We've been told by our PCI QSA that we have to implement 2 factor authentication for admin access to all network devices (Cisco routers, switches, ASAs, etc.) this year. Information on this seems pretty sparse on the web, has anyone here done it before? What did you use for the second factor? How does it work exactly?
We already have an RSA soft token infrastructure. If we went with these as the second factors, how would that work exactly? Would another prompt come up in the CLI to input the code? What about scripts and monitoring access?
Or is it possible to combine SSH public key authentication with password authentication and use certificates as the second factor? This seems preferable because I'm really not liking the idea of having to type in the code every last friggin time I need to log into a switch.
Any other possible second factors I'm not thinking of?
No comments:
Post a Comment