I'm faced with this as well. How hard would it REALLY be to force a login and then an enable type uplog.
On Jan 22, 2013, at 7:35 PM, "Kriss (Nebonet.com)" <[email protected]> wrote:

> This topic doesn't seem to come up at all. I started out in the ISP biz and moved over to information security for a company who was small enough that Tiks still seemed to fit the bill.
>
> However we are starting to get hit with PCI-DSS evaluations, risk assessments and gap analysis with an array of requirements -- most of which I have been able to meet easily except one: security authentication on the router. Almost every third party wants to see me doing it the 'Cisco' way with primary remote logins being strictly unprivileged and forcing elevation to a privileged user after connection, i.e. enable.
>
> Now I can emulate this functionality by allowing only a stripped-down user remote access and setting up a loopback bridge interface with no ports, setting an IP address on that bridge and SSH'ing into itself from there, with the allowed IP address for the administrative full-access user being the router itself.
>
> Which in and of itself isn't too terrible, other than I prefer to work with firewall rules using Winbox. Anyone else had experience with this and other PCI-DSS compliance rules and getting the Tik to be compliant?
>
> - Kriss
>
> _______________________________________________
> Mikrotik mailing list
> [email protected]
> http://mail.butchevans.com/mailman/listinfo/mikrotik
>
> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
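As an added illustration (not Kriss's actual configuration, nor anything from the list), here is how the loopback-elevation scheme from the quoted post can be laid out in RouterOS CLI: a remote-only restricted group, a port-less loopback bridge carrying an address that exists only on the router, and a full-rights account usable only from that address. The user and interface names, the 192.0.2.1/32 loopback address, the policy list of the restricted group and the `test` policy (assumed to be what the built-in ssh client needs; verify on your RouterOS version) are all assumptions.

```routeros
# Constructed example: two-step (login, then elevate) admin access on RouterOS.
# Names, addresses and the restricted policy set are assumptions, not a vendor recipe.

# 1. A group that may log in over SSH and look around, but cannot change anything.
#    "test" is assumed to be required for /system ssh (the elevation step below).
/user group add name=remote-limited \
    policy=ssh,read,test,!local,!telnet,!ftp,!reboot,!write,!policy,!winbox,!password,!web,!sniff,!sensitive,!api,!romon

# 2. A bridge with no member ports acts as a loopback; the address is reachable only on-box.
/interface bridge add name=loopback0 protocol-mode=none
/ip address add address=192.0.2.1/32 interface=loopback0

# 3. The unprivileged remote account, and the full account pinned to the loopback source.
#    Replace the placeholder passwords before use.
/user add name=ops-ro group=remote-limited password=CHANGE-ME-placeholder
/user add name=admin-full group=full address=192.0.2.1/32 password=CHANGE-ME-placeholder

# 4. Anti-spoofing: a packet arriving from outside must never claim the loopback source,
#    otherwise the address= restriction on admin-full could be bypassed from the network.
#    "ether1" as the WAN port is an assumption.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1
/ip firewall filter add chain=input in-interface-list=WAN src-address=192.0.2.1 \
    action=drop comment="drop spoofed loopback source"

# 5. Both the unprivileged login and the elevation are logins, so the "account" topic
#    records each one; keep that evidence somewhere an assessor can see it.
/system logging add topics=account action=disk

# Elevation, typed inside the ops-ro SSH session (interactive, so shown as a comment):
#   /system ssh 192.0.2.1 user=admin-full
# The resulting session is admin-full, sourced from 192.0.2.1, so the address= check passes.
```

Because admin-full is tied to the loopback address it can no longer be used from Winbox on a workstation, which is exactly the trade-off the post complains about; the restricted account keeps its own `!winbox` policy as well.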

