nanog mailing list archives
Re: Proper authentication model
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Tue, 11 Jan 2005 22:07:24 +0100
On 11-jan-05, at 18:48, Daniel Golding wrote:
> It's terribly important that your routers' management traffic be encrypted all the way to the device.
Why "terribly important"? If this stuff runs over your own network then others aren't going to be able to sniff it without physically getting at your stuff. And if they can do that crypto won't buy you anything.
That said, being able to connect to your stuff with crypto is better than without crypto, of course.
> Bastion hosts are a good thing and can be a great place to put in checks for multi-factor authentication (another must-have),
Just make sure that when half your routers are dead you can still connect to the remaining half. A single bastion host isn't good enough.
> While you are at it, look at your SNMP setup. You want your SNMP management to have the same characteristics as your vty management - strong authentication and encryption. Cleartext community strings don't cut it, as an example.
Not for write access, anyway. For read access you can get away with being slightly less paranoid.
> Also, you need a secure Out of Band management network.
True out of band management networks are very hard to build and very hard to use, and you run the risk that you can't get at your stuff because the management network is down.
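The two points debated above (encrypted vty access, and cleartext SNMP communities being tolerable for read but not for write access) can be turned into a simple config audit. This is an added example, not code from the thread; the IOS-style config it parses is constructed, and the severity ratings follow the read-vs-write distinction made in the reply.

```python
import re

# Constructed IOS-style configuration snippet (not from the thread) to audit.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community s3cret RW
snmp-server group NETMGMT v3 priv
snmp-server group LEGACY v3 noauth
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

COMMUNITY_RE = re.compile(r"snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?")
V3_GROUP_RE = re.compile(r"snmp-server group (\S+) v3 (noauth|auth|priv)")
TRANSPORT_RE = re.compile(r"transport input (.+)")

def audit_config(text):
    """Return a list of (severity, message) findings for weak management settings."""
    findings = []
    vty_block = None  # the 'line vty ...' stanza currently being parsed
    for raw in text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode = m.group(1), m.group(2) or "RO"  # IOS defaults to RO
            # v1/v2c communities are sent in cleartext; write access is the real problem
            sev = "high" if mode == "RW" else "medium"
            findings.append((sev, f"cleartext {'write' if mode == 'RW' else 'read'} community '{name}'"))
            continue
        m = V3_GROUP_RE.match(line)
        if m and m.group(2) != "priv":
            # 'auth' gives authentication without encryption, 'noauth' gives neither
            sev = "high" if m.group(2) == "noauth" else "medium"
            findings.append((sev, f"SNMPv3 group '{m.group(1)}' without privacy ({m.group(2)})"))
            continue
        if line.startswith("line vty"):
            vty_block = line
            continue
        m = TRANSPORT_RE.match(line)
        if m and vty_block:
            methods = m.group(1).split()
            if "telnet" in methods or "all" in methods:
                findings.append(("high", f"{vty_block}: unencrypted transport '{m.group(1)}'"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```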
Current thread:
- Proper authentication model Kim Onnel (Jan 11)
- Re: Proper authentication model Daniel Golding (Jan 11)
- Re: Proper authentication model Iljitsch van Beijnum (Jan 11)
- Re: Proper authentication model Gernot W. Schmied (Jan 12)
- Re: Proper authentication model Iljitsch van Beijnum (Jan 12)
- Re: Proper authentication model David Gethings (Jan 12)
- Re: Proper authentication model Erik Haagsman (Jan 12)
- Re: Proper authentication model Daniel Golding (Jan 12)
- Re: Proper authentication model Erik Haagsman (Jan 13)
- Re: Proper authentication model Iljitsch van Beijnum (Jan 11)
- Re: Proper authentication model Daniel Golding (Jan 11)
- Re: Proper authentication model Gernot W. Schmied (Jan 16)
- Re: Proper authentication model Joe Abley (Jan 11)