Just out of general interest guys,


ChrisAC

ISP
Aug 6, 2001
2,158
GB
Just out of general interest guys, if you have a lot of routers to manage, say 300 plus, what kind of password policy do you implement? How often do you rotate passwords and how do you control access to those routers so that not anybody can have a crack at them?

This issue has come up recently at work and I'd like to know how other people handle it. Any input would be most welcome.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
We have a password daemon that runs on a linux box that updates the passwords every 1 month, and keeps a database of all past passwords. I believe it does it via SNMP and then opens a telnet session and tests the passwords to make sure they work.

Then it sends the new passwords to the head engineers' pagers.

Of course this linux box is locked down very tight. Like it only enables the ethernet once a month during the password change and then shuts it back down.

The root password to the linux box is a 12 digit alphanumeric password which is changed each time a head engineer leaves the company.

Of course, in our routing environment, you don't make changes all that often. Most of the time you just want to get some info from the router (like show commands) and this is easily done via SNMP without having to actually know the router passwords. This is very good because then it protects you from some dumb tech accidentally entering a wrong command.

When a change does need to be made to a router, it is done over a web interface using PHP. The commands are entered in, then it is sent to the supervisor to confirm, then the linux box opens a telnet session, runs the commands, and prints the results to the webpage. Again, this is very efficient because no passwords need be remembered or shown.

Security a little tight? You betcha!
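The rotate-then-verify step of the daemon described above, as an added Python example (not the poster's PHP/MySQL code): `FakeRouter` and the in-memory `history` dict are constructed stand-ins for the SNMP/telnet push and the past-password database, and the point shown is that a new password is only recorded after a successful login with it.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def generate_password(length=16):
    # Alphanumeric password drawn from the OS CSPRNG.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def fingerprint(password):
    # The history keeps only a hash, so past passwords are not stored in clear.
    return hashlib.sha256(password.encode()).hexdigest()


class FakeRouter:
    """Constructed stand-in for one managed router holding a single password."""

    def __init__(self, name, password, fail_on_set=False):
        self.name = name
        self._password = password
        self.fail_on_set = fail_on_set  # simulate a push that silently does not apply

    def set_password(self, new):
        if not self.fail_on_set:
            self._password = new

    def login(self, attempt):
        return attempt == self._password


def rotate(router, current, history):
    """Push a fresh password, verify it by logging in, record it only on success.

    history maps router name -> list of fingerprints of every password ever set.
    Returns (ok, password_in_effect); password_in_effect is None if neither the
    new nor the old password works, which is the case that needs a human.
    """
    past = history.setdefault(router.name, [])
    new = generate_password()
    while fingerprint(new) in past:  # never hand out a password used before
        new = generate_password()
    router.set_password(new)
    if router.login(new):  # verify before committing to the database
        past.append(fingerprint(new))
        return True, new
    # Push did not take: confirm the old credential still works before giving up.
    return False, current if router.login(current) else None
```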
 
Inikis,

That is a very tight system you have there! I'd like to have that kind of automated system but at the moment everything is done manually. Is your password daemon off the shelf or developed "in house"? I'm guessing in house. Maybe it's time that we started looking at something like that as the number of customer routers is growing rapidly.

Thanks for the input.

Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Could this be run from a windows based machine?

thanks,
steven
 
Yes, it is absolutely compatible with windows. Runs on PHP and MySQL. I built most all of it myself. It boils down to a little PHP/MySQL programming, and a few cron jobs.
 