
Audit

Hi,

As per policy we have to give the command "transport input ssh", and we had given it as "transport input telnet ssh".

Please tell me a good reason so that I can explain it to the Audit team.

Regards

Accepted Solution

Re: Audit

Hi,

Command "transport input ssh" gives you only SSH access. The transport is secure, but you should also filter those IP addresses that are allowed to access the device. What I did is to make all network engineers connect to VPN before connecting to network devices - and the VPN will assign a static/dedicated IP per network engineer (with 'A' and 'PTR' records) so I know that whoever logs in with that IP address, it belongs to only one user.

Command "transport input telnet ssh" gives you an option to use either SSH or telnet. Self-discipline to use only SSH and use telnet if SSH is not available - you can also make it a policy for all network engineers. However, this can become a security problem - you can't be 100% sure that your network engineers will always use SSH.

Some auditors are shrewd; they may not agree with your reasoning and give you an AFI (area for improvement) or worse. Unless your IOS does not support SSH, and as I mentioned above, you should filter the IP addresses allowed to access the device. Additionally, you can assign each network engineer a dedicated IP address through VPN (as you need to authenticate them).

This link is a good reference: http://www.cisco.com/univercd/cc/td/doc/product/software/sdm/22ug/saudt.htm

Regards,

Dandy
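The two controls the answer above describes (SSH only on the vty lines, plus filtering which source addresses may reach them) side by side with an audit check, as an added example that is not from the original thread or from Cisco. Both configurations are constructed samples; the VPN address pool 10.99.0.0/24 and the ACL name MGMT-VPN-ONLY are assumptions. The script walks each `line vty` block of a running-config and flags any block that still accepts telnet or has no `access-class`, which is the evidence an audit team would ask for.

```python
"""Audit Cisco IOS vty line configuration for SSH-only transport and
source-address filtering.

Added example, not from the original thread. It parses the 'line vty'
blocks of a running-config and reports, per block:
  - whether 'transport input' still permits telnet
  - whether an 'access-class ... in' restricts source addresses
The two configs below are constructed samples, not real device output.
"""
import re

# Constructed sample: the configuration the original poster described
# ('transport input telnet ssh') with no source-address filter.
WEAK_CONFIG = """\
hostname rtr-weak
!
line vty 0 4
 login local
 transport input telnet ssh
!
"""

# Constructed sample: SSH only, plus an access-class that limits logins to
# the VPN address pool (hypothetical subnet 10.99.0.0/24, hypothetical ACL
# name MGMT-VPN-ONLY). Denied attempts are logged for the SOC.
HARDENED_CONFIG = """\
hostname rtr-hard
!
ip access-list standard MGMT-VPN-ONLY
 permit 10.99.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-VPN-ONLY in
 login local
 transport input ssh
!
"""


def parse_vty_blocks(config):
    """Return a list of (line_name, [sub_commands]) for each 'line vty' block."""
    blocks = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())   # indented line belongs to the block
        else:
            current = None                   # '!' or a top-level command ends it
    return blocks


def audit_vty(config):
    """Return one finding dict per vty block in the config."""
    findings = []
    for name, cmds in parse_vty_blocks(config):
        transport = None
        access_class = None
        for cmd in cmds:
            m = re.match(r"transport input (.+)", cmd)
            if m:
                transport = m.group(1).split()
            m = re.match(r"access-class (\S+) in", cmd)
            if m:
                access_class = m.group(1)
        # No explicit 'transport input' line means the platform default
        # applies; treat that as non-compliant rather than assuming it is safe.
        telnet_allowed = (transport is None
                          or "telnet" in transport
                          or "all" in transport)
        findings.append({
            "line": name,
            "transport_input": transport,
            "telnet_allowed": telnet_allowed,
            "access_class": access_class,
            "compliant": (not telnet_allowed) and access_class is not None,
        })
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for finding in audit_vty(cfg):
            print(label, finding)
```

Run it against the output of `show running-config` saved to a file to get a per-line verdict; a block is reported compliant only when telnet is absent from `transport input` and an inbound `access-class` is present, which matches the two points the answer makes.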
