[28449] in North American Network Operators' Group


Re: external access and passwd mgmt (was Re: SSH on Cisco ...)

daemon@ATHENA.MIT.EDU (Bennett Todd)
Sun Apr 30 17:37:02 2000

Date: Sun, 30 Apr 2000 17:33:44 -0400
From: Bennett Todd <bet@rahul.net>
To: nanog@merit.edu
Message-ID: <20000430173344.I4416@rahul.net>
In-Reply-To: <20000430211641.10825.cpmta@c004.sfo.cp.net>; from sean@donelan.com on Sun, Apr 30, 2000 at 02:16:41PM -0700

2000-04-30-17:16:41 Sean Donelan:
> Folks seem to be concentrating on locking down the front door.
> You also need to watch all the backdoors.  With multi-protocol
> equipment, there are a lot of backdoors.

Excellent point.

Personally I think it's easier to balkanize than to really secure.
So use access lists so telnet access is either entirely disabled, or
if it's needed is restricted to the local LAN. Restrict all
questionable services to the local LAN, making sure there's a
bastion on that LAN, and use ingress/egress filtering wherever
possible to break address forging between LANs.

What this turns up is that it's exceptionally helpful if you can
have a really solid bastion host on every LAN. Fortunately, that
doesn't have to be too hard. I _still_ wish someone would make e.g.
a PCI card with say 32 or 64 10BaseT ports on it, but a civilized
approximation for many purposes is a nice 100Mbps port talking
802.1Q VLANs to a switch dedicated to this purpose.

But back to the wealth of possible, worrisome backdoors in modern
multiprotocol gear, what are people doing to try and get a grip on
config management for piles and stacks of Cisco? (my apologies if
this thread has already been pounded to death, I just joined). Seems
to me like a lot could be done with some simple m4 work, but so far
a lot of the parameterizing I'd like to achieve (e.g. interfaces,
access-list rules) has evaded me. The fantasy of course would be to
get hip to a new thought --- a new kind of filtering you want to add
to your access lists, or whatever --- and do it in one place, with
the confidence that it'll take effect on every box it applies to.
The distribution I can handle, it's the structured config management
that's evading me.

-Bennett
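The parameterized, change-it-once-and-render-for-every-box config management the message asks about, as an added Python example that is not part of the original post or of any NANOG project. One shared policy (telnet to the VTYs only from the bastion's LAN, LAN-only services kept off upstream links, ingress filtering against address forging between LANs) is rendered into Cisco IOS ACL snippets per router; the router inventory, prefixes, management LAN and ACL names are constructed for illustration.

```python
"""One shared filtering policy rendered into per-router Cisco IOS snippets (constructed example)."""
from ipaddress import IPv4Network

# Constructed inventory: interface -> LAN prefix it faces, or None for an upstream link.
ROUTERS = {
    "rtr-a": {"FastEthernet0/0": "192.0.2.0/24", "Serial0/0": None},
    "rtr-b": {"FastEthernet0/0": "198.51.100.0/24", "Serial0/0": None},
}
MGMT_LAN = "192.0.2.0/24"                      # hypothetical LAN holding the bastion host
LAN_ONLY_TCP = {23: "telnet", 513: "rlogin"}   # add a service here once; every box gets it

def _wild(prefix):
    """IOS ACL entries take network + wildcard mask rather than a CIDR prefix."""
    net = IPv4Network(prefix)
    return f"{net.network_address} {net.hostmask}"

def vty_lines(acl_no=10):
    """Telnet to the router itself is allowed only from the bastion's LAN."""
    return [f"access-list {acl_no} permit {_wild(MGMT_LAN)}",
            "line vty 0 4", f" access-class {acl_no} in"]

def lan_ingress_lines(name, prefix):
    """Inbound on a LAN port: only that LAN's own prefix may source packets (no forging)."""
    return [f"ip access-list extended {name}",
            f" permit ip {_wild(prefix)} any",
            " deny ip any any log"]

def upstream_ingress_lines(name, local_prefixes):
    """Inbound on an upstream link: drop packets forged with a local source, keep LAN-only services local."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip {_wild(p)} any log" for p in local_prefixes]
    for port, svc in LAN_ONLY_TCP.items():
        lines += [f" remark {svc} is restricted to the local LAN", f" deny tcp any any eq {port}"]
    return lines + [" permit ip any any"]

def render(router):
    """Full snippet for one router; the policy is identical, only the prefixes differ."""
    ifaces = ROUTERS[router]
    local = [p for p in ifaces.values() if p]
    out = vty_lines()
    for iface, prefix in ifaces.items():
        name = iface.replace("/", "_") + "-IN"
        out += lan_ingress_lines(name, prefix) if prefix else upstream_ingress_lines(name, local)
        out += [f"interface {iface}", f" ip access-group {name} in"]
    return out

if __name__ == "__main__":
    for r in ROUTERS:
        print(f"! ---- {r} ----\n" + "\n".join(render(r)))
```

Adding a port to LAN_ONLY_TCP or a LAN to the inventory changes the rendered output for every router at once, which is the "do it in one place" property the message wants; the snippets are then pushed out by whatever distribution mechanism is already in use.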
