[c-nsp] BCP for an ISPs large number of network devices authentication

Colin Whittaker colin.whittaker at heanet.ie
Sun Jan 9 08:44:03 EST 2005


Given that you are already running ACS, something like RSA SecurID
tokens would be worth looking at.
The benefits of not having to remember passwords for all the devices
almost make it worth doing.

Option B sounds like the best plan since it avoids having to install the
VPN software on the 40+ desktops.

Regards 

Colin

On Sun, Jan 09, 2005 at 01:59:58PM +0200, Kim Onnel wrote:
> Hi,
> 
> I wonder what's the BCP to apply a proper authentication policy to a
> network of 40 personnel logging in to something like 100 routers.
> 
> All my devices are running AAA to a Cisco Secure ACS server, so for
> authorization and accounting I log that and follow it daily, and
> RANCID does the proper config diffing.
> 
> The problems I have in hand are:
> 
> 1) Most routers don't have SSH with their IOS, so I need to encrypt
> the traffic.
> 2) There are the core routers and there are the PoPs. I can put a
> different password on every core router, but not on every PoP; the NOC
> here logs in to these PoPs 24x7, so I need to hit a balance between
> encryption/security and usability.
> 
> I have the following ideas in mind:
> 
> A) Each NOC PC would double click on his/her Cisco VPN client icon on
> their desktop, hit connect, and they have an IPSec tunnel established
> to a Cisco 1751 router.
> The VPN client will inject static routes on their PCs to take the
> tunnel when connecting to any of the network device subnets (that
> would be a tough task, to gather the IPs, ..)
> and on the VPN concentrating router, they would telnet from there to
> the devices, or just route the traffic through that router.
> 
> B) A Linux/BSD PC with an SSH server running. The NOC would ssh to this
> and telnet to the PoPs from there, and of course only this server is
> allowed to connect to the PoPs/core: hardening the kernel, only
> allowing them to telnet, ping and traceroute from their shell, and
> heavily monitoring the server (and using all the extensive *nix
> logging capabilities ;)
> 
> C) A Cisco router that runs SSH. Everyone just sshes to it, increase the
> number of VTYs, and they would telnet from there to the network.
> 
> 
> I don't have that experience with S/Key or Kerberos, so I don't know the
> possibilities there.
> 
> Regards
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

-- 
Colin Whittaker    colin.whittaker at heanet.ie    Tel: +353 1 6609040
HEAnet NOC         noc at heanet.ie                iNOC-DBA:  1213*752
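One way to build the restricted jump host sketched in option B, as an added example that is not from the thread or from any of its participants: an sshd ForceCommand wrapper that admits only telnet, ping and traceroute toward addresses in a fixed device list and logs every request to syslog. The script path, the subnet prefixes and the `ssh jump telnet <ip>` usage are assumptions.

```shell
#!/bin/sh
# Constructed example: a ForceCommand wrapper for the option B jump host.
# In sshd_config:   ForceCommand /usr/local/bin/noc-shell   (path is hypothetical)
# NOC staff then run e.g.:   ssh jump telnet 10.10.0.5
# Only telnet/ping/traceroute to an allowed device address may run, and every
# request is logged so the box can be monitored as the post suggests.
set -f   # no pathname expansion on user-supplied words

# Device address prefixes reachable from this host (constructed sample values).
ALLOWED_NETS="10.10.0. 10.20.0. 192.0.2."

# check_cmd "<command line>": return 0 if it is exactly one permitted tool
# followed by one allowed IPv4 literal, 1 otherwise.
check_cmd() {
    set -- $1                       # split into words; $# is the word count
    [ $# -eq 2 ] || return 1        # exactly: tool target (no options, no extras)
    case "$1" in
        telnet|ping|traceroute) ;;
        *) return 1 ;;
    esac
    case "$2" in
        *[!0-9.]*) return 1 ;;      # digits and dots only: no shell metacharacters
    esac
    for net in $ALLOWED_NETS; do
        case "$2" in
            "$net"*) return 0 ;;    # target lies in a managed device subnet
        esac
    done
    return 1                        # well-formed, but not a device we manage
}

# Entry point under sshd. An interactive login with no command gets nothing
# and the session simply ends.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    logger -t noc-shell "user=$(id -un) from=${SSH_CLIENT%% *} cmd=[$SSH_ORIGINAL_COMMAND]"
    if check_cmd "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND  # safe to split: both words were validated above
    fi
    echo "noc-shell: only 'telnet|ping|traceroute <device-ip>' is permitted" >&2
    exit 1
fi
```

Pair it with a host firewall that permits outbound telnet only from this machine, and the PoP/core ACLs the post already describes, so the wrapper is a second layer rather than the only one.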

