[c-nsp] Disallowing "sw tru all vlan X" w/o "add" or "remove"

Gert Doering gert at greenie.muc.de
Wed Jul 15 02:18:23 EDT 2009


Hi,

On Wed, Jul 15, 2009 at 02:09:17AM +0200, Peter Rathlev wrote:
> Currently we only allow "if-authenticated" on the console port. After a
> few funny situations the past year I'm seriously considering just
> enabling it for VTYs also. I'm not exactly sure why I haven't done this
> yet, but there's something inside my head telling me that there's some
> security aspect here. I just can't think of it. :-)

Well, one angle of attack could be...

 - null-route the TACACS server IP
 - instant "full" access

Of course the "null-route" command would be visible in TACACS command
accounting, so you know whom to slap :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
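As an added example that is not part of the original post, the IOS-style AAA fragment below puts the fail-open method list Gert describes (if-authenticated on the lists the VTYs use) next to a configuration that keeps the fallback on the console only, so a null-routed TACACS+ server locks the VTYs rather than opening them. The server address 192.0.2.10, the key and the method-list names CONSOLE and VTY are assumptions made for the illustration.

```cisco
! Added example, not configuration from the original thread.
! Assumed: TACACS+ server 192.0.2.10, key ExampleKey, list names CONSOLE and VTY.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key ExampleKey
aaa authentication login default group tacacs+ local
aaa accounting commands 15 default stop-only group tacacs+
!
! --- Weak: if-authenticated on the default lists, which the VTYs use ---
! If the server cannot be reached, authorization succeeds for any session
! that already authenticated, so a level-15 user who null-routes the server
! is then free to type "switchport trunk allowed vlan X" or anything else.
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! The one command that gets the attacker there (and that command accounting
! is expected to record, per the post):
!   ip route 192.0.2.10 255.255.255.255 Null0
!
! --- Safer: fail-open only on the console, TACACS+-only on the VTYs ---
aaa authorization exec CONSOLE none
aaa authorization commands 15 CONSOLE none
aaa authorization exec VTY group tacacs+
aaa authorization commands 15 VTY group tacacs+
aaa authorization config-commands
line con 0
 authorization exec CONSOLE
 authorization commands 15 CONSOLE
line vty 0 4
 authorization exec VTY
 authorization commands 15 VTY
```

With the second layout the null route still takes the TACACS+ server away, but a VTY session then fails command authorization instead of being waved through, and the console with its "none" list stays the physical-access recovery path. The cost is the obvious one: lose the server (or its route) for any other reason and remote administration stops until someone reaches the console.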