Writing a logical access control document....

From: nebula (donotemailme_at_nowhere.com)
Date: 09/11/03


Date: Thu, 11 Sep 2003 21:17:01 +0200

Hi all,

We are currently setting up a security management system (or, what needs to
become one anyway). Now I need to produce a document which describes the
"logical access control to other segments". I don't mind thinking this up,
but I am more a techie guy than a management guy, so this is a little tough
for me : )

I was thinking the following:

I limit the scope to accessing the firewalls, switches, routers, management
tools and so on and will focus on an admin account per admin. Preferably I
want to limit access to firewall, IDS, switch and router components to
those admins who are either trained or skilled enough to know what they are
doing.

I want to use AAA where possible and local accounts where needed. As a
backup I also want a local account (on a need-to-know basis) on routers and
switches with an extremely hard password (auditing needed!), which should
only be used when the AAA box isn't available and access is needed.

Managing these accounts will not take place in the dept. where this document
is to be used.

Reporting on usage of these accounts is an issue, since central logging is
not in place, so I want central logging implemented, otherwise reporting is
almost undoable (I mean, firewalls are centrally logged, IDS is logged
elsewhere and there are over 60 other components with logging which ALL log
locally only....)

And finally it might be an idea to introduce a read-only account which can be
used when I need to train people on reading and analysing logfiles. But this
is not really necessary.

However, I feel I am missing a few items but I just can't figure out what I
am missing... Anyone have any ideas, thoughts, remarks?

TIA

nebula
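The post's two hard parts, auditing use of the local break-glass account and producing usage reports once logs are centralised, are easy to script against a central log store. The following is an added example (not code from the poster or the list) that parses a constructed, generic syslog-style login record and produces exactly those two views: every login that used a local account instead of AAA (each of which should correspond to a known AAA outage), and a per-admin, per-device count for the periodic report. The log layout, the hostnames, the user names and the break-glass account name `emergency` are all assumptions; real routers and switches emit different formats, so `LOG_RE` is the part to adapt.

```python
"""Audit helper for privileged logins on network devices.

Added example, not part of the original post. The log format, hosts,
users and the break-glass account name are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: one line per login event, as a central syslog
# collector might receive them from routers, switches and firewalls.
SAMPLE_LOGS = """\
2003-09-11T20:01:12 rtr-core-1 login: user=alice method=tacacs src=10.1.1.5 result=success
2003-09-11T20:03:44 sw-edge-7 login: user=bob method=tacacs src=10.1.1.9 result=success
2003-09-11T20:10:02 rtr-core-1 login: user=emergency method=local src=10.1.1.5 result=success
2003-09-11T20:10:30 rtr-core-2 login: user=emergency method=local src=10.1.1.5 result=success
2003-09-11T20:12:00 sw-edge-7 login: user=mallory method=local src=10.9.9.9 result=failure
2003-09-11T21:00:00 fw-dmz-1 login: user=carol method=radius src=10.1.1.7 result=success
"""

# Assumed record layout; adjust to the device family's real syslog format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: user=(?P<user>\S+) "
    r"method=(?P<method>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

LOCAL_FALLBACK_ACCOUNT = "emergency"  # assumed name of the break-glass account


def parse_logins(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def local_account_usage(events):
    """Every login attempt, successful or not, that bypassed AAA (method=local).

    Each of these should map to a documented AAA outage; anything else,
    in particular a local login from an unexpected source address or
    with an unexpected user name, is what the audit is looking for.
    """
    return [e for e in events if e["method"] == "local"]


def unexpected_local_logins(events):
    """Local logins that did not use the designated break-glass account."""
    return [e for e in local_account_usage(events)
            if e["user"] != LOCAL_FALLBACK_ACCOUNT]


def usage_summary(events):
    """Per-admin, per-device count of successful logins for the usage report."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "success":
            summary[e["user"]][e["host"]] += 1
    return {user: dict(hosts) for user, hosts in summary.items()}


def print_report(text=SAMPLE_LOGS):
    events = parse_logins(text)
    print("Successful logins per admin and device:")
    for user, hosts in sorted(usage_summary(events).items()):
        for host, count in sorted(hosts.items()):
            print(f"  {user:<12} {host:<12} {count}")
    print("\nLocal (non-AAA) logins to review:")
    for e in local_account_usage(events):
        flag = "" if e["user"] == LOCAL_FALLBACK_ACCOUNT else "  <-- not the break-glass account"
        print(f"  {e['ts']} {e['host']} user={e['user']} src={e['src']} result={e['result']}{flag}")


if __name__ == "__main__":
    print_report()
```

In practice the interesting output is the second list: with the break-glass password held on a need-to-know basis, every `method=local` line should be explainable by an AAA outage ticket, and a local login that is neither the designated account nor from an admin workstation is the case to escalate.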