[Techtalk] Router choices
Raven, corporate courtesan
raven at oneeyedcrow.net
Mon Jan 7 18:15:27 EST 2002
Quoth Michelle Murrain (Mon, Jan 07, 2002 at 02:45:50PM -0500):
> Cisco router - there are several possibilities, 1601 single ethernet, 1605
> dual ethernet (for DMZ). Cons: expensive (or cheaper but risky on e-bay).
> Pros: easy to set up, ISP most familiar with this, no linux box for
> router/firewall required.
Have you talked to Cisco about this? If you do get a Cisco
router, make sure that you have some sort of support contract with Cisco
in case you have hardware problems. There are also various levels of
support they offer for software and config issues. Also, make sure that
the IOS that your router comes with has all the features that you need.
If you're intending to set your router up as your external firewall,
make sure that your IOS can do layer 4 filtering, and that you'll have
enough memory to support that in your router. Cisco has a bewildering
array of versions of their IOS available, and not all versions support
all features. Make sure that you get one that's right for you. As a
business customer, I doubt you'd need MPLS or anything like that, but
you will want layer 4 features to work in your access lists (most
moderns IOS's will do that).
Access to Cisco's routers is pretty much telnet only if you want
to be reliable. They do offer some with ssh1 support, but it's buggy.
The biggest security problem you'll likely run into with Ciscos
is if you enable the router-as-http-server and use their managing
programs. There have been a good number of holes, exploits, and
programs that cause problems in this manner.
> Netopia router - R5100 - it has an 8 port hub as a part of it, and you can
> set up a DMZ by setting up two separate IP subnets, with filter sets
> inbetween so that the subnets can't see each other, and filter sets for
> each subnet for firewalling (one for exposed to internet servers, one for
> internal network). Pros: much, much cheaper, I know these products really
> well (I've used 3 different models of Netopia routers in the past - they
> have good tech support), no Linux box router/firewall required. Cons: I
> don't know how good of a firewall option it is for separate subnets and
> filter sets. Sounds like it might have some holes to me. I need to research
> it more.
See if you can get a hold of the tech people at Netopia and ask
them. Don't necessarily trust what the sales people tell you. I have
used Netopias as customer end-routers before, but never with anything
but the most basic feature set, so I don't know much about their OS
vulnerabilities. They seem to have been decently reliable IME, though.
> Sangoma S5141 card - installed in a box with 2 NICs. Pros: integrated Linux
> solution, Sangoma knows linux, all advantages of a Linux router/firewall, I
> learn more about linux. Cons: time, mostly, plus ISP TOTALLY in the dark
> about this, although Sangoma provides tech support, have heard problems
> with this setup from a different vendor who works a lot with setting up T1
> lines. Also I have found no one who knows about the interaction between
> this Cisco IAD and this Sangoma card - Sangoma didn't even have much to
> say, except assurances that it would work.
This is probably what I would go for, but I'm more of a
do-it-yourselfer, and pretty familiar with firewalls. Also, the ISP is
going to continually blame your box if there are line problems, simply
because they won't understand it. So unless you can say, "Look, we're
not even seeing carrier signal from you" or something, you may be in for
a heck of a time with support. Not a huge problem for me, but might be
if you are short on time.
Hope that helped.
"So we're prohibited from cramming, slamming, and raiding, but we have
AD&D and STD insurance?"
-- a co-worker, on the recent reams of paperwork we all got
More information about the Techtalk