> On Apr 20, 2019, at 9:49 AM, Alex K. <[email protected]> wrote:
>
> Hello Dave,
>
> Thank you.
>
> Sure, it isn't *really* separated. After all, the RP's CPU is connected to both
> (the management interface and the router forwarding matrix). It's really a
> software-imposed separation.

I'm always a bit puzzled by the design choices and how long they've stayed
around. Back in 10.3 I got it - nobody cared about this, you just access-list
everything and hope you didn't miss some service. And now it seems essentially
the same. Why the command shell wouldn't be bound to a single IP (or a defined
list of IPs) as part of the isolation is beyond me. The fact that if I have 200
interfaces configured with an IP, the shell process (and SNMP, and NTP, and
whatever else is running) listens on all of those IPs is just insane.

I'm a bit of a dinosaur, so maybe in the new versions this has changed, but as
of the last time I really paid attention to IOS they were still in the 90s as
far as keeping the management processes separate.
Charles
>
> On Sat, 20 Apr 2019, 16:04, Dave Cardwell <[email protected]> wrote:
>
>>
>> On Sat, 20 Apr 2019, 12:46 Alex K., <[email protected]> wrote:
>>
>>>
>>> An interesting question I got from one of my customers - how secure is the Cisco
>>> ASR management interface? Meaning, how *separate* is it really?
>>>
>>>
>> It's not the vector you describe below, but the linked CVE relates to the
>> separation, or lack thereof (see the workaround).
>>
>>
>> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr
>>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
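The thread's complaint is that the shell, SNMP and NTP answer on every configured address unless each one is separately access-listed. The following audit script is an added example, not code from the list or from Cisco: it parses an IOS-style running-config and flags the management services that are not scoped by an ACL or by Management Plane Protection (`control-plane host` / `management-interface`). The two config fragments are constructed samples.

```python
import re
# Constructed IOS-style config fragments (not from the thread): the first leaves
# shell, SNMP and NTP reachable on every interface address; the second scopes
# them with ACL 10 and Management Plane Protection (MPP).
WEAK_CONFIG = """\
snmp-server community public RO
ntp server 192.0.2.10
line vty 0 4
"""
HARDENED_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
snmp-server community s3cret RO 10
ntp server 192.0.2.10
ntp access-group serve-only 10
control-plane host
 management-interface GigabitEthernet0/0 allow ssh snmp
line vty 0 4
 access-class 10 in
 transport input ssh
"""

def parse_stanzas(config):
    """Group IOS config text into (header, [indented child lines]) pairs."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and stanzas:
            stanzas[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            stanzas.append((raw.strip(), []))
    return stanzas

def audit_management_plane(config):
    """Return one finding per management service not scoped by an ACL or MPP."""
    stanzas = parse_stanzas(config)
    headers = [h for h, _ in stanzas]
    findings = []
    for header, children in stanzas:
        # vty with no access-class: the shell answers on every configured IP
        if header.startswith("line vty") and not any(c.startswith("access-class") for c in children):
            findings.append(f"{header}: no access-class")
        # community string with nothing (ACL number or name) after RO/RW
        if header.startswith("snmp-server community") and not re.search(r"\b(RO|RW)\s+\S+", header):
            findings.append(f"{header}: no ACL")
    if any(h.startswith("ntp server") for h in headers) and not any(h.startswith("ntp access-group") for h in headers):
        findings.append("ntp: no access-group")
    if "control-plane host" not in headers:
        findings.append("no MPP (control-plane host / management-interface)")
    return findings
```

Run `audit_management_plane` over a saved `show running-config`; an empty list means every checked service is bound to an ACL or to the MPP management interface.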