Great Circle Associates Firewalls
(May 1994)

Subject: Final: Ciscos and TIS "portscan"
From: reh @ cs . UMD . EDU (Richard Huddleston)
Date: Mon, 9 May 1994 13:48:56 -0400
To: firewalls @ greatcircle . com

Actually, all of the hubbub about undocumented listener ports on the
Cisco routers can be traced to a misleading statement in their manuals
(I've found it in the 8.2, 9.0 and 9.1 docs I personally have available).

In the 9.1 docs, Chap 13 p 27, for example:

" 
Controlling Line Access

[....]

Example 1

The following example defines an access list that permits only hosts on
network 192.89.55.0 to connect to the virtual terminal ports on the router.

	access-list 12 permit 192.89.55.0 0.0.0.255
	line 1 5
	     ^ ^
	access-class 12 in
"

Widening the range, to "line 1 6" appears to restore expected behavior.
Please disregard my earlier posting about setting up an additional access
list and class for line vty 4.  It appears unnecessary if the line range
is specified correctly. 

Of course, port 1993 is still listening.  This port is reportedly useless
unless SRB is enabled, and even then there are protections possible.  I have
been told that the manuals will be corrected in the next release.

Well, it's been a fun weekend.  Thank you, portscan. 

Richard
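The post's point is that an access-class only protects the virtual terminal lines named in the "line A B" range, so a range one line too short leaves a listener with no access list at all. The following is an added example, not part of Richard's post or Cisco's documentation: a small Python check that parses an IOS-style configuration, collects every "line" block carrying an inbound "access-class", and reports which of an expected set of line numbers are left unprotected. Assumptions: the configuration is in running-config layout (line subcommands indented by one space), the sample configs are constructed from the snippet in the post, and the expected set of line numbers (1 through 6, matching the widened "line 1 6" range) is taken from the post rather than from any Cisco reference.

```python
import re

# Constructed sample configs, modelled on the snippet quoted in the post.
# Running-config layout: subcommands under "line" are indented by one space.
SAMPLE_CONFIG = """
access-list 12 permit 192.89.55.0 0.0.0.255
line 1 5
 access-class 12 in
"""

# The same config with the widened range the post reports as fixing it.
WIDENED_CONFIG = """
access-list 12 permit 192.89.55.0 0.0.0.255
line 1 6
 access-class 12 in
"""

# A config using the "line vty" form; an outbound access-class does not
# restrict who may connect, so it must not count as protection.
VTY_CONFIG = """
access-list 12 permit 192.89.55.0 0.0.0.255
line vty 0 3
 access-class 12 in
line vty 4 4
 access-class 12 out
"""

# Matches "line A B", "line A" and "line vty A B"; "line con 0" etc. are ignored.
LINE_RE = re.compile(r"^line(?:\s+vty)?\s+(\d+)(?:\s+(\d+))?\s*$")
ACCESS_CLASS_IN_RE = re.compile(r"^access-class\s+\S+\s+in\b")


def parse_line_blocks(config):
    """Return a list of (first, last, subcommands) for each 'line' block.

    A block ends at the next unindented command (IOS '!' separators included).
    """
    blocks = []
    current = None
    for raw in config.splitlines():
        text = raw.rstrip()
        if not text.strip():
            continue
        match = LINE_RE.match(text)
        if match:
            first = int(match.group(1))
            last = int(match.group(2)) if match.group(2) else first
            current = (first, last, [])
            blocks.append(current)
        elif text.startswith(" ") and current is not None:
            current[2].append(text.strip())
        else:
            current = None
    return blocks


def protected_lines(config):
    """Set of line numbers covered by a block with an inbound access-class."""
    covered = set()
    for first, last, subcommands in parse_line_blocks(config):
        if any(ACCESS_CLASS_IN_RE.match(cmd) for cmd in subcommands):
            covered.update(range(first, last + 1))
    return covered


def unprotected_lines(config, expected_lines):
    """Sorted list of expected line numbers that no inbound access-class covers."""
    return sorted(set(expected_lines) - protected_lines(config))


if __name__ == "__main__":
    # Expected numbering (1..6) is an assumption taken from the post's "line 1 6".
    print("original range leaves unprotected:", unprotected_lines(SAMPLE_CONFIG, range(1, 7)))
    print("widened range leaves unprotected:", unprotected_lines(WIDENED_CONFIG, range(1, 7)))
    print("vty form leaves unprotected:", unprotected_lines(VTY_CONFIG, range(0, 5)))
```

Run against the first sample it reports line 6 as uncovered, which is the gap the post describes; against the widened range it reports nothing. The check deliberately ignores "access-class ... out", since an outbound class limits where sessions from the router may go, not who may connect to it.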
