[c-nsp] How secure ASR management interface is?

Alex K. nsp.lists at gmail.com
Sun Apr 21 14:31:42 EDT 2019


Hello Charles and Adam, Thank you.

Indeed, listening by default on all interfaces shouldn't be the default
behavior nowadays. Even before we start doing our stuff, we must begin with
locking up everything the vendor left open. All those "an unauthenticated
user can do" vectors start with the door being open in the first place.
Sure, I'd too love to see vendors living up to the security expectations of
2019.

That's a very important, yet different, question though.

Since, once choosing the interfaces on which management is available becomes
the norm, the RP CPU will still have connectivity to both the management
interface and all other router interfaces (i.e. the router forwarding matrix),
the possibility of routing between the two is left open.

Theory aside, can this routing occur in the first place? With the help,
say, of a rogue employee?

Thank you,
Alex.

On Sun, Apr 21, 2019, 14:27, <adamv0025 at netconsultings.com> wrote:

> > From: Charles Sprickman <spork at bway.net>
> > Sent: Saturday, April 20, 2019 7:29 PM
> >
> >
> > > On Apr 20, 2019, at 9:49 AM, Alex K. <nsp.lists at gmail.com> wrote:
> > >
> > > Hello Dave,
> > >
> > > Thank you.
> > >
> > > Sure, it isn't *really* separated. After all, the RP's CPU is connected to
> > > both (management interface and router forwarding matrix). It's really
> > > software-imposed separation.
> >
> > I’m always a bit puzzled by the design choices and how long they’ve stayed
> > around. Back in 10.3 I got it - nobody cared about this, you just access-list
> > everything and hope you didn’t miss some service. And now it seems
> > essentially the same. Why the command shell wouldn’t be bound to a single
> > IP (or a defined list of IPs) as part of the isolation is beyond me. The
> > fact that if I have 200 interfaces configured with an IP that the shell
> > process (and snmp, and ntp and whatever else is running) listens on those
> > IPs is just insane.
> >
> > I’m a bit of a dinosaur, so maybe in the new versions this has changed, but
> > as of the last time I really paid attention to IOS they were still in the
> > 90’s as far as keeping the management processes separate.
> >
> >
> Yup, that's beyond me too, would like to understand the thought process...
> But at least in XR you have an easy way of limiting what service listens
> on what physical interfaces. Still waiting for the rest of NOS-es to catch
> up...
>
> adam
>
>
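As an added, constructed illustration (not configuration from anyone in this thread) of the two IOS XR controls the discussion touches on: keeping the RP's management Ethernet in its own VRF, so the RIB cannot forward between it and the line-card interfaces, and Management Plane Protection (MPP) to pin each service to specific interfaces and peers. The interface name, VRF name and addresses are assumptions, and exact syntax varies by XR release.

```text
! Constructed IOS XR example; interface name, VRF name and addresses are assumed.
! 1. Isolate the RP management port in its own VRF. Routes in vrf MGMT are not
!    in the global table, so packets cannot be forwarded between MgmtEth and
!    the forwarding-plane interfaces through the RIB.
vrf MGMT
 address-family ipv4 unicast
!
interface MgmtEth0/RSP0/CPU0/0
 vrf MGMT
 ipv4 address 192.0.2.10 255.255.255.0
!
router static
 vrf MGMT
  address-family ipv4 unicast
   0.0.0.0/0 192.0.2.1
!
! 2. Management Plane Protection: services are accepted only on the interfaces
!    listed here, and only from the listed peers; everything else is dropped.
control-plane
 management-plane
  out-of-band
   vrf MGMT
   interface MgmtEth0/RSP0/CPU0/0
    allow SSH peer
     address ipv4 192.0.2.0/24
    !
    allow SNMP peer
     address ipv4 192.0.2.50
  !
  inband
   interface all
    allow SSH peer
     address ipv4 198.51.100.0/24
!
! 3. SSH has to be enabled explicitly for the management VRF.
ssh server v2
ssh server vrf MGMT
!
! Verify which interfaces and peers each service is reachable from:
!   show mgmt-plane
```

The out-of-band block covers the dedicated management port; the inband block is what limits management access arriving on data-plane interfaces, which is the case Charles describes where every configured IP otherwise answers.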

