[28393] in North American Network Operators' Group
RE: ABOVE.NET SECURITY TRUTHS?
daemon@ATHENA.MIT.EDU (Roeland Meyer (E-mail))
Fri Apr 28 17:57:10 2000
Reply-To: <rmeyer@mhsc.com>
From: "Roeland Meyer (E-mail)" <rmeyer@mhsc.com>
To: "'Greene, Dylan'" <DGreene@NaviSite.com>,
"'Paul Froutan'" <pfroutan@rackspace.com>
Cc: <nanog@merit.edu>
Date: Fri, 28 Apr 2000 14:38:04 -0700
Message-ID: <004401bfb15a$0955bc90$eaaf6cc7@PEREGRIN>
In-Reply-To: <7C06EA1D5AAAD311B4EB00508B550B99014F7A2A@navexc01.and.navisite.com>
The private net is still subject to wire-tap tricks. If the switch supports SSH1 then that should be sufficient. MHSC.NET, and every host I set up for dot-com clients, gets a telnetd/ftpd-ectomy for free. If it needs CLI access, it gets SSH or you have to go to the console. Even X11 and SMB sessions are forwarded through SSH. Given this sort of secure environment, plain-text Cisco sessions stand out like a sore thumb to a sniffer. They only have to look for the packets that are NOT encrypted. A private net is even worse: you are guaranteed that each packet is part of a network management session.
> -----Original Message-----
> From: Greene, Dylan [mailto:DGreene@NaviSite.com]
> Sent: Friday, April 28, 2000 2:10 PM
> To: 'Paul Froutan'; rmeyer@mhsc.com
> Cc: nanog@merit.edu
> Subject: RE: ABOVE.NET SECURITY TRUTHS?
>
> Maybe I should read the entire message before responding.. hehe.. =)
>
> A switched private management LAN resolves the cleartext problem.
>
> SSH version 1 is apparently supported in 12.0 as well (never played w/ it,
> so dunno how well it works);
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s5/sshv1.htm
>
> ..Dylan
| -----Original Message-----
| From: Paul Froutan [mailto:pfroutan@rackspace.com]
| Sent: Friday, April 28, 2000 4:46 PM
| To: rmeyer@mhsc.com
| Cc: nanog@merit.edu
| Subject: RE: ABOVE.NET SECURITY TRUTHS?
|
| I don't think you can. However, I use TACACS on all my switches and
| routers. From what I know, TACACS passwords are encrypted using the key on
| your network devices and the TACACS server. So, that, in combination with
| a private management LAN not accessible by your customers should lock down
| your network pretty effectively. Any comments?
|
| At 4/28/00 -0700, you wrote:
|
| > > Exiled Dave
| > > Sent: Friday, April 28, 2000 1:10 PM
| >
| > > Let's think about this, cisco in no way has such a flaw
| > > that would allow someone to 'root' and erase all the
| > > info on switches. The password was sniffed.
| >
| > Can one set up SSH on a Cisco 6509?
|
| Paul Froutan Email: pfroutan@rackspace.com
| Rackspace, Ltd <http://www.rackspace.com>
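The observation above, that on a private management LAN a sniffer only has to pick out the packets that are not encrypted, is also the basis for auditing that LAN yourself. The following is an added example, not code from this thread or from any of the posters: a Python script that groups constructed sample packets into (source, destination, port) sessions and reports which ones are cleartext. It uses the destination port as a hint and the fraction of printable bytes in the payload as the deciding heuristic, so a telnet-style login on a non-standard port is still flagged and an unexpected plaintext stream on the SSH port is called out. The packet records, addresses and payloads are constructed for the example; the port-to-protocol table (telnet 23, ftp 21, ssh 22, TACACS+ 49) is an assumption about standard ports, not data from the thread.

```python
"""Audit a management LAN capture for cleartext sessions.

Added example, not part of the NANOG thread. Input is a list of
constructed Packet records rather than a live capture; in practice a
practitioner would build the records from their own capture tooling.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib

# Management protocols named in the thread. Telnet and FTP carry credentials
# in the clear; SSH encrypts the session; TACACS+ (assumed standard port 49)
# obscures the packet body with the shared key. Standard-port mapping is an
# assumption of this example.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}
ENCRYPTED_PORTS = {22: "ssh", 49: "tacacs+"}
PLAINTEXT_THRESHOLD = 0.9  # fraction of printable bytes that marks a payload as plaintext


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def classify_session(dport: int, payload: bytes) -> str:
    """Decide whether one session is cleartext or encrypted.

    The port is only a hint: the payload decides, so a cleartext protocol on
    a non-standard port, or a plaintext stream on a port reserved for an
    encrypted protocol, is still reported.
    """
    looks_plain = printable_ratio(payload) >= PLAINTEXT_THRESHOLD
    if dport in CLEARTEXT_PORTS:
        return f"cleartext ({CLEARTEXT_PORTS[dport]})"
    if dport in ENCRYPTED_PORTS:
        name = ENCRYPTED_PORTS[dport]
        return f"plaintext payload on {name} port" if looks_plain else f"encrypted ({name})"
    return "cleartext (unknown port, heuristic)" if looks_plain else "encrypted (unknown port, heuristic)"


def audit_sessions(packets):
    """Group packets into (src, dst, dport) sessions and classify each one."""
    sessions = defaultdict(bytearray)
    for p in packets:
        sessions[(p.src, p.dst, p.dport)].extend(p.payload)
    return {key: classify_session(key[2], bytes(data)) for key, data in sessions.items()}


def cleartext_sessions(packets):
    """Return only the sessions a sniffer on the wire could read directly."""
    verdicts = audit_sessions(packets)
    return sorted(k for k, v in verdicts.items() if v.startswith(("cleartext", "plaintext")))


def _opaque(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed; not real SSH or TACACS+ traffic)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


# Constructed sample capture: one admin workstation talking to four devices.
SAMPLE_PACKETS = [
    Packet("10.10.0.50", "10.10.0.1", 23, b"\xff\xfd\x18\xff\xfd\x20User Access Verification\r\nPassword: "),
    Packet("10.10.0.50", "10.10.0.1", 23, b"enable\r\nconfigure terminal\r\n"),
    Packet("10.10.0.50", "10.10.0.2", 22, b"SSH-1.5-OpenSSH_2.1\r\n" + _opaque(b"ssh", 512)),
    Packet("10.10.0.50", "10.10.0.3", 49, _opaque(b"tacacs", 96)),
    Packet("10.10.0.50", "10.10.0.4", 2323, b"login: admin\r\nPassword: \r\n"),
]

if __name__ == "__main__":
    # Report verdicts only; the payloads themselves are never printed, so the
    # audit output does not itself leak whatever the cleartext session carried.
    for key, verdict in sorted(audit_sessions(SAMPLE_PACKETS).items()):
        print(f"{key[0]} -> {key[1]}:{key[2]:<5} {verdict}")
```

The port table is deliberately small and the printable-byte heuristic is coarse; the design point is that the verdict comes from the bytes on the wire rather than from the port number, which is exactly what an eavesdropper on a shared or mirrored management segment would be looking at.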