Cisco boxes

on 29.10.2004 04:24:05 by shung

I am reviewing security controls over the Cisco router, PIX, and IDS boxes
and have the following questions.
1. I make a recommendation that telnet should not be used. Instead, use ssh
or pdm (PIX). Does this make sense. Is telnet really so vulnerable?

2. In an IOS command list, I saw some lines are marked with at the
end. Does this mean this line is marked out?

3. In the IOS command list, all the user names and passwords are marked with
. I thought at least one user name needs to be there for local
console access. . .

4. In the IOS v12, do we still need to specify 'no service tcp-small-servers'
and 'no service udp-small-servers'?

5. In the PIX config, are the following very critical to security?
'no http server enable';
'clear dhcpd' ;
'sysopt security fragguard', 'fragment chain 1 outside';
'ip verify reverse-path interface xxxx';

6. How is Cisco IDS 2410? Any reported vulnerabilities? It occurred to me that
this device cannot block any packets that meet the signature patterns. Is
this a config issue or a fault in the box? On Cisco's website, it is
marked as a discontinued support item.

Would like to hear the expert comments on these questions.

Thanks.
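As an added example (not from anyone in this thread), a small Python audit that checks a saved IOS or PIX config for the items raised in questions 1, 3, 4 and 5: telnet on the vty lines, missing local usernames, the small servers, the PDM HTTP server and missing reverse-path checks. The sample configs are constructed, the PIX one in 6.x `nameif` style, and treating a vty line without `transport input` as telnet-reachable is a conservative assumption.

```python
import re

# Constructed sample configs (not from the thread): an IOS router and a
# PIX 6.x-style firewall, each showing the weak settings asked about above.
IOS_CONFIG = """\
service tcp-small-servers
line vty 0 4
 transport input telnet
"""
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
http server enable
ip verify reverse-path interface inside
"""

def audit_ios(cfg):
    """Return findings for an IOS config (questions 1, 3 and 4 above)."""
    findings, lines = [], cfg.splitlines()
    # Q4: small servers are off by default since 12.0; flag only if turned on.
    for l in lines:
        m = re.match(r"service (tcp|udp)-small-servers$", l)
        if m:
            findings.append(f"{m.group(1)}-small-servers enabled")
    # Q1: vty should carry 'transport input ssh'; missing/telnet/all is flagged.
    transport, in_vty = None, False
    for l in lines:
        if l.startswith("line vty"):
            in_vty = True
        elif in_vty and l.startswith(" transport input"):
            transport = l.split()[2:]
        elif not l.startswith(" "):
            in_vty = False
    if transport is None or {"telnet", "all"} & set(transport):
        findings.append("vty accepts telnet")
    # Q3: at least one local username for console/fallback access.
    if not any(l.startswith("username ") for l in lines):
        findings.append("no local username configured")
    return findings

def audit_pix(cfg):
    """Return findings for a PIX config (question 5 above)."""
    findings, lines = [], [l.strip() for l in cfg.splitlines()]
    if "http server enable" in lines:  # PDM's HTTP server is listening
        findings.append("http server enable (PDM) is on")
    # Unicast RPF should be on for every interface named with 'nameif'.
    names = [l.split()[2] for l in lines if l.startswith("nameif ")]
    rpf = {l.split()[-1] for l in lines if l.startswith("ip verify reverse-path interface ")}
    findings += [f"no reverse-path check on {n}" for n in names if n not in rpf]
    return findings
```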

Re: Cisco boxes

on 29.10.2004 11:01:21 by Bri

"Sherman H." wrote in
news:10o3ae7n9hsm617@corp.supernews.com:

> I am reviewing security controls over the Cisco router, PIX, and IDS
> boxes and have the following questions.
> 1. I make a recommendation that telnet should not be used. Instead,
> use ssh or pdm (PIX). Does this make sense. Is telnet really so
> vulnerable?


Grab PuTTY for Windows or whatever. It isn't so much that telnet is
vulnerable, but if you are remotely connecting to the PIX, telnet traffic
is unencrypted. PDM is cumbersome and slow.

>
> 2. In an IOS command list, I saw some line are marked with
> at the end. Does this mean this line is marked out?


Usually it means that it isn't there, correct. Without seeing a running
config it is hard to determine if it is something vital or not.

> 3. In the IOS command list, all the user names and passwords are
> marked with . I thought at least one user name need to be
> there for local console access. . .

This is not good if this is in the router. You need users with different
access levels, or just one user for Admin purposes only if that is the
case. With no users you can pretty much have anyone log in and make
changes.

>
> 4. In the IOS v12, do we still need to specify 'no service
> tcp-small-servers ' and 'no service udp-small servers'?

Run your own port scan with Nmap or something like that and determine if
you need it. I am not familiar with that command myself.

> 5. In the PIX config, are the following very critical to security?
> 'no http server enable';
> 'clear dhcpd' ;
> 'sysopt security fragguard', 'fragment chain 1 outside';
> 'ip verify reverse-path interface xxxx';

No Http means no outside PDM access IIRC. clear dhcpd is if you are not
running the PIX as a dhcp server. This would mean you have to assign all
addresses statically inside and/or outside. The last 2 commands appear to
be related to spoofing or something. Again, not familiar with those two.


> 6. How is Cisco IDS 2410? Any reported vulnerable? It occurred to me
> that this device cannot block any packets that meet the signature
> patterns. Is this a config issue or the faults from the box? In
> Cisco website, it is marked as a discontinued support item.


Not familiar with this device. We don't use anything like that at work.

HTH a little anyway

> Would like to hear the expert comments on these questions.
>
> Thanks.
--
***********************************************************
Knowing the rules to the game and knowing how to play it
are two different things
***********************************************************
If at first you don't succeed, call it version 1.0
***********************************************************


Re: Cisco boxes

on 29.10.2004 16:39:32 by Wolfgang Kueter

Sherman H. wrote:

> I am reviewing security controls over the Cisco router, PIX, and IDS boxes
> and have the following questions. [...]

> Would like to hear the expert comments on these questions.

If you are not able to answer those questions yourself you obviously lack
the necessary qualification and knowledge to write such a review.

Hire someone who is skilled enough for the job.

Wolfgang