. What about syn-floods and
> fragmentation attacks? Further, a Content Switch is not designed to act as a
> security device (it may listen to ports you are not aware of).
>

    It does do SYN flood defending. It also does anti-spoofing, by default.

    It does have several default ports open:

    22 - sshd (if you purchase this option)
    23 - telnetd
    80 - httpd
    21 - ftpd (push an updated OS, download crash file)
    8081 - XML (I think this is the one)

    There is a RS232 console port. And there is a Management Network (10bt).

    Supports local user accounts (pre 5.0), radius auth (5.0+), TACACS+ (5.03).

>
> Has anyone come across such a solution, or have any thoughts on this?
>

    It looks better with ver. 5.0 OS. I used 3.X to 4.01.
    Take a close look at the release notes, they are publicly avail.
    I see in ver. 5.03 you can still crash a CSS in configuration mode
    (CSCdv55143).
    Stability of the OS has been a difficult goal.

>
> Thanks,
>

Yours,
Duncan Sharp

>
> Michel Ludolph
> michel.ludolph@atosorigin.com
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
