 Phraxos Premium join:2004-06-12 UK
reply to TomS_ Re: Is it national hack a router day?
Some interesting suggestions, and thanks for taking the time to post, but I don't think any of them really address my requirement. I would also disagree about passwords being 'simple'. Bearing in mind this is a username/password combination, a sensible choice of both will result in a combination that is unbreakable by dictionary/brute-force methods, the main vulnerability being an insecure terminal (key loggers etc.), and that is not usually an issue for me.
said by TomS_:
As much as you might like to access your router from anywhere, and as handy as that may be, I would probably look at establishing some sort of central location where you initiate all of your access from. Something like a Linux/FreeBSD box would suffice. Configure your VTY ACL to only allow access from the IP or subnet that box lives in (preferably have it on a static IP), and maybe one or two others (home, and a trusted friend's or work place in case your box goes down). You may not like the idea, and it may take some getting used to, but it is far, far, far more secure. Think about it, you wouldn't have this current issue with the implementation as per above.
Umm, I'm really not sure how this helps.
I would still have to gain access to the Linux box from anywhere, and that access will still be via a router, so I have just swapped one issue for two. Also, I think we have done this before, but there are people in the world who don't "do" Linux. No prejudice, just no commercial value to me to learn it (well, more a case of less commercial value than spending my time doing something else).
Effectively I already do what you suggest in practice - have one central system that I log into to gain access to all the remote systems I look after. But I still need access to that central site via a router, and if there is a router issue I need to be able to log into it, if possible, to resolve it.
 aryoba Premium,MVM join:2002-08-22
edit: July 28th, @12:33PM
Well, you could set up something like Cisco MARS and/or IPS 4215 to detect and automatically block password scan attacks. However, this solution might not be financially feasible.
With a limited budget, your best bet is probably the IPsec VPN approach as mentioned. Yes, it may not set a security perimeter like you are looking for. However, it is still a good solution with (again) a limited budget.
  TomS_ debugger it Premium,MVM join:2002-07-19 Australia
edit: July 29th, @04:56AM
reply to Phraxos
said by Phraxos:
Umm, I'm really not sure how this helps.
It helps by allowing you to lock down your routers to only allow remote access from one or two trusted locations, rather than everywhere, thus reducing possible attack vectors.
If there are only two places you are able to telnet from, and both of those locations are relatively secure, you're less likely to suffer from the problem you were experiencing at the beginning of this thread - unwanted authentication attempts.
You don't have to learn everything about Linux, just enough to set it up so that you can SSH in from wherever, and then SSH or Telnet out to wherever. Linux 101 really.
But it's up to you, I just offered one such suggestion which does work in practice, and doesn't cost an arm, a leg, nor a finger, heck not even a pinky toe to set up - if you have an oldish box sitting around you have a perfect candidate.
 Phraxos Premium join:2004-06-12 UK
I appreciate the suggestion.
I see what you are saying now, and it is sort of the solution I have at the moment (except I VPN into my network and access other routers/systems from there). The problem is the router that gives access to all that has to be accessible from anywhere in case I have an issue with it (I have twin connections in the event of one going down).
There isn't really a problem as such, in that I use login tracking and silent time to make sure that nobody can make a concerted attack, and my choice of username/password (which changes regularly) is certainly strong enough. However, I don't come close to the level of knowledge I would like to have with Cisco routers and thought it was just worth checking there wasn't a better way to achieve what I want.
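The two controls discussed in this thread, TomS_'s VTY access-class limited to a couple of trusted source addresses and Phraxos's login tracking with a quiet period, look like this on a Cisco IOS router. This is an added example configuration, not anything posted by either participant; the ACL name MGMT-HOSTS, the addresses 203.0.113.10 (jump host) and 198.51.100.0/24 (home subnet), and the timer values are assumptions chosen for illustration.

```cisco
! Added example configuration (not from the thread). Addresses, ACL name and
! timers are placeholders; substitute the static IP of the jump host and the
! one or two other trusted locations.
!
! 1. Standard ACL listing the only sources allowed to reach the VTY lines.
ip access-list standard MGMT-HOSTS
 remark Jump host (assumed static address)
 permit host 203.0.113.10
 remark Home / office fallback subnet (assumed)
 permit 198.51.100.0 0.0.0.255
 deny   any log
!
! 2. Login tracking: after 3 failed attempts within 60 seconds, enter
!    quiet mode for 300 seconds. During quiet mode only sources matched by
!    MGMT-HOSTS may still log in, so the administrator is never locked out.
login block-for 300 attempts 3 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
login on-success log
!
! 3. Apply the ACL inbound on the VTY lines and allow SSH only.
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local
```

Because the quiet-mode ACL is the same one applied to the VTY lines, a connection from an unlisted address is refused by the access-class before it reaches a login prompt, and the quiet period only matters for failures that originate from the trusted sources themselves. `show login` and `show login failures` display the current mode and the tracked failed attempts, which is what to check when reviewing the log lines that prompted this thread.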