[28436] in North American Network Operators' Group
RE: SSH on Cisco Routers (was RE: ABOVE.NET SECURITY TRUTHS?)
daemon@ATHENA.MIT.EDU (Roeland Meyer (E-mail))
Sat Apr 29 14:40:48 2000
Reply-To: <rmeyer@mhsc.com>
From: "Roeland Meyer (E-mail)" <rmeyer@mhsc.com>
To: "'Ron Buchalski'" <rbuchals@hotmail.com>, <babydr@baby-dragons.com>, "'Paul Ferguson'" <ferguson@cisco.com>
Cc: <nanog@merit.edu>
Date: Sat, 29 Apr 2000 11:38:59 -0700
Message-ID: <006401bfb20a$2f95b260$eaaf6cc7@PEREGRIN>
In-Reply-To: <20000429043953.40196.qmail@hotmail.com>
> Ron Buchalski
> Sent: Friday, April 28, 2000 9:40 PM
>
> SSH1 is supported on the following platforms starting in 12.1(1)T:
>
> C17x0, C25xx, C26xx, C36xx, C4x00, C7x00
I sadly note the conspicuous absence of the 3512XL, 3524XL and the entire Cat 65xx series from this list <sigh>.
Granted the 65xx can't quite keep up with its advertised bandwidth (an indicator of insufficient CPU somewhere), but I never require more than 65% of advertised capacity anyway (comes out to ~80 Gbps), by design, which the Cat6509 can do easily. The Cat6509 is still my favorite chassis, for internal LAN switching. I use 3512XL's (or 3524XL) for end-point switching when the server doesn't have a gig-E card (and never use more than 7 ports per gig-E uplink). I've spec'd three datacenters like this in the past 6 months, one is currently in production.
WRT: external access

Speaking as a suit, it is fine and dandy to make statements barring external access, but when running a 24x7 portal, it is deucedly expensive to maintain 24x7 staff at the co-lo. Especially, since most things can be fixed by a CLI login. This is where technical theory and business reality can clash. Also, down-time can be reduced when the on-call tech doesn't have to spend an hour driving into the co-lo from home (maybe getting into a wreck on the way, due to lack of sleep). This is exacerbated when doing regional datacenters, thousands of miles away from the nearest staff member. Granted, the problem may not be this severe for the co-lo operator themselves. But, the co-lo customer certainly has this problem. Co-lo operations is remote datacenter operations, for the co-lo customer, by definition.
WRT: Passwd diversification

Known fact: The average person can track no more than 7 +/-2 related items, at any given time. This is also, coincidentally, the maximum number of passwd's that the average person can remember, without confusion or forgetfulness, without writing them down somewhere. The real number is actually 3-4, because they also have to remember their ATM passcodes and the like.

Given 15 or 20 switches, routers, and hosts, for a decent sized portal site, each having a unique passwd, you have virtually guaranteed that these passwd's are written down somewhere, officially or not (mine are in my palm pilot).

Which is worse, untracked and unofficial passwd lists, or commonly used passwds? Upgrading human memory isn't a viable third alternative.
WRT: SSH CPU overhead

A PalmPilot has more total system capacity than an original IBM-PC (including disk drives) and about 8 times the CPU power. It can easily implement SSH. Granting my statement, wrt 65xxx series Capacity, I'd STILL like to see SSHD implemented there (now that I have a Cisco rep's attention <grin>). Yes, please consider this a customer request.
WRT: SSH direct logins

Even though I have RSA enabled my SSH sessions, I don't allow passwdless login on any host [even if it's the same passwd]. It may be a small annoying speed-bump, for an SA, but it prevents run-amuck hackers and code from infecting other connected hosts. I've actually had this save my bacon a few times and I've seen some negative results using passwdless logins (system cracks AND runaway code[mine]).
Finally:

I'd like to see every internal and systems management packet using either 3DES or blowfish, or using SSH, SSL, or TLS systems (OpenSSL anyone?). I routinely do this within my systems, by design (webserver to Oracle database server, and others) and if everyone else were doing it then B2B would be easier (more secure) as well. As I stated earlier, in a universe of encrypted packets, the plain-text ones stand out like sore thumbs. If they are also systems management packets then the would-be cracker has a much easier time of things.

Incidentally, if this should wreak havoc with CALEA requirements, <sarcasm> it would just break my heart </sarcasm> <GRIN>.
---
R O E L A N D M . J . M E Y E R
CEO, Morgan Hill Software Company, Inc.
An eCommerce and eBusiness practice
providing products and services for the Internet.
Tel: (925)373-3954
Fax: (925)373-9781
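The post's closing argument is that cleartext management sessions are the ones a defender should be hunting for. The following is an added example, not code from the original post or from any vendor, showing how a flow-record audit can surface them; it assumes flows arrive as (src_ip, dst_ip, dst_port, proto) tuples from a collector, and the port-to-service map is an assumed starting list, not a complete one.

```python
"""Spot cleartext management sessions in flow records (added example)."""
from collections import defaultdict

# Cleartext management services the post argues should be replaced by
# SSH/SSL/TLS. SNMP v1/v2c is listed because community strings travel
# unencrypted; SNMPv3 with privacy needs a deeper check than a port.
# Assumption: these port/service pairs are a starting list only.
CLEARTEXT = {23: "telnet", 21: "ftp", 69: "tftp", 161: "snmp", 80: "http"}
ENCRYPTED = {22: "ssh", 443: "https"}


def audit_flows(flows):
    """Group management flows by destination device.

    Returns {dst_ip: {"cleartext": {service: [src, ...]},
                      "encrypted": {service, ...}}} so a defender can see
    which devices still accept cleartext sessions and which of those
    already speak an encrypted alternative.
    """
    report = defaultdict(lambda: {"cleartext": defaultdict(list),
                                  "encrypted": set()})
    for src, dst, dport, _proto in flows:
        if dport in CLEARTEXT:
            report[dst]["cleartext"][CLEARTEXT[dport]].append(src)
        elif dport in ENCRYPTED:
            report[dst]["encrypted"].add(ENCRYPTED[dport])
    return {d: {"cleartext": dict(v["cleartext"]),
                "encrypted": v["encrypted"]} for d, v in report.items()}


def migration_candidates(report):
    """Devices reached over cleartext that already accept SSH or HTTPS."""
    return sorted(d for d, v in report.items()
                  if v["cleartext"] and v["encrypted"])


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.1", 22, "tcp"),     # ssh to a switch
    ("10.0.0.5", "10.0.1.1", 23, "tcp"),     # telnet to the same switch
    ("10.0.0.9", "10.0.1.2", 161, "udp"),    # snmp poll of a router
    ("10.0.0.5", "10.0.2.10", 443, "tcp"),   # https to a server
    ("10.0.0.7", "10.0.2.10", 8080, "tcp"),  # not a management port here
]

if __name__ == "__main__":
    rep = audit_flows(SAMPLE_FLOWS)
    for dst in sorted(rep):
        print(dst, rep[dst])
    print("migration candidates:", migration_candidates(rep))
```

Devices listed as migration candidates already accept SSH or HTTPS, so the cleartext service can be disabled there first without losing remote access.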