
Re: Using conserver to secure cisco routers

Bryan Stansell bryan@conserver.com
Thu, 9 Mar 2006 07:11:35 -0800 (PST)


hey mark...yep, that's what conserver was made for.  ;-)

you just point conserver at your consoles (in the example below, it's
/dev/cuad0 - but any others you might hook up as well), and folks could
then log in and use 'console <router>' to gain access.  if you wanted to
be even more secure you could limit who had login access to the freebsd
box to just you and have them use the console client from remote
machines.  and as a "middle ground", you could set their shell to a
script that execed 'console <router>' and put them in the "restricted
user" list inside conserver...that way they'd be "locked" onto the
console and unable to do some of the more advanced commands (that may or
may not be appropriate, depending on your world).

that's a lot to absorb.  i'd start with something simple (getting
conserver going and using the client locally) and then refine that if
you need to.  check out conserver.cf/samples/simple.cf (and the others)
in the distribution for a starting point of crafting a config file.

good luck!

Bryan

On Thu, Mar 09, 2006 at 12:33:46AM -0800, Mark Jayson Alvarez wrote:
> Good day!
>  
>  I'm looking for ways to secure our cisco routers by not allowing
>  remote access to it, and  only console access. To do this, I would
>  connect the router to a pc using a console cable. The pc is running
>  freebsd 6.0. The pc can be accessed via a much secure ssh.  After a
>  user logs in, he can use "cu -l /dev/cuad0 -s 9600" Now he can
>  connect to the cisco router and receive the login prompt. Now my
>  problem is how am I going to have multiple users login to the router
>  using only one console cable (as the router is limited to only one
>  console port). This is required because most of the time, our NOC
>  engineers are troubleshooting our network at the same time using
>  different privileges. After googling for a while, I found conserver.
>  
>  Question: Am I looking into the right tool or not??  Anyone here
>  doing the same thing with their routers??
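
A minimal conserver.cf for the setup discussed in this thread, added here as an example; it is not taken from Bryan's message or from the samples in the conserver distribution. The console name router1, the users alice and bob, the group noc and the log path are assumptions; /dev/cuad0 and 9600 baud come from the original question.

```conf
# Added example, not from the thread. All names below are hypothetical
# except the device and baud rate, which come from the original question.

# NOC engineers who may attach to the router console.
group noc {
    users alice,bob;
}

# Settings inherited by every console block.
default * {
    master localhost;
    # One log file per console; "&" expands to the console name.
    # Gives an audit trail of everything seen on the serial line.
    logfile /var/consoles/&;
    # Only members of noc get read-write access.
    rw noc;
}

# The Cisco console port, cabled to the FreeBSD box.
console router1 {
    type device;
    device /dev/cuad0;
    baud 9600;
    parity none;
}

# Who may talk to the conserver daemon at all.
access * {
    # Clients on this host must still give a password ("trusted"
    # would skip the password check).
    allowed 127.0.0.1;
    # bob is a limited user: he cannot suspend the connection, move
    # to another console, or attach to a local command. Pair this
    # with a login shell that execs 'console router1' to keep him
    # locked onto the console.
    limited bob;
}
```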