Security Design Question

angel-moon
Level 3

Hello,

Before I say something out of turn can anyone tell me a valid reason that someone would assign a public IP address to an interface on a 6800 that is a core switch? SSH is also open from the outside to any IP address.  True you have to authenticate but this still seems like a bad design to me.

All replies rated.  Thanks


rvarelac
Level 7

Hi angel-moon,  

The 6800 series can run in Layer 3 mode and perform routing tasks, so I would think of it not only as a switch but also as a router device.

Having SSH open on the outside can be considered a security risk. The best practices include adding an ACL to the VTY line, enforcing the AAA policies for authentication and using up-to-date software to avoid possible bugs or exploits that might affect your device.

If this device has a public IP on it, you can run security scanners to check for possible open ports or vulnerabilities; NMAP and KALI are very popular these days for performing the task.

Hope it helps

-Randy-
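
The VTY ACL and AAA checks recommended in the reply above, sketched as a config audit. This is an added example, not part of the original thread: the function names, the `MGMT-ONLY` ACL name and the sample running-config are constructed for illustration.

```python
import re

# Constructed sample running-config fragment (not from the thread).
SAMPLE_CONFIG = """\
aaa new-model
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login authentication default
line vty 5 15
 transport input telnet ssh
"""

def parse_vty_blocks(config):
    """Return {vty header: [sub-commands]} for every 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith((" ", "\t")) and current:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit(config):
    """Return sorted findings for the AAA and VTY checks."""
    findings = []
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.append("global: aaa new-model is not enabled")
    for header, cmds in parse_vty_blocks(config).items():
        # Without an inbound access-class, any source address can reach the VTY.
        if not any(re.match(r"access-class \S+ in\b", c) for c in cmds):
            findings.append(f"{header}: no inbound access-class (reachable from any source)")
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"{header}: no explicit 'transport input' (platform default applies)")
        elif set(transport[-1].split()[2:]) != {"ssh"}:
            findings.append(f"{header}: transport input is not ssh-only: {transport[-1]}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Every `line vty` range is checked separately because a config often restricts `vty 0 4` and leaves the higher range open, as the constructed sample does.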

Ganesh Hariharan
VIP Alumni

Hello,

It all depends on your design. If the 6800 core switch is acting as a peer device with an internet-facing router, then you would require a connection with a public IP.

I would recommend not opening up SSH from the public interface, as we never follow this practice in our DCs. Rather, we give access once the engineer has gained access via SSL VPN or remote-to-site VPNs.

I would also suggest hardening these devices and trying to have a firewall in between the public internet and this switch.

Hope it helps.

-GI

Rate if it helps
