[40014] in North American Network Operators' Group
Re: telnet vs ssh on Core equipment , looking for reasons why ?
daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Tue Jul 31 10:18:51 2001
Date: Tue, 31 Jul 2001 15:16:17 +0100 (BST)
From: "Stephen J. Wilcox" <steve@opaltelecom.co.uk>
To: fingers <fingers@fingers.co.za>
Cc: "Mr. James W. Laferriere" <babydr@baby-dragons.com>,
nanog@merit.edu
In-Reply-To: <20010731155409.J6051-100000@snow.fingers.co.za>
Message-ID: <Pine.LNX.4.21.0107311514050.23776-100000@staff.opaltelecom.net>
> > true, but i would point out that if it's your core equipment that you are
> > accessing from your network that sits directly on the core then you should
> > be happy with the fact that no one is eavesdropping and it makes no
> > difference.
>
> not everyone has out-of-band networks for management. Management of
> devices is sometimes done thousands of miles away. Remember also that this
> traffic can be sniffed before it gets to the core (yes, ssh is sniffable
> as well, but just not as easily, and at least it's not in plaintext)
This is in-band. If, as you say, you are accessing from another network then
this is where the encryption kicks in being useful; however, that raises
another question: do you just allow any host to connect providing they
can authenticate? I know my login ports are restricted at both network and
host level to specific authorized addresses...
> > so that's my main logic, authentication... I can't understand the big
> > paranoia on people sniffing though!
>
> unfortunately ssh is just as sniffable if it's an arp spoof, but hopefully
> it's not as easy for the naughty eavesdropper to get into the right
> position for that....
Exactly, it's probably easier to hack the box by other means than sniffing
auth details!
Steve
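One way to apply the two controls discussed in this thread (ssh instead of telnet on the login ports, and restricting those ports to specific authorized management addresses), as an added example that is not part of the original post or any poster's own configuration. It assumes a Cisco IOS device, which the thread does not name; 192.0.2.0/24 is a constructed placeholder for the management prefix and the hostname and domain are placeholders too.

```cisco
! --- Weak configuration (assumed starting point, not from the thread) ---
! Plaintext telnet from any source host; the only control is the password.
line vty 0 4
 transport input telnet
 password cisco
 login

! --- Hardened configuration ---
! ssh needs a hostname and domain name before an RSA host key can be generated.
hostname core-rtr-1
ip domain-name example.invalid
crypto key generate rsa modulus 2048
ip ssh version 2

! Network-level restriction: only the management prefix may reach the vty lines.
! Every other source is dropped and logged so the attempt shows up in syslog.
access-list 10 remark management hosts only (placeholder prefix)
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log

line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
```

The deny-with-log entry is the detection half: any connection attempt from outside the management prefix is refused before authentication and appears in the device log.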