03-14-2014 12:08 PM - edited 02-21-2020 05:07 AM
I have to install an ASR1001 on the internet for my company. I noticed the ASR1001 has a dedicated management port and I was wondering if it's a security risk to have this management port directly connected to my LAN, so I can manage it from my desk.
I only want to manage the ASR from this port and I won't be doing any management through its public IP address. Is it possible for an attacker to compromise the router then have access to the network through this management port?
03-14-2014 03:26 PM
It is a non-zero risk and you have to evaluate that in the context of the network (and assets on it) that you are protecting.
If you harden the router and lock down your in-band access tightly it is a very small risk.
03-20-2014 10:43 AM
As Marvin stated, it is pretty low risk. That particular port belongs to a Management VRF and cannot be removed/changed from it. If you properly secure the global VRF (disable telnet, ssh, http, etc.) it's darn near impossible.
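An added example, not part of the thread and not Cisco tooling: a Python check over a saved running-config that flags the in-band services the replies say to lock down (HTTP/HTTPS server, telnet on the vty lines, vty lines without an access-class) and confirms the management port sits in a VRF. The sample config is constructed; the VRF name `Mgmt-intf`, the ACL number, and the choice to accept SSH on a vty that has an access-class are assumptions.

```python
import re

# Constructed sample running-config (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.0.0.2 255.255.255.0
!
ip http server
no ip http secure-server
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 transport input ssh
"""

def audit(config, mgmt_if="interface GigabitEthernet0"):
    """Return findings about management services reachable in-band."""
    findings, blocks, section = [], {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            section = None
        elif not line.startswith(" "):          # top-level command or block header
            section = line.strip()
            blocks[section] = []
            if re.fullmatch(r"ip http (secure-)?server", section):
                findings.append(f"global: '{section}' is enabled")
        elif section:                           # sub-command of the current block
            blocks[section].append(line.strip())
    for header, body in blocks.items():
        if header.startswith("line vty"):
            transport = next((c for c in body if c.startswith("transport input")), None)
            if transport is None:
                findings.append(f"{header}: transport input not set explicitly")
            elif re.search(r"\b(telnet|all)\b", transport):
                findings.append(f"{header}: telnet permitted ('{transport}')")
            if not any(c.startswith("access-class") for c in body):
                findings.append(f"{header}: no access-class on the line")
        elif header == mgmt_if and not any(c.startswith("vrf forwarding") for c in body):
            findings.append(f"{header}: management port is not in a VRF")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample this reports the enabled HTTP server and the two problems on `line vty 0 4`; the second vty range and the management interface pass.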