Access Lists on VTY?

May 9th, 2010

Hi Guys,

I've been wondering lately what the security risks are of not having an access list on the VTY interfaces, or of just having an access list for SSH on the dialer interface.

My problem is that, as a service provider maintaining client networks, we are not always at our office on our static IP address. I thought of using options such as VPNs, either directly to the client or to our office so we can use its IP.

So the questions are:

  • How big a security risk is it not having any ACLs on the VTY interfaces? (Telnet has been disabled; only SSH is allowed.)
  • What is better, an ACL on the VTYs or on the dialer? (I've taken over management of a network and had to use a console connection to gain access, as the ACLs only allowed certain IPs which we did not have access to.)
  • What do other service providers do in this situation?
Leo Laohoo Sun, 05/09/2010 - 04:15

Good of you to think laterally. Anything can be a risk. We have ACLs (aside from disabling telnet and enabling SSH, along with RADIUS and TACACS) to limit which subnet can remotely access your appliances. ACLs on your Telnet/SSH work hand-in-hand with RADIUS and TACACS to make the management of your network appliances more secure.

Kent Heide Sun, 05/09/2010 - 05:13

In a service provider situation I would recommend using a jumpstation to access your devices and allowing this in your VTY ACL.

It's scalable and secure. The benefit of applying it to the VTY ACL instead of the interface is that a VTY ACL does not go in between your traffic flows.
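As an added example (not code from the thread or from Cisco), the following Python script audits an IOS running-config for the three points raised above: an inbound access-class on every vty range, an ACL that admits only the jump host rather than any source, and SSH-only transport. The three configs embedded in it are constructed for this example; the ACL name MGMT-HOSTS and the jump-host address 203.0.113.10 (an RFC 5737 documentation address) are assumptions, not values from the discussion.

```python
"""Audit Cisco IOS 'line vty' blocks for the hardening the thread discusses:
an inbound access-class on EVERY vty range, an ACL that does not permit any
source, and 'transport input ssh'. All configs are constructed for this
example; 203.0.113.10 (a documentation address) stands in for the jump host."""
import re
from dataclasses import dataclass, field

# Constructed: no VTY ACL at all, telnet still accepted.
WEAK_CONFIG = """\
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input all
"""

# Constructed: ACL on vty 0 4 only. An attacker who connects while those five
# lines are busy (or ties them up) lands on an unfiltered vty 5-15 line.
PARTIAL_CONFIG = """\
ip access-list standard MGMT-HOSTS
 permit host 203.0.113.10
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
"""

# Constructed: same ACL on every vty range, SSH only (the shape recommended above).
HARDENED_CONFIG = PARTIAL_CONFIG.replace(
    "line vty 5 15\n login local",
    "line vty 5 15\n access-class MGMT-HOSTS in\n login local")

PERMIT_ANY = re.compile(r"permit\s+(?:any|0\.0\.0\.0\s+255\.255\.255\.255)\b")


@dataclass
class VtyFinding:
    line_range: str  # e.g. "0 4"
    problems: list = field(default_factory=list)


def _blocks(config, header_re):
    """Map each header line (regex group 1 = key) to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
            continue
        m = header_re.match(line)
        current = m.group(1) if m else None
        if current is not None:
            blocks.setdefault(current, [])
    return blocks


def parse_acls(config):
    """Named standard/extended ACL blocks plus old-style numbered entries."""
    acls = _blocks(config, re.compile(r"ip access-list (?:standard|extended) (\S+)$"))
    for m in re.finditer(r"^access-list (\d+) (.+)$", config, re.MULTILINE):
        acls.setdefault(m.group(1), []).append(m.group(2))
    return acls


def audit_vty(config):
    """One VtyFinding per 'line vty' block; an empty problems list means clean."""
    acls = parse_acls(config)
    findings = []
    for rng, cmds in _blocks(config, re.compile(r"line vty (\d+(?: \d+)?)$")).items():
        f = VtyFinding(rng)
        acl_cmd = next((c for c in cmds if re.match(r"access-class \S+ in\b", c)), None)
        if acl_cmd is None:
            f.problems.append("no inbound access-class: anyone who can route to the "
                              "device reaches the login prompt")
        else:
            name = acl_cmd.split()[1]
            if name not in acls:
                f.problems.append(f"access-class references undefined ACL {name}")
            elif any(PERMIT_ANY.match(e) for e in acls[name]):
                f.problems.append(f"ACL {name} permits any source")
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            f.problems.append("transport input not set; the default varies by IOS release")
        elif set(transport.split()[2:]) - {"ssh", "none"}:
            f.problems.append(f"'{transport}' accepts more than SSH")
        findings.append(f)
    return findings


def is_clean(config):
    return all(not f.problems for f in audit_vty(config))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("partial", PARTIAL_CONFIG),
                       ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {'clean' if is_clean(cfg) else 'findings'}")
        for f in audit_vty(cfg):
            for p in f.problems:
                print(f"   line vty {f.line_range}: {p}")
```

The partial config is the case worth remembering when taking over a network: an access-class on vty 0 4 alone looks protected in a quick glance at the config, but the unfiltered vty 5 15 range still accepts logins from anywhere, so the check reports per vty range rather than per device.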

jamesitsolutions Sun, 05/09/2010 - 05:22

kentheide wrote:

In a service provider situation I would recommend using a jumpstation to access your devices and allowing this in your VTY ACL.

It's scalable and secure. The benefit of applying it to the VTY ACL instead of the interface is that a VTY ACL does not go in between your traffic flows.

That makes sense now about the VTY ACL; somehow in my head I thought it would be better on the interface :S My bad.

However, what do you mean by a 'jumpstation'? Do you simply mean a device that has a static IP address that all the client routers have in their ACL, and we then SSH/VPN into the 'jumpstation' to gain access to the devices we require?

Kent Heide Sun, 05/09/2010 - 05:54

Basically yes! Different implementations I've done recently are:

- Linux/Unix box to SSH to and then run telnet/ssh to your devices. Can also do stuff like syslog and RANCID for configs.

- Win2k3 server running MS Terminal Services to RDP to. Can have tools like SecureCRT on it and other NMS tools like scanners etc.

This host obviously being placed in a secure management zone.

jamesitsolutions Sun, 05/09/2010 - 06:10

kentheide wrote:

Basically yes! Different implementations I've done recently are:

- Linux/Unix box to SSH to and then run telnet/ssh to your devices. Can also do stuff like syslog and RANCID for configs.

- Win2k3 server running MS Terminal Services to RDP to. Can have tools like SecureCRT on it and other NMS tools like scanners etc.

This host obviously being placed in a secure management zone.

This brings up the question of syslog and its security: how can I ensure the security and protection of the data?

And on a side note, which have you found more useful as a host, Linux or Windows? Linux comes with syslog/ssh etc. by default and can run port scanners etc.; however, Windows is such a complete desktop when combined with RDP. But then again, Linux is by default much more secure.

PS. I plan to set up a firewall on the Linux box if I go that path, to only allow SSH & syslog in/out.

Kent Heide Sun, 05/09/2010 - 13:44

Actually, my latest implementation of a CMZ (Common Management Zone) had both a Linux and an MS server. The Linux one is for SSH from anywhere, syslog and hosting web apps like an IP plan, and it's running RANCID. The Win2k3 server is more like a toolbox for the IT department, with all the tools normally on the desktop present.
