networking-forum.com
All times are UTC - 6 hours [ DST ]
PostPosted: Thu Jul 05, 2012 9:27 pm 
Post Whore
Joined: Mon Feb 08, 2010 9:30 am
Posts: 1172
Location: Santiago, Chile
Certs: CCENT, CCNA,CCNP Route
Hello :D

Recently a router crashed and some suspicion about the client arose. The point is that now the order is to deny all kinds of router admin access for the client. I was thinking, is this a good idea, or would it be better to give him limited access to the router, to avoid the client trying to access the router at all costs? Something like removing the motivation to crack the router password.

Thanks.


PostPosted: Thu Jul 05, 2012 10:50 pm 
Ultimate Member
Joined: Wed Sep 01, 2010 3:37 pm
Posts: 907
Location: Las Vegas, NV
Certs: Sec+, MCSE, MCITP:EA, CCNP
Use aaa accounting and log to a server they don't have access to. They can keep their access, and you will have proof instead of suspicions next time. We log all commands, and while we haven't had to investigate an issue, it has come in handy when I have to roll back a change a week after we made it, or for emergency changes, when I have to fill out the change request after the fact. Go to the log server and get the commands that were executed.

-Otanx


PostPosted: Thu Jul 05, 2012 11:01 pm 
Junior Member
Joined: Tue Feb 15, 2011 3:19 am
Posts: 61
Certs: MCSE, CCNA, CCNP, CCSP, CCNP Security
In my opinion, logging first and finding out who did what will give you a better idea of what your next step should be. Based on what you find, you can make a decision on whether to give limited access or deny all. Personally, I always give limited access unless more is required. Clients always have the answer "I didn't do anything!!" :D

_________________
Isuru Senadheera
MCSE, CCNP, CCSP, MCITP
www.isururakshitha.org


PostPosted: Fri Jul 06, 2012 3:06 am 
CCIE #38070
Joined: Wed Jun 18, 2008 7:49 am
Posts: 12425
Location: London, UK
Certs: CCIE ,CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
We use the archive command to log all commands. We also do not allow SSH access to the box from ANYONE except our management range.

If anything, they might get very limited SNMP read-only access, which gives them interface statistics and not much more. We also request the IP of their SNMP server and lock it down to that single IP.

_________________
www.mellowd.co.uk/ccie/


PostPosted: Fri Jul 06, 2012 12:03 pm 
Post Whore
Joined: Mon Feb 08, 2010 9:30 am
Posts: 1172
Location: Santiago, Chile
Certs: CCENT, CCNA,CCNP Route
Quote:
aaa accounting and log to a server they don't have access to


Can this be done with a syslog server only, or do I need TACACS, RADIUS, etc.?

Quote:
We use the archive command to log all commands


This looks interesting, I'm going to investigate.


PostPosted: Fri Jul 06, 2012 12:52 pm 
Post Whore
Joined: Mon Feb 08, 2010 9:30 am
Posts: 1172
Location: Santiago, Chile
Certs: CCENT, CCNA,CCNP Route
It seems that the "archive" feature doesn't support logging exec commands, like erase flash:?


PostPosted: Fri Jul 06, 2012 1:13 pm 
CCIE #38070
Joined: Wed Jun 18, 2008 7:49 am
Posts: 12425
Location: London, UK
Certs: CCIE ,CC-NP/IP, JNCIP-SP, JNCIS-ENT, BC-/SPNE/NP
Really? TBH, I probably need to take a closer look at what is and is not logged. No options at all to add exec commands as well?

_________________
www.mellowd.co.uk/ccie/


PostPosted: Fri Jul 06, 2012 2:05 pm 
Post Whore
Joined: Mon Feb 08, 2010 9:30 am
Posts: 1172
Location: Santiago, Chile
Certs: CCENT, CCNA,CCNP Route
I did the test and no exec log is kept. It would be really cool if it could.
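The thread ends on the gap between the two logging mechanisms it discusses: `archive` / `log config` / `logging enable` / `notify syslog` sends configuration-mode commands to a plain syslog server with no AAA server involved, while `aaa accounting commands 15 default start-stop group tacacs+` sends every command, including exec-mode ones such as `erase flash:` and `reload`, to a TACACS+ server (RADIUS has no per-command accounting). The script below is an added example and not code from any poster or from the forum; it parses a few constructed lines in the shape of each feed (the `%PARSER-5-CFGLOG_LOGGEDCMD` syslog message and a tac_plus-style tab-separated accounting record, both approximations), builds a per-user command trail on the log host the client cannot reach, flags destructive commands, and lists what the archive log alone would have missed. The usernames, addresses, task IDs and timestamps are all made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Cmd(NamedTuple):
    ts: str      # collector timestamp, "Mon DD HH:MM:SS"
    user: str
    cmd: str
    source: str  # "archive" (syslog from 'archive log config') or "tacacs"


# Constructed syslog lines: what the collector stores after
# 'archive / log config / logging enable / notify syslog' (hypothetical host 10.1.1.1).
ARCHIVE_SYSLOG = """\
Jul  6 12:03:01 10.1.1.1 1234: *Jul  6 12:03:00.101: %PARSER-5-CFGLOG_LOGGEDCMD: User:client1  logged command:interface GigabitEthernet0/1
Jul  6 12:03:05 10.1.1.1 1235: *Jul  6 12:03:04.221: %PARSER-5-CFGLOG_LOGGEDCMD: User:client1  logged command:shutdown
Jul  6 12:04:10 10.1.1.1 1236: *Jul  6 12:04:09.005: %PARSER-5-CFGLOG_LOGGEDCMD: User:noc-admin  logged command:no shutdown
"""


def _rec(ts: str, user: str, port: str, rem: str, task: int, cmd: str) -> str:
    """Build one constructed tac_plus-style command-accounting record."""
    return "\t".join([ts, "10.1.1.1", user, port, rem, "stop", f"task_id={task}",
                      "service=shell", "priv-lvl=15", f"cmd={cmd} <cr>"])


# Constructed TACACS+ accounting feed from 'aaa accounting commands 15 ... group tacacs+'.
# Unlike the archive log it also carries exec-mode commands.
TACACS_ACCT = "\n".join([
    _rec("Jul  6 12:02:58", "client1", "tty2", "192.0.2.10", 40, "configure terminal"),
    _rec("Jul  6 12:03:00", "client1", "tty2", "192.0.2.10", 41, "interface GigabitEthernet0/1"),
    _rec("Jul  6 12:03:04", "client1", "tty2", "192.0.2.10", 42, "shutdown"),
    _rec("Jul  6 12:04:09", "noc-admin", "tty3", "10.9.9.9", 50, "no shutdown"),
    _rec("Jul  6 12:05:30", "client1", "tty2", "192.0.2.10", 43, "erase flash:"),
    _rec("Jul  6 12:05:40", "client1", "tty2", "192.0.2.10", 44, "reload"),
])

ARCHIVE_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")

# Exec-mode commands that destroy state; these never appear in the archive log.
DESTRUCTIVE_FIRST_WORDS = {"erase", "reload", "format", "delete", "squeeze"}


def parse_archive(text: str) -> List[Cmd]:
    out = []
    for line in text.splitlines():
        m = ARCHIVE_RE.search(line)
        if m:
            out.append(Cmd(line[:15], m["user"], m["cmd"].strip(), "archive"))
    return out


def parse_tacacs(text: str) -> List[Cmd]:
    out, seen_tasks = [], set()
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        attrs = dict(f.split("=", 1) for f in fields[6:] if "=" in f)
        task = attrs.get("task_id")
        if task in seen_tasks:       # start and stop records share a task_id
            continue
        seen_tasks.add(task)
        cmd = attrs.get("cmd", "").replace("<cr>", "").strip()
        if cmd:
            out.append(Cmd(fields[0], fields[2], cmd, "tacacs"))
    return out


def is_destructive(cmd: str) -> bool:
    words = cmd.lower().split()
    return bool(words) and (words[0] in DESTRUCTIVE_FIRST_WORDS or words[:2] == ["write", "erase"])


def build_trail(archive_text: str, tacacs_text: str) -> Dict[str, List[Cmd]]:
    """Per-user command history, merged from both feeds and ordered by time."""
    trail = defaultdict(list)
    for c in parse_archive(archive_text) + parse_tacacs(tacacs_text):
        trail[c.user].append(c)
    return {u: sorted(cs, key=lambda c: c.ts) for u, cs in trail.items()}


def destructive_commands(archive_text: str, tacacs_text: str) -> List[Cmd]:
    return [c for c in parse_tacacs(tacacs_text) + parse_archive(archive_text)
            if is_destructive(c.cmd)]


def archive_blind_spots(archive_text: str, tacacs_text: str) -> List[Cmd]:
    """Commands TACACS+ accounting saw but the archive log did not (the exec-mode ones)."""
    seen = {(c.user, c.cmd) for c in parse_archive(archive_text)}
    return [c for c in parse_tacacs(tacacs_text) if (c.user, c.cmd) not in seen]


if __name__ == "__main__":
    for user, cmds in build_trail(ARCHIVE_SYSLOG, TACACS_ACCT).items():
        for c in cmds:
            print(f"{c.ts} {user:10} {c.source:8} {c.cmd}")
    for c in destructive_commands(ARCHIVE_SYSLOG, TACACS_ACCT):
        print(f"DESTRUCTIVE by {c.user}: {c.cmd}")
    for c in archive_blind_spots(ARCHIVE_SYSLOG, TACACS_ACCT):
        print(f"not in archive log: {c.user} ran '{c.cmd}'")
```

Run against these constructed feeds, the archive log alone attributes only the `interface`/`shutdown` changes to the client, while the TACACS+ feed is what exposes the `erase flash:` and `reload`. Whichever feed is used, the log host must be one the client has no account on, as Otanx suggests above, or the record is no better than the router's own buffer.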
