[EMAIL PROTECTED] wrote:
>
> I took a look at Chesapeake's tool (didn't actually run it).
<G>
> While it appears
> well done, if you trust the documentation it creates a significant exposure on
> your router. It uses telnet, rather than tftp, to transfer lists to the
> router (tftp is planned for a future version).
Humm. Access from both can be controlled using the access lists. Neither
encrypts the data by default. Not sure where you get "significant"
from...
> The reason for this is that each configuration command (in a "conf term"
> operation, as used by a telnet setup) is made effective as soon as it's entered.
> This can cause a number of problems; with access-lists the most obvious issue is
> that the first command is usually "no access-list 101" (or similar). This
> means that you've just disabled all filtering for that access-list. Until the
> rest of the commands for that list are entered you may be allowing undesired
> traffic.
I guess if you are ultra-ultra paranoid, the above is true. You would
have maybe a second or two of exposure depending on how many lines are
in your access list. Of course this assumes an attacker knows exactly
when you will be dropping your guard and can sneak through a nasty
session in the allotted time. If attackers are somehow gaining this
level of knowledge about your network operations, you have bigger
problems than how you are loading your access lists. ;)
> If you're sitting at a window manually entering these commands into the router,
> this probably exposes you for several minutes.
Hummm. Why would you do this? I find it far easier to create the lists
using a text editor. This allows you to check your work to make sure
there are no screw-ups. Once complete, simply "paste" the commands and
you are done. As mentioned this keeps reload time at a second or two.
> If a program, such as the
> Chesapeake tool, is pumping the commands into the router, the leak may only last
> a second, but it's still there.
See comments above. ;)
> When tftp is used to transfer a configuration file the entire configuration
> update is atomic - all of the changes take effect at once. For access-lists in
> particular, this is safer.
Actually, that's not correct. TFTP will still wipe out the current
access list and then replace it. So if you want to get technical, you
still have a period of time where you are exposed. Granted we are
talking milliseconds as opposed to a full second or two, but we are
talking from an ultra-ultra paranoid perspective. ;)
Cheers,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
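The reload window both posts argue over, as an added model that is not part of either message: a small Python simulator applies each config-mode line in order and reports every step at which a probe packet is judged differently from how the finished list judges it, covering both the list-absent-permits-all moment after `no access-list` and the implicit deny while the list is only partly entered. The command subset (no `host` keyword, `eq` ports only), the sample list and the probe packets are constructed assumptions.

```python
# Added model (not IOS code) of reloading a numbered ACL one config line at a time.
import functools, ipaddress
def parse_ace(tokens):
    """'permit|deny proto src dst [eq port]'; each address is 'any' or 'A wildcard'."""
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    def take_addr():
        if rest[0] == "any":
            net, used = ipaddress.ip_network("0.0.0.0/0"), 1
        else:  # 'A wildcard': invert the IOS wildcard (host) mask into a netmask
            mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(rest[1])) ^ 0xFFFFFFFF)
            net, used = ipaddress.ip_network((rest[0], str(mask)), strict=False), 2
        del rest[:used]
        return net
    src, dst = take_addr(), take_addr()
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return (action, proto, src, dst, port)
def apply_command(acl, line):
    """ACL state after one config-mode line; None means the list does not exist."""
    t = line.split()
    if t[:2] == ["no", "access-list"]:
        return None                      # 'no access-list 101': the list is gone
    if t[:1] == ["access-list"]:
        return (acl or []) + [parse_ace(t[2:])]
    return acl
def evaluate(acl, pkt):
    """pkt = (proto, src, dst, dport). An absent list permits everything;
    an existing list is first-match with an implicit deny at the end."""
    if acl is None:
        return "permit"
    proto, src, dst, dport = pkt
    for action, p, s, d, port in acl:
        if (p in ("ip", proto) and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d and port in (None, dport)):
            return action
    return "deny"
def exposure_window(commands, probes):
    """(step, packet, verdict) wherever a probe is judged unlike the finished list."""
    final = functools.reduce(apply_command, commands, None)
    acl, diffs = None, []
    for step, c in enumerate(commands, 1):
        acl = apply_command(acl, c)
        diffs += [(step, p, evaluate(acl, p)) for p in probes
                  if evaluate(acl, p) != evaluate(final, p)]
    return diffs

# Constructed sample: block telnet, permit the rest; probe a telnet and an http packet.
RELOAD = ["no access-list 101", "access-list 101 deny tcp any any eq 23",
          "access-list 101 permit ip any any"]
PROBES = [("tcp", "198.51.100.7", "192.0.2.10", 23),
          ("tcp", "198.51.100.7", "192.0.2.10", 80)]
```

Running `exposure_window(RELOAD, PROBES)` on the sample reports the telnet probe permitted at step 1 and the http probe denied at step 2, so a line-by-line reload can both expose and break traffic until the last line lands.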
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]