Nearly every time I have dealt with TAC they have asked if there was
remote access so they could get into the routers and look around on
their own.
After a couple times of doing this I started configuring separate logins
and one-time passwords just for TAC, and only when needed. Granted this
doesn't stop the clear text mode of Telnet, but with the combination of
encrypted passwords I think it was adequate for what that company was
trying to secure.
Jim
Priscilla Oppenheimer wrote:
> At 07:32 PM 1/18/01, Erick B. wrote:
>
>> I don't understand how companies can have main network
>> equipment (routers, etc) accessible over the internet
>> with telnet (and other mgmt services) running *with*
>> no passwords or filters. I see it on a regular
>> occurrence.
>
>
> That is amazing. But in this case the company had a lot of security, it
> sounds like. It was not possible to get into the routers until this guy
> opened up a backdoor and let Cisco engineers Telnet in over a dial-up line
> connected to his PC. I can't believe Cisco engineers would thwart their
> customer's security policy in that way. I think the story sounds fishy.
>
> Priscilla
>
>
>
>> --- Priscilla Oppenheimer <[EMAIL PROTECTED]> wrote:
>>
>>> At 10:31 PM 1/17/01, J Roysdon wrote:
>>>
>>>> Today I was at a site w/o internet access, but I needed to get Cisco into it to
>>>> save time relaying commands and information. I had a dial-up connection out
>>>> to my ISP, and then thought about the built-in Telnet server that Windows
>>>> 2000 Professional has. I made a quick guest account for Cisco, and told
>>>> them my dial-up IP, which they could connect to, and then once telnetted
>>>> into my workstation, they were able to telnet out my NIC to the routers they
>>>> needed to get to. Only catch is that you can only have one session up
>>>> through it (enough for us):
>>>
>>> Good thing! Can you imagine the issues if you had
>>> just opened up port 23
>>> for the whole world? Good grief.
>>>
>>> I just asked a security expert at my company about
>>> this scenario and he
>>> took a sinister view. He wondered if the story was
>>> broadcast in order to
>>> incite damage. I don't think that's the case, but
>>> this message did come
>>> from the same guy that posted photographs of his
>>> site for some reason. See
>>> the message about patch panels.
>>>
>>> Priscilla
>>
>>
>
>
>
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com
>
> _________________________________
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]