> At the moment, we're firming up our policy on access to Networking Devices and the like. In support of this, I'm looking for any links to white papers

Not a white paper or link, but some thoughts below: A nice approach is a central AAA (Authentication, Authorization, Accounting) server scheme of some type (e.g. RADIUS, TACACS+).

> or other such sources that discuss/support the following things:
> - Limiting the number of people with access

Only enable the people you think need access on this server. Additionally, you might work out some tiered level of privileges so that people get what they need to do their jobs. Also you can have an audit trail should something require more follow-up.

> - Scheduled password change/rotation

It's nice to use a one-time password scheme of some sort (e.g. software like s/key and OPIE or some token-based approach like SecurID). This way one shouldn't need to change PWs. (See note below.)

> - Password change when someone with access leaves

A well-oiled centralized scheme should provide for straightforward revocation of access on a per-user basis so that others need not be affected by such occurrences.

Note: This approach won't necessarily cover everything. All gear might not support it, for instance. Also, tools which require automated access will have to have some special provision. Lastly, given that the system is network-based, if the connectivity to the AAA server is broken some local override PWs must be in place. Presumably access to those can be somehow limited. A more satisfying solution would allow security administrators to know when those PWs have been used or distributed to someone who's left so that they can be changed.

Tony

> I'm going to be doing research on this to drag things up myself, but I figured I would put this out here to ask to provide some narrowing down of the search and speeding it up.
> Thanks in advance.
> -- Clint Hauser AT&T Solutions
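A small audit script in the spirit of Tony's closing point (knowing when the local override passwords have actually been used, and noticing logins by someone whose access should have been revoked), added here as an example and not code from either poster. The log format, device names, user names and the two account lists are constructed for illustration; a real TACACS+ or RADIUS accounting export would need its own parser, but the checks are the same: a successful login that did not go through the central AAA server marks a device whose override password should be rotated, and any activity by a departed user shows where revocation did not take effect.

```python
"""Audit network-device logins for local-override (break-glass) account use
and for activity by users who have left.

Added example, not code from the thread. The log format below is
constructed for illustration: one whitespace-separated record per line,
roughly modelled on a TACACS+ accounting export. Real exports differ.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample records: timestamp device user auth-method result
SAMPLE_LOG = """\
2024-03-01T08:02:11Z core-rtr-1 alice tacacs+ success
2024-03-01T08:05:42Z core-rtr-1 bob tacacs+ success
2024-03-01T09:14:03Z edge-sw-7 admin local success
2024-03-01T09:14:20Z edge-sw-7 carol tacacs+ failure
2024-03-02T22:40:55Z dist-sw-3 dave tacacs+ success
2024-03-03T01:03:17Z core-rtr-2 admin local success
"""

# Hypothetical inventory: local override accounts configured on the devices
# for use when the AAA server is unreachable, and users whose access was revoked.
LOCAL_OVERRIDE_ACCOUNTS: Set[str] = {"admin"}
DEPARTED_USERS: Set[str] = {"dave"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(success|failure)$")


@dataclass(frozen=True)
class LoginEvent:
    timestamp: str
    device: str
    user: str
    method: str   # "tacacs+" when the AAA server answered, "local" on fallback
    result: str


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the constructed record format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(LoginEvent(*m.groups()))
    return events


def local_override_logins(events: List[LoginEvent]) -> List[LoginEvent]:
    """Successful logins that bypassed central AAA: either the device fell
    back to local authentication, or a known override account was used."""
    return [e for e in events
            if e.result == "success"
            and (e.method == "local" or e.user in LOCAL_OVERRIDE_ACCOUNTS)]


def devices_needing_rotation(events: List[LoginEvent]) -> Set[str]:
    """Devices whose local override password has been used and should be changed."""
    return {e.device for e in local_override_logins(events)}


def departed_user_activity(events: List[LoginEvent]) -> List[LoginEvent]:
    """Any attempt (success or failure) by a user whose access was revoked;
    a success here means the revocation did not reach that device."""
    return [e for e in events if e.user in DEPARTED_USERS]


def summarize(text: str) -> Dict[str, object]:
    """Parse a log and return the two findings an administrator acts on."""
    events = parse_log(text)
    return {
        "events": len(events),
        "override_devices": sorted(devices_needing_rotation(events)),
        "departed_logins": [(e.timestamp, e.device, e.user)
                            for e in departed_user_activity(events)],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['events']} events parsed")
    for dev in report["override_devices"]:
        print(f"rotate local override password on {dev}")
    for ts, dev, user in report["departed_logins"]:
        print(f"departed user {user} authenticated to {dev} at {ts}")
```

Run against the constructed sample it reports two devices (edge-sw-7 and core-rtr-2) whose override password was used and one login by the departed user dave on dist-sw-3. Treating a failed attempt by a departed user as a finding too is deliberate: it shows the credential is still being tried somewhere, which is worth following up even when the device rejected it.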