[c-nsp] How secure ASR management interface is?

Charles Sprickman spork at bway.net
Sat Apr 20 14:29:09 EDT 2019


> On Apr 20, 2019, at 9:49 AM, Alex K. <nsp.lists at gmail.com> wrote:
> 
> Hello Dave,
> 
> Thank you.
> 
> Sure, it isn't *really* separated. After all, the RP's CPU is connected to both
> (the management interface and the router's forwarding matrix). It's really a
> software-imposed separation.

I’m always a bit puzzled by the design choices and how long they’ve stayed around. Back in 10.3 I got it - nobody cared about this, you just access-list everything and hope you didn’t miss some service. And now it seems essentially the same. Why the command shell wouldn’t be bound to a single IP (or a defined list of IPs) as part of the isolation is beyond me. The fact that, if I have 200 interfaces configured with an IP, the shell process (and SNMP, and NTP, and whatever else is running) listens on all of those IPs is just insane.

I’m a bit of a dinosaur, so maybe in the new versions this has changed, but as of the last time I really paid attention to IOS they were still in the ’90s as far as keeping the management processes separate.

Charles

> 
> On Sat, Apr 20, 2019, 16:04, Dave Cardwell <
> dave.cardwell1 at gmail.com>:
> 
>> 
>> On Sat, 20 Apr 2019, 12:46 Alex K., <nsp.lists at gmail.com> wrote:
>> 
>>> 
>>> An interesting question I got from one of my customers - how secure is the
>>> Cisco ASR management interface? Meaning, how really *separate* is it?
>>> 
>>> 
>> It's not the vector you describe below, but the linked CVE relates to the
>> separation, or lack thereof (see the workaround).
>> 
>> 
>> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr
>> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
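Charles's complaint above is that every service the box runs answers on every configured address, so the operator has to access-list each one and hope nothing was missed. What follows is an added example, not code from this thread or from Cisco: a small Python checker that walks an IOS/IOS-XE style configuration, lists the IPv4 addresses the box owns, and flags the usual management services (VTY, SNMP, NTP, HTTP) that have no ACL in front of them. The two configs it runs on are constructed for illustration, the ACL names are made up, and the service list is deliberately short; extend it for whatever else the platform listens on.

```python
"""Audit an IOS/IOS-XE style config for management services that answer on
every configured address with no ACL in front of them.

Hypothetical checker written for this post (not Cisco tooling); the configs
below are constructed for illustration, not taken from a real device.
"""
import re
from typing import Dict, List, Tuple

# Constructed weak config: the first VTY block is access-listed, the second
# is not, and SNMP, NTP and HTTP are open to every address the box owns.
SAMPLE_CONFIG = """\
hostname asr-edge
!
ip access-list standard MGMT-ACL
 permit 192.0.2.0 0.0.0.255
 deny   any
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.1 255.255.255.0
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
snmp-server community letmein RO
ntp server 203.0.113.10
ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
 access-class MGMT-ACL in
line vty 5 15
 transport input telnet ssh
!
"""

# Hardened variant (also constructed): every listening service is tied to
# an ACL, telnet and HTTP are off, and NTP only peers with its upstream.
HARDENED_CONFIG = (
    SAMPLE_CONFIG
    .replace("ip access-list standard MGMT-ACL",
             "ip access-list standard NTP-UPSTREAM\n permit host 203.0.113.10\n"
             "ip access-list standard MGMT-ACL")
    .replace("snmp-server community letmein RO",
             "snmp-server community letmein RO MGMT-ACL")
    .replace("ntp server 203.0.113.10",
             "ntp access-group peer NTP-UPSTREAM\n"
             "ntp access-group serve-only MGMT-ACL\nntp server 203.0.113.10")
    .replace("ip http server\n", "no ip http server\n")
    .replace("line vty 5 15\n transport input telnet ssh",
             "line vty 5 15\n transport input ssh\n access-class MGMT-ACL in")
)

SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?$")


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level lines and {block header: child lines}.
    IOS indents children with a leading space; '!' or a blank ends a block."""
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        current = raw.strip()
        top.append(current)
        blocks.setdefault(current, [])
    return top, blocks


def configured_addresses(text: str) -> List[str]:
    """Every IPv4 address on an interface: by default each listening service
    answers on all of them, which is the point made in the thread."""
    _, blocks = parse_config(text)
    addrs: List[str] = []
    for header, body in blocks.items():
        if header.startswith("interface "):
            addrs += [m.group(1) for m in
                      (re.match(r"ip address (\S+) \S+", l) for l in body) if m]
    return addrs


def audit(text: str) -> List[str]:
    """One finding per management service reachable on every address with
    no ACL in front of it (VTY, SNMP, NTP, HTTP only; extend as needed)."""
    top, blocks = parse_config(text)
    findings: List[str] = []
    for header, body in blocks.items():  # VTY: access-class in, no telnet
        if not header.startswith("line vty"):
            continue
        if not any(re.match(r"access-class \S+ in\b", l) for l in body):
            findings.append(f"{header}: no inbound access-class")
        transports = [l for l in body if l.startswith("transport input")]
        if not transports or any(re.search(r"\b(telnet|all)\b", l) for l in transports):
            findings.append(f"{header}: telnet (or all transports) accepted")
    for line in top:  # SNMP: community with no trailing ACL argument
        m = SNMP_RE.match(line)
        if m and m.group(3) is None:
            findings.append(f"snmp community '{m.group(1)}' ({m.group(2)}): no ACL")
    # NTP: once 'ntp server' is set the box also serves time to anyone
    # unless an ntp access-group restricts it.
    if any(l.startswith(("ntp server", "ntp peer")) for l in top) and \
            not any(l.startswith("ntp access-group") for l in top):
        findings.append("ntp: serving all addresses, no ntp access-group")
    if any(re.match(r"ip http (secure-)?server$", l) for l in top) and \
            not any(l.startswith("ip http access-class") for l in top):
        findings.append("http: server enabled without ip http access-class")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: listening on {configured_addresses(cfg)}")
        for f in audit(cfg) or ["no findings"]:
            print("  -", f)
```

The checker is a whitelist in the opposite sense from the router: it only knows the services it was told about, so a platform that also runs, say, a NETCONF or REST agent will pass silently until that service is added. That gap is exactly the "hope you didn't miss some service" problem, which is why the list of services should come from what the box actually listens on (`show control-plane host open-ports`, `show ip sockets`, or an external port scan of every configured address) rather than from memory.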