
List:       firewalls-gc
Subject:    cisco
From:       sara <sgordon () sun1 ! iusb ! edu>
Date:       1995-05-31 19:19:32

Sick Puppy <sikpuppy@maestro.com>
writes:

> Router passwords should be changed frequently and this includes the 
> default maintenance passwords many routers are shipped with.

those default passwords will get ya every time...but so will
using dictionary passwords, and those pesky easily guessed foreign
words.          :) (specially ones transmitted over networks in
plain text).

not to mention, if you accidentally have one of your supposedly protected
machines 'outside' but you think its 'inside', you could end up in
all kinds of strange situations :)

someone else said:

> > I have no experience with Cisco routers so I cannot make a judgement
> > myself.  I suspect that we really should be looking at some encryption
> > to secure our links through the service provider.

i have had experience with them. you know, i keep finding out that as
with many things, the main 'security problem' is the action/lack of action
of the administrator/users. same for routers as for everything else under
the sun (no pun intended).

paul ferguson suggests:

> > Why not just disconnect yourself from The Net altogether?  ;-)

and i agree. ive come to agree with those who say the Internet was
not designed for commerce, actually.

mostly, though, news tonite is about 'firewalls' of the original nature.
what is a 'firewall' as originally designed? something used to keep
'fire' from spreading. its not designed to keep things -other- than
fire from spreading. for instance, a firewall will not stop air,
water, or other elements from spreading.   do firewalls (now i am
speaking of the technological type, not the dirt type :) 'see'
everything? one thing for sure, they do not see things that do not yet
exist. 

which makes for good business i suppose.

taking this approach, i think one could (if one thought long enough
and hard enough and had enough rfc's at his/her disposal) figure out
the weakness of any firewall. 


and someone else mentions SKEY

> It is worth noting that since FW-1 now supports SKey and SecureID
> you can now feel much more secure about doing in-band remote
> management of the firewall.

more secure. i think that is relative. if i dont feel secure about it
at all, then more secure is not that much more secure. and SKey does not
make me feel all that much more secure.


re: ftp/nt

> We tried all the abuses we could think of. No one in my company was able to
> get a directory list, read or put a file anywhere other than the appropriate
> directory. The only hole I can think of is a flooding attack, hence putting
> the ftp file tree on a partition by itself. If someone knows how to get
> around it, I'd like to hear about it.

i have been experimenting with this as well, and i have had the same
result as you. however, i have not done any real spoofs, try to attack
it as itself, etc., but if i get this happening, ill let you know. i dont
have a particular affinity for NT and am happy to find reasons not to use
it. as a firewall or as anything else.


-- 
/* my private and public electronic correspondence reflects my own
   views, at any given moment. specifically, they do not represent    
   the views of my University, my Government or my Employer.          */
/* Id  Type  Loadaddr      Size   B-major  C-major  Sysnum   Mod Name */
