Security Basics mailing list archives
RE: Desktop Support Access
From: JGrimshaw () ASAP com
Date: Mon, 20 Oct 2003 13:30:09 -0500
If you guys are looking to do this on the cheap, use local access authentication and create your own security levels. You can have up to 16 different security levels, from enable mode to basically nothing. You can assign (for example) just "show ip route" to level 3, for example, for your employees that are looking at route up/downs.

Check out the following link for a detailed explanation and examples (I logged in to view this; if you can't see it, search for access level IOS on their website and fumble through the results):

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7d1.html#1001015

And here is where you actually set up local accounts, to refer to the aforementioned security levels that you'll configure:

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a8.html

If you wanted to get fancy, you could use RADIUS or TACACS in addition to, or instead of, the local database on the router. With enough effort, you could have a pretty slick setup.

"Halverson, Chris" <chris.halverson () encana com>
10/17/2003 03:40 PM
To: 'David Nichols' <dnichols () amci com>, Thomas Graf <tgraf () swmail sw org>, security-basics () securityfocus com
cc:
Subject: RE: Desktop Support Access

You are correct, the two levels are the User Exec and Privileged Exec. To enable and disable ports would require access to the interface configuration, which is accessible only from the privileged mode. Shut, no shut commands...

If you have a smartnet account you might want to inquire at Cisco for some sort of web tools to do something like that... I don't recall seeing something like that though.

Hmmmm good idea about the development for that though...

Chris

-----Original Message-----
From: David Nichols [mailto:dnichols () amci com]
Sent: Friday, October 17, 2003 11:44AM
To: Thomas Graf; security-basics () securityfocus com
Subject: Re: Desktop Support Access

Hey Thomas (& the rest of the list)-

Correct me if I'm wrong, (please!, I've gone through a CCNA course but haven't taken the test yet!) but I think the IOS only has two levels of access, one to basically monitor and the other to admin the router. If this is the case, I think you're out of luck.

Does anyone know of any software (simulator-like) that will only allow certain commands to be passed on to the router? If not, I'M CALLING THE PATENT OFFICE RIGHT NOW!! (just kidding) ; )

David Nichols
A+, Network+

----- Original Message (edited) -----
From: "Thomas Graf" <tgraf () swmail sw org>
To: <security-basics () securityfocus com>
Sent: Friday, October 17, 2003 10:22 AM
Subject: Desktop Support Access
... The desktop support is requesting access to (Cisco) routers and switches to enable/disable ports. (...) I know that they are going to get it and it is a big risk, but is there any way to limit their access to just enabling/disabling ports?

Thanks for all the help.

Thomas Graf
HW/SW Technician
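
The local privilege-level approach described in the top reply, applied to the original request (enable/disable ports only), as an added example that is not part of the thread. The username `deskhelp`, the choice of level 5 and the secret placeholder are assumptions; confirm the exact behaviour on the IOS release in use by logging in with the test account.

```cisco
! Added example: account name, level number and secret are placeholders.
!
! Local account that lands directly at privilege level 5 on login,
! so desktop support never needs the enable secret.
username deskhelp privilege 5 secret <PLACEHOLDER-SECRET>
!
! Lower only the commands needed to reach an interface and toggle it.
! Everything else in configuration mode stays at level 15.
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown
privilege interface level 5 no shutdown
!
! Authenticate remote logins against the local user database
! instead of a shared line password.
line vty 0 4
 login local
!
! Check after logging in as deskhelp:
!   show privilege        -> should report level 5
!   configure terminal    -> allowed
!   interface <name>      -> allowed
!   shutdown / no shutdown -> allowed
!   any other config command (e.g. ip address) -> should be rejected
```

Privilege levels restrict which commands are available, not which interfaces they apply to, so an account at this level can shut any port on the device, uplinks included.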