Cisco IOS NAT Vuln

Started by deanwebb, March 26, 2016, 09:11:58 AM


deanwebb

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-nat

ASA not on the list of vulnerable products. This is IOS only. IOS XR, XE, and NX-OS not affected, either.

But if you *are* doing NAT with an IOS device...

:umad:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

Cisco IOS G2 routers can be a router, firewall / NAT, voice server. And if you have lots of money they can also be a platform for virtualisation for servers. I haven't even mentioned that they can also be a wireless access point. Oh wait, I just mentioned that.

For one of my remote sites I do indeed have a 2900 router which is a firewall / NAT device. Thanks for the link.
:angry:

deanwebb


wintermute000

#3

Quote from: Dieselboy on April 23, 2016, 01:43:53 PM
Cisco IOS G2 routers can be a router, a sh1tty firewall / NAT with no NGFW / anemic app-id features and the world's worst syntax, a sh1t voice server with possibly the worst CLI convention ever in the form of dial peers. And if you have lots of money they can also be a fairly crappy platform for virtualisation for servers.


FIFY ;) though the new branch NFV platform looks promising (i.e. KVM in a router-sized box with a GUI for the vswitch and automagically deployed via APIC-EM, run IOSv/ASAv/WaaSv in the same branch network services box).

Dieselboy

Quote from: wintermute000 on April 23, 2016, 09:57:05 PM

Quote from: Dieselboy on April 23, 2016, 01:43:53 PM
Cisco IOS G2 routers can be a router, a sh1tty firewall / NAT with no NGFW / anemic app-id features and the world's worst syntax, a sh1t voice server with possibly the worst CLI convention ever in the form of dial peers. And if you have lots of money they can also be a fairly crappy platform for virtualisation for servers.


FIFY ;) though the new branch NFV platform looks promising (i.e. KVM in a router-sized box with a GUI for the vswitch and automagically deployed via APIC-EM, run IOSv/ASAv/WaaSv in the same branch network services box).

Got a link?
I've just signed off on a Riverbed with VMware.

wintermute000

#5
Yeah, similar (I presume you bought Granite) except it has no VMware goodies nor the sophisticated SAN integration / remote SAN target secret sauce.
It's also 1RU max and doesn't scale up to dual 12-core Xeons etc. like Granite can; IIRC it maxes out @ 64Gb RAM and a single bog-standard Skylake Xeon E3.


The Cisco version is 1.0 and doesn't provide VMware, it's just for running appliance images, no HA or any vCenter integration etc.
Storage is basic RAID on the box.
It's basically totally vanilla single-box hyperconverged for deploying virtual networking appliances, with a GUI that allows you to move the vswitch ports around easily. The sales pitch was that you don't need VMware skills to deploy it, nor do you need to pay for vSphere licensing etc., as well as the form factor (i.e. same size as a medium-sized router like a 2901) which will fit into a half rack or not blow someone's ears off in an office.

The vision is to integrate it with APIC-EM for automagic deployment of router VMs etc.

I learnt about it at a presales demo and I have no literature unfortunately; will try to track down some more concrete details on Tuesday.

Dieselboy

No, didn't get Granite as it's too much of a risk to use it between Australia and Sri Lanka.
I also got the brand new w2100 units and SteelCentral Mobile for our remote users :) I just need to monitor packet loss more closely so it doesn't screw up the optimisations.

I'd like to see what you're talking about in detail. Did they give any idea when it was going to market?

When I was in the UK I was trying to get management to deploy 2911s for our hosted clients. We deployed 2901s anyway, but they also deployed a small server about the size of a desktop PC with VMware as a local DC for fast DNS and other Windows-y type things. My argument is that if they're a hosted client they shouldn't have servers etc., as their servers are securely between DCs! They liked my proposal; however, when we did the numbers it turned out to be cost prohibitive anyway.