Logical access control to network segments and boxes

From: MeaCulpa (meaculpa_at_punkass.com)
Date: 09/11/03

  • Next message: Roger A. Grimes: "RE: Need help from a group of experts. I am not a network expert but I play one on tv."
    To: "'Security-Basics'" <security-basics@securityfocus.com>
    Date: Thu, 11 Sep 2003 21:15:13 +0200
    
    

    Hi all,

    We are currently setting up a security management system (or, what needs
    to become one anyway). Now I need to produce a document (by tomorrow; I
    do love the timely way my corp operates) which describes the "logical access
    control to other segments". I don't mind thinking this up, but I am more
    a techie guy than a management guy, so this is a little tough for me :)

    I was thinking the following:
    I limit the scope to accessing the firewalls, switches, routers,
    management tools and so on and will focus on an admin account per admin.
    Preferably I want to limit access to firewall, IDS, switch and router
    components to those admins who are either trained or skilled enough to
    know what they are doing.

    I want to use AAA where possible and local accounts where needed. As a
    backup I also want a local account (on a need-to-know basis) on routers
    and switches with an extremely hard password (auditing needed!), which
    should only be used when the AAA box isn't available and access is
    needed.

    Managing these accounts will not take place in the dept. where this
    document is to be used.

    Reporting on usage of these accounts is an issue, since central logging
    is not in place, so I want central logging implemented, otherwise
    reporting is almost undoable (I mean, firewalls are centrally logged,
    IDS is logged elsewhere and there are over 60 other components with
    logging which ALL log locally only....)

    And finally it might be an idea to introduce a read-only account which
    can be used when I need to train people on reading and analysing
    logfiles. But this is not really necessary.

    However, I feel I am missing a few items but I just can't figure out
    what I am missing... Anyone any ideas, thoughts, remarks?

    TIA

    nebula

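The post asks for the fallback local account to be auditable and notes that this is only feasible once the routers and switches log centrally. As an added example (not part of the original message or from its author), here is a small Python audit that reads a merged log feed and classifies every login that bypassed AAA by whether that device's AAA server was reachable at the time. The log line format ("<timestamp> <host> <event> key=value ..."), the hostnames, addresses and the fallback account name `emergency` are constructed assumptions for the example, not real device output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of centrally collected logs from one router and one switch.
# The line format, hostnames, account names and addresses are assumptions made
# for this example; real devices emit vendor-specific syslog messages instead.
SAMPLE_LOG = """\
2003-09-11T20:40:01 rtr-core-1 aaa server=10.0.0.5 state=up
2003-09-11T20:41:13 rtr-core-1 login user=jdoe method=tacacs src=10.1.2.3 result=ok
2003-09-11T20:50:00 sw-dist-2 login user=admin method=local src=10.1.2.9 result=ok
2003-09-11T20:55:30 sw-dist-2 login user=emergency method=local src=10.1.2.9 result=ok
2003-09-11T21:02:07 rtr-core-1 aaa server=10.0.0.5 state=down
2003-09-11T21:03:45 rtr-core-1 login user=emergency method=local src=10.1.2.3 result=ok
2003-09-11T21:10:00 rtr-core-1 aaa server=10.0.0.5 state=up
2003-09-11T21:12:15 rtr-core-1 login user=emergency method=local src=10.1.2.3 result=fail
2003-09-11T21:12:20 rtr-core-1 login user=emergency method=local src=10.1.2.3 result=fail
2003-09-11T21:12:26 rtr-core-1 login user=emergency method=local src=10.1.2.3 result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>(?: \S+=\S+)*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into a flat dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event")}
    for kv in m.group("kv").split():
        key, value = kv.split("=", 1)
        rec[key] = value
    return rec


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    severity: str  # "high": needs follow-up; "info": expected use, reconcile with a ticket
    reason: str


def audit_local_logins(log_text: str, fallback_account: str = "emergency") -> List[Finding]:
    """Flag every login that bypassed AAA, judged against the AAA state of that device.

    Policy as described in the post: AAA is the normal path; the local account
    exists only for when the AAA box is unreachable, and its use must be audited.
    """
    aaa_down: Dict[str, bool] = {}  # host -> True while its latest 'aaa' event said state=down
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] == "aaa":
            aaa_down[rec["host"]] = rec.get("state") == "down"
            continue
        if rec["event"] != "login" or rec.get("method") != "local":
            continue  # AAA-authenticated logins are accounted for by the AAA server itself
        host, user, ts = rec["host"], rec.get("user", "?"), rec["ts"]
        if rec.get("result") != "ok":
            findings.append(Finding(ts, host, user, "high",
                "failed local-account login; possible password guessing against the break-glass account"))
        elif user != fallback_account:
            findings.append(Finding(ts, host, user, "high",
                "a local account other than the approved fallback account exists and was used"))
        elif host not in aaa_down:
            findings.append(Finding(ts, host, user, "high",
                "fallback account used but this box never reported its AAA state; treat as a violation until verified"))
        elif aaa_down[host]:
            findings.append(Finding(ts, host, user, "info",
                "fallback account used while AAA was down; reconcile with the change or incident ticket"))
        else:
            findings.append(Finding(ts, host, user, "high",
                "fallback account used while AAA was reachable; policy violation"))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings per severity, for the usage report the post asks about."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_local_logins(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.host} user={f.user} [{f.severity}] {f.reason}")
    print(severity_counts(results))
```

The audit only works because the AAA-state events and the login events from every box land in the same feed; with 60 components logging locally, the "AAA was down" justification could never be checked against the login that claims it. Repeated failures against the fallback account are reported separately, since a hard password is no defence against unlimited guessing if nobody is watching.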

