This topic doesn't seem to come up at all. I started out in the ISP biz and moved over to information security for a company that was small enough that Tiks still seemed to fit the bill.
However, we are starting to get hit with PCI-DSS evaluations, risk assessments and gap analyses with an array of requirements -- most of which I have been able to meet easily, except one: secure authentication on the router. Almost every third party wants to see me doing it the 'Cisco' way, with primary remote logins being strictly unprivileged and forcing elevation to a privileged user after connection, i.e. enable.
Now I can emulate this functionality by allowing only a stripped-down user remote access, setting up a loopback bridge interface with no ports, assigning an IP address to that bridge, and ssh'ing into itself from there, with the allowed IP address for the full-access administrative user being the router itself.
Which in and of itself isn't too terrible, other than that I prefer to work with firewall rules using Winbox. Has anyone else had experience with this and other PCI-DSS compliance rules and getting the Tik to be compliant?
I would really like to see permission elevation within both Winbox and SSH as native functionality instead of the config needing to be creative.
Also, to SSH out (use the SSH client), the test policy is required. I couldn't find this documented anywhere.
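The loopback-hop workaround described in the post, written out as an added RouterOS script for reference; this is not the poster's own configuration. The group names, the bridge name lo-admin, the addresses 10.255.255.1/32 and 192.168.88.0/24, and the passwords are assumed placeholder values.

```routeros
# Added example, not from the original post. Emulates "unprivileged login,
# then elevate" on RouterOS: the account reachable from the network is
# read-only, and the full-access account only accepts logins sourced from
# the router's own loopback address, so elevation means ssh'ing into the
# router from the router. All names/addresses below are assumptions.

# 1. Read-only group for the account that logs in from the network.
#    "test" is included because, as noted above, the SSH client needs it.
#    Policies not listed are denied.
/user group add name=ro-ops policy=ssh,read,test,winbox

# 2. Full-access group for the elevated (second-hop) account.
/user group add name=full-ops policy=ssh,read,write,policy,test,password,sensitive,reboot,winbox

# 3. Loopback bridge with no member ports; traffic to 10.255.255.1 can
#    only originate on the router itself.
/interface bridge add name=lo-admin protocol-mode=none
/ip address add address=10.255.255.1/32 interface=lo-admin

# 4. Accounts. "ops" is allowed in from the management LAN (assumed
#    192.168.88.0/24); "ops-admin" only from the loopback address,
#    which a remote host cannot present.
/user add name=ops group=ro-ops address=192.168.88.0/24 password="CHANGE-ME"
/user add name=ops-admin group=full-ops address=10.255.255.1/32 password="CHANGE-ME"

# 5. Limit the SSH service to the management LAN plus the loopback.
/ip service set ssh address=192.168.88.0/24,10.255.255.1/32

# 6. Elevation step, typed after logging in as "ops": hop to the
#    privileged account through the loopback (the "enable" equivalent).
#    Assumes the router picks 10.255.255.1 as the source for this hop.
/system ssh 10.255.255.1 user=ops-admin
```

Both hops leave separate entries in the system log, which gives the assessor a record of who logged in and when privileged access was taken.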