RE: Protecting your router.

From: Wiley, Rob (WileyR@autonation.com)
Date: 07/24/02


From: "Wiley, Rob" <WileyR@autonation.com>
To: "'focus-ids@securityfocus.com '" <focus-ids@securityfocus.com>
Date: Wed, 24 Jul 2002 12:44:12 -0400

Here's an option ... a Serial/FrameRelay-to-Ethernet bridge.

Tierra (sp?) Networks makes a box that terminates HDLC/FrameRelay/PPP
connections and converts the frames to Ethernet. Works similarly to an inverse
multiplexer (I/MUX).

---ISP----{Serial frame}--[TierraBox]---{Ethernet frame}--[Router].

You could place an inline Ethernet tap before the router and plug an IDS in
there. That way you are seeing packets before your ingress filters kick in.

This works for Multilink (MPP/FrameRelay, for example) connections as well.

Regards,
 Rob Wiley
---------------------------------
 Rob Wiley
 Sr. Data Communications Engineer
 AutoNation, Inc.

-----Original Message-----
From: dwhoward@cableaz.com
To: brahma@mendolink.com; focus-ids@securityfocus.com
Cc: dwhoward@cableaz.com
Sent: 7/24/2002 10:40 AM
Subject: RE: Protecting your router.

Chris,

  In my opinion, something on your net will always have to be exposed.
Generally, that's the router. Some people will say to not worry about your
routers, only worry about your hosts, but I disagree. Security deals with
Confidentiality, Integrity, but also Availability. If a hacker can bring
down your router, then you are a sinking ship (I would assume) as your data
is no longer available to your customers. While the attacks may be
negligible, you need to decide: Do I want to know who's knocking on my
proverbial (network) door? (Then you need to figure out what you're going
to do about it, but that's another email.)

Here are a couple of suggestions:

Assuming Cisco, there is a FWIOS that contains LIMITED IDS functionality.
Looks for about 59 known IDS signatures. Not what I would recommend for
your hosts, but it's a start.

http://www.enteract.com/~robt/Docs/Articles/secure-ios-template.html is a
great write-up for hardening (again assuming a vendor type) a Cisco router.
There was also another by Brett K. and Variable out on the Phrack web site,
but I couldn't find my stored URL.

Now, would I redesign my entire configuration to have full service IDS on
my border router? Probably not, but the above will provide due diligence
on your part that you have a reasonable position of security for that
device.

My $.02, you asked, I gave! :-)

Dustin Howard, CISSP
Manager, Network Engineering & Operations

Original Message:
-----------------
From: Chris brahma@mendolink.com
Date: Mon, 22 Jul 2002 19:40:42 -0700
To: focus-ids@securityfocus.com
Subject: Protecting your router.

I was just curious on how others with IDS setup on their network protect
their routers. My setup is similar to this:

T1 > Router > Firewall Appliance > IDS Appliance.

Not quite sure on any products (haven't seen any) that will take a line
right off the CSU/DSU and perform pass-through with it and still filter the
traffic. If I am being too vague, just ask what I mean! Thanks in advance.

Thank You,

Chris D.
Network Security
Mendo Link, LLC

"An Ounce Of Prevention Is Worth A Pound Of Cure."
Om Namo Narayanaya

