Kirby Dolak wrote:
>> 2. Bay recommends that both accounts (User and Manager) have passwords
>> assigned. Both have default/null passwords as they ship from the factory,
>> just like a Unix system. The administrator should immediately take
>> measures to secure the system, at initial system install, so that an
>> unauthenticated user/manager doesn't have
>> access to device management information, such as the community names and
>> addresses via telnet/console.

Gert Doering wrote:
>> I like the way Cisco approaches this issue.
>> And if you are logged in to an unprivileged account, you cannot become
>> superuser unless you have already set the enable password from the console.
>>
>> This is VERY good.
>>
>> No need to "recommend" anything, it's just "secure out of the box". If
>> you neglect to configure the password, it just isn't accessible at all
>> (except from the physical console).

Sounds reasonable to me to apply a good password on the User/Manager accounts and thus secure the box. I'm wondering, however, what the real raison d'etre of two privilege levels is, if I can obtain more privileged information from a higher-privileged level. The basic function of a non-privileged level is to give it to a remote support officer, an ISP engineer, or a responsible person from the network peering with my network, according to the ripe-037 document.

Well, I also wouldn't like to recommend anything, but here are the facts: Cisco IOS makes it possible to define up to 16 different privilege levels, with strictly defined rights. IOS further allows one to define a restricted set of commands which may be executed from each privilege level. I can thus give this type of access to the peering ISP's personnel for the purpose of monitoring, without any fear ... At last - try to telnet to route-views.oregon-ix.net - a Cisco box with public access! No password!

Now, what to do with a Bay box located in the middle of a network? Sit and cry!
When your peer ISP asks you to take a look at your router config, you'll have to log into it yourself and read it (oops, sorry - not "log in" - you'll have to start a "user-friendly" SNMP client, drink a coffee until it brings itself up completely, then click, click, click ...). I can talk about fun with Bay routers for hours, but that's another story.

Best regards,
Beri

.-------.
| --+-- |  Berislav Todorovic, B.Sc.E.E.      | E-mail: BERIat_private
|  /|\  |  Hostmaster of the YU TLD           |
|-(-+-)-|  School of Electrical Engineering   | Phone: (+381-11) 3221-419
|  \|/  |  Bulevar Revolucije 73              |                  3370-106
| --+-- |  11000 Belgrade SERBIA, YUGOSLAVIA  | Fax:   (+381-11) 3248-681
`-------'
--------------------------------------------------------------------
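Added example for this archive page (not part of Berislav's message, and not vendor-supplied configuration): a minimal IOS configuration that implements the mechanism he describes, a restricted privilege level handed to a peering ISP's NOC for monitoring only. The level number 5, the account name peer-noc, the placeholder secrets and the particular show commands are assumptions chosen for the illustration; substitute what your peering agreement actually calls for.

```cisco
! Added example configuration. The level number, the account name, the
! secrets and the command list are assumptions, not the poster's config.
!
! Set the level-15 secret first. As noted in the thread, with no enable
! secret configured, level 15 is reachable from the console only.
enable secret ReplaceWithStrongLevel15Secret
!
! Move the monitoring commands the peer needs down from level 15 to
! level 5. Lowering "show ip bgp summary" also makes the parent keywords
! "show" and "show ip" available at level 5.
privilege exec level 5 show ip bgp summary
privilege exec level 5 show ip bgp
privilege exec level 5 show ip route
privilege exec level 5 show interfaces
!
! Anything not listed here (configure terminal, show running-config,
! write, debug, ...) stays at its default level and is not even offered
! to a level-5 user.
!
! A local account that lands directly at level 5 after login, so the
! peer never needs the level-15 secret.
username peer-noc privilege 5 secret ReplaceWithStrongPeerSecret
!
! The vty lines authenticate against the local user database.
line vty 0 4
 login local
```

After logging in as peer-noc, `show privilege` should report "Current privilege level is 5", the four show commands above work, and `configure terminal` is rejected as an unrecognised command because it was never lowered from level 15. Apply the enable secret before the privilege and username lines when configuring over the network, so you do not lock yourself out of level 15 halfway through.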
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:53:40 PDT