
snmpconf Fwd: Re: external access and passwd mgmt (was Re: SSH on Cisco ...)



Thought this was timely and worth the cross post.

Building the "confidence" is the key part: they want
the functionality but fear not knowing what it might do.

Mike

>Date: Sun, 30 Apr 2000 17:33:44 -0400
>From: Bennett Todd <bet@rahul.net>
>To: nanog@merit.edu
>Subject: Re: external access and passwd mgmt (was Re: SSH on Cisco ...)
>
>2000-04-30-17:16:41 Sean Donelan:
> > Folks seem to be concentrating on locking down the front door.
> > You also need to watch all the backdoors.  With multi-protocol
> > equipment, there are a lot of backdoors.
>
>Excellent point.
>
>Personally I think it's easier to balkanize than to really secure.
>So use access lists so telnet access is either entirely disabled, or
>if it's needed is restricted to the local LAN. Restrict all
>questionable services to the local LAN, making sure there's a
>bastion on that LAN, and use ingress/egress filtering wherever
>possible to break address forging between LANs.
>
>What this turns up is that it's exceptionally helpful if you can
>have a really solid bastion host on every LAN. Fortunately, that
>doesn't have to be too hard. I _still_ wish someone would make e.g.
>a PCI card with say 32 or 64 10BaseT ports on it, but a civilized
>approximation for many purposes is a nice 100Mbps port talking
>802.1Q VLANs to a switch dedicated to this purpose.
>
>But back to the wealth of possible, worrisome backdoors in modern
>multiprotocol gear, what are people doing to try and get a grip on
>config management for piles and stacks of Cisco? (my apologies if
>this thread has already been pounded to death, I just joined). Seems
>to me like a lot could be done with some simple m4 work, but so far
>a lot of the parameterizing I'd like to achieve (e.g. interfaces,
>access-list rules) has evaded me. The fantasy of course would be to
>get hip to a new thought --- a new kind of filtering you want to add
>to your access lists, or whatever --- and do it in one place, with
>the confidence that it'll take effect on every box it applies to.
>The distribution I can handle, it's the structured config management
>that's evading me.
>
>-Bennett
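
The two things Bennett asks for above, restricting telnet and other questionable services to the local LAN with ingress/egress filtering to break address forging, and keeping those rules in one place so a new filter reaches every box it applies to, can be tied together with a small generator. The script below is an added example, not code from this thread or from any project it mentions; it stands in for the m4 approach with Python, assumes classic IOS syntax (numbered access lists, "access-class" on vty lines, "ip access-group" on interfaces), and the router names, prefixes and interface names are constructed for illustration.

```python
"""Generate per-router Cisco IOS configuration from one shared policy.

Added example, not code from the original NANOG/snmpconf thread. It assumes
classic IOS syntax (numbered access lists, 'access-class' on vty lines,
'ip access-group' on interfaces); the fleet below is constructed.
"""
import ipaddress

# The single place a new filtering idea is added. Each entry is a service
# that may only be reached from a router's own LAN: (protocol, port).
LAN_ONLY_SERVICES = [
    ("tcp", 23),    # telnet, to the router and to hosts behind it
    ("udp", 161),   # SNMP
]

# Per-router parameters: everything that differs from box to box.
# Constructed sample fleet; prefixes are RFC 5737 documentation space.
ROUTERS = [
    {"host": "rtr-a", "lan": "192.0.2.0/24",
     "lan_if": "Ethernet0", "wan_if": "Serial0", "telnet": True},
    {"host": "rtr-b", "lan": "198.51.100.0/24",
     "lan_if": "Ethernet0", "wan_if": "Serial0", "telnet": False},
]

VTY_ACL, INGRESS_ACL, EGRESS_ACL = 10, 110, 111


def wildcard(net):
    """IOS writes ACL entries as 'network wildcard', e.g. 192.0.2.0 0.0.0.255."""
    return f"{net.network_address} {net.hostmask}"


def render(router, services=LAN_ONLY_SERVICES):
    """Return the IOS config for one router as a string."""
    lan = wildcard(ipaddress.ip_network(router["lan"]))
    lines = [f"hostname {router['host']}", "!"]

    # Ingress filter on the WAN side: drop packets that claim to come from
    # our own LAN (address forging), then block LAN-only services from outside.
    lines.append(f"access-list {INGRESS_ACL} deny ip {lan} any")
    for proto, port in services:
        lines.append(f"access-list {INGRESS_ACL} deny {proto} any {lan} eq {port}")
    lines.append(f"access-list {INGRESS_ACL} permit ip any any")
    lines.append("!")

    # Egress filter: only packets sourced from our LAN may leave, so this
    # site cannot be used to forge another site's addresses.
    lines.append(f"access-list {EGRESS_ACL} permit ip {lan} any")
    lines.append(f"access-list {EGRESS_ACL} deny ip any any")
    lines.append("!")

    # Bind both filters to the WAN interface.
    lines += [
        f"interface {router['wan_if']}",
        f" ip access-group {INGRESS_ACL} in",
        f" ip access-group {EGRESS_ACL} out",
        "!",
    ]

    # vty access: either disabled entirely or limited to the local LAN.
    if router["telnet"]:
        lines += [
            f"access-list {VTY_ACL} permit {lan}",
            "line vty 0 4",
            f" access-class {VTY_ACL} in",
            " transport input telnet",
        ]
    else:
        lines += ["line vty 0 4", " transport input none"]
    lines.append("!")
    return "\n".join(lines)


def render_all(routers=ROUTERS, services=LAN_ONLY_SERVICES):
    """Render every router; one policy edit shows up on every box it covers."""
    return {r["host"]: render(r, services) for r in routers}


if __name__ == "__main__":
    for host, cfg in render_all().items():
        print(f"==== {host} ====")
        print(cfg)
```

Appending one tuple to LAN_ONLY_SERVICES and re-running the generator is the "do it in one place" step; the distribution of the resulting per-router text is left to whatever push mechanism is already in use.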