[c-nsp] Disallowing "sw tru all vlan X" w/o "add" or "remove"
Gert Doering
gert at greenie.muc.de
Wed Jul 15 02:18:23 EDT 2009
Hi,
On Wed, Jul 15, 2009 at 02:09:17AM +0200, Peter Rathlev wrote:
> Currently we only allow "if-authenticated" on the console port. After a
> few funny situations the past year I'm seriously considering just
> enabling it for VTYs also. I'm not exactly sure why I haven't done this
> yet, but there's something inside my head telling me that there's some
> security aspect here. I just can't think of it. :-)
Well, one angle of attack could be...
- null-route the TACACS server IP
- instant "full" access
Of course the "null-route" command would be visible in TACACS command
accounting, so you know whom to slap :-)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
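As an added example, not part of Gert's or Peter's messages, here is the split Peter describes (fallback on the console only, none on the VTYs) written out as IOS AAA configuration, together with the point of Gert's reply as comments. The server address 192.0.2.10 is a documentation address, and the method-list names (CON-EXEC, CON-CMD, VTY-EXEC, VTY-CMD) and the TACACS key are assumed placeholders:

```text
! Added example, not from the thread. Addresses, list names and key are assumed.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-KEY
!
aaa authentication login default group tacacs+ local
!
! Console: keep "if-authenticated" so the box can still be recovered from
! the serial port when no TACACS server is reachable.
aaa authorization exec CON-EXEC group tacacs+ if-authenticated
aaa authorization commands 15 CON-CMD group tacacs+ if-authenticated
!
! VTYs: no fallback. When the server does not answer, authorization fails
! closed instead of granting the "instant full access" Gert describes.
aaa authorization exec VTY-EXEC group tacacs+
aaa authorization commands 15 VTY-CMD group tacacs+
!
! Command accounting still records whatever was typed, including the
! null route below, so the trail Gert mentions survives.
aaa accounting commands 15 default start-stop group tacacs+
!
line con 0
 authorization exec CON-EXEC
 authorization commands 15 CON-CMD
line vty 0 4
 authorization exec VTY-EXEC
 authorization commands 15 VTY-CMD
!
! Gert's attack, if the VTYs used a list ending in "if-authenticated":
!   ip route 192.0.2.10 255.255.255.255 Null0
! The null route itself is authorized normally (the server is still
! reachable at that moment); every later request then times out, and
! "if-authenticated" grants it because the session already logged in.
! With VTY-CMD above, the same null route only locks the session out of
! further authorized commands.
```

The trade-off is the one the thread is about: with no fallback on the VTYs, a TACACS outage means nobody can run authorized commands over SSH or telnet until the server is reachable again, and the console with its `if-authenticated` list becomes the recovery path. Command accounting does not prevent the null-route trick, it only attributes it afterwards.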