[c-nsp] How secure ASR management interface is?
Charles Sprickman
spork at bway.net
Sat Apr 20 14:29:09 EDT 2019
> On Apr 20, 2019, at 9:49 AM, Alex K. <nsp.lists at gmail.com> wrote:
>
> Hello Dave,
>
> Thank you.
>
> Sure, it isn't *really* separated. After all, RPs' CPU connected to both
> (management interface and router forwarding matrix). It's really software
> imposed separation.
I’m always a bit puzzled by the design choices and how long they’ve stayed around. Back in 10.3 I got it - nobody cared about this, you just access-list everything and hope you didn’t miss some service. And now it seems essentially the same. Why the command shell wouldn’t be bound to a single IP (or a defined list of IPs) as part of the isolation is beyond me. The fact that if I have 200 interfaces configured with an IP that the shell process (and snmp, and ntp and whatever else is running) listens on those IPs is just insane.
I’m a bit of a dinosaur, so maybe in the new versions this has changed, but as of the last time I really paid attention to IOS they were still in the 90’s as far as keeping the management processes separate.
Charles
>
> בתאריך שבת, 20 באפר' 2019, 16:04, מאת Dave Cardwell <
> dave.cardwell1 at gmail.com>:
>
>>
>> On Sat, 20 Apr 2019, 12:46 Alex K., <nsp.lists at gmail.com> wrote:
>>
>>>
>>> An interesting question I got from one of my customers - how secure Cisco
>>> ASR management interface is? Meaning, how really *separate* it is.
>>>
>>>
>> Its not the vector you describe below but the linked CVE relates to the
>> separation or lack thereof (see the workaround).
>>
>>
>> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list