nanog mailing list archives

Re: Subject : RE: ACL Monitoring


From: "Alexei Roudnev" <alex () relcom net>
Date: Fri, 13 May 2005 00:38:34 -0700


It's all done in CCR. It encrypts passwords (allowing you to have a few
password groups, all WEB configurable), and uses
passphrases + 3DES or public/private key encryption (or just you can enter
logi and password from the web).
idea is simple - operators have WEB access and know passphrase, but they
have not cisco logins except if they granted direct cisco access, and they
never have access on the server.

Other approach could be 'snmp, but it works on a very few OS (IOS) only (do
not work for PIX, for example).

But you are correct - CCR have all this things, such as crypt / openssl;
sudo to get access top the passphrase file
from web cgi script, passphrase input for manual config downloads, webcvs
fro history analyze, etc etc.

Of course, tacacs+ accounting is necessary for full scale change monitoring.
Unfortunately, even different Cico devices have
different accounting rules (and very different access rules, counting PIX as
most useless from this point of view - you must
grant full access for 95% of operators tasks, even to monitor VPN
associations -:)).



If you anticipate doing a lot of this kind of monitoring in the future
you
may want to take a look at the "expect" programming language
http://expect.nist.gov/ , which has very simple "send"/"expect"
constructs.
E.g. send "show acl 101/r" expect "access-list .." etc. Perl also allows
similar although is probably not quite as easy to pick up if you've
never
done this kind of thing before.

Essentially you'd write a quick script to telnet or ssh to the router
"send"
your commands, expect a result and do something based on that result. As
I
said, its worth the time investment and you'll find once you get the
script
done you can just reuse it for many other tasks.

Kind of silly to state using an expect script or any other "script" for
that matter considering the assumption that, it seems he is not trusting
someone (as mentioned in another post), so I would take it that this
script would run from where?

Not only that, you would go through hell configuring encrypting the
password on an expect script for the script to decrypt, then send. Now,
not only that, but then what? How would you configure it to monitor
something say in real time? You would likely have to use the diff and grep
commands for parsing, and a whole bunch of other things to get it to just
monitor a change, not a guarantee you will find out who changed it without
some major scripting as opposed to using accounting ala TACACS+



    spawn ssh username () router company org net.whatever
    expect "Password: "
    send "secret\r"
    expect "something"
    send "something\r"
    expect $RESPONSE_FROM_ROUTER
    spawn $WHAT_DO_YOU_SPAWN_TO_COPY_WHAT_YOU_SEE

Expect would be worthless in my opinion. Why reinvent the "kick their
asses to accounting mode" wheel.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x0D99C05C
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0D99C05C

sil @ infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey


Current thread: