broc wrote: » What you need is physical security! Nobody should have easy physical access to your distribution or core switch (or your access switch for that matter...). No matter what kind of security you put on the switch, you can always reset it if you have physical access.
DevilWAH wrote: » Say on a switch I have two routed interfaces back to the core layer. Each of these would have an IP address, so there is no reason (without ACLs in place) that you could not connect to the switch for management on these interfaces. I assume most people don't want this and only want one interface on the switch that you can carry out management on (loopback interface or specified SVI). What methods do people use to limit what interface on a switch can receive management traffic? Or do people just leave the routed interfaces open and just limit what various subnets can talk to each other?
Forsaken_GA wrote: » All of our equipment is only accessible from 2 very particular servers, and these servers are only accessible from the NOC network, or the NOC VPN. Absolutely positively no remote access from public IP space. Since our core routers are at a remote facility, they do have out of band management in the form of a separate POTS line with a modem attached to it.
DevilWAH wrote: » Sounds exactly what I want, but do you know if this works on Cisco switches (3750's)? It seems it only works on version 12.4 IOS for routers. Cheers
DevilWAH wrote: » Yes, but to do this you must have set up management access, because by default on a router interface you have set to be the DFGW for a subnet, you can manage the router from that IP address. So as I see it there are two approaches: you either set up an ACL on every routed interface to block management traffic from every subnet/device apart from the ones you want, or you only allow management traffic on set interfaces (using the management plane control feature) and then only allow the wanted devices to route to them. The way I see it is that if you use the management plane settings you don't have to worry about someone bringing up a new interface and forgetting to protect it, as this would be the default. So how do you ensure that only your servers can talk to your devices?
Forsaken_GA wrote: » Oh, we don't care what interface it comes in over. The only management protocols allowed are ssh and snmp, and both are restricted by access list, with other protections in place to prevent spoofing.
DevilWAH wrote: » So you have an ACL on the VTY lines that just says allow management from X,Y,Z, deny anything else?
DevilWAH wrote: » Cheers guys, that's how I do it currently as well, just wondering if there were other better methods. So in fact for logical purposes there is no reason to have a management interface configured, other than to make it easy to keep track of management IPs. I am coming at this from a switching point of view where the default config is normally to set up an SVI interface for management. I suppose with routers this is not done so much and you would just use an IP from an interface or a loopback address. Aaron
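The two approaches discussed in the thread, as an added Cisco IOS configuration example that is not from any of the posters: an ACL applied to the VTY lines (and reused for SNMP) so only the designated management hosts are accepted regardless of which routed interface the traffic arrives on, and, underneath it, the Management Plane Protection form that pins management protocols to one interface. The host addresses, ACL name and Loopback0 are constructed placeholders; the MPP block is the router-side 12.4 feature the thread mentions, and the thread does not confirm it on 3750 switches.

```cisco
! --- Weak default (what the thread warns about): any routed interface
! --- with an IP will answer SSH/Telnet/SNMP from anyone who can route to it.
! line vty 0 15
!  transport input all
!
! --- Hardened: one ACL naming the only hosts allowed to manage the box.
! --- Addresses below are constructed sample values for the two NOC servers.
ip access-list standard MGMT-HOSTS
 permit host 10.10.10.5
 permit host 10.10.10.6
 deny   any log
!
! Apply the ACL inbound on every VTY line and allow SSH only.
! "access-class" filters by source address, so it covers every routed
! interface and any SVI someone brings up later.
ip ssh version 2
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
! Same ACL restricts SNMP sources (REPLACE-ME is a placeholder community).
snmp-server community REPLACE-ME RO MGMT-HOSTS
!
! --- Optional extra layer: Management Plane Protection. Only Loopback0
! --- accepts SSH and SNMP; the same protocols are dropped on every other
! --- interface by default, including newly added ones. Requires CEF.
ip cef
control-plane host
 management-interface Loopback0 allow ssh snmp
```

With both layers in place, a management session must arrive on Loopback0 and come from a host in MGMT-HOSTS; the "log" keyword on the deny entry gives a syslog record of anything else that tries.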