North American Network Operators Group


Re: external access and passwd mgmt (was Re: SSH on Cisco ...)

  • From: Sean Donelan
  • Date: Sun Apr 30 17:19:20 2000

Folks seem to be concentrating on locking down the front door.  You also
need to watch all the backdoors.  With multi-protocol equipment, there
are a lot of backdoors.  Is syslog sending plaintext information, when was
the last time you changed snmp community strings, do you have read-write
snmp or rsh/rcp access enabled, are ancillary services like ntp, ospf and
bgp authenticated?  Have you turned off any services you aren't using such
as MOP?  If you network load your configuration, how do you know you got
your configuration?  Do you understand how arp works/doesn't work?

After securing your network, one security issue I rarely see explicitly
addressed is what do you do when your authentication stops working for
whatever reason.  Have you made plans for breaking into your own network?
Vendor backdoors should require physical access to the equipment (e.g. moving
a switch) not just knowledge of a "secret" maintenance password or special
signal over a remote control line (e.g. break).
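
Added example, not part of the original message: a small audit pass that turns several of the questions above (read-write SNMP, rsh/rcp, network-loaded configuration, plaintext syslog, unauthenticated NTP and BGP, MOP) into checks over a saved configuration. It assumes Cisco IOS configuration syntax; the sample configuration, addresses and strings are constructed, and the function name audit is hypothetical.

```python
import re

# Constructed sample in Cisco IOS syntax; addresses, AS numbers and strings are made up.
SAMPLE = """\
snmp-server community constructed-ro RO
snmp-server community constructed-rw RW
ip rcmd rsh-enable
service config
logging 192.0.2.10
ntp server 192.0.2.20
interface Ethernet0
router bgp 64512
 neighbor 192.0.2.30 remote-as 64513
 neighbor 192.0.2.31 remote-as 64514
 neighbor 192.0.2.31 password 7 CONSTRUCTED
"""

def audit(config):
    blocks, cur = {}, None          # top-level line -> its indented sub-commands
    for line in config.splitlines():
        if line.startswith(" ") and cur is not None:
            blocks[cur].append(line.strip())
        elif line.strip():
            cur = line
            blocks[cur] = []
    top, findings = list(blocks), []
    for l in top:
        if re.match(r"snmp-server community \S+ RW\b", l):
            findings.append("read-write SNMP community configured")
        if re.match(r"ip rcmd (rsh|rcp)-enable", l):
            findings.append("rsh/rcp enabled: " + l)
        if re.match(r"(service config|boot network)\b", l):
            findings.append("configuration is network-loaded: " + l)
        if re.match(r"logging (host )?\d", l):
            findings.append("syslog sent in plaintext to " + l.split()[-1])
    if any(l.startswith("ntp server") for l in top) and "ntp authenticate" not in top:
        findings.append("NTP configured without 'ntp authenticate'")
    for head, body in blocks.items():
        # Assumption: MOP is on by default on Ethernet interfaces unless disabled.
        if head.startswith("interface Ethernet") and "no mop enabled" not in body:
            findings.append("MOP not disabled on " + head.split()[1])
        if head.startswith("router bgp"):
            peers = {b.split()[1] for b in body if re.match(r"neighbor \S+ remote-as", b)}
            authed = {b.split()[1] for b in body if re.match(r"neighbor \S+ password", b)}
            findings += ["BGP neighbor without password: " + p for p in sorted(peers - authed)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

OSPF authentication, ARP behaviour and the recovery plan for failed authentication are not covered by this check and still need review by hand.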