Network Security Policies

Tony Tauber ttauber at genuity.net
Mon Jan 21 19:58:02 UTC 2002


> At the moment, we're firming up our policy on access to Networking Devices
> and the like.  In support of this, I'm looking for any links to white papers

Not a white paper or link, but some thoughts below:

A nice approach is a central AAA (Authentication, Authorization,
Accounting) server scheme of some type (eg. RADIUS, TACACS+).

> or other such sources that discuss/support the following things:
>
> 	- Limiting the number of people with access

Only enable the people you think need access on this server.
Additionally, you might work out some tiered level of priviledges
so that people got what they needed to do their jobs.
Also you can have an audit trail should something require more follow-up.

> 	- Scheduled password change/rotation

It's nice to use a one-time password scheme of some sort
(eg. software like s/key and OPIE or some token-based approach
like SecurID).  This way one shouldn't need to change PWs. (see note
below).

> 	- Password change when someone with access leaves

A well-oiled centralized scheme should provide for straightforward
revocation of access on a per-user basis so that others need not
be affected by such occurences.

Note: This approach won't necessarily cover everything. All gear
might not support it for instance.
Also, tools which require automated access will have to have some
special provision.
Lastly, given that the system is network-based, if the connectivity
to the AAA server is broken some local override PWs must be in place.
Presumably access to those can be somehow limited.  A more satisfying
solution would allow security administrators to know when those PWs
have been used or distributed to someone who's left so that they can
be changed.

Tony

> I'm going to be doing research on this to drag things up myself, but I
> figured I would put this out here to ask to provide some narrowing down of
> the search and speeding it up.
>
> Thanks in advance.
>
> --
> Clint Hauser
> AT&T Solutions
>




More information about the NANOG mailing list