2000-04-30-17:16:41 Sean Donelan:
Folks seem to be concentrating on locking down the front door. You also need to watch all the backdoors. With multi-protocol equipment, there are a lot of backdoors.
Excellent point. Personally I think it's easier to balkanize than to really secure. So use access lists so telnet access is either entirely disabled, or if it's needed is restricted to the local LAN. Restrict all questionable services to the local LAN, making sure there's a bastion on that LAN, and use ingress/egress filtering wherever possible to break address forging between LANs.

What this turns up is that it's exceptionally helpful if you can have a really solid bastion host on every LAN. Fortunately, that doesn't have to be too hard. I _still_ wish someone would make e.g. a PCI card with say 32 or 64 10BaseT ports on it, but a civilized approximation for many purposes is a nice 100Mbps port talking 802.1Q VLANs to a switch dedicated to this purpose.

But back to the wealth of possible, worrisome backdoors in modern multiprotocol gear: what are people doing to try and get a grip on config management for piles and stacks of Cisco? (My apologies if this thread has already been pounded to death; I just joined.) Seems to me like a lot could be done with some simple m4 work, but so far a lot of the parameterizing I'd like to achieve (e.g. interfaces, access-list rules) has evaded me. The fantasy of course would be to get hip to a new thought --- a new kind of filtering you want to add to your access lists, or whatever --- and do it in one place, with the confidence that it'll take effect on every box it applies to. The distribution I can handle; it's the structured config management that's evading me.

-Bennett
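As an added illustration (not part of the original thread, and not anyone's production tooling), here is a small structured generator for the per-LAN anti-spoofing access lists and local-only vty access described above. Python stands in for the m4 templating mentioned in the post; router names, interface names and prefixes are constructed, and a rule added to COMMON_INGRESS_DENIES lands in every generated ingress ACL.

```python
"""Render per-LAN ingress/egress ACLs and vty restrictions for several IOS boxes
from one parameter table. Names, interfaces and prefixes are constructed examples."""
from typing import Dict, List

# One place to add a filter that must apply on every LAN-facing interface.
COMMON_INGRESS_DENIES = [
    "deny ip 127.0.0.0 0.255.255.255 any log",  # loopback source is never valid on a LAN
    "deny ip 0.0.0.0 0.255.255.255 any log",    # 0/8 source is never valid either
]

# Constructed inventory: hostname -> management LAN, telnet policy, LAN interfaces.
ROUTERS = {
    "rtr-a": {
        "mgmt_lan": "10.1.0.0 0.0.0.255",
        "telnet": "local",          # "local" = vty only from mgmt_lan; "disabled" = none
        "interfaces": [("FastEthernet0/0", "10.1.0.0 0.0.0.255", "lan1"),
                       ("FastEthernet0/1", "10.1.1.0 0.0.0.255", "lan2")],
    },
    "rtr-b": {
        "mgmt_lan": "10.2.0.0 0.0.0.255",
        "telnet": "disabled",
        "interfaces": [("FastEthernet0/0", "10.2.0.0 0.0.0.255", "lan1")],
    },
}

def build_interface_acls(tag: str, lan: str) -> List[str]:
    """IN-<tag>: only the LAN's own prefix may source packets entering the router.
    OUT-<tag>: a packet leaving toward the LAN that claims the LAN's prefix is forged."""
    cfg = [f"ip access-list extended IN-{tag}"]
    cfg += [f" {rule}" for rule in COMMON_INGRESS_DENIES]
    cfg += [f" permit ip {lan} any", " deny ip any any log"]
    cfg += [f"ip access-list extended OUT-{tag}", f" deny ip {lan} any log", " permit ip any any"]
    return cfg

def build_vty(mgmt_lan: str, telnet: str) -> List[str]:
    """Telnet either fully disabled or restricted to the local management LAN."""
    if telnet == "disabled":
        return ["line vty 0 4", " transport input none"]
    return [f"access-list 10 permit {mgmt_lan}", "line vty 0 4",
            " access-class 10 in", " transport input telnet"]

def render_router(name: str, spec: dict) -> str:
    lines = [f"hostname {name}"]
    for _iface, lan, tag in spec["interfaces"]:
        lines += build_interface_acls(tag, lan)
    for iface, _lan, tag in spec["interfaces"]:
        lines += [f"interface {iface}", f" ip access-group IN-{tag} in", f" ip access-group OUT-{tag} out"]
    lines += build_vty(spec["mgmt_lan"], spec["telnet"])
    return "\n".join(lines) + "\n"

def render_all(routers: Dict[str, dict] = ROUTERS) -> Dict[str, str]:
    """One config text per router, all derived from the same rule table."""
    return {name: render_router(name, spec) for name, spec in routers.items()}
```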