[VPN] Cisco 3015 concentrator
Dana J. Dawson
djdawso at qwest.com
Thu Nov 13 13:35:07 EST 2003
In a more helpful vein, the 3000 has default filters on the public
interface that should do a reasonable job of restricting traffic to just
that used by the various VPN technologies it supports. You can tighten
them down if you know you won't use a particular protocol, but you can't
remove the list if you want to terminate VPNs (though nothing stops you
from permitting all traffic through the filter, which would be a bad
thing to do). However, these filters don't provide any DoS protection
to the 3000, so there would be a benefit in that regard in having an
external firewall, assuming it provided such protection. I've not seen
any reports of a 3000 being hacked, but there was a vulnerability a
while back that could allow unintended traffic through the concentrator,
but that's been fixed for a long time (I forget the details, but it'd be
easy to find on Cisco's site). It's not a gaping hole in your security
if you don't protect with a firewall, so I would argue that you don't
*need* a firewall in front of it. The 3000 is, in fact, one of the
nicer VPN concentrators on the market in my opinion. It's not perfect,
but nothing is.
HTH
Dana
--
Dana J. Dawson djdawso at qwest.com
Senior Staff Engineer CCIE #1937
Qwest Communications (612) 664-3364
600 Stinson Blvd., Suite 1S (612) 664-4779 (FAX)
Minneapolis MN 55413-2620
"Hard is where the money is."
Brian Wotring wrote:
>
> Yes, and I recommend unplugging it and burying it in your backyard.
>
> On Nov 13, 2003, at 10:30 AM, Roger Qian wrote:
>
>> Hi,
>>
>> Does the Cisco 3015 concentrator need a firewall to protect against hacking?
>>
>> Thanks,
>>
>> Roger
>> _______________________________________________
>> VPN mailing list
>> VPN at lists.shmoo.com
>> http://lists.shmoo.com/mailman/listinfo/vpn
>
>
> --
> Brian Wotring ( brian at shmoo.com )
> PGP KeyID: 0x9674763D
>