Thad--

I may be unsure of what exactly you are after but here are some ideas I have had different levels of success with over the years.

1. Revision control. All router and switch configs should be maintained under revision control in some canonical location. One particularly nice example is to keep every config file under RCS (it's more aptly suited to system/network admin work than something more "robust" like CVS, IMHO), have the admins only make changes to the files under revision control and use tftp (or whatever suits you) on the router/switch to grab the appropriate copy. This is also nice as a way back into the device via the "service config" statement if you lock yourself out while screwing with ACLs :)

2. Logging. All Cisco routers and switches (to the best of my knowledge) can log remotely via syslog. Take advantage of this. Syslog may have its down sides (UDP transport for log data...sigh...so sad these days) but it is most certainly better than nothing if your organization (technology and policy) allows for it. By maintaining a central log server(s) you are more easily able to correlate data in the event of an investigation or forensics efforts.

3. Out-of-band management. Modems and console servers can be life-savers at times when doing network administration but they require the same amount of security awareness and handling as anything else. Enough said.

Chris

On Wed, 4 Sep 2002, Thad Horak wrote:

> I've been tasked to add to our existing incident
> handling process a methodology to investigate our
> Cisco routers and switches. I've found a few documents
> when searching on google, but it seems that most
> people just want to teach this through a course. Can
> anyone suggest any documents that they have written or
> found helpful? Many thanks.
>
> Thad
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 06:59:11 PDT
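
Added example (not part of the original thread or written by its authors): one way to do the correlation that point 2 of the reply describes, by pulling configuration-change messages from several devices out of a central syslog file and grouping them by the address they came from. The log layout, host names and addresses are constructed, and the year is an assumed parameter because classic syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines; assumed layout on the log server:
# "Mon DD HH:MM:SS host seq: %FACILITY-SEVERITY-MNEMONIC: text"
SAMPLE_LOG = """\
Sep  4 10:15:02 rtr-edge1 112: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.50)
Sep  4 10:15:40 sw-core1 87: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Sep  4 10:17:11 sw-core1 88: %SYS-5-CONFIG_I: Configured from console by vty1 (192.0.2.50)
Sep  4 10:14:30 rtr-edge2 40: %SYS-5-CONFIG_I: Configured from console by console
this line is not a Cisco message
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse(log_text, year=2002):
    """Return Cisco-style events sorted by time; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the space-padded day field
        addr = ADDR_RE.search(m["text"])
        events.append({
            "time": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "host": m["host"],
            "code": f"{m['fac']}-{m['sev']}-{m['mnem']}",
            "source": addr.group(1) if addr else "local",
        })
    return sorted(events, key=lambda e: e["time"])

def config_changes_by_source(events):
    """Map each source (address or 'local') to the devices it configured, in time order."""
    changes = defaultdict(list)
    for e in events:
        if e["code"] == "SYS-5-CONFIG_I":
            changes[e["source"]].append(e["host"])
    return dict(changes)

def multi_device_sources(changes):
    """Remote sources that changed configuration on more than one device."""
    return sorted(s for s, h in changes.items() if s != "local" and len(set(h)) > 1)

if __name__ == "__main__":
    for e in parse(SAMPLE_LOG):
        print(e["time"], e["host"], e["code"], e["source"])
    print(multi_device_sources(config_changes_by_source(parse(SAMPLE_LOG))))
```
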