Firewall Wizards mailing list archives
Re: fw-1 general & VPN questions
From: Eric Vyncke <evyncke () cisco com>
Date: Tue, 21 Apr 1998 09:59:09 +0200
At 18:25 20/04/98 -0400, Marcus J. Ranum wrote:
Joseph S. D. Yao wrote:
I also intend to do some "out-of-band" mgmt with a dialin modem on the serial console of the two sun boxes (yes, yes, wardialers I know). However, this is what the customer wants, and I have no say-so, so I need to simply get it set up.
...<SNIP>...
I've been pondering the secure remote management thing for a while and was trying to come up with decent solutions that are dirt cheap. Haven't tried this, but does anyone see a flaw with:
- have a log-in that drops you right into PPP using CHAP
- run ip_filt on the workstation to filter access via the PPP interface
- let only SSH in over PPP (or whatever other services are OK)
I would personally prefer a plain ASCII login via a dedicated login program with `strong' authentication with S/key or any other OTP. Then a complete logging of everything the user types. We can even restrict the login program to start a restricted shell. (Of course, your firewall should have an ASCII interface...) One issue is of course that you must trust the physical phone line. Confidentiality is probably not a big issue for firewall management (as long as you do not manage passwords!); hijacking is a problematic issue of course.
NB: the latter paragraph also applies to your PPP/CHAP solution.
NB2: instead of using CHAP with a static password, I would prefer PAP (clear text passwords) with OTP.
mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke () cisco com
Mobile: +32-75-312.458
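The one-time-password login Eric prefers over a static CHAP or PAP secret, as an added example that is not part of the thread and not code from any of the posters: an S/Key-style OTP in the RFC 2289 form, with the server-side check and the replay test a dial-in login program would perform. MD5 is used as the hash because RFC 2289 permits it and S/Key's original MD4 is often unavailable in current Python builds; the names `otp_hash`, `OtpServer`, `client_response` and the passphrase and seed values are constructed for this example.

```python
"""Added example (not from the thread): S/Key-style one-time passwords in the
RFC 2289 form. The client computes H^(n)(seed || passphrase) for a decreasing
n; the server stores only the last accepted OTP and checks that one more hash
step of the submitted value reproduces it. A value sniffed on the phone line
cannot be inverted to the next one the server will ask for.
"""
import hashlib
import secrets


def _fold_md5(data: bytes) -> bytes:
    """One OTP hash step: MD5, then fold 128 bits to 64 by XORing the halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_hash(passphrase: str, seed: str, count: int) -> bytes:
    """OTP number `count`: hash seed||passphrase once, then `count` more times."""
    value = _fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        value = _fold_md5(value)
    return value


class OtpServer:
    """Server-side record for one user: seed, sequence number, last accepted OTP.

    The server never stores the passphrase, so a copy of this record is not
    enough to log in; only the holder of the passphrase can produce the
    predecessor of last_otp.
    """

    def __init__(self, seed: str, sequence: int, last_otp: bytes) -> None:
        self.seed = seed
        self.sequence = sequence      # count of the OTP held in last_otp
        self.last_otp = last_otp

    @classmethod
    def enroll(cls, passphrase: str, seed: str, count: int = 99) -> "OtpServer":
        """Enrolment: the user computes OTP number `count` once and registers it."""
        return cls(seed, count, otp_hash(passphrase, seed, count))

    def challenge(self) -> str:
        """The challenge the login program prints (RFC 2289 text form)."""
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept `response` only if hashing it once yields the stored OTP."""
        if self.sequence <= 1:
            return False  # sequence exhausted: user must re-enrol with a new seed
        if not secrets.compare_digest(_fold_md5(response), self.last_otp):
            return False  # wrong passphrase, or a replayed/older OTP
        # advance: the accepted value becomes the new reference
        self.last_otp = response
        self.sequence -= 1
        return True


def client_response(passphrase: str, challenge: str) -> bytes:
    """What the user's OTP calculator does with the printed challenge."""
    algo, count, seed = challenge.split()
    if algo != "otp-md5":
        raise ValueError(f"unsupported OTP algorithm: {algo}")
    return otp_hash(passphrase, seed, int(count))


def demo() -> dict:
    """One genuine login, a replay of the captured OTP, a wrong passphrase,
    then the next genuine login; returns the outcomes for inspection."""
    passphrase = "correct horse battery"          # constructed example value
    server = OtpServer.enroll(passphrase, seed="fw01", count=99)
    first_challenge = server.challenge()          # "otp-md5 98 fw01"
    resp = client_response(passphrase, first_challenge)
    first = server.verify(resp)                   # True: genuine login
    replay = server.verify(resp)                  # False: sniffed OTP replayed
    wrong = server.verify(client_response("wrong passphrase", server.challenge()))
    second = server.verify(client_response(passphrase, server.challenge()))
    return {"first": first, "replay": replay, "wrong": wrong, "second": second,
            "sequence": server.sequence, "challenge": first_challenge}


if __name__ == "__main__":
    print(demo())
```

The login program would print `server.challenge()`, read the user's typed response, and call `verify`; the sequence counter going down is also the cue to re-enrol before it reaches 1. This is the part of Eric's proposal that survives a sniffed line; it does nothing against hijacking of an already authenticated session, which is why he keeps the keystroke logging and the restricted shell alongside it.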