[71055] in North American Network Operators' Group


Re: SSH on the router - was( IT security people sleep well)

daemon@ATHENA.MIT.EDU (Edward B. Dreger)
Mon Jun 7 14:07:55 2004

Date: Mon, 7 Jun 2004 18:07:19 +0000 (GMT)
From: "Edward B. Dreger" <eddy+public+spam@noc.everquick.net>
To: nanog@merit.edu
In-Reply-To: <OF73E390E7.27FC2ECE-ON80256EAC.003931C6-80256EAC.003A972B@radianz.com>
Errors-To: owner-nanog-outgoing@merit.edu


> Date: Mon, 7 Jun 2004 11:39:57 +0100
> From: Michael.Dillon@rad...


> Consider the case of a staff member lounging in the backyard on
> a lazy Saturday afternoon with their iBook. They have an 802.11
> wireless LAN at home so they telnet to their Linux box in the
> kitchen and run SSH to the router. Ooops!

I see.  SSH doesn't solve all problems, and therefore must be
worthless.

Now let's look at kerberized telnet.  Someone logs in via
kerberized telnet over an insecure network, then decides to
change his/her password.  Oops.

Someone could screw up OTP SSH+KRB5 logins over IPSec if using a
compromised box with a keylogger installed.  Does that mean each
of these technologies is worthless?


> The only way to protect against that sort of situation is to
> encourage everyone to be security-minded and not take risks
> where the network is concerned.

Definitely.  Alas, I'm seeing more "it won't happen to me" than
in the past.  It's almost as if the "logic" is "I hear more about
this, but haven't noticed anything awful, and therefore must be
invincible."


Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
          DO NOT send mail to the following addresses :
  blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net
Sending mail to spambait addresses is a great way to get blocked.
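The scenario Dillon describes above (a cleartext telnet hop over home wireless, followed by SSH from that box to the router) is one a network operator can look for in flow data rather than only lecture about. The following is an added example, not code from the original thread or from either author: it parses a few constructed flow records, then flags any host that accepted an inbound cleartext session (telnet, ftp, http) and, within a short window, opened SSH to a router. The record format, the addresses, the router set and the 30-minute window are all assumptions made for the example.

```python
"""Flag 'cleartext-in, encrypted-out' hop chains in simple flow records.

Detection logic for the pattern discussed on the list: a management host
reached over a cleartext protocol that then opens SSH to a router. The
encrypted hop is only as strong as the cleartext hop in front of it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not from the original post).
# Fields: timestamp, src_ip, dst_ip, dst_port, protocol
SAMPLE_FLOWS = """\
2004-06-05T15:01:10Z,192.168.1.20,192.168.1.10,23,tcp
2004-06-05T15:01:42Z,192.168.1.10,10.0.0.1,22,tcp
2004-06-05T16:30:00Z,192.168.1.30,10.0.0.1,22,tcp
2004-06-05T17:00:00Z,192.168.1.20,192.168.1.10,23,tcp
2004-06-05T18:30:00Z,192.168.1.10,10.0.0.2,22,tcp
"""

# Assumed router management addresses and cleartext service ports.
ROUTERS = {"10.0.0.1", "10.0.0.2"}
CLEARTEXT_PORTS = {23, 21, 80}  # telnet, ftp, http
WINDOW = timedelta(minutes=30)  # how long a cleartext login "taints" the host


def parse_flows(text):
    """Parse CSV flow lines into dicts, sorted by timestamp."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, proto = line.split(",")
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst,
            "port": int(port),
            "proto": proto,
        })
    flows.sort(key=lambda f: f["ts"])
    return flows


def find_hop_chains(flows, routers=ROUTERS, window=WINDOW,
                    cleartext_ports=CLEARTEXT_PORTS):
    """Return (cleartext_flow, ssh_flow) pairs where a host that accepted a
    cleartext session then opened SSH to a router within `window`."""
    recent_cleartext = defaultdict(list)  # receiving host -> inbound cleartext flows
    chains = []
    for f in flows:
        if f["proto"] != "tcp":
            continue
        if f["port"] in cleartext_ports:
            recent_cleartext[f["dst"]].append(f)
        elif f["port"] == 22 and f["dst"] in routers:
            # The SSH client here is the host that was just reached in cleartext.
            for c in recent_cleartext.get(f["src"], []):
                if timedelta(0) <= f["ts"] - c["ts"] <= window:
                    chains.append((c, f))
    return chains


def describe(chain):
    """Human-readable one-liner for an alert."""
    c, s = chain
    return (f"{c['src']} -> {c['dst']}:{c['port']} (cleartext) at {c['ts']:%H:%M:%S}, "
            f"then {s['src']} -> {s['dst']}:22 (ssh) at {s['ts']:%H:%M:%S}")


if __name__ == "__main__":
    for chain in find_hop_chains(parse_flows(SAMPLE_FLOWS)):
        print("hop chain:", describe(chain))
```

On the sample data only the first pair is reported: the 15:01 telnet into 192.168.1.10 followed 32 seconds later by SSH from that host to 10.0.0.1. The later telnet at 17:00 and SSH at 18:30 fall outside the window and stay quiet, which is the trade-off to tune: a longer window catches more chains and more coincidences.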

