I took a look at Chesapeake's tool (didn't actually run it). While it appears
well done, if you trust the documentation it creates a significant exposure on
your router. It uses telnet, rather than tftp, to transfer lists to the
router (tftp is planned for a future version). Access lists should never be
updated with telnet.
The reason for this is that each configuration command (in a "conf term"
operation, as used by a telnet setup) is made effective as soon as it's entered.
This can cause a number of problems; with access-lists the most obvious issue is
that the first command is usually "no access-list 101" (or similar). This
means that you've just disabled all filtering for that access-list. Until the
rest of the commands for that list are entered you may be allowing undesired
traffic.
If you're sitting at a window manually entering these commands into the router,
this probably exposes you for several minutes. If a program, such as the
Chesapeake tool, is pumping the commands into the router, the leak may only last
a second, but it's still there.
When tftp is used to transfer a configuration file the entire configuration
update is atomic - all of the changes take effect at once. For access-lists in
particular, this is safer.
Tony Rall
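An added illustration of the ordering problem described above (my own example, not part of Tony's post and not code from the Chesapeake tool): a small Python model that replays a constructed IOS access-list update one command at a time, as a "conf term" session applies it, and checks after each step whether a probe packet that the finished list denies would get through; the same update applied atomically, as a tftp copy would, never lets it through. It assumes the router behaviour the post describes, namely that a list which has just been deleted filters nothing, and handles only the "any" and "host" address forms.

```python
import ipaddress

# Constructed sample update, in the order a telnet-based tool types it into
# "conf term": the first command removes the whole list, the rest rebuild it.
ACL_UPDATE = [
    "no access-list 101",
    "access-list 101 permit tcp any host 192.0.2.10 eq 80",
    "access-list 101 deny ip any any",
]
# Constructed probe: a telnet connection to the web server, denied by the final list.
PROBE = ("tcp", "198.51.100.7", "192.0.2.10", 23)

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src dst [eq port]'; only the
    'any' and 'host A.B.C.D' address forms are handled. None means wildcard."""
    t = line.split()
    ace = {"acl": t[1], "action": t[2], "proto": t[3]}
    rest = t[4:]
    for side in ("src", "dst"):
        kind = rest.pop(0)
        if kind not in ("any", "host"):
            raise ValueError(f"unsupported address spec: {kind}")
        ace[side] = None if kind == "any" else ipaddress.ip_address(rest.pop(0))
    ace["port"] = int(rest[1]) if rest[:1] == ["eq"] else None
    return ace

def acl_permits(aces, packet):
    """First match wins, implicit deny at the end. An empty (deleted) list is
    what the router has right after 'no access-list 101': nothing is filtered."""
    proto, src, dst, port = packet
    if not aces:
        return True
    for a in aces:
        if (a["proto"] in ("ip", proto)
                and a["src"] in (None, ipaddress.ip_address(src))
                and a["dst"] in (None, ipaddress.ip_address(dst))
                and a["port"] in (None, port)):
            return a["action"] == "permit"
    return False

def replay(commands, packet, atomic=False):
    """Apply the update command by command (telnet / conf term) or as one
    atomic copy (tftp); return whether the probe is permitted in each state."""
    aces, observed = [], []
    for cmd in commands:
        aces = [] if cmd.startswith("no access-list") else aces + [parse_ace(cmd)]
        if not atomic:
            observed.append(acl_permits(aces, packet))
    return observed if not atomic else [acl_permits(aces, packet)]
```

Calling `replay(ACL_UPDATE, PROBE)` reports the probe permitted right after the "no access-list" step and denied thereafter, while `replay(ACL_UPDATE, PROBE, atomic=True)` reports it denied in the only state the router ever exposes.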
Jim McGlashan <[EMAIL PROTECTED]> on 07/01/1999 07:10:19
Try the following. I use it and it works well.
Jim
http://www.ccci.com/tools/accessedit/index.html
The Chesapeake Access List Editor
Create/Get/Send IP Access-lists from/to Cisco Routers
Learning Tool for Access-Lists
Create IP Access-List with the IP Access List Wizard
An article describing how to use the ALE appeared in The Network Monitor, a
Chesapeake quarterly publication. You can
view this article by clicking here -> Access Edit Article.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]