Cisco ACL guru help

child of wonder

Diamond Member
Aug 31, 2006
Just found out today someone has removed the ACLs from our WAN routers and anyone from the internet can telnet to them. :Q

I'd like to disable telnet from all subnets save for our management one.

Not being a Cisco guy I've been doing some Google-fu to come up with an ACL to accomplish this but haven't found anything yet. Thought someone here could shoot something my way real fast.

So to clarify, I want our internal management subnet to be able to telnet to the router but nothing else.

Thanks

 

spidey07

No Lifer
Aug 4, 2000
access-list 1 permit 192.168.5.0 0.0.0.255
line vty 0 4
access-class 1 in

This restricts it to the virtual terminal lines. So rather than blocking at the interface level you're blocking access to the line itself.
 

child of wonder

Diamond Member
Aug 31, 2006
So just replace 192.168.5.0 with our internal subnet and we're good to go? I've never seen 0.255.255.255 before. What does that represent?

Thanks for your help, spidey.
 

spidey07

No Lifer
Aug 4, 2000
It's a wildcard mask. The opposite of a subnet mask. And I wrote it wrong. For a class C network it would be 192.168.5.0 0.0.0.255. That would represent anything with the first three octets of 192.168.5.
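A small Python model of how the standard ACL in spidey07's answer is evaluated when applied to the vty lines with access-class, added here as an illustration and not posted by anyone in the thread. The ACL entries and source addresses are constructed; it also shows why the mistyped 0.255.255.255 mask would have matched far more than the management subnet.

```python
from __future__ import annotations
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefix_len: int) -> str:
    """A Cisco wildcard mask is the bitwise inverse of the subnet mask:
    0 bits must match, 1 bits are 'don't care'. /24 -> 0.0.0.255."""
    netmask = IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return str(IPv4Address(int(netmask) ^ ALL_ONES))


def ace_matches(address: str, ace_network: str, wildcard: str) -> bool:
    """True if 'address' matches a standard ACL entry '<network> <wildcard>'."""
    care_bits = int(IPv4Address(wildcard)) ^ ALL_ONES
    return (int(IPv4Address(address)) & care_bits) == (
        int(IPv4Address(ace_network)) & care_bits
    )


def vty_permits(address: str, acl: list[tuple[str, str, str]]) -> bool:
    """Evaluate a standard ACL the way 'access-class <n> in' does on a vty line:
    first matching entry wins; the implicit 'deny any' rejects everything else."""
    for action, network, wildcard in acl:
        if ace_matches(address, network, wildcard):
            return action == "permit"
    return False  # implicit deny any at the end of every Cisco ACL


# Constructed ACLs: the corrected entry from the thread, and the mistyped mask.
CORRECT_ACL = [("permit", "192.168.5.0", "0.0.0.255")]
MISTYPED_ACL = [("permit", "192.168.5.0", "0.255.255.255")]

if __name__ == "__main__":
    print(wildcard_from_prefix(24))                     # 0.0.0.255
    print(vty_permits("192.168.5.17", CORRECT_ACL))     # True  (management host)
    print(vty_permits("192.168.6.1", CORRECT_ACL))      # False (other internal subnet)
    print(vty_permits("192.0.2.1", CORRECT_ACL))        # False (outside source)
    # The wrong mask only checks the first octet, so any 192.x.x.x source is let in.
    print(vty_permits("192.0.2.1", MISTYPED_ACL))       # True
```

Checking an access-class ACL this way before pasting it into the router is a cheap guard against the kind of mask typo the thread discusses.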
 

child of wonder

Diamond Member
Aug 31, 2006
Originally posted by: Cooky
don't forget the rest of the vty lines if you have more than 5.

Nope, just 5.

My boss thought it was too much of a hassle to maintain an ACL on the external routers so removed them.

"If someone hacks into them and messes them up we can just drive in and restore the config."

:roll:

Meanwhile every one of our branches will be without internet, backup jobs will fail, and we'll lose our connection to the Fed and nightly runs will fail.
 

Jamsan

Senior member
Sep 21, 2003
Originally posted by: child of wonder
Originally posted by: Cooky
don't forget the rest of the vty lines if you have more than 5.

Nope, just 5.

My boss thought it was too much of a hassle to maintain an ACL on the external routers so removed them.

"If someone hacks into them and messes them up we can just drive in and restore the config."

:roll:

Meanwhile every one of our branches will be without internet, backup jobs will fail, and we'll lose our connection to the Fed and nightly runs will fail.

Just wow...
 

child of wonder

Diamond Member
Aug 31, 2006
Originally posted by: Jamsan
Originally posted by: child of wonder
Originally posted by: Cooky
don't forget the rest of the vty lines if you have more than 5.

Nope, just 5.

My boss thought it was too much of a hassle to maintain an ACL on the external routers so removed them.

"If someone hacks into them and messes them up we can just drive in and restore the config."

:roll:

Meanwhile every one of our branches will be without internet, backup jobs will fail, and we'll lose our connection to the Fed and nightly runs will fail.

Just wow...

Is it any wonder I'm looking for a new job? lol
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: child of wonder
Originally posted by: Jamsan
Originally posted by: child of wonder
Originally posted by: Cooky
don't forget the rest of the vty lines if you have more than 5.

Nope, just 5.

My boss thought it was too much of a hassle to maintain an ACL on the external routers so removed them.

"If someone hacks into them and messes them up we can just drive in and restore the config."

:roll:

Meanwhile every one of our branches will be without internet, backup jobs will fail, and we'll lose our connection to the Fed and nightly runs will fail.

Just wow...

Is it any wonder I'm looking for a new job? lol

It's your job to know the technical details. It's not your boss's job to know that. It's your job to bring this to his attention.
 

child of wonder

Diamond Member
Aug 31, 2006
Originally posted by: spidey07
Originally posted by: child of wonder
Originally posted by: Jamsan
Originally posted by: child of wonder
Originally posted by: Cooky
don't forget the rest of the vty lines if you have more than 5.

Nope, just 5.

My boss thought it was too much of a hassle to maintain an ACL on the external routers so removed them.

"If someone hacks into them and messes them up we can just drive in and restore the config."

:roll:

Meanwhile every one of our branches will be without internet, backup jobs will fail, and we'll lose our connection to the Fed and nightly runs will fail.

Just wow...

Is it any wonder I'm looking for a new job? lol

It's your job to know the technical details. It's not your boss's job to know that. It's your job to bring this to his attention.

First, it was my boss's job up until 1 year ago. That doesn't stop him from continuing to make changes to the network.

Second, I'm the server guy not the network guy. I assist with networking from time to time but I can't audit the entire network (104 branches, Data Center, DR). Even if I had the desire to do so I don't have the time.

Third, even when I brought the lack of ACL to his attention he didn't want me to lock down telnet from the internet. When I informed him we would fail an FDIC audit he then allowed me to do so.

Fourth, you're operating under the assumption that my environment consists of a typical "supervisor/employee" relationship or hierarchy. In reality, my boss tries to get his hands into everything, overrides our decisions (especially when it benefits his friend who is head of sales for a local vendor), and, as I pointed out with the security of those routers, makes changes to things and doesn't inform anyone, even the network tech. I found out about telnet being open because of a security audit done by an outside company. He tasked me with identifying and eliminating vulnerabilities discovered. When I showed him the telnet vulnerability on our external routers then he confessed to removing the ACLs.

Being the server admin, what should I have done differently?
 

1ceHacka

Senior member
Mar 3, 2006
Give it time, it's still early in the day for a response.

BTW, I am totally on both of your sides. It is the job of technical experts to inform supervisors of issues and other technical issues. The supervisor gets paid to take that information and do something with it. So, by you informing him of this, you have done your duty and what he does with that info makes him the supervisor that he is or isn't.
 

child of wonder

Diamond Member
Aug 31, 2006
Originally posted by: 1ceHacka
Give it time, it's still early in the day for a response.

BTW, I am totally on both of your sides. It is the job of technical experts to inform supervisors of issues and other technical issues. The supervisor gets paid to take that information and do something with it. So, by you informing him of this, you have done your duty and what he does with that info makes him the supervisor that he is or isn't.

Absolutely. And that would be the responsibility of our networking guy to inform him of networking risks. The only reason I'm involved is because I'm going over a vulnerability audit and telnet open to the internet is one of the problems it caught. The rest are things like "update PHP to 5.x.x" or "upgrade Apache to ... " which are all things I deal with.

I just think it was a pretty shitty thing to come in here and imply I'm not doing my job when someone has no clue what goes on here and how difficult my boss makes my and my coworkers' jobs to perform.

Imagine working on a project then your boss decides to go cowboy on the work you did and f*ck it all up. That kind of stuff happens here.
 

spidey07

No Lifer
Aug 4, 2000
child of wonder - I wasn't implying you weren't doing your job. Only to point out the lines that are sometimes confused. Boss sounds like a cowboy however and probably shouldn't be screwing around.