rmd: (trinity keyboard)
[personal profile] rmd
i am pondering a technical IT config management best-practices problem. I'll put it behind the cut because a lot of you really don't care.


so, i've got a bunch of network devices. some of them are reachable via ssh, and some by telnet. all of them are reachable on their console by telnetting to a console server.

the devices, and the console server, all authenticate via RSA's securid two factor authentication.

most of my network devices let me send a magic SNMP string that tells the devices "hey, tftp your config over here".

but some of them don't. those are the troublesome ones.

the easiest way is for me to set up a static password that's good for half an hour or so per day, and run my "login and grab the config" scripts with those. except for the fact that it would be allowing something with a static password to log into my network gear. even time-restricted, that's more of a big flapping hole than i'm comfortable with.

what are other people doing for config management on network devices that don't support (either by design or by "to be fixed in a later version of code" bugs) snmp-triggered tftp?

EDIT: the problem i am trying to solve is how to get automated periodic downloads of configs from these machines, when i can't authenticate with securid tokens (since that requires a human) and static passwords are pretty much too insecure.

this is the sort of thing that doesn't seem to make it into the "best practices" docs i've found so far, but i'll likely continue poring over docs today...

thoughts? suggestions?
(deleted comment)

Date: 2005-07-28 03:54 pm (UTC)
From: [identity profile] rmd.livejournal.com
thanks!

to get to the consoles, i have to go over the network to my console server and authenticate.

the problem is authenticating in a way that doesn't make the auditors hit me with a rolled up newspaper, but that still lets me use an automated login (which usually means a static password).

the network devices can speak tacacs and/or securid. or static password. i suppose they could do radius, but that doesn't do much more for me.

ponder ponder ponder.


Date: 2005-07-28 04:11 pm (UTC)
cz_unit: (Default)
From: [personal profile] cz_unit
Hm. For the old crud on our network we run RS232 over cat 5 to a Lantronix switch. The Lantronix supports ssh and all that, then you hop to the right port.

Out of band. Works neat.

CZ

Date: 2005-07-28 04:15 pm (UTC)
From: [identity profile] rmd.livejournal.com
yeah, i don't have a problem getting to them when i'm doing so interactively. i'm trying to figure out how to get unattended copies of the configs on a regular basis for config management.

Date: 2005-07-29 03:58 am (UTC)
muffyjo: (Default)
From: [personal profile] muffyjo
As you well know I'm no network expert either, but there is the SecurID technology. Perhaps it could be utilized to help this situation?

Date: 2005-07-29 12:32 pm (UTC)
From: [identity profile] rmd.livejournal.com
the problem is that securid's job is to make sure that there is an appropriate person on the other side of the screen, and i want to do things with nobody on the other side of the screen. :-)

Date: 2005-07-29 05:39 pm (UTC)
muffyjo: (Default)
From: [personal profile] muffyjo
So let me see if I get this straight...

You want to run an automated script that will then write over an existing file (albeit a system file) on a number of computers that are on the same network on a regular basis to ensure everyone is on the same page?

Date: 2005-07-29 05:41 pm (UTC)
muffyjo: (Default)
From: [personal profile] muffyjo
I'm thinking...you're trying to figure out how to pull the information...what about having the information push itself to you?

Date: 2005-07-29 05:47 pm (UTC)
From: [identity profile] rmd.livejournal.com
the network devices are too stupid (or clever) to do that. the best i can do on some of them is to trigger a download via SNMP, but for the ones that don't support that, i have to get the configs some other way.

if there's a static password account, i have a script that logs in, says "gimme your config" and then logs out. but a static password account is a big honking security hole.

hence, my dilemma.

Date: 2005-07-29 05:52 pm (UTC)
muffyjo: (Default)
From: [personal profile] muffyjo
Is the need to trigger it manually the problem? Or can it be something the system does on schedule? You know, like executing a .bat file. Ok, as we both know, I'm no admin and I'm probably asking the stupid/obvious questions.

I should probably ask you in person some time how SysID works. I am rather fascinated by it.

Date: 2005-07-29 06:00 pm (UTC)
From: [identity profile] rmd.livejournal.com
yeah. right now, if i want the config, i have to personally log in and trigger it. i want to automate this process. but to do so, the program trying to automatically trigger the download has to be able to authenticate. which goes back to the problem of static password accounts being a security hole.

I should probably ask you in person some time how SysID works.

there's a secret number that exists on both your keyfob and on the securid server. every minute, it generates a new number based on that secret number and the current time. so the server knows what number you should have every minute and it can say with some confidence that you have the physical token with you ("something you have"). the PIN that you type in with that is the "something you know" that proves it's you holding the token fob.

"two factor authentication" generally means "something you have" plus "something you know".

another example is your ATM card and the PIN.

Date: 2005-07-29 06:53 pm (UTC)
muffyjo: (Default)
From: [personal profile] muffyjo
Hmm, ah, got the SysID, it's exactly what I thought it was. But I missed the part about you not wanting to be there when it happened. I blame it on my mucosal membranes.

Ok, so back to the problem at hand...you need a secure method to copy the config file to be stored on another machine in the same network. The roadblock is authentication, which is what is needed for it to pass the file outward and check in on the other machine. The problem doesn't lie on the individual machines themselves, necessarily, it's on whichever machine you end up storing the data - assuming a push technology instead of a pull.

TACACS+ to the rescue

Date: 2005-07-29 05:17 am (UTC)
From: (Anonymous)
Your network sounds a LOT like the one I provide security for, except that the guys who do our networking don't even want configuration backups automated at all :)

You should be able to use TACACS+ to set up a password account in your TACACS server which is restricted to just running the commands to do a show running and/or to FTP a configuration copy off the Cisco.

This is the "Authorization" feature of TACACS+, not supported with RADIUS. If you have a separate TACACS server (e.g. CiscoSecure ACS) that forwards to SecurID, you can hardcode this restricted passworded account in TACACS, and the request will never make it up to ACE/Server.

Kevin Kadow
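What Kevin's restricted account looks like in practice, as an added example that is not part of the thread: a Shrubbery tac_plus configuration (CiscoSecure ACS expresses the same command authorization through its GUI). The shared key, account name, password hash and TFTP host are assumed placeholder values.

```text
# Added example (not from the thread): Shrubbery tac_plus configuration for
# a backup-only account, per Kevin's TACACS+ authorization suggestion.
# Assumed values: the shared key, the account name, password hash and the
# TFTP server address.

key = "REPLACE-WITH-SHARED-SECRET"
accounting file = /var/log/tac_plus.acct

# Human logins keep going up to SecurID as before; only this one account
# has a password stored in TACACS itself, so it never reaches ACE/Server.
user = cfgbackup {
    # Anything not explicitly permitted below is denied.
    default service = deny

    # DES crypt hash; generate it with tac_pwd.
    login = des "REPLACE-WITH-CRYPT-HASH"

    # "show running-config" needs level 15 on IOS, so the restriction has
    # to come from command authorization, not from the privilege level.
    service = exec {
        priv-lvl = 15
    }

    # tac_plus matches each regex against the argument string, to which
    # IOS appends "<cr>", so patterns are left unanchored on the right.
    cmd = terminal {
        permit "^length 0"       # disable paging for the scripted session
        deny .*
    }
    cmd = show {
        permit "^running-config"
        permit "^startup-config"
        deny .*
    }
    cmd = copy {
        permit "^running-config tftp://192.0.2.10/"  # assumed TFTP host
        deny .*
    }
    cmd = exit {
        permit .*
    }
}

# Device side (IOS): command authorization must be enabled, otherwise the
# cmd blocks above are never consulted:
#   aaa authorization commands 15 default group tacacs+
```

The accounting file then gives the auditors a per-command log of exactly what the backup account did on each device.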

Re: TACACS+ to the rescue

Date: 2005-07-29 12:31 pm (UTC)
From: [identity profile] rmd.livejournal.com
interesting idea. i've been a few places where people have tried to do this on various tacacs+ servers, but never seen it work successfully. but then, that was years ago, so perhaps i'm on a better platform or things are sucking less, now.

thanks!

Date: 2005-07-30 12:53 am (UTC)
From: [identity profile] madbodger.livejournal.com
Some variant of s/key might help, so the password effectively expires as soon as it gets used. Last time I had a setup like this, I did like CZ and just spoonfed them the passwords over dedicated serial links and then they slurped up their configs over the network.

Page generated Jan. 22nd, 2026 08:05 pm
Powered by Dreamwidth Studios