[c-nsp] acess-list

lee.e.rian at census.gov lee.e.rian at census.gov
Sat Nov 1 12:46:43 EDT 2008


-----Pete Templin wrote: -----

>Peter Rathlev wrote:
>
>> The router allocates the VTY from 0 and onwards, so the first person
>> connecting gets VTY 0, next one VTY 1 and so on. There is practically no
>> security benefits in having different ACLs on different VTYs. It is
>> trivial for an attacker to starve e.g. VTY 0 - 4 so he can connect to
>> VTY 5. In my eyes: Always treat every VTY the same.
>
>What about the reverse logic, putting a tighter ACL on higher VTYs?
>I've heard of this as a safety valve: if too many connections are open
>to a router, the last few connections have to come from a key point.

Cisco gave us that recommendation a long time ago - allow only very limited
access to vty 4.  It came in quite handy the few times ciscoworks decided
it **really** wanted to talk to some box and opened as many connections to
it as possible ... and then kept them open :(

Lee
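The "safety valve" layout the thread describes, written out as an added IOS configuration example (not from the list posts themselves). The subnet and jump-host addresses are constructed placeholders from the RFC 5737 documentation ranges; the access-list numbers are likewise assumed.

```cisco
! Added example, not from the thread: ordinary management hosts may use
! VTY 0-3, but the last VTY (4) is reserved for one designated jump host.
! Addresses are constructed placeholders (RFC 5737 ranges); substitute your own.
!
! ACL 10: the normal management network, permitted on VTY 0-3
access-list 10 remark NOC management subnet
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
! ACL 11: only the designated jump host may reach the last VTY
access-list 11 remark emergency access, last VTY only
access-list 11 permit host 198.51.100.10
access-list 11 deny   any log
!
line vty 0 3
 access-class 10 in
 exec-timeout 10 0
 transport input ssh
!
line vty 4
 access-class 11 in
 exec-timeout 10 0
 transport input ssh
```

The `exec-timeout` reclaims idle sessions such as the ones Lee describes a management station leaving open, and the `log` keyword on the deny entries makes attempts from unexpected sources visible. As Peter notes, this does not stop someone from occupying VTY 0-3; it only guarantees that VTY 4 stays usable from the key point.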


