[28410] in North American Network Operators' Group
RE: SSH on IOS (was RE: ABOVE.NET SECURITY TRUTHS?)
daemon@ATHENA.MIT.EDU (Roeland Meyer (E-mail))
Fri Apr 28 22:26:15 2000
Reply-To: <rmeyer@mhsc.com>
From: "Roeland Meyer (E-mail)" <rmeyer@mhsc.com>
To: "'John Fraizer'" <nanog@EnterZone.Net>,
"'Jason Ackley'" <jason@ackley.net>
Cc: <nanog@merit.edu>
Date: Fri, 28 Apr 2000 19:24:32 -0700
Message-ID: <005501bfb182$0e6925a0$eaaf6cc7@PEREGRIN>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <Pine.LNX.3.96.1000428212251.27837B-100000@Overkill.EnterZone.Net>
Errors-To: owner-nanog-outgoing@merit.edu
Actually doing that now, with a Linux box and an old Livingston PM2E.
Linux box runs SSHD, the portmaster runs directly into console ports
'stead of modems. I figured that was obvious. However, I don't run a
co-lo either. Most of my systems reside in them. This is okay, until
your ladders have to run through semi-public space. There is also a
50-foot length restriction on RS-232 lines, unless you like running at
less than 115K baud. Also, figure the expense of the extra hardware. In
my case, it was unused sunk-cost anyway (surplus, for you non-suits).
> John Fraizer
> Sent: Friday, April 28, 2000 6:31 PM
>
> > > SSH version 1 is apparently supported in 12.0 as well (never played
> > > w/ it, so dunno how well it works);
> >
> <snip>
> >
> > So just don't do a 'show slaveslot0:' over SSH :-) Anyone else have this
> > problem? Works fine via console or (shudder) telnet..
> >
> <snip>
> > SSH on 6509s, that would be great! Still fighting with the idea of
> > running real IOS on 6500s, if the real IOS part contains SSH, you can bet
> > I would upgrade sooner than later. Anyone running 'real' IOS on
> > 6500s? Any gotchas or superbugs?
>
>
> I have a VERY novel idea for you all and since no one has mentioned it,
> here goes:
>
>
> NOC----------Management Network---------SSH Drone
>                                          |  |  |  |
>                        Serial Lines ->   |  |  |  ---Router1
>                                          |  |  |--Switch1
>                                          |  -Router2
>                                          -Switch2
>
>
> I know. It's just too simple and it scales so very well so, it MUST be a
> bad idea.
>
> Even if you don't have a dedicated management network, you just put a box
> that speaks SSH out there with serial access to your routers/switches.
>
> If you DO have a management network, you connect that to it as well.
>
> No matter what, you're secure to the SSH drone and if someone is in your
> cabinets tapping the serial lines, you've got big physical security
> problems to deal with and you might as well flat out give up on
> network security.
>
> A Force Recon colonel once told me, "If it's a stupid idea, and it works,
> it must not be a stupid idea."
>
> ---
> John Fraizer
>
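The SSH drone in the quoted diagram is only as strong as what a login on it can do: if every NOC user lands in a full shell on the drone, it becomes a pivot into the serial fabric rather than a choke point. As an added example that is not part of this thread or of any product mentioned in it, the wrapper below is what such a drone could run as an OpenSSH ForceCommand. The client names a console (`ssh drone router1`, which arrives in SSH_ORIGINAL_COMMAND), the wrapper checks the name against an inventory and the user's Unix groups, logs the access to the auth facility, and replaces itself with a terminal program on the mapped serial port. The sshd_config Match block in the docstring, the use of picocom, the device paths, console names and group names are all assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""console-gate: ForceCommand wrapper for an SSH console drone.

Assumed sshd_config on the drone (not from the original mail):

    Match Group console
        ForceCommand /usr/local/bin/console-gate
        PermitTTY yes
        AllowTcpForwarding no
        AllowAgentForwarding no
        X11Forwarding no

With that in place a user in group "console" never gets a shell; the only
thing the drone will do for them is attach to a named serial port.
"""
import os
import re
import sys

# Constructed inventory: console name -> serial device, speed, groups allowed.
# Device paths and group names are sample values, not from the thread.
CONSOLES = {
    "router1": {"device": "/dev/ttyS0", "baud": 9600,   "allowed": {"noc", "neteng"}},
    "switch1": {"device": "/dev/ttyS1", "baud": 9600,   "allowed": {"noc", "neteng"}},
    "router2": {"device": "/dev/ttyS2", "baud": 115200, "allowed": {"neteng"}},
    "switch2": {"device": "/dev/ttyS3", "baud": 9600,   "allowed": {"neteng"}},
}

# Console names are short, lowercase tokens. Anything else (paths, spaces,
# shell metacharacters, an empty string) is rejected before lookup.
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,31}$")


class AccessDenied(Exception):
    """Raised when the request is malformed, unknown, or not authorised."""


def resolve_console(requested, user_groups, inventory=CONSOLES):
    """Map the client's requested console to (device, baud).

    The user's group membership must intersect the console's allow-list;
    the request string is validated syntactically first so that the
    inventory is the only thing that ever selects a device path.
    """
    name = (requested or "").strip()
    if not NAME_RE.match(name):
        raise AccessDenied("malformed console name")
    entry = inventory.get(name)
    if entry is None:
        raise AccessDenied("unknown console")
    if not set(user_groups) & entry["allowed"]:
        raise AccessDenied("not authorised for this console")
    return entry["device"], entry["baud"]


def build_argv(device, baud):
    """Argument vector for the terminal program (picocom assumed installed)."""
    return ["picocom", "-b", str(baud), device]


def main():
    import grp    # Unix-only, so imported here rather than at module level
    import pwd
    import syslog

    user = pwd.getpwuid(os.getuid()).pw_name
    groups = {g.gr_name for g in grp.getgrall() if user in g.gr_mem}
    groups.add(grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name)
    requested = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    peer = os.environ.get("SSH_CLIENT", "?").split()[0]

    syslog.openlog(ident="console-gate", facility=syslog.LOG_AUTH)
    try:
        device, baud = resolve_console(requested, groups)
    except AccessDenied as exc:
        syslog.syslog(syslog.LOG_WARNING,
                      f"DENY user={user} from={peer} request={requested!r}: {exc}")
        print(f"console-gate: {exc}", file=sys.stderr)
        print("usage: ssh <drone> <console>; consoles: "
              + ", ".join(sorted(CONSOLES)), file=sys.stderr)
        sys.exit(1)

    syslog.syslog(syslog.LOG_INFO,
                  f"ALLOW user={user} from={peer} console={requested} device={device}")
    argv = build_argv(device, baud)
    os.execvp(argv[0], argv)   # replace this process; no shell is ever spawned


if __name__ == "__main__":
    main()
```

Because the session is a ForceCommand, the inventory file on the drone is the entire policy: adding a port means adding one line there, and the sshd Match block keeps forwarding and X11 off so the drone cannot be used to reach the management network itself.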