Firewall Wizards mailing list archives

Re: fw-1 general & VPN questions


From: Eric Vyncke <evyncke () cisco com>
Date: Tue, 21 Apr 1998 09:59:09 +0200

At 18:25 20/04/98 -0400, Marcus J. Ranum wrote:
Joseph S. D. Yao wrote:
I also intend to do some "out-of-band" mgmt with a dialin
modem on the serial console of the two sun boxes (yes, yes,
wardialers I know). However, this is what the customer wants,
and I have no say-so, so I need to simply get it set up.

...<SNIP>...

I've been pondering the secure remote management thing for a while
and was trying to come up with decent solutions that are dirt cheap.
Haven't tried this, but does anyone see a flaw with:
 - have a log-in that drops you right into PPP using CHAP
 - run ip_filt on the workstation to filter access via the PPP interface
 - let only SSH in over PPP (or whatever other services are OK)

I would personally prefer a plain ASCII login via a dedicated
login program with `strong' authentication with S/key or any
other OTP. Then a complete logging of everything the user types.
We can even restrict the login program to start a restricted shell.
(of course, your firewall should have an ASCII interface...).

One issue is of course that you must trust the physical phone
line. Confidentiality is probably not a big issue for firewall
management (as long as you do not manage passwords!), hijacking
is a problematic issue of course.

NB: the latter paragraph also applies to your PPP/CHAP solution.

NB2: instead of using CHAP with a static password, I would prefer
PAP (clear text passwords) with OTP.


mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr

Eric Vyncke      
Technical Consultant               Cisco Systems Belgium SA/NV
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke () cisco com          Mobile: +32-75-312.458