Audit

Answered Question
Jan 6th, 2008

Hi,


As per policy we have to give the command "transport input ssh", and we had given "transport input telnet ssh".


Please tell me a good reason so that I can explain it to the Audit team.


regds

Correct Answer
Danilo Dy Sun, 01/06/2008 - 05:52
User Badges:
  • Blue, 1500 points or more

Hi,


Command "transport input ssh" gives you only ssh access. The transport is secure, but you should also filter those IP addresses that are allowed to access the device. What I did is to make all network engineers connect to VPN before connecting to network devices - and VPN will assign a static/dedicated IP per network engineer (with 'A' and 'PTR' record) so I know that whoever logs in with that IP address, it belongs to only one user.


Command "transport input telnet ssh" gives you an option to use either ssh or telnet. Self-discipline to use only ssh and use telnet if ssh is not available - you can also make it a policy for all network engineers. However, this can become a security problem - you can't be 100% sure that your network engineers will always use ssh.


Some auditors are shrewd; they may not agree with your reasoning and give you an AFI (area for improvement) or worse. Unless your IOS does not support ssh, and as I mentioned above, you should filter the IP addresses allowed to access the device. Additionally, you can assign each network engineer a dedicated IP address through VPN (as you need to authenticate them).


This link is a good reference http://www.cisco.com/univercd/cc/td/doc/product/software/sdm/22ug/saudt.htm


Regards,

Dandy
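As an added example (not part of the answer above), here is a small audit check for the two points Dandy raises: each `line vty` stanza should have `transport input ssh` only, and an inbound `access-class` restricting source addresses. The two sample configurations, the ACL name MGMT-VPN and the 10.99.0.0/24 VPN pool are constructed for the example.

```python
"""Audit Cisco IOS 'line vty' stanzas: SSH-only transport and an inbound access-class.
Sample configs below are constructed for this example, not taken from a real device."""
import re

def parse_vty_stanzas(config: str) -> dict:
    """Return {vty_range: [child lines]} for every 'line vty' stanza in the config."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^line vty (\d+(?: \d+)?)$", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())   # indented child of the vty stanza
        else:
            current = None                          # a new top-level stanza began
    return stanzas

def audit_vty(config: str) -> list:
    """Return (vty_range, finding) tuples; an empty list means the vty lines comply."""
    findings = []
    for rng, children in parse_vty_stanzas(config).items():
        transports = [c.split()[2:] for c in children if c.startswith("transport input")]
        if not transports:
            findings.append((rng, "no 'transport input' set; default may allow telnet"))
        elif any(t != ["ssh"] for t in transports):
            findings.append((rng, "transport input is not restricted to ssh"))
        if not any(c.startswith("access-class") and c.endswith(" in") for c in children):
            findings.append((rng, "no inbound access-class restricting source addresses"))
    return findings

# Constructed sample: the configuration the auditors objected to.
WEAK_CONFIG = """line vty 0 4
 transport input telnet ssh
 login local
"""
# Constructed sample: SSH only, sources limited to the per-engineer VPN pool.
HARDENED_CONFIG = """ip access-list standard MGMT-VPN
 permit 10.99.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-VPN in
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_vty(cfg) or "compliant")
```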
