Velocity Reviews - Computer Hardware Reviews

Why not???

 
 
Johnny Bravo
      09-08-2004
Hi,

I work at a software company with a lot of "let's automate this step
too" attitude.

We have a project coming up where we'll be setting up a dozen
LAN-to-LAN VPN tunnels (maybe more in the future) to our PIX525. It
was suggested that we should build a web UI to automate the setup
process; that is, the customer would log on to the site, fill out some
forms, and upon submit, it (the UI) would telnet/ssh to the firewall
to create the proper group(s), access-list(s), etc.

Now, this sounds very scary to me, but I want to know what you think,
as I have some serious opposition. Also, the general idea is that
their code is perfect (yeah, right)! If you have an opinion on this,
please try to elaborate a bit.

Thanks,

Johnny
 
PES
      09-08-2004

"Johnny Bravo" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> I work at a software company with a lot of "let's automate this step
> too" attitude.
>
> We have a project coming-up where we'll be setting-up a dozen
> LAN-to-LAN VPN tunnels (maybe more in the future) to our PIX525. It
> was suggested that we should build a web UI to automate the setup
> process; that is, the customer would logon to the site, fill-out some
> forms, and upon submit, it (the UI) would telnet/ssh to the firewall
> to create the proper group(s), access-list(s), etc.
>
> Now, this sounds very scary to me, but I want to know what you think,
> as I have some serious opposition. Also, the general idea is that
> their code is perfect (yeah, right)! If you have an opinion on this -
> please try to elaborate a bit,
>
> Thanks,
>
> Johnny


What if a site enters information that overlaps with another site? You
could create a DoS condition for either location. Also, how would the UI
access the remote PIX if the VPN wasn't yet up? I could see this being feasible
for the core 525. However, for a dozen tunnels, the dev time would far
outweigh the actual configuration time, not to mention the other risks
associated with it.


 
nobody@fletchmail.net
      09-08-2004
On 7 Sep 2004 20:14:36 -0700, (E-Mail Removed) (Johnny Bravo) wrote:

>Hi,
>
>I work at a software company with a lot of "let's automate this step
>too" attitude.
>
>We have a project coming-up where we'll be setting-up a dozen
>LAN-to-LAN VPN tunnels (maybe more in the future) to our PIX525. It
>was suggested that we should build a web UI to automate the setup
>process; that is, the customer would logon to the site, fill-out some
>forms, and upon submit, it (the UI) would telnet/ssh to the firewall
>to create the proper group(s), access-list(s), etc.
>
>Now, this sounds very scary to me, but I want to know what you think,
>as I have some serious opposition. Also, the general idea is that
>their code is perfect (yeah, right)! If you have an opinion on this -
>please try to elaborate a bit,
>
>Thanks,
>
>Johnny


Would the web server be accessible from the outside? If so, how would
you prevent just anybody from logging in and setting up their own
access? If the web site is password controlled, are the names and
passwords sent in the clear?
 
 
Johnny Bravo
      09-09-2004
(E-Mail Removed) wrote in message news:<(E-Mail Removed)>...
> On 7 Sep 2004 20:14:36 -0700, (E-Mail Removed) (Johnny Bravo) wrote:
>
> >Hi,
> >
> >I work at a software company with a lot of "let's automate this step
> >too" attitude.
> >
> >We have a project coming-up where we'll be setting-up a dozen
> >LAN-to-LAN VPN tunnels (maybe more in the future) to our PIX525. It
> >was suggested that we should build a web UI to automate the setup
> >process; that is, the customer would logon to the site, fill-out some
> >forms, and upon submit, it (the UI) would telnet/ssh to the firewall
> >to create the proper group(s), access-list(s), etc.
> >
> >Now, this sounds very scary to me, but I want to know what you think,
> >as I have some serious opposition. Also, the general idea is that
> >their code is perfect (yeah, right)! If you have an opinion on this -
> >please try to elaborate a bit,
> >
> >Thanks,
> >
> >Johnny

>
> Would the web server be accessable from the outside? If so, how would
> you prevent just anybody from logging in and setting up their own
> access? If the web site is password controlled, are the names and
> passwords sent in the clear?


Yes. HTTP (not HTTPS). Cleartext all the way, baby. And no passwords either.

Next...
 
 
PES
      09-09-2004

"Johnny Bravo" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> (E-Mail Removed) wrote in message
> news:<(E-Mail Removed)>...
>> On 7 Sep 2004 20:14:36 -0700, (E-Mail Removed) (Johnny Bravo) wrote:
>>
>> >Hi,
>> >
>> >I work at a software company with a lot of "let's automate this step
>> >too" attitude.
>> >
>> >We have a project coming-up where we'll be setting-up a dozen
>> >LAN-to-LAN VPN tunnels (maybe more in the future) to our PIX525. It
>> >was suggested that we should build a web UI to automate the setup
>> >process; that is, the customer would logon to the site, fill-out some
>> >forms, and upon submit, it (the UI) would telnet/ssh to the firewall
>> >to create the proper group(s), access-list(s), etc.
>> >
>> >Now, this sounds very scary to me, but I want to know what you think,
>> >as I have some serious opposition. Also, the general idea is that
>> >their code is perfect (yeah, right)! If you have an opinion on this -
>> >please try to elaborate a bit,
>> >
>> >Thanks,
>> >
>> >Johnny

>>
>> Would the web server be accessable from the outside? If so, how would
>> you prevent just anybody from logging in and setting up their own
>> access? If the web site is password controlled, are the names and
>> passwords sent in the clear?

>
> Yes. HTTP (not HTTP-S). Clear-text all the way baby. And, no passwords
> either.
>
> Next...


So just why did your company purchase a firewall? So hackers could build
VPN tunnels and get farther into the network?


 
 
Johnny Bravo
      09-09-2004
"PES" <NO*SPAMpestewartREMOVE*(E-Mail Removed)*SUCKS> wrote in message news:<41401ab3$(E-Mail Removed)>...
> "Johnny Bravo" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > (E-Mail Removed) wrote in message
> > news:<(E-Mail Removed)>...
> >> On 7 Sep 2004 20:14:36 -0700, (E-Mail Removed) (Johnny Bravo) wrote:
> >>
> >> >Hi,
> >> >
> >> >I work at a software company with a lot of "let's automate this step
> >> >too" attitude.
> >> >
> >> >We have a project coming-up where we'll be setting-up a dozen
> >> >LAN-to-LAN VPN tunnels (maybe more in the future) to our PIX525. It
> >> >was suggested that we should build a web UI to automate the setup
> >> >process; that is, the customer would logon to the site, fill-out some
> >> >forms, and upon submit, it (the UI) would telnet/ssh to the firewall
> >> >to create the proper group(s), access-list(s), etc.
> >> >
> >> >Now, this sounds very scary to me, but I want to know what you think,
> >> >as I have some serious opposition. Also, the general idea is that
> >> >their code is perfect (yeah, right)! If you have an opinion on this -
> >> >please try to elaborate a bit,
> >> >
> >> >Thanks,
> >> >
> >> >Johnny
> >>
> >> Would the web server be accessable from the outside? If so, how would
> >> you prevent just anybody from logging in and setting up their own
> >> access? If the web site is password controlled, are the names and
> >> passwords sent in the clear?

> >
> > Yes. HTTP (not HTTP-S). Clear-text all the way baby. And, no passwords
> > either.
> >
> > Next...

>
> So just why did your company purchase a firewall? So hackers could build
> vpn tunnels and get farther into the network?


Of course not! I was being sarcastic. My original question was NOT HOW
the site should be protected or how and who would have access.
Besides, as far as I'm concerned, his questions were off-topic and
illogical (yes, I'll make it available to the world! Duh!)

Just to reiterate the question: "What do you guys think about a "well
protected" site for a "privileged few" that would update the
configuration of your firewall (in my case, VPN settings on set of
PIX525s)?"

Thanks.
 
 
Johnny Bravo
      09-09-2004
"PES" <NO*SPAMpestewartREMOVE*(E-Mail Removed)*SUCKS> wrote in message news:<413ed3d6$(E-Mail Removed)>...
> "Johnny Bravo" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hi,
> >
> > I work at a software company with a lot of "let's automate this step
> > too" attitude.
> >
> > We have a project coming-up where we'll be setting-up a dozen
> > LAN-to-LAN VPN tunnels (maybe more in the future) to our PIX525. It
> > was suggested that we should build a web UI to automate the setup
> > process; that is, the customer would logon to the site, fill-out some
> > forms, and upon submit, it (the UI) would telnet/ssh to the firewall
> > to create the proper group(s), access-list(s), etc.
> >
> > Now, this sounds very scary to me, but I want to know what you think,
> > as I have some serious opposition. Also, the general idea is that
> > their code is perfect (yeah, right)! If you have an opinion on this -
> > please try to elaborate a bit,
> >
> > Thanks,
> >
> > Johnny

>
> What if a site enters information that overlaps with another site? You
> could create a dos condition for either location. Also, how would the ui
> access the remote pix if the vpn wasn't yet up. I could see this feasible
> for the core 525. However for a dozen tunnels, the dev time would far
> outweight the actual configuration time, not to mention the other risks
> associated with it.


PES: Thanks for the reply. The idea is to create a registry, one that
would contain information about previous setups, where it wouldn't
allow overlapping information (I would think that it would be more of
a dropdown-list UI).

As far as the remote sites, they will have contractors on location to
set up the hardware. The contractor would log in to the site, only to
set up the core.

And you are right; the development time does outweigh config time. It
wouldn't take much to do this in person (especially after one to two
setups).

Thanks.
 
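The registry that Johnny describes above, and the overlap problem PES raised in the first reply, as an added example that is not code from this thread or from any Cisco tool. It keeps every tunnel already pushed to the core PIX, refuses a request whose peer address or remote network collides with an existing entry (or with the core's own networks), and builds the firewall lines only from fields that have already been parsed and validated, so nothing typed into the form reaches the CLI verbatim. The PIX 6.x-style command syntax, the names outside_map, outside_cryptomap_N and ESP-3DES-SHA, the in-memory registry and the sequence-number scheme are all assumptions for illustration; the sample networks are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Whitelist for the one free-text field (site name): nothing a CLI could parse.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


@dataclass(frozen=True)
class Tunnel:
    name: str                          # site label, used only in object names
    peer: ipaddress.IPv4Address        # remote firewall's outside address
    remote_net: ipaddress.IPv4Network  # network behind the remote firewall
    seq: int                           # crypto map sequence number, unique per entry


@dataclass
class Registry:
    """Record of every tunnel already pushed to the core PIX (assumed in-memory here)."""
    local_nets: List[ipaddress.IPv4Network]       # networks behind the core PIX
    tunnels: List[Tunnel] = field(default_factory=list)

    @classmethod
    def with_local(cls, *cidrs: str) -> "Registry":
        return cls(local_nets=[ipaddress.IPv4Network(c) for c in cidrs])

    def check(self, name: str, peer: str, remote_net: str) -> Optional[str]:
        """Return None if the request is acceptable, else the reason to reject it."""
        if not NAME_RE.fullmatch(name):
            return "name must match [A-Za-z0-9_-]{1,32}"
        try:
            peer_ip = ipaddress.IPv4Address(peer.strip())
            net = ipaddress.IPv4Network(remote_net.strip(), strict=True)
        except ValueError as exc:
            return f"bad address: {exc}"
        for t in self.tunnels:
            if t.name == name:
                return f"name {name} already registered"
            if t.peer == peer_ip:
                return f"peer {peer_ip} already has a tunnel ({t.name})"
            if t.remote_net.overlaps(net):       # overlap would break one site or both
                return f"{net} overlaps {t.remote_net} ({t.name})"
        for local in self.local_nets:
            if local.overlaps(net):              # a remote site must not claim our own space
                return f"{net} overlaps local network {local}"
        return None

    def add(self, name: str, peer: str, remote_net: str) -> Tunnel:
        """Validate, assign the next free sequence number, and record the tunnel."""
        reason = self.check(name, peer, remote_net)
        if reason:
            raise ValueError(reason)
        seq = max((t.seq for t in self.tunnels), default=0) + 10
        t = Tunnel(name, ipaddress.IPv4Address(peer.strip()),
                   ipaddress.IPv4Network(remote_net.strip()), seq)
        self.tunnels.append(t)
        return t


def render_pix(t: Tunnel, local_nets: List[ipaddress.IPv4Network],
               crypto_map: str = "outside_map", transform: str = "ESP-3DES-SHA") -> List[str]:
    """Emit PIX 6.x-style lines for one tunnel, built only from validated Tunnel fields.

    The pre-shared key (isakmp key ... address <peer>) is deliberately not rendered:
    it should never pass through the web form or its logs.
    """
    acl = f"outside_cryptomap_{t.seq}"
    lines = [
        f"access-list {acl} permit ip {local.network_address} {local.netmask} "
        f"{t.remote_net.network_address} {t.remote_net.netmask}"
        for local in local_nets
    ]
    lines += [
        f"crypto map {crypto_map} {t.seq} ipsec-isakmp",
        f"crypto map {crypto_map} {t.seq} match address {acl}",
        f"crypto map {crypto_map} {t.seq} set peer {t.peer}",
        f"crypto map {crypto_map} {t.seq} set transform-set {transform}",
    ]
    return lines


if __name__ == "__main__":
    # Constructed sample data: a core PIX with one inside network and a few site requests.
    reg = Registry.with_local("10.1.0.0/16")
    print("\n".join(render_pix(reg.add("siteA", "203.0.113.10", "192.168.5.0/24"), reg.local_nets)))
    print(reg.check("siteB", "203.0.113.11", "192.168.5.128/25"))    # overlaps siteA
    print(reg.check("siteC", "203.0.113.12", "10.1.7.0/24"))         # overlaps the core's own network
    print(reg.check("x\nenable", "203.0.113.13", "192.168.9.0/24"))  # name would smuggle a CLI line
```

The check runs before anything is sent to the firewall, and the rendered lines contain only values the registry produced itself; the part that actually opens the ssh session to the PIX is left out on purpose, since that is the piece that should be reachable only from a restricted management address rather than from whatever host the form is served on.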
 
 
 