nanog mailing list archives
Re: Proper authentication model
From: Kevin <kkadow () gmail com>
Date: Tue, 11 Jan 2005 14:28:01 -0600
On Tue, 11 Jan 2005 11:17:55 +0200, Kim Onnel <karim.adel () gmail com> wrote:
> Hello, I'd like everyone's 2 cents on the BCP for network management of an ISP PoPs, with a non-security oriented NOC,
> . . .
> 2) An OpenBSD bastion host(s), where the NOC would ssh in, get authenticated from TACACS+ or ssh certs, and then just telnet from there all day,
If the OpenBSD host is located in the same physical site as the Cisco products, you have the additional option of providing serial console access to the console port on the Cisco devices through the OpenBSD bastion host. To take this a step further, you can log all serial port I/O to disk.

Using the serial console as your management port has one major drawback (some would call it a feature), you can only have one person (two with the AUX port) logged into a given router or switch at a time.

This is very much "out of band" management, and having remote serial access is great for fault diagnosis and recovery (Not just for Cisco, Sun, etc). I've resolved more than a few Cisco switch "halt and catch fire" failures based on the last gasp fault message dumped to the console port.
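
Added example, not part of the original message: one way to do the "log all serial port I/O to disk" step on the bastion host, in Python. It assumes the console tty is already open as a file descriptor; the function names, the device label `rtr1-con`, the log path and the sample bytes are constructed for illustration.

```python
import os, select, tempfile, time

def sanitize(raw: bytes) -> str:
    """Escape control bytes, non-ASCII bytes and backslashes, so console output
    cannot drive the terminal of whoever later reads the log."""
    return "".join(chr(b) if (32 <= b < 127 and b != 92) or b == 9
                   else f"\\x{b:02x}" for b in raw)

def log_console(fd: int, log_path: str, device: str, idle: float = 2.0) -> int:
    """Copy everything read from fd to log_path as timestamped records.
    Returns the number of records written; returns only on EOF."""
    records, pending = 0, b""
    # Append-only and owner-only: console I/O can include typed passwords.
    out_fd = os.open(log_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(out_fd, "w", encoding="ascii") as out:
        def emit(line: bytes, partial: bool = False) -> None:
            nonlocal records
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
            text = sanitize(line.rstrip(b"\r"))
            tail = " [no newline]" if partial else ""
            out.write(f"{stamp} {device} {text}{tail}\n")
            out.flush()
            os.fsync(out.fileno())   # a crash right after must not lose the record
            records += 1
        while True:
            ready, _, _ = select.select([fd], [], [], idle)
            chunk = os.read(fd, 4096) if ready else None
            if ready and chunk:
                *lines, pending = (pending + chunk).split(b"\n")
                for line in lines:
                    emit(line)
            elif pending:
                # Idle timeout or EOF: a device that dies mid-line never sends
                # the newline, so flush the fragment instead of holding it.
                emit(pending, partial=True)
                pending = b""
            if chunk == b"":         # EOF on the descriptor
                break
    return records

if __name__ == "__main__":
    # Constructed input: a pipe stands in for the serial device.
    r, w = os.pipe()
    os.write(w, b"line one\r\n\x1b[2Jbanner\r\nlast gasp")
    os.close(w)
    path = os.path.join(tempfile.mkdtemp(), "rtr1-con.log")
    print(log_console(r, path, "rtr1-con", idle=0.1), "records in", path)
    print(open(path).read(), end="")
```

On a real serial line the read never reaches EOF, so the idle timeout is what gets a final unterminated fault message onto disk.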