Security Basics mailing list archives
Re: Desktop Support Access
From: khayes () eastbay com
Date: Fri, 17 Oct 2003 16:35:25 -0500
I really don't think you can do it at the IOS level but you may be able to
do it using something like Cisco Works. CW allows different level users
and you may be able to dictate which commands they can issue through
CiscoView. This would keep them off the CLI and it also gives them a nice
easy to use GUI. My biggest fear would be someone screwing up a command
and doing more than just manipulating ports.
On some versions of IOS I know you can have different user accounts created
to permit login. Each of the accounts can have their own passwords. It
may be worth it if the logs pick up on which account committed the changes.
Big suggestion though... keep daily copies of your logs. If someone
accidentally screws over a config, recovery would be as simple as replacing it
with last night's known good config. Worst case scenario, go back a few
days.
Don't forget to make it a requirement that they document ANYTHING they
change and give you notice of the change.
Ken Hayes
Network Administrator
Eastbay / Footlocker.com
Wausau, WI Offices
(715) 261-9573
khayes () eastbay com
"David Nichols" <dnichols () amci com>
10/17/2003 12:44 PM
To: "Thomas Graf" <tgraf () swmail sw org>, <security-basics () securityfocus com>
cc:
Subject: Re: Desktop Support Access
Hey Thomas (& the rest of the list)-
Correct me if I'm wrong, (please!, I've gone through a CCNA course but
haven't taken the test yet!) but I think the IOS only has two levels of
access, one to basically monitor and the other to admin the router. If this
is the case, I think you're out of luck. Does anyone know of any software
(simulator-like) that will only allow certain commands to be passed on to
the router? If not, I'M CALLING THE PATENT OFFICE RIGHT NOW!! (just
kidding) ; )
David Nichols
A+, Network+
----- Original Message (edited) -----
From: "Thomas Graf" <tgraf () swmail sw org>
To: <security-basics () securityfocus com>
Sent: Friday, October 17, 2003 10:22 AM
Subject: Desktop Support Access
... The desktop support is requesting access to (Cisco) routers and
switches to enable/disable ports. (...) I know that they are going to get
it and it is a big risk, but is there any way to limit their access to just
enabling/disabling ports?
Thanks for all the help.
Thomas Graf
HW/SW Technician
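The command filter David Nichols asks about, combined with the per-account logging Ken Hayes suggests, sketched as an added example (not code from any poster in this thread or from Cisco). The account name, port names and `filter_session` are hypothetical; it assumes full command spellings and that the gate sits between the user and the device session.

```python
import re

# Constructed policy (hypothetical account and port names): which access
# ports each desktop-support account may toggle. Uplinks are never listed.
POLICY = {"deskjane": {"FastEthernet0/1", "FastEthernet0/2"}}

# Full interface names only; ranges and abbreviations fail the match.
IFACE_RE = re.compile(r"interface ([A-Za-z]+\d+(?:/\d+)*)")

def filter_session(account, commands):
    """Return (forward, audit) for one session.

    forward: the lines that may be passed on to the device.
    audit:   (account, line, verdict) tuples, one per line examined.
    """
    ports = POLICY.get(account, set())   # unknown account -> no ports at all
    mode, forward, audit = "exec", [], []
    for raw in commands:
        cmd = " ".join(raw.split())      # collapse whitespace, embedded newlines
        m = IFACE_RE.fullmatch(cmd)
        if mode == "exec" and cmd == "configure terminal" and ports:
            mode = "config"
        elif mode in ("config", "interface") and m and m.group(1) in ports:
            mode = "interface"
        elif mode == "interface" and cmd in ("shutdown", "no shutdown"):
            pass                         # the only change this gate permits
        elif mode != "exec" and cmd == "end":
            mode = "exec"
        else:
            # Fail closed: drop this line and everything after it, and leave
            # configuration mode so no later input lands in the wrong context.
            audit.append((account, cmd, "DENIED"))
            if mode != "exec":
                forward.append("end")
            break
        forward.append(cmd)
        audit.append((account, cmd, "ALLOWED"))
    return forward, audit

if __name__ == "__main__":
    # Constructed session: one permitted change, then an attempt on an uplink.
    session = ["configure terminal", "interface FastEthernet0/1", "no shutdown",
               "interface GigabitEthernet0/1", "shutdown", "end"]
    fwd, log = filter_session("deskjane", session)
    print("\n".join(fwd))
    for entry in log:
        print(entry)
```

The audit tuples are what would be written to the daily log, so a change can be traced to the account that made it.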
