Hi, I'm wondering how large ISPs offering managed CPE services manage their password databases.

Let's say RADIUS/TACACS is used for normal CPE user AAA, but there is some 'backup' local user account created on the CPE for situations when the RADIUS server is unreachable. For security reasons, this backup account (as well as SNMP communities, RADIUS key, etc.) is unique per CPE to avoid fraud caused by end-users (even if one does password recovery on the CPE, they still don't have the password for other CPEs). If there are hundreds or thousands of these CPEs, that could mean storing tens of thousands of passwords.

Are there any crypto-based products available, or do people use their own stuff?

Thanks

--
Tomas Daniska
systems engineer
Tronet Computer Networks
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

A transistor protected by a fast-acting fuse will protect the fuse by blowing first.
On Tue, 23 Jul 2002, Daniska Tomas wrote:
> I'm wondering how large ISPs offering managed CPE services manage their password databases.
Slovakia, that's an interesting one for NANOG.

Key management is still a hard problem. It would be nice if the NSA published how they do it, but I suspect they don't have a cost-effective way either. Vendors/providers are all over the board.

For the most part, if you are concerned about security you should view it as any other vendor default password. On the other hand, people sometimes latch onto small vulnerabilities. If the only way the password can be used is at the local console, it may be considered only a slightly increased security risk. If someone has physical access to your console, you're usually toast anyway.

You might configure things so the local password only works when the network authentication is not available. This reduces the window of opportunity. It's still a risk. But it may be an acceptable risk, such as the fire department requiring a master key kept in a lockbox outside the front door of an office building.

The broadband forums have started talking about this. But the solution they came up with isn't that great: disable local access. I suspect eventually we'll see PK smartcard-addressable CPE, much like satellite/cable set-top boxes, and customers will no longer be able to (easily) access the box.
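The two technical points in this thread, the original question's "tens of thousands of unique per-CPE secrets" and the reply's "local password only works when network authentication is not available", can be shown together in one worked example. The code below is added here for illustration; it is not from either poster and is not a product either of them mentions. It assumes (hypothetically) that each CPE is identified by its chassis serial number, that a single master key held in an HSM/KMS is the only secret the operator stores, and that the CPE speaks Cisco IOS-style AAA, since the thread names no vendor. The master key and serial numbers are constructed values. Every per-device secret (backup user password, SNMP community, RADIUS shared secret) is derived with HMAC-SHA256 from the master key, the device identifier and a purpose label, so nothing has to be stored per device, recovery after a CPE swap is just re-derivation, and the RADIUS server can derive the same per-CPE shared secret without a database of its own. The rendered config uses separate method lists so that the local backup user is reachable only on the console and only when RADIUS does not answer.

```python
import hashlib
import hmac
import string

# Constructed example master key. In a real deployment this is the only secret
# that has to be stored, and it belongs in an HSM/KMS, not in a source file.
MASTER_KEY = bytes.fromhex(
    "4f1c9d3e8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e"
)

# Printable alphabet that is safe inside IOS and SNMP strings
# (no quotes, spaces or '?', which the IOS parser treats specially).
ALPHABET = string.ascii_letters + string.digits


def _prf_stream(master_key: bytes, device_id: str, purpose: str, key_version: int):
    """Yield an unbounded pseudorandom byte stream bound to (version, device, purpose).

    Fields are length-prefixed so that device "ab" + purpose "c" can never
    collide with device "a" + purpose "bc".
    """
    def field(s: str) -> bytes:
        b = s.encode("utf-8")
        return len(b).to_bytes(2, "big") + b

    info = key_version.to_bytes(4, "big") + field(device_id) + field(purpose)
    counter = 0
    while True:
        block = hmac.new(master_key, info + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        yield from block  # yields one int per byte
        counter += 1


def derive_secret(master_key: bytes, device_id: str, purpose: str,
                  length: int = 20, key_version: int = 1) -> str:
    """Deterministically derive a printable secret of `length` symbols from ALPHABET.

    Rejection sampling keeps the symbol distribution uniform: a byte is used only
    when it is below the largest multiple of len(ALPHABET) that fits in 256,
    so `b % len(ALPHABET)` carries no modulo bias.
    """
    n = len(ALPHABET)
    limit = (256 // n) * n  # 248 for a 62-symbol alphabet
    out = []
    for b in _prf_stream(master_key, device_id, purpose, key_version):
        if b < limit:
            out.append(ALPHABET[b % n])
            if len(out) == length:
                return "".join(out)


def cpe_credentials(master_key: bytes, device_id: str, key_version: int = 1) -> dict:
    """All per-CPE secrets the question lists, each under its own purpose label.

    Bumping key_version (after a master-key compromise or scheduled rotation)
    re-derives every device's secrets without touching any stored record.
    """
    return {
        "backup_password": derive_secret(master_key, device_id, "local-backup-user", 20, key_version),
        "snmp_ro_community": derive_secret(master_key, device_id, "snmp-ro-community", 24, key_version),
        "radius_key": derive_secret(master_key, device_id, "radius-shared-secret", 32, key_version),
    }


def render_ios_aaa(creds: dict, radius_host: str) -> str:
    """Render the per-CPE AAA stanza (Cisco IOS syntax) for the derived secrets.

    The VTY method list has no local fallback at all. The console list falls
    back to the local backup user only when RADIUS does not answer: IOS moves
    to the next method on a server timeout, not on an Access-Reject, which is
    the narrowed window the reply describes.
    """
    return "\n".join([
        "aaa new-model",
        "aaa authentication login VTY group radius",
        "aaa authentication login CONSOLE group radius local",
        f"radius-server host {radius_host} key {creds['radius_key']}",
        f"username cpe-backup privilege 15 secret {creds['backup_password']}",
        f"snmp-server community {creds['snmp_ro_community']} RO",
        "line con 0",
        " login authentication CONSOLE",
        "line vty 0 4",
        " login authentication VTY",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed serial numbers standing in for two managed CPEs.
    for serial in ("FHK0845F2XQ", "FHK0845F2XR"):
        creds = cpe_credentials(MASTER_KEY, serial)
        print(f"! CPE {serial}")
        print(render_ios_aaa(creds, "192.0.2.10"))
```

The trade-off to be clear about: with derivation there is exactly one secret to protect, and whoever obtains it (or a derived-secret generator with access to it) has every CPE's credentials at once, which is why the master key should never leave the HSM and why `key_version` exists. A password recovery on one box still yields only that box's secrets, which is the property the question asked for. If an operator prefers storing random per-device secrets instead, the same master key can serve as the key-encryption key for those records; the derivation shown here just removes the records altogether.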