On Fri, 28 April 2000, Paul Ferguson wrote:
> What does the list, in general, think about this proposal?
I think it is a fine idea. Although some may think it isn't a technical topic, instead handled by PR people and those worried about stock prices, not by engineers.

On a more proactive stance, I'd like to see a Best Common Practice for how a service provider configures its management network. We've all seen those USR modems stuffed in ISP racks for "out-of-band" management which are likely connected to POTS lines anyone could call if they knew the "secret" phone number.

Secure - A relative term, but secured against at least "common" attacks known and used.

Fault-tolerant - The management access still works, even when the network doesn't.

Maintainable - People come and go; if you revoke access, is it really revoked everywhere?

I've seen several proposals, each with its pluses and minuses.

TACACS, Kerberos and other centralized authorization mechanisms tend to have poor fault-tolerant qualities when dealing with misbehaving networks.

SSH distributes the authorization, but tends to be difficult to be sure you have revoked everything, everywhere.

SecurID does everything, including slice bread, according to the SecurID sales people. But how well does it work when everything isn't working?

Using POTS as your out-of-band access tends to be vulnerable to others having access to the public switched network.

Using frame-relay or some other closed-user group data transport tends to have nasty fate-sharing properties with your IP network.

Do you have "backup" administrative passwords configured in your network equipment for use only when the network is down? How do you prevent someone from taking down your network, just so they can use those backup passwords? If you don't have backup passwords, what do you do if your password doesn't work?

At what point do you punt, and if Murphy still gets you, can you say you did everything reasonable to avoid it with a straight face?
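
Added example, not part of the original message: one way to check the "revoked everywhere" problem for SSH is to audit authorized_keys files already collected from each device for the fingerprint of a revoked key. The host names, file contents and sample keys below are constructed for illustration, and the function names are hypothetical.

```python
import base64, hashlib, re, struct

# Key type followed by a base64 blob, anywhere on the line (options may precede it).
KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+=*)")

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a decoded public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_fingerprints(authorized_keys_text):
    """Fingerprints of every valid key line in one authorized_keys file."""
    found = set()
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for m in KEY_RE.finditer(line):
            try:
                blob = base64.b64decode(m.group(2), validate=True)
            except ValueError:
                continue
            # A real blob begins with a length-prefixed copy of its key type;
            # this rejects look-alike text inside a command="..." option.
            n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
            if blob[4:4 + n] == m.group(1).encode():
                found.add(fingerprint(blob))
                break
    return found

def hosts_still_trusting(revoked_fp, collected):
    """Hosts whose collected authorized_keys still contains the revoked key."""
    return sorted(h for h, t in collected.items() if revoked_fp in key_fingerprints(t))

def sample_key(seed):
    """Constructed ed25519-shaped public key line (not a real key)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + hashlib.sha256(seed).digest())
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

ALICE, BOB = sample_key(b"alice"), sample_key(b"bob")
REVOKED = next(iter(key_fingerprints(BOB)))
# Constructed inventory: hypothetical host names and file contents.
COLLECTED = {
    "core-rtr1": f"{ALICE} alice@noc\n{BOB} bob@noc\n",
    "edge-rtr2": f"# ops keys\n{ALICE} alice@noc\n",
    "oob-term1": f'command="show status",no-pty {BOB} bob\'s old laptop\n',
}
print(hosts_still_trusting(REVOKED, COLLECTED))
```

Matching on the fingerprint rather than the comment field catches a key that was re-added under a different label or behind an options prefix.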