At 11:06 AM 12/29/2014, you wrote:
> On 12/29/2014 10:32 AM, Colton Conor wrote:
>> My fear would be we would hire an outsourced tech. After a certain
>> amount of time we would have to let this part timer go, and would
>> disable his or her username and password in TACACS+. However, if
>> that tech still knows the root password they could still remotely
>> login to our network and cause havoc. The thought of having to
>> change the root password on hundreds of devices doesn't sound
>> appealing either every time an employee is let go. To make matters
>> worse we are using an outsourced firm for some network management,
>> so the case of hiring and firing is fairly consistent.
>
> You can set up your AAA in most devices so TACACS+ is allowed first
> and the local password is only usable if TACACS+ is unreachable. In
> that case, even if you fire someone you can just remove them from
> TACACS+ and they can't get in.
>
> At that point you will want to do a global password change of the
> local password since it's compromised, but it's not an immediate concern.
>
> You should also have access lists or firewall rules on all your
> devices which only allow login from specific locations. If you fire
> someone then you remove their access to that location (their VPN
> credentials, username and password for UNIX login, etc), which also
> makes it harder for them to log back into your network even if they
> know the local device password.

Umm...what do you guys do when the network is down?
All of our engineers know the 'default' username/pw - but it is not
usable unless the AAA server is unreachable. I don't know of a way we
could do circuit troubleshooting with that password locked up in a
safe somewhere. Yes, it's a pain to change when people leave - but it
would be a much larger pain to do deployments without it, I think.
Berry
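As an added example, not written by anyone in this thread, here is the arrangement both replies describe on Cisco IOS: TACACS+ is tried first, the local account works only when no TACACS+ server answers, and an access list limits where logins may come from. The server address, group and ACL names, the account name and the secrets are constructed placeholders.

```cisco
! Added example (not from this thread): Cisco IOS AAA with TACACS+ first and the
! local account usable only when no TACACS+ server answers, plus a source ACL on
! the vty lines. Addresses, names and secrets are constructed placeholders.
aaa new-model
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key <REPLACE-WITH-SHARED-SECRET>
!
aaa group server tacacs+ TAC-GROUP
 server name TAC1
!
! Local break-glass account. Method-list order means IOS consults it only when
! every server in TAC-GROUP is unreachable (ERROR), not when TACACS+ rejects
! the login (FAIL), which is the "only usable if unreachable" behaviour above.
username break-glass privilege 15 secret <REPLACE-WITH-LOCAL-SECRET>
enable secret <REPLACE-WITH-ENABLE-SECRET>
!
aaa authentication login VTY-AUTH group TAC-GROUP local
aaa authentication enable default group TAC-GROUP enable
aaa authorization exec VTY-AUTH group TAC-GROUP local
! Accounting to the TACACS+ servers still records sessions and commands once
! they are reachable again, so a fallback login does not go unrecorded.
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
!
! Only the management hosts / VPN pool may reach the vty lines, so knowing the
! local secret is not enough without access to that network. Denied attempts
! are logged for review.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 login authentication VTY-AUTH
 authorization exec VTY-AUTH
 transport input ssh
```

The local secret still has to be rotated device by device when someone who knew it leaves; the method-list order and the ACL are what make that rotation non-urgent rather than unnecessary.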