Thread: [c-nsp] BCP for an ISPs large number of network devices authentication (4 messages in net.nether.puck.cisco-nsp)

Kim Onnel, Jan 9, 2005 6:59 am
Colin Whittaker, Jan 9, 2005 8:45 am
Kim Onnel, Jan 9, 2005 9:23 am
Jason Ackley, Jan 9, 2005 10:40 am
Subject: [c-nsp] BCP for an ISPs large number of network devices authentication
From: Kim Onnel (kari@gmail.com)
Date: Jan 9, 2005 9:23:56 am
List: net.nether.puck.cisco-nsp

I am on a low budget so I can't purchase anything right now,

so you're saying option B is better because it's easier; I just want to strike a balance between security and usability.

I'll give some examples:

Probably each NOC user has his own settings like batch files and SecureCRT scripts which auto-authenticate; these would all still be valid with the IPSec option, but not with the Linux SSH solution.

Another point would be that IOS is a little more secure than Linux, since it's less complex, but that comes with another point: less interactivity and monitoring.

I just wonder what's the common practice for ISPs with similar resources to mine; what's the trend?

regards

On Sun, 9 Jan 2005 13:44:03 +0000, Colin Whittaker <coli@heanet.ie> wrote:

Given that you are already running ACS, something like RSA SecurID tokens would be worth looking at. The benefits of not having to remember passwords for all the devices almost make it worth doing.

Option B sounds like the best plan since it avoids having to install the VPN software on the 40+ desktops.

Regards

On Sun, Jan 09, 2005 at 01:59:58PM +0200, Kim Onnel wrote:

Hi,

I wonder what's the BCP to apply a proper authentication policy to a network of 40 personnel logging in to something like 100 routers.

All my devices are running AAA to a Cisco Secure ACS server, so for authorization and accounting I log that and follow it daily, and RANCID does the proper config diffing.

The problems I have in hand are:

1) Most routers don't have SSH in their IOS, so I need to encrypt the traffic.
2) There are the core routers and there are the PoPs; I can put a different password on every core router, but not on every PoP. The NOC here logs in to these PoPs 24x7, so I need to hit a balance between encryption/security and usability.

I have the following ideas in mind:

A) Each NOC PC would double-click on his/her Cisco VPN client icon on their desktop, hit connect, and have an IPSec tunnel established to a Cisco 1751 router; the VPN client would inject static routes into their PCs to take the tunnel when connecting to any of the network device subnets (that would be a tough task, gathering the IPs, ...), and on the VPN concentrating router they would telnet from there to the devices, or just route the traffic through that router.

B) A Linux/BSD PC with an SSH server running; the NOC would SSH to this and telnet to the PoPs from there, and of course only this server is allowed to connect to the PoPs/Core; hardening the kernel, only allowing them to telnet, ping and traceroute from their shell, and heavily monitoring the server (and using all the extensive *nix logging capabilities ;)

C) A Cisco router that runs SSH; everyone just SSHes to it, increase the number of VTYs, and they would telnet from there to the network.

I don't have that much experience with S/Key or Kerberos, so I don't know the possibilities there.

Regards
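As an added example that is not part of the thread, this is one way the restriction described in Option B (NOC users may only telnet, ping or traceroute to the PoP/Core devices from the jump host, with every request logged) could be enforced on the Linux/BSD box with an OpenSSH ForceCommand wrapper. The group name "noc", the script path, the syslog tag and the device prefixes are assumptions, not values from the thread.

```shell
#!/bin/sh
# Constructed ForceCommand wrapper for the Option B jump host: the NOC user's
# SSH request is allowed only if it is one of telnet/ping/traceroute aimed at a
# device address inside an allowed prefix; both outcomes are logged to syslog.
# Assumed sshd_config stanza on the jump host (hypothetical group name "noc"):
#   Match Group noc
#       ForceCommand /usr/local/bin/noc-shell
#       PermitTTY yes
set -f   # no pathname expansion while splitting the request into words

# Constructed placeholder prefixes for the PoP and Core management subnets.
ALLOWED_PREFIXES="10.0.0. 10.1.0. 192.168.100."

# allowed_host ADDR -> 0 if ADDR starts with an allowed prefix, 1 otherwise.
allowed_host() {
    for p in $ALLOWED_PREFIXES; do
        case "$1" in "$p"*) return 0 ;; esac
    done
    return 1
}

# check_cmd "TOOL ADDR" -> 0 if the request may run, 1 if it must be refused.
check_cmd() {
    set -- $1                       # split the request into words
    [ $# -eq 2 ] || return 1        # exactly one tool and one target, no options
    case "$1" in telnet|ping|traceroute) ;; *) return 1 ;; esac
    case "$2" in *[!0-9.]*|"") return 1 ;; esac   # dotted numeric only: no names, no metacharacters
    allowed_host "$2"
}

# Only act when started by sshd; elsewhere the file just defines the functions.
if [ -n "${SSH_CONNECTION:-}" ]; then
    req="${SSH_ORIGINAL_COMMAND:-}"
    src="${SSH_CONNECTION%% *}"     # client address, first field of SSH_CONNECTION
    if [ -n "$req" ] && check_cmd "$req"; then
        logger -t noc-shell "ALLOW user=${USER:-?} from=$src cmd=$req"
        exec $req                   # already validated: a literal tool name and a dotted address
    fi
    logger -t noc-shell "DENY user=${USER:-?} from=$src cmd=${req:-<none>}"
    echo "only 'telnet|ping|traceroute <device-address>' is permitted" >&2
    exit 1
fi
```

The DENY lines are what the "heavily monitoring the server" part of Option B would watch for, since a legitimate NOC session should never produce one.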