[c-nsp] BCP for an ISPs large number of network devices authentication

Kim Onnel karim.adel at gmail.com
Sun Jan 9 09:24:09 EST 2005


I am on a low budget, so I can't purchase anything right now.

So you're saying option B is better because it's easier; I just want to
strike a balance between security and usability.

I'll give some examples:

Probably each NOC user has his own settings like batch files and
SecureCRT scripts which auto-authenticate; these would all still be
valid with the IPSec solution, but not with the Linux ssh solution.

Another point would be that IOS is a little more secure than Linux,
since it's less complex, but that comes with another point: less
interactivity and monitoring.

I just wonder what's the common practice for ISPs with resources
similar to mine;
what's the trend?

Regards

On Sun, 9 Jan 2005 13:44:03 +0000, Colin Whittaker
<colin.whittaker at heanet.ie> wrote:
> 
> Given that you are already running ACS, something like RSA SecurID
> tokens would be worth looking at.
> The benefit of not having to remember passwords for all the devices
> almost makes it worth doing.
> 
> Option B sounds like the best plan since it avoids having to install the
> VPN software on the 40+ desktops.
> 
> Regards
> 
> Colin
> 
> On Sun, Jan 09, 2005 at 01:59:58PM +0200, Kim Onnel wrote:
> > Hi,
> >
> > I wonder what's the BCP to apply a proper authentication policy to a
> > network of 40 personnel logging in to roughly 100 routers.
> >
> > All my devices are running AAA to a Cisco Secure ACS server, so for
> > authorization and accounting I log that and follow it daily, and
> > RANCID does the proper config diffing.
> >
> > The problems i have in hand are:
> >
> > 1) Most routers don't have ssh with their IOS, so I need to encrypt
> > the traffic.
> > 2) There are the core routers and there are the PoPs; I can put a
> > different password on every core router, but not on every PoP. The NOC
> > here logs in to these PoPs 24x7, so I need to strike a balance between
> > encryption/security and usability.
> >
> > I have the following ideas in mind
> >
> > A) Each NOC PC would double-click on his/her Cisco VPN client icon on
> > their desktop, hit connect, and they have an IPSec tunnel established
> > to a Cisco 1751 router;
> > the VPN client will inject static routes into their PCs to take the
> > tunnel when connecting to any of the network device subnets (that
> > would be a tough task, to gather the IPs, ...)
> > and on the VPN concentrating router they would telnet from there to
> > the devices, or just route the traffic through that router.
> >
> > B) A Linux/BSD PC with an ssh server running; the NOC would ssh to this
> > and telnet to the PoPs from there, and of course only this server is
> > allowed to connect to the PoPs/Core. Hardening the kernel, only
> > allowing them to telnet, ping and traceroute from their shell, and
> > heavily monitoring the server (and using all the extensive *nix
> > logging capabilities ;)
> >
> > C) A Cisco router that runs ssh; everyone just sshes to it, increase the
> > number of VTYs, and they would telnet from there to the network.
> >
> >
> > I don't have that much experience with S/Key or Kerberos, so I don't know
> > the possibilities there.
> >
> > Regards
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> 
> --
> Colin Whittaker    colin.whittaker at heanet.ie    Tel: +353 1 6609040
> HEAnet NOC         noc at heanet.ie                iNOC-DBA:  1213*752
>
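Option B's "only telnet, ping and traceroute from their shell, heavily monitored" jump host, as an added example that is not from the thread: a POSIX sh wrapper intended as an OpenSSH ForceCommand for the NOC group, which permits only those three tools against devices in an allow-list and records every allow/deny decision through logger(1). The script path /usr/local/sbin/jumphost-shell, the allow-list /etc/jumphost/devices.allow and the group name noc are assumptions.

```shell
#!/bin/sh
# Restricted command wrapper for an "option B" jump host (added example).
# sshd forces every NOC login through it (assumed: "Match Group noc" with
# "ForceCommand /usr/local/sbin/jumphost-shell", AllowTcpForwarding no); it
# permits only telnet, ping or traceroute to allow-listed devices and logs
# every decision to syslog.  Users run:  ssh -t jumphost "telnet 10.0.0.1"
# Returns 0 if the tool is one of the three the NOC shell permits.
allowed_tool() {
  case "$1" in
    telnet|ping|traceroute) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 if the target is a plain IPv4 address or hostname (no options,
# no shell metacharacters) listed verbatim in the allow-list (assumed path,
# one device per line; override with JUMP_ALLOWLIST).
allowed_host() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  grep -qx -- "$1" "${JUMP_ALLOWLIST:-/etc/jumphost/devices.allow}" 2>/dev/null
}

# Validates a whole command line such as "telnet 10.0.0.1": returns 0 only
# when it is exactly "<tool> <device>" with both parts permitted.
check_command() {
  set -f                     # no globbing while the line is split into words
  set -- $1
  set +f
  [ $# -eq 2 ] || return 1
  allowed_tool "$1" && allowed_host "$2"
}

# Entry point under sshd: log the decision, then exec the tool or deny.
run_forced_command() {
  cmd="${SSH_ORIGINAL_COMMAND:-}"
  src="${SSH_CONNECTION%% *}"
  if check_command "$cmd"; then
    logger -t jumphost "ALLOW user=${USER:-?} from=$src cmd=$cmd"
    set -f; set -- $cmd; set +f
    exec "$1" "$2"
  fi
  logger -t jumphost "DENY user=${USER:-?} from=$src cmd=$cmd"
  echo "jumphost: only 'telnet|ping|traceroute <allowed-device>' is allowed" >&2
  exit 1
}

# sshd sets SSH_ORIGINAL_COMMAND only for real forced-command sessions, so
# a bare login gets no shell and the file stays inert when sourced elsewhere.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then run_forced_command; fi
```

Because every session is a forced command, a plain `ssh jumphost` with no command yields no shell at all, and the deny log lines give the "heavy monitoring" a concrete thing to alert on.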

