For what it's worth, we use OpenBGP's LG on OpenBSD. It peers "read-only" with our Internet Gateway routers and Route Reflectors.
Advantages:
- Probably one of, if not the most secure solution.
- No logging at all on routers themselves.
- By simple deduction you get to see the best active route on all routers.

Disadvantages:
- You don't get to see all routes on all routers.
- You can't traceroute or ping from each router (since you don't log in to these routers).

Disadvantages are not a big deal as we use other tools as well. Another solution is to virtualize these servers, one per router, to get an even better view.

So far, no complaints. I like that it runs on OpenBSD, to be honest.

BR,
+Dragan

On Thu, May 18, 2017 at 9:08 PM, Saku Ytti <[email protected]> wrote:
> On 18 May 2017 at 21:47, Patrick M. Hausen <[email protected]> wrote:
> > I am in no way planning to make this public. We have had routerproxy in
> > place as a convenient tool for our own admins, specifically the ones who
> > are not IOS gurus and just want to look up stuff, not configure the
> > systems.
>
> I get that, but you shouldn't use system() or back-ticks ever,
> regardless of security posture. Because it is 0 cost to do this right
> (e.g. popen) versus wrong, so you have no upside on the wrong way.
> Also, you may intend it for internal use only, but then you leave the
> company, and a customer RFP mandates a looking glass, and the fastest way to
> do it is to expose the NOC tool to the customer.
>
> --
> ++ytti
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
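The point Saku makes above about system() and back-ticks is that a looking-glass or NOC web tool must never hand user-supplied text to a shell; the command and its arguments should be passed as a list so the operating system executes exactly one program with literal arguments. The following is an added example written for this thread, not code from routerproxy or from any of the posters: it assumes a hypothetical tool that runs "show ip route <prefix>" on a router over ssh (the ssh invocation, the router table and the sample inputs are all constructed for illustration). It does two things a defender wants: it allow-lists the router name and canonicalises the prefix with the ipaddress module before anything is executed, and it runs the command through subprocess with an argv list and no shell, so that even a string that slips through validation cannot start a second command.

```python
import ipaddress
import subprocess
import sys

# Constructed sample data: router name -> management address.
# A real tool would load this from its own inventory; names are the
# only thing the web form is allowed to choose from (allow-list).
ROUTERS = {
    "rtr1": "192.0.2.1",
    "rtr2": "192.0.2.2",
}


def validate_prefix(text: str) -> str:
    """Return the canonical IPv4/IPv6 prefix for user input, or raise ValueError.

    ipaddress.ip_network rejects anything that is not a prefix, so shell
    metacharacters, spaces and extra words never reach the command layer.
    strict=False lets an operator type a host address with a mask
    (10.0.0.1/8 -> 10.0.0.0/8) without being rejected.
    """
    try:
        return str(ipaddress.ip_network(text.strip(), strict=False))
    except ValueError as exc:
        raise ValueError(f"not a valid prefix: {text!r}") from exc


def build_argv(router: str, prefix: str) -> list:
    """Build the argv list for the lookup; nothing here is ever joined into a string.

    The ssh command line is an assumption for this example; the real tool
    might use a different transport.
    """
    if router not in ROUTERS:
        raise ValueError(f"unknown router: {router!r}")
    canonical = validate_prefix(prefix)
    return [
        "ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=5",
        ROUTERS[router],
        "show", "ip", "route", canonical,
    ]


def run_argv(argv: list, timeout: float = 10.0) -> str:
    """Execute argv as a single program with literal arguments (no shell).

    This is the popen-style alternative to system()/back-ticks: the list
    form never consults /bin/sh, so ';', '|', '$(...)' in an argument are
    just bytes handed to the program. check=True turns a non-zero exit into
    an exception instead of silently returning partial output.
    """
    completed = subprocess.run(
        argv,
        shell=False,
        capture_output=True,
        text=True,
        timeout=timeout,
        check=True,
    )
    return completed.stdout


def echo_argument(text: str) -> str:
    """Stand-in for run_argv against a real router, usable offline.

    Runs the current Python interpreter as the target program and prints the
    single argument back, so the test can confirm the argument arrives as
    one literal argv element however hostile it looks.
    """
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", text]
    return run_argv(argv).rstrip("\n")


if __name__ == "__main__":
    # Typical use from a web handler: validate, build argv, run.
    print(build_argv("rtr1", "10.0.0.1/8"))
    try:
        build_argv("rtr1", "10.0.0.0/8; id")
    except ValueError as err:
        print("rejected:", err)
```

The two layers are independent on purpose: validate_prefix is the primary control and fails closed on anything that is not a prefix, while the list-form subprocess.run is the backstop that holds even if a future change relaxes the validator. If the tool is ever exposed to customers, as Saku warns it may be, neither layer depends on the caller being trusted.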
