RE: Protecting your router.

From: Wiley, Rob (WileyR@autonation.com)
Date: 07/24/02


From: "Wiley, Rob" <WileyR@autonation.com>
To: "'focus-ids@securityfocus.com '" <focus-ids@securityfocus.com>
Date: Wed, 24 Jul 2002 12:44:12 -0400

Here's an option ... a Serial/Frame Relay-to-Ethernet bridge.

Tierra (sp?) Networks makes a box that terminates HDLC/Frame Relay/PPP
connections and converts the frames to Ethernet. It works similarly to an
inverse multiplexer (I/MUX).

---ISP----{Serial frame}--[TierraBox]---{Ethernet frame}--[Router].

You could place an inline Ethernet tap before the router and plug an IDS in
there. That way you are seeing packets before your ingress filters kick in.

This works for multilink (MPP/Frame Relay, for example) connections as well.

-Regards,
 Rob Wiley
---------------------------------
 Rob Wiley
 Sr. Data Communications Engineer
 AutoNation, Inc.

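The tap-before-the-router placement described above, modelled as an added example (this is not code from the original post or from any of the vendors mentioned): a small first-match ACL evaluator shows which inbound packets an IDS on the pre-router tap sees that an IDS sitting behind the router's ingress filters never would. The ACL entries, the addresses (RFC 5737 documentation ranges) and the packet list are all constructed for illustration and are assumptions, not a real capture or a real router configuration.

```python
"""Model of the tap-before-router placement.

A tap between the serial-to-Ethernet bridge and the router sees every
inbound frame; an IDS behind the router only sees what the router's
ingress ACL permits. Everything below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    src: str               # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str             # "tcp", "udp", "icmp" or "ip" for any
    dport: Optional[int]   # None matches any port


# Constructed ingress ACL (an assumption), evaluated first-match like a
# router ACL: drop spoofed private sources, drop probes aimed at the
# router's own management ports, permit web traffic to the public block,
# then an implicit deny for everything else.
INGRESS_ACL = [
    AclEntry("deny",   "10.0.0.0/8",     "0.0.0.0/0",       "ip",  None),
    AclEntry("deny",   "172.16.0.0/12",  "0.0.0.0/0",       "ip",  None),
    AclEntry("deny",   "192.168.0.0/16", "0.0.0.0/0",       "ip",  None),
    AclEntry("deny",   "0.0.0.0/0",      "203.0.113.1/32",  "udp", 161),
    AclEntry("deny",   "0.0.0.0/0",      "203.0.113.1/32",  "tcp", 23),
    AclEntry("permit", "0.0.0.0/0",      "203.0.113.0/24",  "tcp", 80),
    AclEntry("permit", "0.0.0.0/0",      "203.0.113.0/24",  "tcp", 443),
]


def matches(entry: AclEntry, pkt: Packet) -> bool:
    """True if the packet falls within this ACL entry."""
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(entry.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(entry.dst))


def router_verdict(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; no match means implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"


def split_visibility(acl: List[AclEntry],
                     packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Return (seen_at_tap, seen_behind_router).

    The tap sees every inbound packet; an IDS behind the router only
    sees the packets the ingress ACL permits.
    """
    seen_at_tap = list(packets)
    seen_behind = [p for p in packets if router_verdict(acl, p) == "permit"]
    return seen_at_tap, seen_behind


# Constructed sample of what arrives on the ISP side (not real traffic).
SAMPLE = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 80),   # ordinary web hit
    Packet("10.1.2.3",     "203.0.113.10", "tcp", 80),   # spoofed private source
    Packet("198.51.100.9", "203.0.113.1",  "udp", 161),  # SNMP probe at the router
    Packet("198.51.100.9", "203.0.113.1",  "tcp", 23),   # telnet probe at the router
    Packet("198.51.100.9", "203.0.113.10", "tcp", 22),   # ssh probe, implicit deny
    Packet("198.51.100.7", "203.0.113.10", "tcp", 443),  # ordinary TLS hit
]


def only_visible_at_tap(acl: List[AclEntry] = INGRESS_ACL,
                        packets: List[Packet] = SAMPLE) -> List[Packet]:
    """Packets the router drops: an IDS placed behind it never sees these."""
    tap, behind = split_visibility(acl, packets)
    behind_set = set(behind)
    return [p for p in tap if p not in behind_set]


if __name__ == "__main__":
    for p in only_visible_at_tap():
        print(f"dropped by router, seen only at the tap: {p}")
```

With the constructed sample, four of the six packets (the spoofed 10/8 source, the SNMP and telnet probes aimed at the router, and the ssh probe caught by the implicit deny) are exactly the "who's knocking" traffic that a sensor behind the router would never log; only the two web hits reach a sensor placed after the ingress filter.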
-----Original Message-----
From: dwhoward@cableaz.com
To: brahma@mendolink.com; focus-ids@securityfocus.com
Cc: dwhoward@cableaz.com
Sent: 7/24/2002 10:40 AM
Subject: RE: Protecting your router.

Chris,

  In my opinion, something on your net will always have to be exposed.
Generally, that's the router. Some people will say to not worry about your
routers, only worry about your hosts, but I disagree. Security deals with
Confidentiality, Integrity, but also Availability. If a hacker can bring
down your router, then you are a sinking ship (I would assume) as your data
is no longer available to your customers. While the attacks may be
negligible, you need to decide: Do I want to know who's knocking on my
proverbial (network) door? (Then you need to figure out what you're going
to do about it, but that's another email.)

Here are a couple of suggestions:

Assuming Cisco, there is a FWIOS that contains LIMITED IDS functionality.
It looks for about 59 known IDS signatures. Not what I would recommend for
your hosts, but it's a start.

http://www.enteract.com/~robt/Docs/Articles/secure-ios-template.html is a
great write-up for hardening (again assuming a vendor type) a Cisco router.
There was also another by Brett K. and Variable on the Phrack web site, but
I couldn't find my stored URL for it.

Now, would I redesign my entire configuration to have full service IDS on
my border router? Probably not, but the above will provide due diligence
on your part that you have a reasonable position of security for that
device.

My $.02, you asked, I gave! :-)

Dustin Howard, CISSP
Manager, Network Engineering & Operations

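As an added example of the kind of border-router hardening the write-ups above cover (this is not the linked template's content, nor configuration from anyone in this thread): an ingress ACL that drops spoofed sources and probes aimed at the router itself, the usual unneeded services switched off, and management restricted to ssh from the inside. The addresses are documentation ranges (203.0.113.0/24 as the public block, 192.0.2.0/24 as the management network), the interface name is assumed, and the `ip audit` lines are the IOS Firewall feature set's IDS as I remember it from the 12.x releases; exact keywords vary by IOS version, so verify every line against your own release before applying it.

```cisco
! Added example: border-router hardening on Cisco IOS.
! Addresses are documentation ranges; Serial0/0 is an assumed name.
!
! --- services the border router does not need ---
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no ip http server
no ip source-route
no cdp run
service password-encryption
service timestamps log datetime msec
logging 192.0.2.50
!
! --- inbound ACL: drop spoofed and private sources, and anything
!     addressed to the router itself, before it reaches the firewall.
!     Adjust the "host 203.0.113.1" line if the ISP must reach the
!     router (routing protocol peering, for example).
ip access-list extended INGRESS
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip any host 203.0.113.1 log
 permit ip any 203.0.113.0 0.0.0.255
!
! --- IOS Firewall IDS (requires the firewall feature set): alarm on
!     informational signatures, alarm/drop/reset on attack signatures ---
ip audit notify log
ip audit name BORDER info action alarm
ip audit name BORDER attack action alarm drop reset
!
interface Serial0/0
 description Link to ISP
 ip access-group INGRESS in
 ip audit BORDER in
 no ip directed-broadcast
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
! --- management only from the inside network, only over ssh ---
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
```

The `log` keywords on the deny lines are what give you the "who's knocking" view from the router itself when there is no tap in front of it; they also cost CPU on a busy link, so rate-limit or drop them on the entries that match constantly.
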
Original Message:
-----------------
From: Chris brahma@mendolink.com
Date: Mon, 22 Jul 2002 19:40:42 -0700
To: focus-ids@securityfocus.com
Subject: Protecting your router.

I was just curious on how others with IDS setup on their network protect
their routers. My setup is similar to this:

T1 > Router > Firewall Appliance > IDS Appliance.

Not quite sure on any products (haven't seen any) that will take a line
right off the CSU/DSU and perform pass-through with it and still filter the
traffic. If I am being too vague, just ask what I mean! Thanks in advance.

Thank You,

Chris D.
Network Security
Mendo Link, LLC

"An Ounce Of Prevention Is Worth A Pound Of Cure."
Om Namo Narayanaya
