While these *other* methods are creative, I still think the best idea is to
remove the type 7's entirely. This may not be possible in time for your
audit, but as a long term goal I highly recommend it.
Thanks,
Steve Di Bias- CCIE #32840
On Sat, Feb 16, 2013 at 7:46 AM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> That's interesting. I guess you could also add an alias for them that excludes
> the password 7 and the alias. You could still use enable view with only this
> alias/macro available to them.
>
> Regards,
> Jay McMickle- CCIE #35355 (RS)
> Sent from my iPhone 5
> Support me to fight MS!
>
> http://main.nationalmssociety.org/site/TR/Bike/TXHBikeEvents?px=5886043&pg=personal&fr_id=20226
>
>
> On Feb 16, 2013, at 9:34 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>
> > Another easy way is to use EEM when show running is issued and parse the
> > entire running config through EEM so that whenever it encounters a line
> > containing a password, it will simply skip it.
> >
> >
> > From: Jay McMickle <jay.mcmickle_at_yahoo.com>
> > To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
> > Cc: Imran Ali <immrccie_at_gmail.com>; "ccielab_at_groupstudy.com"
> <ccielab_at_groupstudy.com>
> > Sent: Saturday, February 16, 2013 6:09 PM
> > Subject: Re: read only access and need to protect all sensitive passwords
> >
> > Agreed. Enable views is what you are looking for.
> >
> > However, while this limits the commands they can run, if you give them sh run,
> > it will still show your line password 7's. You shouldn't be running enable
> > pass on your routers, so I can only imagine you are concerned with the line
> > passwords.
> >
> > Why not remove the line passwords and point to Local, Radius, or TACACS and
> > you won't have those passwords to be seen?
> >
> > no enable password
> > enable secret ...
> > !
> > aaa new-model
> > username Cisco privilege 15 password Cisco
> > !
> > aaa authentication login default.....
> > line con 0
> >  login authentication local
> > line vty 0 15
> >  login authentication local
> >
> > Then enable your views. (enable view)
> > And set the username login rights, etc.
> >
> > I'm going from memory here, so the syntax might be a little off, but you get
> > the point.
> >
> > Regards,
> > Jay McMickle- CCIE #35355 (RS)
> > Sent from my iPhone 5
> > Support me to fight MS!
> >
>
> > http://main.nationalmssociety.org/site/TR/Bike/TXHBikeEvents?px=5886043&pg=personal&fr_id=20226
> >
> >
> > On Feb 15, 2013, at 11:35 PM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
> >
> > > If you want to give only read only access to the entire active config, then
> > > perhaps you can use views. It doesn't need an external server and will
> > > surely meet your requirements.
> > >
> > >
> > >
> > > ________________________________
> > > From: Imran Ali <immrccie_at_gmail.com>
> > > To: Cisco certification <ccielab_at_groupstudy.com>
> > > Sent: Saturday, February 16, 2013 10:27 AM
> > > Subject: read only access and need to protect all sensitive passwords
> > >
> > > Hi all,
> > >
> > > I need to give read only access of my routers to an audit team.
> > >
> > > I have no issue setting up a RADIUS server to put them through at exec
> > > level 7, which I customised on the router to allow only show:
> > >
> > > privilege exec all level 7 show
> > >
> > > I found that he can't view the routing config using the regular "show run",
> > > but he can view the last saved config with "show startup-config".
> > >
> > > The issue is my RADIUS server, and there is no option to specify a type 5
> > > MD5 strong password.
> > >
> > > I am ending up with showing my RADIUS key, as type 7 can be easily
> > > decrypted.
> > >
> > > I also tried service password-encryption, but it is again using type 7.
> > >
> > > Any chance of saving from an over-the-shoulder reading attack?
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> >
>
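Steve's advice (get rid of the type 7s) and Ovais's EEM idea (hide password lines from a viewer of show run) can both be checked mechanically. The script below is an added example written for this archive page, not code from anyone in the thread; it audits a constructed IOS configuration for type 7 and cleartext credentials and produces a redacted copy for a read-only audience, leaving one-way secret hashes in place. All hashes, type 7 strings and keys in the sample are made up.

```python
import re

# Constructed sample IOS configuration for this example (not from the thread);
# every hash, type 7 string and key below is made up.
SAMPLE_CONFIG = """\
hostname R1
enable secret 5 $1$abcd$PLACEHOLDERHASHxxxxxxxxxxx
enable password 7 0822455D0A16
username audit privilege 7 password 7 104D000A0618
username admin privilege 15 secret 5 $1$wxyz$PLACEHOLDERHASHyyyyyyyyyyy
radius-server host 10.0.0.5 key 7 094F471A1A0A
tacacs-server key MySharedKey
line vty 0 15
 password 7 05080F1C2243
 login authentication default
"""

# "password 7 <hex>" or "key 7 <hex>": type 7 is reversible obfuscation, so
# anyone who can read 'show run' effectively has the credential.
TYPE7_RE = re.compile(r"\b(password|key)\s+7\s+[0-9A-Fa-f]+")
# A password/key with no type code, or explicit type 0, is stored in cleartext
# (this is what 'service password-encryption' would later turn into type 7).
CLEARTEXT_RE = re.compile(r"\b(password|key)\s+(?:0\s+)?(?![5789]\s)\S+")
# One-way hashes (type 5 MD5, and types 8 and 9) are safe to leave visible.
SECRET_RE = re.compile(r"\bsecret\s+[589]\s+\S+")


def find_weak_credentials(config):
    """Return (line_no, kind, line) for each reversible or cleartext credential."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        if SECRET_RE.search(line):
            continue
        if TYPE7_RE.search(line):
            findings.append((n, "type7", line.strip()))
        elif CLEARTEXT_RE.search(line):
            findings.append((n, "cleartext", line.strip()))
    return findings


def redact_secrets(config, mask="<removed>"):
    """Build the view a read-only auditor should get (the EEM idea from the
    thread): credential values replaced, hashes and everything else kept."""
    out = []
    for line in config.splitlines():
        if not SECRET_RE.search(line):
            line = TYPE7_RE.sub(lambda m: f"{m.group(1)} 7 {mask}", line)
            line = CLEARTEXT_RE.sub(lambda m: f"{m.group(1)} {mask}", line)
        out.append(line)
    return "\n".join(out)
```

On the sample, find_weak_credentials() flags lines 3, 4, 6 and 9 as type 7 and line 7 as cleartext, while redact_secrets() leaves both type 5 hashes readable.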
Received on Sat Feb 16 2013 - 09:22:28 ART
This archive was generated by hypermail 2.2.0 : Fri Mar 01 2013 - 07:57:58 ART