Cisco IOS NAT Vuln

[deanwebb]

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-nat

ASA not on the list of vulnerable products. This is IOS only. IOS XR, XE, and NX-OS not affected, either.

But if you *are* doing NAT with an IOS device...

[Dieselboy]

Cisco IOS G2 routers can be a router, firewall / NAT, voice server. And if you have lots of money they can also be a platform for virtualisation for servers. I haven't even mentioned that they can also be a wireless accesspoint. Oh wait I just mentioned that.

For one of my remote sites I do indeed have a 2900 router which is a firewall / nat device. Thanks for the link.

[deanwebb]

I'm here to help.

[wintermute000]

Cisco IOS G2 routers can be a router, a sh1tty firewall / NAT with no NGFW / anemic app-id features and the world's worst syntax, a sh1t voice server with possibly the worst CLI convention ever in the form of dial peers. And if you have lots of money they can also be a fairly crappy platform for virtualisation for servers.

FIFY    though the new branch NFV platform looks promising (i.e. KVM in a router sized box with a GUI for the vswitch and automagically deployed via APIC-EM, run IOSv/ASAv/WaaSv in the same branch network services box).

[Dieselboy]

Cisco IOS G2 routers can be a router, a sh1tty firewall / NAT with no NGFW / anemic app-id features and the world's worst syntax, a sh1t voice server with possibly the worst CLI convention ever in the form of dial peers. And if you have lots of money they can also be a fairly crappy platform for virtualisation for servers.

FIFY    though the new branch NFV platform looks promising (i.e. KVM in a router sized box with a GUI for the vswitch and automagically deployed via APIC-EM, run IOSv/ASAv/WaaSv in the same branch network services box).

Got a link?
I've just signed off on a Riverbed with VMware.

[wintermute000]

Yeah similar (I presume you bought Granite) except it has no vmware goodies nor the sophisticated SAN integration / remote SAN target secret sauce.
Its also 1RU max and doesn't scale up to dual 12-core Xeons etc. like Granite can, IIRC it maxes out @ 64Gb RAM and a single bog standard sky-lake Xeon E3.


The Cisco version is 1.0 and doesn't provide vmware, it's just for running appliance images, no HA or any vcentre integration etc.
Storage is basic RAID on the box.
Its basically totally vanilla single box hyperconverged for deploying virtual networking appliances, with a GUI that allows you to move the vswitch ports around easily. The sales pitch was that  you don't need vmware skills to deploy it, nor do you need to pay for vsphere licensing etc., as well as the form factor (i.e. same size as a medium sized router like a 2901) which will fit into a half rack or not blow someone's ears off in an office.

The vision is to integrate it with APIC-EM for automagic deployment of router VMs etc.

I learnt about it at a presales demo and I have no literature unfortunately, will try to track down some more concrete details on Tuesday

[Dieselboy]

No didn't get granite as it's too much of a risk to use it between Australia and Sri Lanka.
I also got the brand new w2100 units and steelcentral mobile for our remote users I just need to monitor packet loss more closely so it don't screw up the optimisations.

I'd like to see what you're talking about in detail. Did they give any idea when it was going to market?

When I was in the uk I was trying to get management to deploy 2911's for our hosted clients. We deployed 2901's anyway but they also deployed a small server about the size of a desktop PC with vmware as a local DC for fast dns and other windows-y type things. My argument is that if they're a hosted client they shouldn't have servers etc as their servers are securely between DCs! They liked my proposal however when we done the numbers it turned out to be cost prohibitive anyway.