The PVC will likely never get to be more than one or two Mbit/sec and the
encryption is being done by the firewalls not the routers.  Site A could be
as large as a DS3 someday though.  I was not concerned about being hacked at
a layer less than three on the PVC; I was only concerned about the exposure
to the Internet.

-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 19, 1999 6:29 PM
To: '[EMAIL PROTECTED]'
Cc: [EMAIL PROTECTED]
Subject: RE: Is Private Network & Internet on same FR Circuit Ok?


AFAIK There is no IOS command on normal routers (dunno about the huge stuff)
that will let you see the actual packet _body_. Even if one has exec on the
router.

As to whether you should encrypt in this situation, I guess it depends on
what your data is. If it's employee ICQ, then maybe not. If it's my medical
records or financial transactions, then maybe you should.

There do exist boxes that you can put on a frame relay line that will dump
the entire traffic. Or you can just get to the data when it passes through
copper / fibre somewhere. I guess the question is whether you trust the
security of the physical access to the data path.

Alternatively, there may be non-Cisco routers in the cloud - can anyone
speak for the other brands that are around in telcos / large ISPs? What if
one of those gets compromised?

You ask what the security risk is if you don't use encryption...what is the
downside if you do? With the hardware cards, even the baby Ciscos will ship
A Goodly Amount of data with 56-bit DES. Is your pipe so big that the
performance hit will cripple you?

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520

>  -----Original Message-----
> From:         Joe Ippolito [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 20 September 1999 5:06 AM
> To:   [EMAIL PROTECTED]
> Cc:   [EMAIL PROTECTED]
> Subject:      Is Private Network & Internet on same FR Circuit Ok?
>
> Another scenario with a similar concern.
>
>               Internet
>                  |
>                  |
>               Router A-------PVC-------Router B
>                  |                        |
>                  |                        |
>     DMZ A----Firewall A               Firewall B-----DMZ B
>                  |                        |
>                  |                        |
>                Site A                   Site B
>
> The purpose of this configuration is to provide a third-world site (Site
> B) tier-one Internet connectivity (not available locally) through a large US
> site while providing intra-company connectivity between the two sites with
> the same WAN connection.  An advantage is that site B would retain local
> access to its own self-administered DMZ.  Both firewalls have routable
> external addresses along with the adjacent router interface and the Internet
> side of router A.  The PVC between Routers A and B has only private
> addresses (e.g. 192.168.x.x.)  Both firewalls do IPSec VPNs with many other
> sites.  Is it really necessary to do DES encryption for communication
> between sites A and B?  What is the security risk if we do not?  Is it
> possible to hack a Cisco router and sniff clear data packets?
>
> Thanks
