[VPN] Cisco 3015 concentrator

Dana J. Dawson djdawso at qwest.com
Thu Nov 13 13:35:07 EST 2003


In a more helpful vein, the 3000 has default filters on the public 
interface that should do a reasonable job of restricting traffic to just 
that used by the various VPN technologies it supports.  You can tighten 
them down if you know you won't use a particular protocol, but you can't 
remove the list if you want to terminate VPNs (though nothing stops you 
from permitting all traffic through the filter, which would be a bad 
thing to do).  However, these filters don't provide any DoS protection 
to the 3000, so there would be a benefit in that regard in having an 
external firewall, assuming it provided such protection.  I've not seen 
any reports of a 3000 being hacked, but there was a vulnerability a 
while back that could allow unintended traffic through the concentrator, 
but that's been fixed for a long time (I forget the details, but it'd be 
easy to find on Cisco's site).  It's not a gaping hole in your security 
if you don't protect with a firewall, so I would argue that you don't 
*need* a firewall in front of it.  The 3000 is, in fact, one of the 
nicer VPN concentrators on the market in my opinion.  It's not perfect, 
but nothing is.

HTH

Dana

-- 

Dana J. Dawson                     djdawso at qwest.com
Senior Staff Engineer              CCIE #1937
Qwest Communications               (612) 664-3364
600 Stinson Blvd., Suite 1S        (612) 664-4779 (FAX)
Minneapolis  MN  55413-2620

"Hard is where the money is."


Brian Wotring wrote:

>
> Yes, and I recommend unplugging it and burying it in your backyard.
>
> On Nov 13, 2003, at 10:30 AM, Roger Qian wrote:
>
>> Hi,
>>
>> Does Cisco 3015 concentrator need a firewall to protect hacking?
>>
>> Thanks,
>>
>> Roger
>> _______________________________________________
>> VPN mailing list
>> VPN at lists.shmoo.com
>> http://lists.shmoo.com/mailman/listinfo/vpn
>
>
> -- 
>     Brian Wotring ( brian at shmoo.com )
>     PGP KeyID: 0x9674763D




