Another scenario with a similar concern.

                   Internet
                      |
                      |
                   Router A-------PVC------Router B
                      |                       |
                      |                       |
    DMZ A----Firewall A                       Firewall B-----DMZ B
                      |                       |
                      |                       |
                   Site A                  Site B

The purpose of this configuration is to provide a third-world site (Site B)
tier-one Internet connectivity (not available locally) through a large US
site while providing intra-company connectivity between the two sites with
the same WAN connection.  An advantage is that site B would retain local
access to its own self-administered DMZ.  Both firewalls have routable
external addresses along with the adjacent router interface and the Internet
side of router A.  The PVC between Routers A and B has only private
addresses (e.g. 192.168.x.x).  Both firewalls do IPSec VPNs with many other
sites.  Is it really necessary to do DES encryption for communication
between sites A and B?  What is the security risk if we do not?  Is it
possible to hack a Cisco router and sniff clear data packets?

Thanks


Date: Fri, 17 Sep 1999 11:13:04 -0700
From: woody weaver <[EMAIL PROTECTED]>
Subject: Re: Is Private Network & Internet on same FR Circuit Ok?

At 08:09 AM 9/17/99 -0700, Cory Langford wrote:
>
>If this interface on the router is your only WAN interface then you will run
>the risk of losing your private network when someone decides to take out
>the router.

[DOS details omitted]

>I would suggest the extra expense of two ccts on separate routers, if you
>require very high reliability on your private network.
>

I would also argue that for confidentiality reasons it's useful as well.

1.  If a black hat compromises the external router, they have immediate access
to your internal net.  Generally speaking, a router is not a security device.
It's better to have the internal router and external router separated by a
security device.

2.  If the network service provider accidentally screws up, your internal
traffic may end up someplace you don't expect.  (One client was having network
trouble -- poor packet throughput.  Called telco, they found water in the
external junction point, and rewired.  The poor tech got the physical circuits
reversed, and some other guy's net was bridged onto my network, while my net
tried to route onto this foreign net.)  If the circuit is associated with a
public net, this increases the chance that your private net data may end up in
public.

But none of this is especially relevant.  What is it you really need?  (And is
it really true that your service provider can not provide a second circuit?)

For example, if you are concerned about performance, you can improve your
relationship with the service provider to prevent a denial of service trashing
the router.  If you are concerned about confidentiality, you can encrypt
links.  It might even be useful to combine these, and route your private net's
WAN traffic via a QOS assured VPN between the central site and the remote
site.

What does your security policy say about these risks?

What can you acquire or afford?

- --woody

>At 03:20 PM 9/16/99 -0700, Roy Mendoza wrote:
>>From a security standpoint, is it acceptable to expose a router interface to
>>the Internet where the Internet and private network are on the same physical
>>circuit?
>>
>>Quick background:  Our carrier cannot provide a channelized frame relay
>>circuit, so we must bring their single circuit containing our private
>>network and Internet feed to our Cisco 3640, and then inside the 3640
>>separate these two PVCs.  One PVC (our private network) would go out the
>>3640's Ethernet interface to a LAN (inside) hub, while the other PVC
>>(Internet) would go out another 3640 Ethernet interface to a PIX firewall.
>>
>>While it's technically possible to do the above, I'm a bit concerned about
>>exposing any interfaces on the 3640 (core) router to the Internet and
>>thereby increasing the risk of someone attacking this core router.
>>
>>Any experienced thoughts???
>>
>>Thanks!!!
>>
>>Roy.
>>
>>
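Roy's PVC split from the quoted post, written out as an added Cisco IOS example that is not from anyone in this thread: the two PVCs land on separate point-to-point subinterfaces, and an inbound access list on the Internet-facing one drops traffic aimed at the router itself or at private address space, which reduces the core router's exposure but, as woody says, does not turn it into a security device. DLCI numbers, addresses (RFC 1918 and documentation ranges) and interface names are assumptions.

```cisco
! Constructed example (not from the thread). One frame relay circuit
! carries two PVCs; each gets its own point-to-point subinterface so the
! Internet PVC and the private PVC never share an IP interface.
! DLCIs, addresses and interface names are assumptions.
interface Serial0/0
 description Single FR circuit from the carrier
 encapsulation frame-relay
 no ip address
!
interface Serial0/0.101 point-to-point
 description PVC 101 - Internet feed (the only exposed interface)
 ip address 198.51.100.2 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no cdp enable
 frame-relay interface-dlci 101
!
interface Serial0/0.102 point-to-point
 description PVC 102 - private corporate network
 ip address 10.0.0.2 255.255.255.252
 frame-relay interface-dlci 102
!
interface Ethernet0/0
 description Inside LAN hub (private network)
 ip address 10.1.0.1 255.255.255.0
!
interface Ethernet0/1
 description Outside segment, PIX outside interface lives here
 ip address 198.51.100.9 255.255.255.248
!
! Routing keeps the two PVCs apart: default toward the Internet PVC,
! private address space toward the private PVC.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.0.0.0 255.0.0.0 10.0.0.1
!
! Inbound on the Internet PVC: drop anything aimed at the router's own
! addresses or at private address space (including spoofed private
! sources), then allow only traffic bound for the PIX segment.
access-list 101 deny   ip any host 198.51.100.2
access-list 101 deny   ip any host 198.51.100.9
access-list 101 deny   ip any 10.0.0.0 0.255.255.255
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any 198.51.100.8 0.0.0.7
access-list 101 deny   ip any any log
```

The PIX still filters everything that reaches the 198.51.100.8/29 segment; the router's list only limits what the exposed subinterface will forward or accept for itself.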
