[176065] in North American Network Operators' Group


Re: Kind of sad

daemon@ATHENA.MIT.EDU (Michael Thomas)
Tue Nov 11 10:44:12 2014

X-Original-To: nanog@nanog.org
Date: Tue, 11 Nov 2014 07:44:04 -0800
From: Michael Thomas <mike@mtcc.com>
To: nanog@nanog.org
In-Reply-To: <1415696708.11568.96.camel@karl>
Errors-To: nanog-bounces@nanog.org

On 11/11/2014 01:05 AM, Karl Auer wrote:
> Someone who puts a real switch doing real work on the Internet with 
> working telnet access is asking to have at least the switch 
> compromised very quickly. A plaything, a honeypot, or a teaching tool 
> - maybe. Anything else, probably a bad idea. Remember that if I own 
> your switch, I own all the data sent to or from any system connected 
> to that switch... Regards, K. 

How so? Assuming that you're using password auth, the real vulnerability is somebody figuring out the password and owning the box. SSH certainly helps here immensely with RSA auth, but only if you use it.

An active MITM attack or passive snooping on telnet streams seems like it would be orders of magnitude less dangerous on a list of threats. SSH is definitely a Good Thing, but it's not a silver bullet.

Mike
