1024 Views · 0 Helpful · 6 Replies
Access Lists on VTY?

Hi Guys,

I've been wondering lately what the security risks are of not having an access list on the VTY interfaces, or of just having an access list for SSH on the dialer interface.

My problem is that, as a service provider maintaining client networks, we are not always at our office on our static IP address. I thought of using options such as VPNs, either direct to the client or to our office so we can use its IP.

So the questions are:

  • How big of a security risk is it not having any ACLs on the VTY interfaces? (Telnet has been disabled; only SSH is allowed.)
  • What is better, an ACL on the VTYs or on the dialer? (I've taken over management of a network and had to use a console connection to gain access, as the ACLs only allowed certain IPs which we did not have access to.)
  • What do other service providers do in this situation?

6 Replies

Leo Laohoo
Hall of Fame

Good of you to think laterally. Anything can be a risk. We use ACLs (aside from disabling Telnet and enabling SSH along with RADIUS and TACACS) to limit which subnet can remotely access your appliances. ACLs on your Telnet/SSH lines work hand-in-hand with RADIUS and TACACS to make the management of your network appliances more secure.

Kent Heide
Level 1

In a service provider situation I would recommend using a jumpstation to access your devices and allowing this in your VTY ACL.

It's scalable and secure. The benefit of applying it to the VTY ACL instead of the interface is that a VTY ACL does not go in between your traffic flows.
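To make the jumpstation approach concrete, here is an added Cisco IOS configuration example (not posted in the thread, and not from any poster) that restricts the VTY lines to a single jump host with `access-class`, keeps SSH as the only transport, and ships the ACL denies to a syslog host in the management zone. The addresses 192.0.2.10 (jump host) and 192.0.2.20 (syslog host) and the Loopback0 source are constructed placeholders. Note the contrast with an `ip access-group` on the dialer interface: `access-class` is evaluated only for sessions terminating on the VTY lines, so it never touches transit traffic.

```cisco
! Added example, not from the thread. All addresses are constructed placeholders.
!
! Standard ACL matching only the management jump host. The final deny carries
! the log keyword so every other SSH attempt appears in syslog as a
! %SEC-6-IPACCESSLOGS message, which is the detection hook for unexpected sources.
ip access-list standard MGMT-ACCESS
 remark Permit only the jump host in the management zone
 permit host 192.0.2.10
 deny   any log
!
! SSH version 2 only; Telnet is removed by transport input below.
ip ssh version 2
!
! Apply the ACL to every VTY line the platform has (0-15 here), not just 0-4.
! Lines left without an access-class stay reachable once the first lines are busy.
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
 exec-timeout 10 0
!
! Router-side logging: send the ACL denies and login failures to the syslog
! host in the management zone, sourced from a loopback so the sender address
! is stable and can itself be filtered on the syslog host.
logging host 192.0.2.20
logging source-interface Loopback0
logging trap informational
login on-failure log
```

Authentication for the SSH sessions (a local user or the RADIUS/TACACS setup mentioned earlier in the thread) is configured separately and is not shown here. Before applying the `access-class`, verify from the jump host that SSH still works, and keep the console as the fallback; a mistyped host address in MGMT-ACCESS locks out every remote session, which is exactly the situation described in the original question.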

kentheide wrote:

In a service provider situation I would recommend using a jumpstation to access your devices and allowing this in your VTY ACL.

It's scalable and secure. The benefit of applying it to the VTY ACL instead of the interface is that a VTY ACL does not go in between your traffic flows.

That makes sense now about the VTY ACL; somehow in my head I thought it would be better on the interface :S my bad.

However, what do you mean by a 'jumpstation'? Do you simply mean a device that has a static IP address that all the client routers have in their ACL, and we then SSH/VPN into the 'jumpstation' to gain access to the devices we require?

Basically yes! Different implementations I've done recently are:

- Linux/Unix box to SSH to and then run Telnet/SSH to your devices. Can also do stuff like syslog and RANCID for configs.

- Win2k3 server running MS Terminal Services to RDP to. Can have tools like SecureCRT on it and other NMS tools like scanners etc.

This host obviously being placed in a secure management zone.

kentheide wrote:

Basically yes! Different implementations I've done recently are:

- Linux/Unix box to SSH to and then run Telnet/SSH to your devices. Can also do stuff like syslog and RANCID for configs.

- Win2k3 server running MS Terminal Services to RDP to. Can have tools like SecureCRT on it and other NMS tools like scanners etc.

This host obviously being placed in a secure management zone.

This brings up the question of syslog and its security: how can I ensure the security and protection of the data?

And on a side note, which have you found more useful as a host, Linux or Windows? Linux comes with syslog/SSH etc. by default and can run port scanners etc.; however, Windows is such a complete desktop when combined with RDP. But then again, Linux is by default much more secure.

PS. I plan to set up a firewall on the Linux box if I go that path, to only allow SSH and syslog in/out.

Actually, my latest implementation of a CMZ (Common Management Zone) had both a Linux and an MS server. The Linux one is for SSH from anywhere, syslog, and hosting web apps like an IP plan, and it is running RANCID. The Win2k3 server is more like a toolbox for the IT department, with all the tools normally on the desktop present.
