[VPN] Cisco 3015 concentrator

Siddhartha Jain losttoy2000 at yahoo.co.uk
Fri Nov 14 06:58:02 EST 2003


Depends on whether you already have a firewall. If you
already have a firewall then I would argue to keep it
behind the firewall. One reason is DoS attacks and
the second is that the network shouldn't have two parallel
points of access.

But again, even if you did put it in parallel there
would hardly be much of a security risk.

Siddhartha


 --- "Dana J. Dawson" <djdawso at qwest.com> wrote:
> In a more helpful vein, the 3000 has default filters on the public
> interface that should do a reasonable job of restricting traffic to just
> that used by the various VPN technologies it supports.  You can tighten
> them down if you know you won't use a particular protocol, but you can't
> remove the list if you want to terminate VPNs (though nothing stops you
> from permitting all traffic through the filter, which would be a bad
> thing to do).  However, these filters don't provide any DoS protection
> to the 3000, so there would be a benefit in that regard in having an
> external firewall, assuming it provided such protection.  I've not seen
> any reports of a 3000 being hacked, but there was a vulnerability a
> while back that could allow unintended traffic through the concentrator
> but that's been fixed for a long time (I forget the details, but it'd be
> easy to find on Cisco's site).  It's not a gaping hole in your security
> if you don't protect with a firewall so I would argue that you don't
> *need* a firewall in front of it.  The 3000 is, in fact, one of the
> nicer VPN concentrators on the market in my opinion.  It's not perfect,
> but nothing is.
> 
> HTH
> 
> Dana
> 
> -- 
> 
> Dana J. Dawson                     djdawso at qwest.com
> Senior Staff Engineer              CCIE #1937
> Qwest Communications               (612) 664-3364
> 600 Stinson Blvd., Suite 1S        (612) 664-4779 (FAX)
> Minneapolis  MN  55413-2620
> 
> "Hard is where the money is."
> 
> 
> Brian Wotring wrote:
> 
> >
> > Yes, and I recommend unplugging it and burying it in your backyard.
> >
> > On Nov 13, 2003, at 10:30 AM, Roger Qian wrote:
> >
> >> Hi,
> >>
> >> Does Cisco 3015 concentrator need a firewall to protect hacking?
> >>
> >> Thanks,
> >>
> >> Roger
> >> _______________________________________________
> >> VPN mailing list
> >> VPN at lists.shmoo.com
> >> http://lists.shmoo.com/mailman/listinfo/vpn
> >
> >
> > -- 
> >     Brian Wotring ( brian at shmoo.com )
> >     PGP KeyID: 0x9674763D
> >
