A fundamental aspect of network security is securing the networking infrastructure itself, which can be particularly challenging in large scale enterprise or Internet service provider (“ISP”) networks. In such networks, hundreds or even thousands of networking devices, such as routers and switches, are widely dispersed among a geographically diverse set of offices and are typically managed by a team of network operators. It is imperative that the networking infrastructure and the information contained therein be fully protected against eavesdroppers and attackers. For example, information such as router configuration and traffic statistics held on networking devices may contain confidential business data of tremendous value to a competitor, and divulging it will likely place the ISP at a significant commercial disadvantage. Leakage of security-critical details of the router configuration, such as Quality of Service (“QoS”) policy, firewall settings, and/or Access Control List (“ACL”) settings, may expose the network to attacks crafted to exploit precisely those settings, such as Distributed Denial of Service (“DDoS”) attacks. In an even more devastating scenario, an attacker who gains privileged access to a networking device can alter its configuration to create havoc and paralyze the entire network and the services it supports.
Given the risk of such severe consequences, large scale network operators typically devise and deploy a range of security and protection measures for their networking devices. One common practice, for example, is to combine perimeter protection with centralized authentication and authorization for all communication to networking devices. By restricting premises access, unauthorized persons are blocked from gaining physical access to networking devices. Through careful configuration of ACLs at all network edge routers, unauthorized network traffic is blocked from reaching the devices' own addresses while transit traffic is forwarded normally. And finally, technologies such as Terminal Access Controller Access-Control System Plus (“TACACS+”) and Remote Authentication Dial In User Service (“RADIUS”) ensure that only authenticated and authorized users (i.e., the designated network operators and/or administrators) can log in to routers and switches, whether directly on a console or remotely over the network, and provide a central audit record of who did what on each device.
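The following configuration fragment, in Cisco IOS-style syntax, is an added example and not part of the original text or of any vendor's documentation. It shows the three network-side measures described above on a single edge router: a weak management-plane setup as it is often found in the field, followed by an infrastructure ACL on the edge interface, a management ACL on the vty lines, and centralized TACACS+ authentication, authorization and command accounting. All addresses (the 10.0.0.0/16 infrastructure range, the 10.0.100.0/24 management network, the 192.0.2.0/24 peering link, and the TACACS+ servers at 10.0.200.11 and 10.0.200.12), the ACL and server-group names, and the shared-secret placeholder are assumptions chosen for illustration.

```cisco
! ===== Weak configuration (what the hardened version replaces) =====
! Telnet and SSH accepted from any source, authentication against the local
! user database only, no access-class, no accounting.
line vty 0 4
 transport input telnet ssh
 login local
!
! ===== Hardened configuration (added example; addresses are constructed) =====
!
! 1. Infrastructure ACL, applied inbound on every edge-facing interface.
!    It protects the device address space (loopbacks in 10.0.0.0/16, link
!    addresses in 192.0.2.0/24) while leaving transit traffic untouched.
ip access-list extended INFRA-ACL
 remark Routing-protocol sessions with the directly connected peer must survive
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 remark Operators on the management network may reach device addresses over SSH and SNMP
 permit tcp 10.0.100.0 0.0.0.255 10.0.0.0 0.0.255.255 eq 22
 permit udp 10.0.100.0 0.0.0.255 10.0.0.0 0.0.255.255 eq snmp
 remark Anything else aimed at infrastructure addresses is dropped and logged
 deny   ip any 10.0.0.0 0.0.255.255 log
 deny   ip any 192.0.2.0 0.0.0.255 log
 remark Transit traffic is forwarded normally
 permit ip any any
!
interface GigabitEthernet0/0
 description Edge link to external peer (constructed example)
 ip address 192.0.2.2 255.255.255.0
 ip access-group INFRA-ACL in
!
! 2. Management-plane ACL bound to the vty lines. Even if a packet slips past
!    the edge, only the management network can open a session, and only over SSH.
ip access-list standard MGMT-ACL
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
ip ssh version 2
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
 exec-timeout 10 0
!
! 3. Centralized AAA. Every login and every privileged command is authenticated
!    and authorized against TACACS+; the local account is a break-glass fallback
!    used only when no TACACS+ server is reachable.
aaa new-model
tacacs server TAC1
 address ipv4 10.0.200.11
 key EXAMPLE-SHARED-SECRET-REPLACE-ME
tacacs server TAC2
 address ipv4 10.0.200.12
 key EXAMPLE-SHARED-SECRET-REPLACE-ME
aaa group server tacacs+ NOC-TACACS
 server name TAC1
 server name TAC2
aaa authentication login default group NOC-TACACS local
aaa authorization exec default group NOC-TACACS local
aaa authorization commands 15 default group NOC-TACACS local
aaa accounting exec default start-stop group NOC-TACACS
aaa accounting commands 15 default start-stop group NOC-TACACS
!
! Break-glass local account; the secret is set out of band and rotated.
username noc-emergency privilege 15 secret EXAMPLE-ONLY-REPLACE-ME
```

Two points a practitioner should check before deploying something like this. First, the order of entries in INFRA-ACL matters: the routing-protocol permits and the management permits must precede the logged denies, or the router will drop its own BGP session the moment the ACL is applied. Second, the `local` fallback in the AAA method lists is only consulted when every server in the group fails to respond, not when a server rejects the login, so a compromised or mistyped local password cannot be used to bypass TACACS+ while the servers are up; the corresponding risk is that an attacker who can make the servers unreachable (for example by flooding the management network) forces the fallback, which is one more reason the management network itself belongs behind the infrastructure ACL.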