[c-nsp] VTY Lines
Justin Shore
justin at justinshore.com
Tue Apr 21 23:27:16 EDT 2009
Lee wrote:
> line vty 0 3
> access-class 100 in
> line vty 4
> access-class 104 in
>
> Which means every single router fails when you put the config through RAT :(
I went round and round with a security guy who audited our gear once
over that. He made a huge stink over how we didn't have passwords
on our VTYs, con and aux ports. He took everything RAT had to say as
gospel, as if there was no other (or better) way to address a security
issue. We use AAA on all interfaces including con0. I have TACACS+ set
up with local auth as the backup (and only one user account on the
devices which I've gone to great lengths to protect). Aux is explicitly
disabled. He just didn't get it. Sure I could add the password command
to the VTY to appease him even though it wouldn't do a damn thing with
AAA enabled. I didn't though and I used the password stink as part of
my justification that RAT really only points out common and basic
security problems and doesn't take into account any of the numerous ways
of mitigating those problems with more advanced methods. In the end the
audit was dropped. The actual problems in the audit were addressed.
Any RAT fluff was ignored. There were several other things like that
but the line passwords were the most obvious to even a non-technical person.
While my installs may not be perfect, they are far better than average.
I don't need someone second-guessing my work with a tool like RAT.
Justin
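The setup described in the post (AAA on every line, TACACS+ with a single local fallback account, aux disabled, per-VTY access-class as in Lee's snippet), written out as an added example configuration; this is not Justin's or Lee's actual config. The server address, source networks, usernames and keys are placeholders, and SSH host keys are assumed to be generated already.

```ios
! Added example, not from the post. Addresses, names and keys are placeholders.
aaa new-model
! TACACS+ first, local database only if the server is unreachable.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-WITH-SHARED-SECRET
! The only local account: fallback when TACACS+ is down.
username fallback-admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
! ACLs referenced by access-class; 100 for the shared VTYs, 104 for the reserved one.
access-list 100 remark management networks allowed on vty 0-3
access-list 100 permit tcp 192.0.2.0 0.0.0.255 any
access-list 100 deny ip any any log
access-list 104 remark single NOC host reserved for vty 4
access-list 104 permit tcp host 192.0.2.5 any
access-list 104 deny ip any any log
!
line con 0
 login authentication default
 exec-timeout 10 0
line aux 0
 ! Aux explicitly disabled: no shell, no inbound or outbound transport.
 no exec
 transport input none
 transport output none
line vty 0 3
 access-class 100 in
 transport input ssh
 exec-timeout 10 0
 ! No "password" here: with aaa new-model it is never consulted.
 login authentication default
line vty 4
 access-class 104 in
 transport input ssh
 exec-timeout 10 0
 login authentication default
```

Verify the fallback path on a lab device with the TACACS+ server unreachable before relying on it, and check `show aaa servers` and `show line` to confirm the VTYs and aux line behave as configured.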