01-06-2008 04:54 AM - edited 03-03-2019 08:08 PM
Hi,
As per policy we have to give command transport input ssh and we had given as transport input telnet ssh.
Please tell me a good reason so that I can explain it to the audit team.
Regards
01-06-2008 05:52 AM
Hi,
The command "transport input ssh" gives you only SSH access. The transport is secure, but you should also filter the IP addresses that are allowed to access the device. What I did is to make all network engineers connect to the VPN before connecting to network devices - and the VPN assigns a static/dedicated IP per network engineer (with 'A' and 'PTR' records), so I know that whoever logs in from that IP address, it belongs to only one user.
The command "transport input telnet ssh" gives you the option to use either SSH or Telnet. Self-discipline to use only SSH, and Telnet only if SSH is not available - you can also make it a policy for all network engineers. However, this can become a security problem - you can't be 100% sure that your network engineers will always use SSH.
Some auditors are shrewd; they may not agree with your reasoning and give you an AFI (area for improvement) or worse. Unless your IOS does not support SSH, and as I mentioned above, you should filter the IP addresses allowed to access the device. Additionally, you can assign each network engineer a dedicated IP address through the VPN (as you need to authenticate them).
This link is a good reference http://www.cisco.com/univercd/cc/td/doc/product/software/sdm/22ug/saudt.htm
Regards,
Dandy
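As an added illustration (not part of the original post), here is the "telnet ssh" vty setting beside the hardened configuration the answer describes: SSH-only transport plus an access-class that restricts sources to the VPN-assigned engineer addresses. The ACL name, addresses and domain name are constructed placeholders.

```cisco
! --- Weak: Telnet (cleartext) stays reachable and any source may connect ---
line vty 0 4
 transport input telnet ssh
 login local

! --- Hardened: SSH v2 only, source-filtered, idle sessions time out ---
! SSH needs a hostname, domain name and RSA key before it can be enabled
hostname edge-rtr1
ip domain-name corp.example
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Constructed example: one static VPN address per engineer, as in the answer
ip access-list standard MGMT-HOSTS
 remark VPN pool addresses assigned to named network engineers
 permit 10.255.0.10
 permit 10.255.0.11
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local
!
! --- Evidence for the audit team ---
show running-config | include transport input
show running-config | section line vty
show ip ssh
```

The two show commands are what an auditor can check directly: every vty line should report only "transport input ssh", and "show ip ssh" should confirm SSH version 2 is enabled.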