05-09-2010 03:09 AM - edited 02-21-2020 03:57 AM
Hi Guys,
I've been wondering lately what the security risks are of not having an access list on the VTY interfaces, or of having just an access list for SSH on the dialer interface.
My problem is that, as a service provider maintaining client networks, we are not always at our office on our static IP address. I thought of using options such as VPNs, either direct to the client or to our office so we can use its IP.
So the questions are:
05-09-2010 04:15 AM
Good of you to think laterally. Anything can be a risk. What we use ACLs for (aside from disabling Telnet and enabling SSH, along with RADIUS and TACACS) is to limit which subnet can remotely access your appliances. ACLs on your Telnet/SSH lines work hand-in-hand with RADIUS and TACACS to make the management of your network appliances more secure.
05-09-2010 05:13 AM
In a service provider situation I would recommend using a jumpstation to access your devices and allowing it in your VTY ACL.
It's scalable and secure. The benefit of applying the ACL to the VTY lines instead of the interface is that a VTY ACL does not sit in between your traffic flows.
05-09-2010 05:22 AM
kentheide wrote:
In a service provider situation I would recommend using a jumpstation to access your devices and allowing it in your VTY ACL.
It's scalable and secure. The benefit of applying the ACL to the VTY lines instead of the interface is that a VTY ACL does not sit in between your traffic flows.
That makes sense now about the VTY ACL; somehow in my head I thought it would be better on the interface :S my bad.
However, what do you mean by a 'jumpstation'? Do you simply mean a device that has a static IP address that all the clients' routers have in their ACL, and we then SSH/VPN into the 'jumpstation' to gain access to the devices we require?
05-09-2010 05:54 AM
Basically yes! Different implementations I've done recently are:
- A Linux/Unix box to SSH to, from which you then run Telnet/SSH to your devices. It can also do things like syslog and RANCID for configs.
- A Win2k3 server running MS Terminal Services to RDP to. It can have tools like SecureCRT on it and other NMS tools like scanners etc.
This host is obviously placed in a secure management zone.
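The jumpstation design from the two replies above (a VTY ACL that admits only the jump host, SSH only, central AAA, and logging to the management zone), written out as Cisco IOS configuration. This is an example added by the editor, not configuration posted in the thread. The hostname, the 203.0.113.x and 10.255.0.1 addresses, the TACACS+ key and the local fallback username are placeholders; replace them with the provider's real CMZ addresses.

```cisco
! Management-plane hardening for a customer CPE router (Cisco IOS).
! Added example, not from the thread. Assumed addresses:
!   203.0.113.10  provider jump host in the CMZ
!   203.0.113.20  TACACS+ and syslog collector in the CMZ
!   10.255.0.1    this router's management loopback
!
hostname cpe-customer1
ip domain-name example.net
! Run once in config mode before enabling SSH:
!   crypto key generate rsa modulus 2048
!
! Source all management traffic from a stable loopback so the jump host
! firewall and the syslog collector see one predictable address.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Only the jump host may open a session to the VTY lines. The final
! "deny any log" records every other attempt, which is usually the first
! sign that someone is probing the device.
ip access-list standard MGMT-IN
 remark Provider jump host (CMZ) only
 permit host 203.0.113.10
 deny   any log
!
! SSH version 2 only, short handshake timeout, few password retries.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Central authentication with a local fallback for when TACACS+ is
! unreachable. Key and local password are placeholders.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 203.0.113.20 key PLACEHOLDER-TACACS-KEY
username admin privilege 15 secret PLACEHOLDER-LocalFallback
!
! The ACL is applied to the VTY lines with access-class, so it filters
! only sessions to the router itself and never sits in the customer's
! transit traffic path. transport input ssh means Telnet is never
! accepted, so the ACL only has to guard SSH.
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
 exec-timeout 10 0
 logging synchronous
!
! Throttle brute force and log every login outcome to the CMZ collector.
! IOS syslog is cleartext UDP/514, so the collector stays inside the
! management zone (or behind the VPN to it), never on the open Internet.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
service timestamps log datetime msec localtime show-timezone
logging source-interface Loopback0
logging host 203.0.113.20
logging trap informational
```

To verify the ACL is doing its job, try an SSH connection from an address other than the jump host: the session should be refused, `show access-lists MGMT-IN` should show the deny counter incrementing, and `show logging` (and the CMZ collector) should carry the matching log line with the source address.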
05-09-2010 06:10 AM
kentheide wrote:
Basically yes! Different implementations I've done recently are:
- A Linux/Unix box to SSH to, from which you then run Telnet/SSH to your devices. It can also do things like syslog and RANCID for configs.
- A Win2k3 server running MS Terminal Services to RDP to. It can have tools like SecureCRT on it and other NMS tools like scanners etc.
This host is obviously placed in a secure management zone.
This brings up the question of syslog and its security: how can I ensure the security and protection of the data?
And on a side note, which have you found more useful as a host, Linux or Windows? Linux comes with syslog/SSH etc. by default and can run port scanners etc.; however, Windows is such a complete desktop when combined with RDP. But then again, Linux is by default much more secure.
PS. I plan to set up a firewall on the Linux box, if I go that path, to only allow SSH and syslog in/out.
05-09-2010 01:44 PM
Actually, my latest implementation of a CMZ (Common Management Zone) had both a Linux and an MS server. The Linux one is for SSH from anywhere, syslog, and hosting web apps like an IP plan, and it's running RANCID. The Win2k3 server is more like a toolbox for the IT department, with all the tools normally on the desktop present.