Audit

nasheer.ahmad
Level 1

Hi,

As per policy we have to give the command "transport input ssh", and we had given it as "transport input telnet ssh".

Please tell me a good reason so that I can explain it to the audit team.

Regards

Accepted Solution

Danilo Dy
VIP Alumni

Hi,

The command "transport input ssh" gives you only ssh access. The transport is secure, but you should also filter the IP addresses that are allowed to access the device. What I did is to make all network engineers connect to VPN before connecting to network devices - and the VPN will assign a static/dedicated IP per network engineer (with 'A' and 'PTR' records), so I know that whoever logs in with that IP address, it belongs to only one user.

The command "transport input telnet ssh" gives you the option to use either ssh or telnet. Self-discipline to use only ssh and use telnet if ssh is not available - you can also make it a policy for all network engineers. However, this can become a security problem - you can't be 100% sure that your network engineers will always use ssh.

Some auditors are shrewd; they may not agree with your reasoning and give you an AFI (area for improvement) or worse. Unless your IOS does not support ssh, and as I mentioned above, you should filter the IP addresses allowed to access the device. Additionally, you can assign each network engineer a dedicated IP address through VPN (as you need to authenticate them).

This link is a good reference: http://www.cisco.com/univercd/cc/td/doc/product/software/sdm/22ug/saudt.htm

Regards,

Dandy
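The two checks the answer above describes (ssh as the only vty transport, plus an inbound access-class restricting the source addresses) are exactly what an auditor will look for in the running-config. The following script is an added example, not code from the original thread or from Cisco: it parses the "line vty" blocks out of a constructed IOS configuration excerpt (hostname, ACL name and addresses are all hypothetical) and reports each vty range that still allows telnet or has no access-class. The excerpt deliberately contains one hardened range and one weak range so the report shows the difference.

```python
from typing import Dict, List, Optional

# Constructed sample running-config excerpt (hypothetical device and ACL).
# "line vty 0 4" is configured the way the answer recommends;
# "line vty 5 15" still allows telnet and has no access-class.
SAMPLE_CONFIG = """\
!
hostname EDGE-RTR-01
!
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
 deny   any log
!
line con 0
 login local
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
!
end
"""


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Return {'vty 0 4': [sub-command, ...], ...} for every 'line ...' block.

    IOS prints sub-commands indented by one space under the block header;
    the block ends at the next unindented line ('!' or a top-level command).
    """
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # '!' or another top-level command closes the block
    return blocks


def audit_vty(config: str) -> List[str]:
    """Return one finding per vty block that fails either of the two checks."""
    findings: List[str] = []
    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue                # console/aux lines are out of scope here
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            # No explicit setting: whatever the platform default is applies,
            # so flag it rather than assume ssh-only.
            findings.append(f"line {name}: no explicit 'transport input' (platform default applies)")
        else:
            protocols = transport.split()[2:]
            if protocols != ["ssh"]:
                findings.append(
                    f"line {name}: transport input is {' '.join(protocols)}, expected 'ssh' only"
                )
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append(f"line {name}: no inbound access-class restricting source addresses")
    return findings


if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG):
        print(finding)
```

Run against a real "show running-config" capture the script reports only the vty ranges that need attention; an empty result for every vty range is the state the policy in the question asks for. The access-class check only verifies that a filter is applied, not what the referenced ACL permits, so the ACL itself still has to be reviewed by hand.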
