[c-nsp] network audit was: VTY Lines

Lee ler762 at gmail.com
Thu Apr 23 13:21:17 EDT 2009


On 4/21/09, Justin Shore <justin at justinshore.com> wrote:
> Lee wrote:
>> line vty 0 3
>>  access-class 100 in
>> line vty 4
>>  access-class 104 in
>>
>> Which means every single router fails when you put the config through RAT
>> :(
>
> I went round and round with a security guy who audited our gear once
> over that.  He made a huge stink over how we didn't have passwords
> on our VTYs, con and aux ports.  He took everything RAT had to say as
> gospel, as if there was no other (or better) way to address a security
> issue.   <.. snip ..>  He just didn't get it.

I'd love to make it a requirement that network auditors have to
actually know something about networking.

We've got a service support contract w/ Cisco that includes a network
audit; those are useful.  What our security office is doing now...
well, it is forcing me to take a detailed look at all the configs, so
it's not a complete waste of time.

>  ...  I used the password stink as part of
> my justification that RAT really only points out common and basic
> security problems and doesn't take into account any of the numerous ways
> of mitigating those problems with more advanced methods.  In the end the
> audit was dropped.

Dropping an audit has never been an option where I've worked.
Preventing an audit from turning into nothing more than a bureaucratic
paper-shuffling exercise is the best I can hope for.

 <.. snip ..>
> While my installs may not be perfect, they are far better than average.
>   I don't need someone second-guessing my work with a tool like RAT.

s/need someone/need a clueless someone/ and I'd agree.  I've been in a
few meetings where the auditor wasn't able to justify their findings
with anything better than claiming "it's a best practice".

I just looked at http://checklists.nist.gov/ncp.cfm?repository again
and the only accepted Cisco IOS benchmark that has an automated tool
is CIS.  That they were able to get their tool accepted by the USG is
impressive.  That they haven't updated it since its release is
regrettable.

Regards,
Lee
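The complaint above is that a checker keyed to a single "line vty 0 4" block misreads a config whose VTYs are split across ranges with different ACLs. As an added example, not code from this thread, here is a small check that walks every "line vty" range and reports only the VTYs that truly lack an inbound access-class; the sample config is constructed for illustration.

```python
"""Added example (not from the thread): check that every IOS 'line vty' range
carries an inbound access-class; the config below is constructed."""
import re

SAMPLE_CONFIG = """\
hostname edge-rtr
!
line vty 0 3
 access-class 100 in
 login local
line vty 4
 access-class 104 in
 login local
line vty 5 15
 login local
"""

def parse_vty_blocks(config):
    """Return {(first, last): [sub-commands]} for each 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = (first, last)
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def vty_access_class_report(config):
    """Map each VTY number to its inbound access-class name/number, or None."""
    report = {}
    for (first, last), body in parse_vty_blocks(config).items():
        acl = None
        for cmd in body:
            m = re.match(r"^access-class (\S+) in$", cmd)
            if m:
                acl = m.group(1)
        for n in range(first, last + 1):
            report[n] = acl
    return report

def unprotected_vtys(config):
    """VTY numbers present in the config with no inbound access-class."""
    return sorted(n for n, acl in vty_access_class_report(config).items() if acl is None)
```

On the sample config this flags only VTYs 5 through 15, while the split 0-3 / 4 ranges from the thread count as covered.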

