Best way to secure management dial in

Discussion in 'Cisco' started by Hoffa, Sep 18, 2007.

  1. Hoffa

    Hoffa Guest

    Hi all

    I'm planning to implement dial in using a modem connected to the
    console port of our core routers. My concern however is how this can
    be made secure.
    Any ideas?

    Regards
    Fredrik
     
    Hoffa, Sep 18, 2007
    #1

  2. Aaron Leonard

    Hi Fredrik,

    ~ I'm planning to implement dial in using a modem connected to the
    ~ console port of our core routers. My concern however is how this can
    ~ be made secure.
    ~ Any ideas?
    ~
    ~ Regards
    ~ Fredrik

    This is a legitimate concern. Since console ports do not have modem
    control, they will not detect a hangup from the modem. Consequently,
    one user could dial in to the console, authenticate, then hang up,
    and a subsequent caller could access the router prompt without having
    to authenticate. You could reduce the window of vulnerability by
    shrinking exec-timeout to your maximum pain tolerance point, but this
    would still be a vulnerability.

    Moreover, if your ROMMON is configured to permit halt upon break, a
    caller could dial in and get to ROMMON without ever having to authenticate.
    (As the line may detect a break signal due to a simple glitch on the line,
    it would be prudent to run in production with halt on break disabled.)

    The only really secure methods of permitting dialin access to your router
    would be to front end it with something that does authentication
    independently.

    One option would be to have a dialin modem or set of modems connected to
    router line(s) that have modem control and that are configured to
    do proper authentication. Once you dial into these modems and authenticate
    to the router, you could then reverse telnet out other router line(s) to
    the console ports of interest.

    Another option would be to use answer modems that have builtin security.
    The USR Courier, for example, can be configured to require a DTMF or
    ASCII password. This is what I would recommend if you must directly
    connect an answer modem to a console port.

    Regards,

    Aaron
     
    Aaron Leonard, Sep 18, 2007
    #2
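Added example, not part of the thread and not Aaron's own configuration: one IOS configuration that puts the two halves of his advice together. On each core router the console window is kept short and BREAK is ignored; an access router with real async lines (a 2511-class box is assumed) answers the modem on a line that has modem control and AAA login, and its other async lines are cabled to the core consoles and reached only by reverse telnet from an already-authenticated session. Hostnames, the loopback address, the username and its placeholder secret, the line numbers and the modem type are all assumptions.

```cisco
! ===== On every core router (console has NO modem control) =====
hostname core1
aaa new-model
aaa authentication login default local
! Placeholder credential; use a real secret and, ideally, a TACACS+/RADIUS server.
username netops secret ChangeMe-Example
line con 0
 ! A hung-up call leaves this exec alive; exec-timeout is the only limit.
 exec-timeout 5 0
 login authentication default
! Config-register bit 8 (0x0100) set = BREAK is ignored once IOS is running.
! 0x2102 is the normal production value; 0x2002 would honour BREAK.
config-register 0x2102
! Where the platform supports it, also refuse BREAK-into-ROMMON at boot time.
! Caveat: this removes the normal password-recovery procedure as well.
no service password-recovery

! ===== On the access router that owns the modem =====
hostname access1
aaa new-model
aaa authentication login default local
username netops secret ChangeMe-Example
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
! Line 1: the answer modem. "modem inout" gives full modem control, so a
! DTR/CD drop tears down the exec the moment the caller hangs up.
line 1
 modem inout
 modem autoconfigure type usr_courier
 speed 115200
 flowcontrol hardware
 stopbits 1
 exec-timeout 5 0
 login authentication default
 ! Nobody may reverse-telnet INTO the modem line (no dial-out relay).
 transport input none
 transport output telnet
! Lines 2-3: rolled cables to the console ports of core1 and core2.
! No exec runs here; the lines are only targets for reverse telnet, and each
! reverse connection is itself authenticated against AAA.
line 2 3
 no exec
 exec-timeout 5 0
 login authentication default
 transport input telnet
 transport output none

! Usage, from a session that has already dialled into line 1 and logged in:
!   access1> telnet 10.255.255.1 2002      <- core1 console (2000 + line 2)
!   access1> telnet 10.255.255.1 2003      <- core2 console (2000 + line 3)
! The reverse-telnet port is 2000 + the absolute line number, which differs
! between platforms; confirm it with "show line" before cabling.
```

The point of the layout is that the modem never touches a console port: the only line the outside world can reach is one on which IOS can see carrier, so the "authenticate, hang up, next caller inherits the prompt" problem from Aaron's post cannot occur, and the core consoles are reached only through a second authenticated hop inside the access router.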

  3. Tom Linden

    Tom Linden Guest

    On Tue, 18 Sep 2007 10:37:26 -0700, Aaron Leonard <> wrote:
    Why not a terminal server attached to the console ports, IP connected to
    a small OpenVMS box, like a DS10L connected to it using SSH. Nobody will ever
    hack you.
    telnet can be sniffed.


    --
    PL/I for OpenVMS
    www.kednos.com
     
    Tom Linden, Sep 18, 2007
    #3
  4. Aaron Leonard

    ~ Why not a terminal server attached to the console ports, IP connected to
    ~ a small OpenVMS box, like a DS10L connected to it using SSH. Nobody will ever
    ~ hack you.

    Sure - good to hear that VMS still has its partisans.

    ~ telnet can be sniffed.

    True but irrelevant unless you permit sniffer access to your data path.
    It would be hard to offer such access in the case where the telnet data
    path is internal to a router.

    If this is an issue for you, you could use "reverse ssh" instead of
    "reverse telnet" to provide the console line access via your routers.

    Cheers,

    Aaron (denizen of comp.os.vms, 198? - 199?)
     
    Aaron Leonard, Sep 19, 2007
    #4
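Added example, not part of the thread: what Aaron's "reverse ssh instead of reverse telnet" looks like in IOS on the access router. The IOS reverse-SSH feature maps a TCP port to a rotary group, and the rotary group to the async line that is cabled to a console. Hostname, domain name, loopback address, port numbers, rotary numbers and line numbers are assumptions; the lines are taken to be cabled as in the earlier layout (line 2 to core1, line 3 to core2).

```cisco
hostname access1
! SSH needs a host key; the domain name is part of the key's name.
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
aaa new-model
aaa authentication login default local
username netops secret ChangeMe-Example
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
! TCP 2002 -> rotary group 2 -> line 2 (core1 console)
! TCP 2003 -> rotary group 3 -> line 3 (core2 console)
ip ssh port 2002 rotary 2
ip ssh port 2003 rotary 3
line 2
 rotary 2
 no exec
 exec-timeout 5 0
 login authentication default
 ! Only SSH may arrive on this line; plain reverse telnet is refused.
 transport input ssh
 transport output none
line 3
 rotary 3
 no exec
 exec-timeout 5 0
 login authentication default
 transport input ssh
 transport output none

! Usage, from a workstation or from the authenticated dial-in session:
!   ssh -p 2002 netops@10.255.255.1     <- core1 console, encrypted end to end
!   ssh -p 2003 netops@10.255.255.1     <- core2 console
```

With this in place the console traffic is protected on the wire between the operator and the access router, which is the part of the path Tom was worried about; inside the access router the bytes still travel in the clear over the async cable to the console, exactly as with reverse telnet, so the physical security of that cabling still matters.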