Re: Logical access controle to network segments and boxes

[Tim Syratt <tims () syratt com>]

Neb,

Do a google search and have a good read... thats how I put together my
last CIRP.. (Which was 3 years ago, but I've since left that company)
learn from those who already have similar plans in action, chances are
they've learned from someone else who's learned from their mistakes :-)

HTH
T.

On Thu, 11 Sep 2003, MeaCulpa wrote:

> Hi all,
>
> We are currently setting up a security management system (or, what needs
> to become one anyways). Now I need to produce a document (by tomorrow, I
> do love the timely way my corp uses) which describes the "logical access
> control to other segments". I don't mind thinking this up, but I am more
> a techie guy then a management guy, so this is a little tought for me :
> )
>
> I was thinking the following:
> I limit the scope to accessing the firewalls, switches, routers,
> management tools and so on and will focus on an admin account per admin.
> Preferable I want to limit access to firewalls, ids, switch and router
> components to those admins who are either trained or skilled enough to
> know what they are doing.
>
> I want to use AAA where possible and local accounts where needed. As a
> backup I also want a (on a need to know basis) local account on routers
> and switches with an extremely hard password (auditing needed!), which
> should only be used when the AAA box isn't available and access is
> needed.
>
> Managing these accounts will not take place in the dept. where this
> document is to be used.
>
> Reporting on usage of these accounts is an issue, since central logging
> is not in place, so I want central loggin implemented, otherwise
> reporting is almost undoable (I mean, Firewalls are centrally logged,
> IDS is elsewhere logged and there are over 60 other components with
> logging which ALL log locally only....)
>
> And finally it might be an idea to introduce a readonly acocunt which
> can be used when I need to train people on reading and analysing
> logfiles. But this is not really necessary.
>
> However, I feel I am missing a few items but I just can't figure out
> what I am missing... Anyone any ideas, thoughs, remarks?
>
> TIA
>
> nebula
>
>
>
> ---------------------------------------------------------------------------
> Captus Networks
> Are you prepared for the next Sobig & Blaster?
>  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>  - Precisely Define and Implement Network Security
>  - Automatically Control P2P, IM and Spam Traffic
> FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
> http://www.captusnetworks.com/ads/42.htm
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
Captus Networks 
Are you prepared for the next Sobig & Blaster? 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
 - Precisely Define and Implement Network Security 
 - Automatically Control P2P, IM and Spam Traffic 
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit 
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------