At 08:09 AM 9/17/99 -0700, Cory langford wrote:
>
>If this interface on the router is your only WAN interface then you will run
>the risk of losing your private network when someone decides to take out
>the router.

[DOS details omitted]

>I would suggest the extra expense of two cct's on separate routers, if you
>require very high reliability on your private network.
>

I would also argue that for confidentiality reasons it's useful as well.

1.  If a black hat compromises the external router, they have immediate access
to your internal net.  Generally speaking, a router is not a security device.
It's better to have the internal router and external router separated by a
security device.

2.  If the network service provider accidentally screws up, your internal
traffic may end up someplace you don't expect.  (One client was having network
trouble -- poor packet throughput.  Called telco, they found water in the
external junction point, and rewired.  The poor tech got the physical circuits
reversed, and some other guy's net was bridged onto my network, while my net
tried to route onto this foreign net.)  If the circuit is associated with a
public net, this increases the chance that your private net data may end up in
public.

But none of this is especially relevant.  What is it you really need?  (And is
it really true that your service provider can not provide a second circuit?) 
For example, if you are concerned about performance, you can improve your
relationship with the service provider to prevent a denial of service trashing
the router.  If you are concerned about confidentiality, you can encrypt
links.  It might even be useful to combine these, and route your private net's
WAN traffic via a QOS assured VPN between the central site and the remote site.

What does your security policy say about these risks?

What can you acquire or afford?

--woody

>At 03:20 PM 9/16/99 -0700, Roy Mendoza wrote:
>>From a security standpoint, is it acceptable to expose a router interface to
>>the Internet where the Internet and private network are on the same physical
>>circuit?
>>
>>Quick background:  Our carrier cannot provide a channelized frame relay
>>circuit, so we must bring their single circuit containing our private
>>network and Internet feed to our Cisco 3640, and then inside the 3640
>>separate these two PVCs.  One PVC (our private network) would go out the
>>3640's Ethernet interface to a LAN (inside) hub, while the other PVC
>>(Internet) would go out another 3640 Ethernet interface to a PIX firewall.
>>
>>While it's technically possible to do the above, I'm a bit concerned about
>>exposing any interfaces on the 3640 (core) router to the Internet and
>>thereby increasing the risk of someone attacking this core router.
>>
>>Any experienced thoughts???
>>
>>Thanks!!!
>>
>>Roy.
>>
>>
>>-
>>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>>"unsubscribe firewalls" in the body of the message.]
>>
>