[c-nsp] BCP for an ISPs large number of network devices authentication

Kim Onnel karim.adel at gmail.com
Sun Jan 9 06:59:58 EST 2005


Hi,

I wonder what's the BCP to apply a proper authentication policy to a
network of 40 personnel logging in to around 100 routers.

All my devices are running AAA to a Cisco Secure ACS server, so for
authorization and accounting I log that and follow it daily, and
RANCID does the proper config diffing.

The problems I have in hand are:

1) Most routers don't have SSH in their IOS, so I need to encrypt
the traffic.
2) There are the core routers and there are the PoPs. I can put a different
password on every core router, but not on every PoP; the NOC here logs in to
these PoPs 24x7, so I need to strike a balance between encryption/security
and usability.

I have the following ideas in mind:

A) Each NOC PC would double-click the Cisco VPN client icon on
their desktop, hit connect, and have an IPsec tunnel established
to a Cisco 1751 router.
The VPN client would inject static routes into their PCs so that the
tunnel is used when connecting to any of the network device subnets (that
would be a tough task, gathering the IPs, ...),
and on the VPN concentrator router they would telnet from there to
the devices, or just route the traffic through that router.

B) A Linux/BSD PC with an SSH server running. The NOC would SSH to this and
telnet to the PoPs from there, and of course only this server is
allowed to connect to the PoPs/Core: hardening the kernel, only
allowing them to telnet, ping, and traceroute from their shell, and
heavily monitoring the server (and using all the extensive *nix
logging capabilities ;)

C) A Cisco router that runs SSH. Everyone just SSHes to it, I increase the
number of VTYs, and they would telnet from there to the network.


I don't have that much experience with S/Key or Kerberos, so I don't know the
possibilities there.

Regards
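An added example, not from the original post, showing the device side of option B: an IOS VTY configuration that only accepts telnet from the bastion host and sends login authentication, authorization and accounting to the ACS over TACACS+. The bastion address 192.0.2.10, the ACS address 192.0.2.20, the TACACS+ key and the fallback account are placeholders.

```cisco
! Added example, not from the original post. Addresses and secrets are placeholders.
aaa new-model
! Authenticate and authorize against the ACS (TACACS+) first; the local
! user is consulted only when no TACACS+ server answers.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! Account for every EXEC session and every privileged command so the daily
! review on the ACS shows who changed what, from where.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.20
tacacs-server key TACACS_KEY_PLACEHOLDER
! Local fallback account, usable only while the ACS is unreachable.
username noc-fallback secret FALLBACK_PASSWORD_PLACEHOLDER
!
! Only the bastion (192.0.2.10) may open a VTY session. Everything else is
! refused and logged, so a telnet attempt that bypasses the bastion shows
! up in syslog instead of silently failing.
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 ! No SSH in this IOS image, so telnet is the only transport; the
 ! access-class keeps it reachable from the bastion alone.
 transport input telnet
 exec-timeout 10 0
 login authentication default
```

With this in place a compromised NOC workstation cannot reach a PoP router directly; it first has to pass the bastion's own SSH login and logging.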

