[71061] in North American Network Operators' Group
Re: SSH on the router - was( IT security people sleep well)
daemon@ATHENA.MIT.EDU (Alex Bligh)
Mon Jun 7 17:13:17 2004
Date: Mon, 07 Jun 2004 22:12:36 +0100
From: Alex Bligh <alex@alex.org.uk>
Reply-To: Alex Bligh <alex@alex.org.uk>
To: Randy Bush <randy@psg.com>, Michael.Dillon@radianz.com
Cc: nanog@merit.edu, Alex Bligh <alex@alex.org.uk>
In-Reply-To: <16580.44936.434801.42241@ran.psg.com>
Errors-To: owner-nanog-outgoing@merit.edu

--On 07 June 2004 11:10 -0700 Randy Bush <randy@psg.com> wrote:
>> It makes more sense to funnel everything through secure gateways and
>> then use SSH as a second level of security to allow staff to connect
>> to the secure gateways from the Internet. Of course these secure
>> gateways are more than just security proxies; they can also contain
>> diagnostic tools, auditing functions, scripting capability,
>> etc.
>
> and all the other things single points of failure need. like
> pixie dust, chicken entrails, ...

Where did the word "single" come from, given he had an "s" on gateways?
Replicate them across POPs. Having lots of routers accessible from a small
number of machines, which are (relatively) widely accessible but can be
firewalled to hell, seems a better option than having lots of routers
accessible from a large number of machines (esp. ones outside one's own
administrative domain, e.g. home machines). YMMV. [no I don't think
they need the other pixie dust stuff on though]
Alex