05-22-2012 12:50 AM - edited 03-07-2019 06:49 AM
Hello Experts
What is the best practice approach to control access for switches, routers and ASA? I have been reading posts and mostly it says
I want to have the flexibility to access devices from home using VPN, from the office on different floors, and from different sites.
I would appreciate some kind feedback.
thanks
Samuel
05-22-2012 01:03 AM
All your points are correct.
As an addition to this I would suggest implementing out-of-band access to the devices. This is usually done by connecting the device to a management network through an interface dedicated only to management: the ASA has a mgmt interface, on switches you can use a routed interface, and on routers a spare, unused interface. Then limit access to this interface only to the terminal server, which is what I suggest deploying.
Please consult following link for more details
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap9.html#wp1054536
05-22-2012 01:13 AM
Hi Samuel
It's right that the ways you have mentioned are correct and come under the best practices for enabling access control on network/security devices.
But the most important thing is security and what your requirement is. Below is the explanation for each point, and why we prefer these as best practice.
Remove Telnet and use SSH: Telnet is not preferred as it is not secure, whereas SSH is more secure. In Telnet your passwords are not encrypted.
Configure ACL / management VLAN segments: to control and limit access to the authorized personnel/admins by only permitting the authorized IP addresses/subnets.
Use AAA: AAA means authentication, authorization and accounting. Authentication: who is allowed; Authorization: what is allowed; Accounting: what was done.
So the best practice is to use the combination of all three (SSH + ACL + AAA). In your case (SSH + AAA) can be used easily; the challenge will come with applying the ACL, as you want to access the devices from different locations and even over VPN with no fixed IP address, so you can use a jump server where you log in and from there access the device.
Thanks & Regards
Sandeep
05-22-2012 01:34 AM
6. syslog
and log all Telnet and SSH connection attempts in syslog:
! the "log" keyword makes every match produce a %SEC-6-IPACCESSLOGS message
access-list 10 permit any log
line vty 0 4
 access-class 10 in
so all Telnet and SSH connection attempts will be logged,
and if you access the devices from home using VPN you don't need to remove Telnet access.
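As an added example (not from any poster in this thread): a small Python check that reads the syslog lines produced by a logged access-class like the one above and flags vty attempts that did not come from the management VLAN quoted later in the thread (172.16.17.0/24). The %SEC-6-IPACCESSLOGS message format is the standard IOS one; the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Management subnet from the thread; any vty attempt from outside it is worth an alert.
MGMT_NET = ipaddress.ip_network("172.16.17.0/24")

# IOS standard-ACL log message, e.g. "%SEC-6-IPACCESSLOGS: list 10 permitted 10.9.8.7 1 packet".
# IOS logs the first match immediately and later summaries as "N packets".
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<count>\d+) packets?"
)

# Constructed sample syslog lines (not real device output).
SAMPLE_LOG = """\
May 22 01:35:10 router 15: *May 22 01:35:09.123: %SEC-6-IPACCESSLOGS: list 10 permitted 172.16.17.5 1 packet
May 22 01:36:42 router 16: *May 22 01:36:41.456: %SEC-6-IPACCESSLOGS: list 10 permitted 203.0.113.44 1 packet
May 22 01:41:42 router 17: *May 22 01:41:41.789: %SEC-6-IPACCESSLOGS: list 10 permitted 203.0.113.44 7 packets
May 22 01:45:00 router 18: *May 22 01:45:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (172.16.17.5)
May 22 01:50:03 router 19: *May 22 01:50:02.321: %SEC-6-IPACCESSLOGS: list 10 denied 198.51.100.9 1 packet
"""


def parse_acl_events(text):
    """Yield (action, source_ip, packet_count) for each ACL log line; other messages are skipped."""
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            yield m["action"], ipaddress.ip_address(m["src"]), int(m["count"])


def vty_attempts_outside_mgmt(text, mgmt_net=MGMT_NET):
    """Return {source_ip: total_packets} for vty attempts not sourced from the management VLAN.

    Both permitted and denied entries count: a permitted attempt from outside the
    management subnet means the ACL is too loose, a denied one is a probe worth knowing about.
    """
    outside = Counter()
    for _action, src, count in parse_acl_events(text):
        if src not in mgmt_net:
            outside[str(src)] += count
    return dict(outside)


if __name__ == "__main__":
    for src, pkts in vty_attempts_outside_mgmt(SAMPLE_LOG).items():
        print(f"ALERT: {pkts} vty packet(s) from {src}, outside {MGMT_NET}")
```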
05-22-2012 02:04 AM
Hi
If you want to use the devices over the Internet I strongly urge you to use another port than 22 for SSH.
There are a lot of bots trying that port and you will get a lot of "static interference" in your logs.
Something that has not been mentioned before is to keep track of your configurations.
You can get a lot of help with that by, e.g., using an EEM script:
an EEM script that sends the configuration to a TFTP server every time you log out or, if you want, every time you enter a command.
Other stuff would be to shut down all the different services that are running and that you do not need,
i.e. hardening the devices.
There are some whitepapers from Cisco that help you out, but all Cisco devices are not the same and do not do things the same way.
Do a search for "hardening cisco devices" and you will find some Cisco and other papers.
On some modules there is a special port that is used for management only.
One thing that I tend to do is set up what I call a spider net.
That is a separate serial network (USB/RS-232) to control the devices "out of band", so even if links are down or swamped/overwhelmed I can still take full control of the devices and shut down offenders.
You can double up links with port channels and FlexLinks in case something happens to the cable system or ports,
but that is more about helping out day-to-day normal operations.
05-22-2012 03:31 AM
Thanks all for posting.
I put together a template for SSH, showing how to restrict SSH access to the management VLAN only.
Can I initiate an SSH session from a router to any switch/router to connect?
management vlan
172.16.17.0/24
--------------------------------------------
hostname router
aaa new-model
! with aaa new-model and no method list, vty logins fall back to the local user database
username 123 password 123
! the RSA key pair (host name + domain name) is required before SSH can be enabled
ip domain-name CISCO.COM
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
! only the management VLAN may reach the vty lines; matches and rejected attempts are logged
access-list 10 permit 172.16.17.0 0.0.0.255 log
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 access-class 10 in
 transport input ssh
---------------------------------------