North American Network Operators Group
Re: Proper authentication model
- From: Iljitsch van Beijnum
- Date: Tue Jan 11 16:08:44 2005
On 11-jan-05, at 18:48, Daniel Golding wrote:

> It's terribly important that your routers' management traffic be
> all the way to the device.

Why "terribly important"? If this stuff runs over your own network then
others aren't going to be able to sniff it without physically getting
at your stuff. And if they can do that crypto won't buy you anything.

That said, being able to connect to your stuff with crypto is better
than without crypto, of course.

> Bastion hosts are a good thing and can be a great place to put in
> multi-factor authentication (another must-have),

Just make sure that when half your routers are dead you can still
connect to the remaining half. A single bastion host isn't good enough.

> While you are at it, look at your SNMP setup. You want your SNMP
> to have the same characteristics as your vty management - strong
> authentication and encryption. Cleartext community strings don't cut

Not for write access, anyway. For read access you can get away with
being slightly less paranoid.

> Also, you need a secure Out of Band management network.

True out of band management networks are very hard to build and very
hard to use, and you run the risk that you can't get at your stuff
because the management network is down.
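The points argued back and forth above (cleartext SNMP community strings, SNMPv3 without encryption, telnet on the vty lines) are all visible in a device's running configuration. The following audit script is an added example and is not code from the thread or from either poster; it assumes a Cisco IOS-like configuration syntax, and the configuration text it scans is constructed for the example. It grades write-capable cleartext communities, unauthenticated SNMPv3 groups and telnet access as high, and read-only communities and authenticated-but-unencrypted SNMPv3 groups as medium, which mirrors the "less paranoid for read access" distinction made in the reply.

```python
"""Audit an IOS-style router configuration for cleartext management paths.

Added example, not code from the original NANOG thread. It checks the
points raised in the post: SNMP community strings (SNMPv1/v2c, sent in
cleartext), SNMPv3 groups that skip authentication or encryption, and
vty lines that still accept telnet. The syntax assumed is Cisco IOS-like;
the sample configuration below is constructed for this example.
"""
from dataclasses import dataclass

# Constructed sample configuration (not a real device, not from the post).
SAMPLE_CONFIG = """\
hostname edge-rtr1
!
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server group NETMON v3 priv
snmp-server group READERS v3 auth
snmp-server group OLDGRP v3 noauth
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
!
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    line_no: int    # 1-based line number in the configuration text
    message: str


def audit_config(text: str) -> list[Finding]:
    findings: list[Finding] = []
    current_line = None  # the "line vty ..." block we are inside, if any
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current_line = None  # any top-level statement ends a line block
        tokens = line.split()
        lower = [t.lower() for t in tokens]

        # SNMPv1/v2c: the community string is the only credential and it
        # crosses the wire in cleartext. Write access with it is the worst case.
        if lower[:2] == ["snmp-server", "community"] and len(tokens) >= 3:
            if "rw" in lower[3:]:
                findings.append(Finding("high", line_no,
                    f"cleartext SNMP community {tokens[2]!r} with write access"))
            else:
                findings.append(Finding("medium", line_no,
                    f"cleartext SNMP community {tokens[2]!r} (read-only)"))
            continue

        # SNMPv3 groups: "priv" gives authentication and encryption, "auth"
        # authenticates but sends data unencrypted, "noauth" does neither.
        if lower[:2] == ["snmp-server", "group"] and "v3" in lower:
            idx = lower.index("v3") + 1
            level = lower[idx] if idx < len(lower) else ""
            if level == "noauth":
                findings.append(Finding("high", line_no,
                    f"SNMPv3 group {tokens[2]!r} without authentication or encryption"))
            elif level == "auth":
                findings.append(Finding("medium", line_no,
                    f"SNMPv3 group {tokens[2]!r} authenticated but unencrypted"))
            continue

        if lower[:2] == ["line", "vty"]:
            current_line = " ".join(tokens)
            continue

        # Inside a vty block: telnet (or "all") means logins and commands
        # cross the network in cleartext; ssh is the encrypted alternative.
        if current_line and lower[:2] == ["transport", "input"]:
            allowed = set(lower[2:])
            if allowed & {"telnet", "all"}:
                findings.append(Finding("high", line_no,
                    f"{current_line} accepts cleartext telnet ({' '.join(tokens[2:])})"))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print(f"{f.severity:6} line {f.line_no:3}: {f.message}")
    print(count_by_severity(results))
```

Run against the constructed sample it reports the RW community, the `noauth` SNMPv3 group and the telnet-capable vty range as high, and the RO community and the `auth`-only group as medium; the `priv` group and the ssh-only vty range produce no finding. The parser is deliberately line-oriented and only tracks `line vty` blocks, so a full NX-OS or JunOS configuration would need its own grammar.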