[c-nsp] Using role-based CLI access to work around REGEX bug
Justin Shore
justin at justinshore.com
Sat Sep 15 16:13:15 EDT 2007
Has anyone done any work with Role-based CLI Access, pertaining in
particular to working around the REGEX bug? It appears that it's easier
to use the parser-view options to restrict access to certain commands
and sub-commands than 'privilege exec' options. Of course this doesn't
really help with the use of REGEXes to parse the CLI output when they're
not part of the base command, but it's a start.
I ask this because one of my routers is also performing limited route
server functions and is accessible to a handful of people. I trust most
of these people but wouldn't be surprised to see my router reboot due to
someone checking to see if I'm still vulnerable. I noticed that both
the AT&T and Oregon IX route servers have been rebooted with bus errors
in recent days (minutes in AT&T's case).
I've been reading through this doc but haven't gotten a user defined
with the new view to automatically join that view. I am also having
trouble restricting access to certain sub-commands such as 'sh ip bgp
vpnv4' whereas 'regex' and 'quote-regex' exclude commands were accepted.
http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a0080455b96.html
Does anyone have any suggestions for hardening a route server other than
not running it on production equipment or to use Quagga instead of a HW
router?
Thanks
Justin
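Added example (not part of the original post, and not the configuration of the route server described in it): a minimal IOS role-based CLI view that gives route-server users a short allow-list of read-only BGP commands, together with the AAA lines that make a local username land in the view automatically at login. The view name, usernames and secrets are placeholders; the command set assumes a plain IPv4 route server and can be extended as needed.

```ios
! Added example: restricted parser view for route-server users.
! RS-VIEW, rs-guest and the <...> secrets are placeholders.
aaa new-model
aaa authentication login default local
! Exec authorization is what binds the "view" keyword of a username to
! the login session; without it the user gets the ordinary shell and the
! view has to be entered by hand with "enable view".
aaa authorization exec default local
enable secret <ROOT-SECRET>
!
! Views are created from the root view ("enable view" with the enable secret).
parser view RS-VIEW
 secret <VIEW-SECRET>
 ! Allow-list only the exact commands the route-server users need.
 ! Avoid "commands exec include all show ip bgp": that imports the whole
 ! subtree, including the regexp, quote-regexp and vpnv4 variants that
 ! this view is meant to keep out.
 commands exec include show ip bgp
 commands exec include show ip bgp summary
 commands exec include show ip bgp neighbors
 commands exec include show ip route
 commands exec include show version
 commands exec include ping
 commands exec include traceroute
 commands exec include exit
 commands exec include logout
!
! Local user that is placed directly into the view at login.
username rs-guest view RS-VIEW secret <USER-SECRET>
```

To check the result from the router itself: `enable view RS-VIEW` (with the view secret) and then `show parser view` confirms which view the session is in, and `show ip bgp ?` should list only the included keywords; `show parser view all` from the root view lists every configured view. Log in once as the test user over a second session before closing the one you configured from, since `aaa authorization exec default local` applies to all lines.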