As an addition to this I would suggest implementing out-of-band access to the devices. It is usually done by connecting the device to a management network through an interface dedicated only to management: the ASA has a management interface, on switches you can use a routed interface, and on routers a spare, unused interface. Then limit access to this interface to only the terminal server, which I suggest you deploy.
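An illustration of the dedicated management interface described above, added here as an example and not taken from the post or from Cisco documentation. It assumes a Catalyst switch running IOS with a free routed port (GigabitEthernet0/0), a management subnet 10.99.0.0/24 with its gateway at 10.99.0.1, and a terminal server at 10.99.0.5; all of those names and addresses are assumptions.

```cisco
! Put the management interface in its own VRF so management traffic never
! shares a routing table, or a default route, with production traffic
vrf definition MGMT
 address-family ipv4
!
! The dedicated routed port connected only to the management network
interface GigabitEthernet0/0
 description OOB management, cabled to the management switch only
 vrf forwarding MGMT
 ip address 10.99.0.11 255.255.255.0
 no shutdown
!
! Reachability back to the management network lives only in the MGMT VRF
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.99.0.1
!
! Only the terminal server (assumed 10.99.0.5) may open a session over this path;
! everything else is dropped and logged
ip access-list standard OOB-ONLY
 permit host 10.99.0.5
 deny   any log
!
! "vrf-also" is required, otherwise access-class only applies to sessions
! arriving in the global routing table and the VRF-side VTYs stay open
line vty 0 15
 access-class OOB-ONLY in vrf-also
 transport input ssh
```

The `vrf-also` keyword is the detail most often missed: without it the access list does not apply to connections arriving through the MGMT VRF, and the out-of-band interface ends up less restricted than the in-band ones.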
It is right that the ways you have mentioned are correct and come under the best practices for enabling access control on network/security devices.
But the most important thing is security and what your requirement is. Below is the explanation for each point and why we prefer these as best practice:
Remove Telnet and use SSH: Telnet is not preferred as it is not secure, whereas SSH is more secure. In Telnet your passwords are not encrypted.
Configure ACL / management VLAN segments: To control and limit access to authorized personnel/admins by only permitting authorized IP addresses/subnets.
Use AAA: AAA means authentication, authorization and accounting. Authentication: who is allowed. Authorization: what is allowed. Accounting: what was done.
So the best practice is to use the combination of all three (SSH + ACL + AAA). In your case (SSH + AAA) can be used easily; the challenge will come with applying the ACL, as you want to access it from different locations and even over VPN, with no fixed IP address, so you can alternatively use a jump server where you log in and from there access the device.
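The SSH + ACL + AAA combination recommended above, written out as a single IOS configuration. This is an added example, not configuration from the post or from Cisco. It assumes a TACACS+ server at 192.0.2.20, a jump server at 192.0.2.10 (the fixed address the ACL can permit when administrators arrive from changing VPN addresses), a management subnet 10.10.0.0/24, and the hostname and domain name shown; all of these are placeholders.

```cisco
! SSH needs a hostname and domain name before the RSA key can be generated
hostname edge-rtr
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local account used only when every AAA server is unreachable
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! AAA: authenticate and authorize against TACACS+ (assumed 192.0.2.20),
! fall back to the local database, and account for sessions and commands
aaa new-model
tacacs server TAC1
 address ipv4 192.0.2.20
 key REPLACE-WITH-SHARED-SECRET
aaa group server tacacs+ MGMT-TACACS
 server name TAC1
aaa authentication login MGMT-LOGIN group MGMT-TACACS local
aaa authorization exec MGMT-EXEC group MGMT-TACACS local
aaa authorization commands 15 MGMT-CMDS group MGMT-TACACS local
aaa accounting exec default start-stop group MGMT-TACACS
aaa accounting commands 15 default start-stop group MGMT-TACACS
!
! Management ACL: the jump server and the management subnet only.
! Administrators on VPN or at remote sites go through the jump server.
ip access-list standard MGMT-ACL
 permit host 192.0.2.10
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
! Apply to every VTY the platform has, not just 0-4; Telnet is disabled
! because transport input lists SSH alone
line vty 0 15
 access-class MGMT-ACL in
 transport input ssh
 exec-timeout 10 0
 login authentication MGMT-LOGIN
 authorization exec MGMT-EXEC
 authorization commands 15 MGMT-CMDS
 logging synchronous
```

Two checks after applying it: `show ip ssh` should report version 2 with the key in place, and a Telnet attempt from a permitted address should be refused while SSH from a non-permitted address should appear in the log as a deny from MGMT-ACL. The `local` fallback in each AAA method list is what keeps you from being locked out if the TACACS+ server is down, so the local account must be a real, strong credential rather than a placeholder.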
If you want to use devices over the Internet I strongly urge you to use another port than 22 for SSH.
There are a lot of bots trying that port and you will get a lot of "static interference" in your logs.
Something that has not been mentioned before is to keep track of your configurations.
You can get a lot of help with that by, for example, using an EEM script:
an EEM script that sends the configuration to a TFTP server every time you log out or, if you want, every time you run a command.
Other stuff would be to shut down all the different services that are running and you do not need,
i.e. hardening the devices.
There are some whitepapers from Cisco that help you out, but all Cisco devices are not the same and do not do things the same way.
Do a search for "hardening cisco devices" and you will find some Cisco and other papers.
On some modules there is a special port that is used for management only.
One thing that I tend to do is set up what I call a spider net.
That is a separate serial network (USB/RS232) to control the devices "out of band", so even if links are down or swamped/overwhelmed I can still take full control over the devices and shut down offenders.
You can double up links with port channels and FlexLinks if something happens to the cable system or ports,
but that is more for helping out day-to-day normal operations.
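The EEM configuration-backup idea mentioned in the post above, written out as an added example; it is not the poster's script and not a Cisco reference configuration. It assumes a TFTP server at 192.0.2.10 reachable from the device and a hostname of edge-rtr used in the file name; both are assumptions.

```cisco
! Suppress the interactive "remote host / destination filename" prompts so the
! copy can run unattended from inside the applet
file prompt quiet
!
! Back up on logout: the applet fires on the %SYS-6-LOGOUT syslog message.
! $_event_pub_sec is the built-in EEM variable holding the event time in
! seconds, so each backup gets a distinct file name on the server.
event manager applet BACKUP-ON-LOGOUT
 event syslog pattern "%SYS-6-LOGOUT"
 action 1.0 cli command "enable"
 action 2.0 cli command "copy running-config tftp://192.0.2.10/edge-rtr-$_event_pub_sec.cfg"
 action 3.0 syslog msg "running-config copied to TFTP after logout"
!
! Alternative trigger for the "every time you do a command" variant: fire
! whenever a configuration session is committed, which is what CONFIG_I logs
event manager applet BACKUP-ON-CONFIG
 event syslog pattern "%SYS-5-CONFIG_I"
 action 1.0 cli command "enable"
 action 2.0 cli command "copy running-config tftp://192.0.2.10/edge-rtr-latest.cfg"
```

The caveat a practitioner should keep in mind: TFTP is unauthenticated and unencrypted, and the running configuration contains secrets, so the TFTP server must sit on the management network only and never be reachable from production or the Internet. On IOS releases that support it, replacing the `tftp://` URL with `scp://user@host/path` in the same `copy` command moves the transfer to an authenticated, encrypted channel without changing the rest of the applet.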