Access Lists on VTY?

Hi Guys,

I've been wondering lately what the security risks are of not having an access list on the VTY lines, or of having just an access list for SSH on the dialer interface.

My problem is that, as a service provider maintaining client networks, we are not always at our office on our static IP address. I thought of using options such as VPNs, either direct to the client or to our office to use its IP.

So the questions are:

  • How big of a security risk is it not having any ACLs on the VTY lines? (Telnet has been disabled; only SSH is allowed.)
  • What is better, an ACL on the VTYs or on the dialer? (I've taken over management of a network and had to use a console connection to gain access, as the ACLs only allowed certain IPs which we did not have access to.)
  • What do other service providers do in this situation?

Leo Laohoo
Hall of Fame

Good of you to think laterally.  Anything can be a risk.  We use ACLs (aside from disabling Telnet and enabling SSH, along with RADIUS and TACACS) to limit which subnets can remotely access your appliances.  ACLs on your Telnet/SSH lines work hand-in-hand with RADIUS and TACACS to make the management of your network appliances more secure.

Kent Heide
Level 1

In a service provider situation I would recommend using a jumpstation to access your devices and allowing this in your VTY ACL.

It's scalable and secure. The benefit of applying it on the VTY ACL instead of the interface is that a VTY ACL does not go in between your traffic flows.
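The configuration below is an added illustration of the approach described in this reply, not a configuration posted by anyone in the thread. It applies a standard ACL as an access-class on the VTY lines so that only a jump station and its management zone can open SSH to the device; every other source is denied and logged. The addresses are placeholders from the documentation range: 192.0.2.10 stands for the jumpstation and 192.0.2.0/24 for the management zone. Because the access-class is evaluated only for connections terminating on the router itself, transit traffic through the dialer or any other interface is unaffected, which is the point the reply makes.

```cisco
! Added example: lock remote management down to a jumpstation.
! Placeholder addresses: 192.0.2.10 = jump host, 192.0.2.0/24 = management zone.
ip access-list standard MGMT-VTY
 remark Only the jumpstation / management zone may open SSH to this device
 permit 192.0.2.10
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! Apply the ACL to the VTY lines, not to a routed interface. The access-class
! checks the source of sessions to the device itself and never touches
! customer traffic flowing through the router.
line vty 0 4
 access-class MGMT-VTY in
 transport input ssh
 exec-timeout 10 0
!
! Make sure the same restriction covers every VTY the platform has, otherwise
! an unprotected line remains reachable (line range depends on the platform).
line vty 5 15
 access-class MGMT-VTY in
 transport input ssh
 exec-timeout 10 0
!
! Verification: the deny counter and the log entries show who is knocking.
! show access-lists MGMT-VTY
! show users
```

If the jumpstation is reached over a VPN, its post-VPN source address is what the router sees, so that is the address to permit. Keep a console or out-of-band path available before applying the access-class, since a typo in the permitted address produces exactly the lock-out described earlier in the thread.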

kentheide wrote:

In a service provider situation I would recommend using a jumpstation to access your devices and allowing this in your VTY ACL.

It's scalable and secure. The benefit of applying it on the VTY ACL instead of the interface is that a VTY ACL does not go in between your traffic flows.

That makes sense now about the VTY ACL. Somehow in my head I thought it would be better on the interface :S my bad.

However, what do you mean by a 'jumpstation'? Do you simply mean a device that has a static IP address that all the client routers have in their ACL, and we then SSH/VPN into the 'jumpstation' to gain access to the devices we require?

Basically yes! Different implementations I've done recently are:

- Linux/Unix box to SSH to and then run Telnet/SSH to your devices. Can also do stuff like syslog and RANCID for configs.

- Win2k3 server running MS Terminal Services to RDP to. Can have tools like SecureCRT on it and other NMS tools like scanners etc.

This host is obviously placed in a secure management zone.

kentheide wrote:

Basically yes! Different implementations I've done recently are:

- Linux/Unix box to SSH to and then run Telnet/SSH to your devices. Can also do stuff like syslog and RANCID for configs.

- Win2k3 server running MS Terminal Services to RDP to. Can have tools like SecureCRT on it and other NMS tools like scanners etc.

This host is obviously placed in a secure management zone.

This brings up the question of syslog and its security: how can I ensure the security and protection of the data?

And on a side note, which have you found more useful as a host, Linux or Windows? Linux comes with syslog/SSH etc. by default and can run port scanners etc.; however, Windows is such a complete desktop when combined with RDP. But then again, Linux is by default much more secure.

PS. I plan to set up a firewall on the Linux box if I go that path, to only allow SSH & syslog in/out.

Actually my latest implementation of a CMZ (Common Management Zone) had both a Linux and an MS server. The Linux one is for SSH from anywhere, syslog and hosting web apps like an IP plan, and it's running RANCID. The Win2k3 server is more like a toolbox for the IT department, with all the tools normally on the desktop present.
