[40055] in North American Network Operators' Group


RE: telnet vs ssh on Core equipment , looking for reasons why ?

daemon@ATHENA.MIT.EDU (Grace, Terry)
Tue Jul 31 17:25:09 2001

Message-ID: <B3AA75A19260D3118F3B00902798992B023C8D7E@mail2.thestar.ca>
From: "Grace, Terry" <tgrace@thestar.ca>
To: 'Mike Hoskins' <mike@TELEVOKE.COM>
Cc: "'nanog@merit.edu'" <nanog@merit.edu>
Date: Tue, 31 Jul 2001 17:20:50 -0400
Errors-To: owner-nanog-outgoing@merit.edu


Actually, we do this now for our VPN users. Cisco Secure ACS 2.6 for NT
proxies authentication requests to an ACE/Server 5.0 (works with 4.1 as
well). Fairly straightforward to set up. I believe you can get evals of both
products. Both servers have replication partners for redundancy and sit in a
firewall DMZ. VPN users must log into a VPN web site using their tokens to
obtain the VPN client. 

Gonna try this with our routers RSN.

-----Original Message-----
From: Mike Hoskins [mailto:mike@TELEVOKE.COM]
Sent: Tuesday, July 31, 2001 4:04 PM
To: Grace, Terry
Subject: Re: telnet vs ssh on Core equipment , looking for reasons why ?



I've been thinking of doing precisely this...  Any pointers to info on
something like this?  I haven't researched it much yet (busy with IDS
atm).

Thanks,
-Mike

> "Grace, Terry" wrote:
> 
> Here's an alternative that might work. Authenticate via Radius which
> in turn proxies the authentication request to a SecurId server. With
> one time passwords, who cares if they get sniffed? You also get the
> benefit of having your Radius server being able to do
> accounting/access control on the sessions as well.
> 
> -----Original Message-----
> From: Dave Israel [mailto:davei@biohazard.demon.digex.net]
> Sent: Tuesday, July 31, 2001 2:43 PM
> To: alex@yuriev.com
> Cc: nanog@merit.edu
> Subject: RE: telnet vs ssh on Core equipment , looking for reasons why
> ?
