Proper authentication model

Daniel Golding dgolding at
Tue Jan 11 17:48:45 UTC 2005


It's terribly important that your routers' management traffic be encrypted
all the way to the device. For this reason, the best practice is to use
ssh2. There are some other hacks that can be used, but they are hacks, and
are not scalable.

Bastion hosts are a good thing and can be a great place to put in checks for
multi-factor authentication (another must-have), but they do not replace the
need for end-to-end encryption. Turn off telnet and web administration.

While you are at it, look at your SNMP setup. You want your SNMP management
to have the same characteristics as your vty management - strong
authentication and encryption. Cleartext community strings don't cut it, as
an example. 

Also, you need a secure Out of Band management network.

You may want to check out the NSP-Security mail list.

- Dan
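As an added example (not part of this thread or any poster's code), a small Python audit that flags the cleartext management paths the reply above says to turn off: telnet on the vtys, the HTTP server, and v1/v2c SNMP community strings. It runs over a constructed IOS-style config fragment; the hostname, community string, group and user names, and the SNMPv3 passphrase placeholders are all assumptions.

```python
import re

# Constructed sample IOS-style config fragment (not from the thread). The
# first vty range still accepts telnet, the HTTP server is on, and a v2c
# community string sits next to a proper SNMPv3 auth+priv setup.
SAMPLE_CONFIG = """\
hostname pop1-rtr
ip http server
snmp-server community public RO
snmp-server group NMS v3 priv
snmp-server user nms NMS v3 auth sha AuthPassPlaceholder priv aes 128 PrivPassPlaceholder
line vty 0 4
 transport input telnet ssh
 login authentication default
line vty 5 15
 transport input ssh
"""


def parse_vty_transports(config):
    """Return {vty_range: set(transports)} for every 'line vty' block."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^line vty (\d+ \d+)", line)
        if m:
            current = m.group(1)
            result[current] = set()
            continue
        if current and line.startswith(" "):
            m = re.match(r"^ transport input (.+)$", line)
            if m:
                result[current] = set(m.group(1).split())
        elif current:
            current = None  # any other top-level line ends the vty block
    return result


def audit_management(config):
    """Return a list of findings describing cleartext management exposure."""
    findings = []
    for rng, transports in parse_vty_transports(config).items():
        if "telnet" in transports or "all" in transports:
            findings.append(f"vty {rng}: cleartext telnet accepted")
    if re.search(r"^ip http server", config, re.M):
        findings.append("http: cleartext web administration enabled")
    for m in re.finditer(r"^snmp-server community (\S+)", config, re.M):
        findings.append(f"snmp: v1/v2c community '{m.group(1)}' (cleartext)")
    if not re.search(r"^snmp-server group \S+ v3 priv", config, re.M):
        findings.append("snmp: no v3 'priv' group (no auth+encryption)")
    return findings
```

The same checks fit naturally into a rancid post-collection hook, so every config pull reports any device that drifted back to telnet or a community string.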

On 1/11/05 4:17 AM, "Kim Onnel" <karim.adel at> wrote:

> Hello,
> I'd like everyone's 2 cents on the BCP for network management of an ISP
> PoPs, with a non-security oriented NOC,
> Most of my routers doesn't have crypto IOS images,
> couldn't agree with core members to do a major upgrade, just a promise
> of doing that when other needs to an IOS upgrade come up,
> So I need to workaround it and secure management traffic somehow,
> Usually the NOC logs to the PoPs 24x7, so I definitely need to hit a
> balance between encryption/security and usability,
> that's why I excluded OTP,
> My homework concluded:
> 1) Establishing an ipsec tunnel from each NOC PC to a VPN
> concentrator, and of course on every PC, there would be static routes
> injected to take management traffic through the tunnel,
> Major advantage is usability and transparency to the user,
> One major pitfall here is when ipsec tunnels break, my presence would
> be needed to troubleshoot that,
> 2) An OpenBSD bastion host(s), where the NOC would ssh in, get
> authenticated from TACACS+ or ssh certs, and then just telnet from
> there all day,
> One major advantage here is the heavy monitoring/limiting I can do on
> a *nix box, systrace their login shell to a policy
> (telnet/ping/traceroute only)
> 3) Or just an IOS based bastion router that also runs ssh,
> This has the advantage of IOS limitations in a way, not much
> maintaining is needed but being limited with 16 vtys is a problem,
> also vtys may get stuck and all these ssh sessions would kill the
> memory of the router,
> I would of course have multiple setups one at the Datacenter, another
> at some PoP, redundant solutions in case one fails,
> and for the record, I do run rancid, syslogging and we do AAA, so it's
> just down to what's others experiences/ideas about secure management?
