I know lots about Cisco routers, but I guess that the below might hold true with other brands as well. NB: I do not work for Cisco (although if they're hiring...)
With enough work you can implement pretty much all the task-based controls you outlined (although most people don't). SSH is now available on all interfaces with the latest IOS versions, which obviates the risk you discuss about plaintext passwords on LANs. Given that routers should already have (at least) ACLs limiting where they can be managed from, this provides enough security for all but the most paranoid people.

The most paranoid would probably have a dedicated management station with serial links to all the routers concerned, via a multiport serial card, or using a router with a high serial-port density as a serial switch. Then you'd turn off _all_ network management. I know of at least one site that does this. In fact, they go one better - there is no serial connection made to the router until a change request has been entered, and then one needs to cut dated seals off the rack doors to get to the ports. If you want to be _really_ paranoid, cover the serial TX/RX LEDs with black tape. (That's getting into black helicopter territory, though.)

You've already heard Mike's rant about SNMPv2, so I won't go there again.

Overall, I think that you may be ignoring some features that are already there. Even in the old text-only days you could use one-time passwords via RADIUS or TACACS+ to access the router, which provides pretty damn good protection against password theft (shame about the session hijacking risk - that's why SSH is good). The AAA stuff is already there, the authentication you want is available via RADIUS/TACACS, and the task-based control for user ids is available (although you can't, AFAIK, lock down configure mode quite as granularly as you suggest). You're right that most people don't have secure routers (oh boy, do I know _that_), but I think that a great deal can be done with existing equipment before we need to start asking the vendors for more features.
I'm happy enough if devices support SSH, serial-only management, RADIUS/TACACS+ authentication and some sort of privileged / unprivileged mode.

Cheers!

-- 
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Marc E. Mandel
[...]
White Paper
Subject: Proposed Router Security Requirements
Issued by: Marc Mandel
[...]

PROBLEM STATEMENT

[...] This concern derives from the fact that access control, in most routers, currently is normally limited to two group ids (operative and administrative) and their associated passwords. While link encryption can secure WAN circuits, data on LAN wiring can be eavesdropped by anyone who can gain access. [...]

PROPOSED SOLUTION

In response to the above problem, the author has proposed that routers be modified to support discretionary access control with individual accountability:

[masses of stuff snipped]

The author welcomes any and all feedback/constructive criticisms on this white paper.
[...]

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
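As an added illustration (not part of Ben's reply or of the white paper), the following Cisco IOS fragment puts the two-password, Telnet-from-anywhere setup the white paper complains about beside the hardened form built from the features Ben lists: VTY access limited to SSH from an ACL-defined management network, AAA with TACACS+ for login (where one-time passwords can be enforced server-side), per-command authorization and accounting for individual accountability, and a local break-glass fallback. The hostname, domain, addresses, usernames, secrets and TACACS+ key are placeholders, and an IOS release that supports `ip ssh version 2` is assumed; the weak section is shown commented out with `!` so the fragment can be pasted as a whole.

```cisco
! --- Weak but common (the situation the white paper describes): two shared
! --- passwords, Telnet from any source, SNMP read-write with a default community.
! enable password cisco
! line vty 0 4
!  password cisco
!  login
!  transport input telnet
! snmp-server community public RW
!
! --- Hardened form using only what IOS already provides.
! --- Placeholders (assumed): 192.0.2.0/24 management network,
! --- 192.0.2.10 TACACS+ server, example.net domain, S3cretTacacsKey shared secret.
hostname rtr1
ip domain-name example.net
service password-encryption
enable secret Break-Glass-Enable
!
! AAA: TACACS+ first, local accounts only if no server answers. Command
! authorization/accounting is what gives per-user, per-command control and an audit trail.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key S3cretTacacsKey
!
! Local account used only when every TACACS+ server is unreachable.
username breakglass privilege 15 secret Break-Glass-Login
!
! SSH: generating the RSA key pair is what turns on the SSH server. This line is
! entered once in configuration mode; the key lives in NVRAM, not in running-config.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management network may open a VTY session; everything else is logged.
access-list 10 remark management stations
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
! For the serial-only shop Ben describes, replace "transport input ssh"
! with "transport input none" and manage exclusively over the console.
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
!
line con 0
 exec-timeout 10 0
line aux 0
 no exec
 transport input none
!
! SNMP: off entirely, or (if it must stay) read-only with a non-default
! community bound to the same management ACL, e.g. "snmp-server community <str> RO 10".
no snmp-server
```

With `aaa authorization commands 15` in place the TACACS+ server, not the router, decides which configure-mode commands each user may run, which is as close as IOS gets to the granular task-based control the white paper asks for; the `local` keyword at the end of each list is the only thing keeping you out of the box when the AAA server is down, so the break-glass credentials need the same care as the enable secret.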
