05-09-2010 03:09 AM - edited 02-21-2020 03:57 AM
Hi Guys,
I've been wondering lately what the security risks are of not having an access list on the VTY lines, or of only having an access list for SSH on the dialer interface.
My problem is, as a service provider maintaining client networks, we are not always at our office on our static IP address. I thought of using options such as VPNs, either direct to the client or to our office, to use its IP.
So the questions are:
05-09-2010 04:15 AM
Good of you to think laterally. Anything can be a risk. We use ACLs (aside from disabling Telnet and enabling SSH, along with RADIUS and TACACS) to limit which subnet can remotely access your appliances. ACLs on your Telnet/SSH lines work hand-in-hand with RADIUS and TACACS to make the management of your network appliances more secure.
05-09-2010 05:13 AM
In a service provider situation I would recommend using a jumpstation to access your devices and allowing it in your VTY ACL.
It's scalable and secure. The benefit of applying it as a VTY ACL instead of on the interface is that a VTY ACL does not sit in between your traffic flows.
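As an added illustration of the VTY ACL point above (this is not code from the thread, and the configuration text inside it is constructed), the script below parses a small IOS-style running-config and reports any `line vty` range that has no inbound `access-class` or that still accepts Telnet. The ACL name `MGMT-ONLY` and the 192.0.2.0/24 documentation prefix stand in for a real jumpstation network and are assumptions.

```python
"""Audit 'line vty' stanzas in an IOS-style config for the two controls
discussed in the thread: an inbound access-class (VTY ACL) restricting
sources to the management/jumpstation network, and SSH-only transport.

Added example, not from the original thread. SAMPLE_CONFIG is constructed;
192.0.2.0/24 and the ACL name MGMT-ONLY are placeholders.
"""
import re

# Constructed sample: vty 0-4 is hardened, vty 5-15 was left with defaults.
SAMPLE_CONFIG = """\
hostname cpe-router
!
ip access-list standard MGMT-ONLY
 remark only the jumpstation network may open management sessions
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-ONLY in
 exec-timeout 10 0
 transport input ssh
line vty 5 15
 exec-timeout 10 0
 transport input telnet ssh
!
end
"""


def parse_vty_stanzas(config):
    """Return {"vty 0 4": [child lines...], ...}, one entry per 'line vty' block.

    IOS config is indentation-based: a stanza's children are the indented
    lines that follow it, and any non-indented line ends the stanza.
    """
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line "):].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def acl_names(config):
    """Names (or numbers) of ACLs defined in the config, so a dangling
    access-class reference can be flagged instead of silently trusted."""
    named = re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M)
    numbered = re.findall(r"^access-list (\d+) ", config, re.M)
    return set(named) | set(numbered)


def audit_vty(config):
    """Return a list of (vty_range, finding) tuples; an empty list means
    every vty range has an existing inbound ACL and SSH-only transport."""
    findings = []
    defined = acl_names(config)
    for vty, children in parse_vty_stanzas(config).items():
        acl = None
        transports = None
        for child in children:
            m = re.match(r"access-class (\S+) in$", child)
            if m:
                acl = m.group(1)
            m = re.match(r"transport input (.+)$", child)
            if m:
                transports = m.group(1).split()
        if acl is None:
            findings.append((vty, "no inbound access-class: any source can reach the login prompt"))
        elif acl not in defined:
            findings.append((vty, f"access-class {acl} references an undefined ACL"))
        if transports is None:
            findings.append((vty, "no 'transport input' line: platform default applies"))
        elif transports != ["ssh"]:
            findings.append((vty, f"transport input allows {' '.join(transports)}; expect ssh only"))
    return findings


if __name__ == "__main__":
    for vty, msg in audit_vty(SAMPLE_CONFIG):
        print(f"line {vty}: {msg}")
```

Run against a real `show running-config` dump it flags the ranges a jumpstation-only policy would miss; the `exec-timeout` lines are deliberately not checked, since the thread's point is source restriction and transport, not idle timeouts.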
05-09-2010 05:22 AM
kentheide wrote:
In a service provider situation I would recommend using a jumpstation to access your devices and allowing it in your VTY ACL.
It's scalable and secure. The benefit of applying it as a VTY ACL instead of on the interface is that a VTY ACL does not sit in between your traffic flows.
That makes sense now about the VTY ACL; somehow in my head I thought it would be better on the interface :S My bad.
However, what do you mean by a 'jumpstation'? Do you simply mean a device that has a static IP address, which all the clients' routers have in their ACL, and we then SSH/VPN into the 'jumpstation' to gain access to the devices we require?
05-09-2010 05:54 AM
Basically yes! Different implementations I've done recently are:
- Linux/Unix box to SSH to and then run telnet/ssh to your devices. Can also do stuff like syslog and RANCID for configs.
- Win2k3 server running MS Terminal Services to RDP to. Can have tools like SecureCRT on it and other NMS tools like scanners etc.
This host is obviously placed in a secure management zone.
05-09-2010 06:10 AM
kentheide wrote:
Basically yes! Different implementations I've done recently are:
- Linux/Unix box to SSH to and then run telnet/ssh to your devices. Can also do stuff like syslog and RANCID for configs.
- Win2k3 server running MS Terminal Services to RDP to. Can have tools like SecureCRT on it and other NMS tools like scanners etc.
This host is obviously placed in a secure management zone.
This brings up the question of syslog and its security: how can I ensure the security and protection of the data?
And on a side note, which have you found more useful as a host, Linux or Windows? Linux comes with syslog/ssh etc. by default and can run port scanners etc.; however, Windows is such a complete desktop when combined with RDP. But then again, Linux is by default much more secure.
PS. I plan to set up a firewall on the Linux box if I go that path, to only allow SSH & syslog in/out.
05-09-2010 01:44 PM
Actually my latest implementation of a CMZ (Common Management Zone) had both a Linux and an MS server. The Linux one is for SSH from anywhere, syslog, and for hosting web apps like an IP plan, and it's running RANCID. The Win2k3 server is more like a toolbox for the IT department, with all the tools normally on the desktop present.