Security Basics mailing list archives
Re: Telnet Security Question for a Router.
From: "kawaii" <trunks () stackers org>
Date: Wed, 11 Dec 2002 15:05:46 -0500
From: "Tony Toni" <tony572000 () hotmail com>
Sent: Tuesday, December 10, 2002 21:45
We were currently written up by our external auditors because we use telnet to access all of our routers. In some cases we use a filtered Telnet service...but that is not the normal practice. We are a fairly good size company with about 1000+ routers. I am charged with coordinating a response to the auditors. I know all of the security issues involved with Telnet...i.e. login id and password sent across the network in clear text, etc.

My question: Is it possible to use SSH or CISCO TACACS+ to encrypt the entire Telnet session? Is there a way to ensure no one can sniff the login id and password? The Network Services Group is adamant that neither SSH nor CISCO TACACS+ will work on a router to correct the security issue.
Just a quick scan through the Cisco website shows that (at a minimum) all IOS versions from 12.0 and up have Kerberos 5 authentication, as well as RADIUS and TACACS+. My understanding (and it is limited, to be sure) is that any of those authentication methods will not send login id and password in clear-text. It will not encrypt the entire telnet session, to my knowledge.

This is all assuming that you use Cisco equipment. If you use other vendors, you will have to make sure that they support TACACS+ or RADIUS. But if the auditor's concern is only that authentication is done via clear-text, using TACACS+ or RADIUS will resolve it. I don't know if SSH is supported on the routers, but I know that all of their PIX line supports ssh as an option.
Tony
CIA, CISA, CDP, MBA
Security and Audit Services
Nations Banking & Trust
Ever lovable and always scrappy,
kawaii
"Cunnilingus and psychiatry brought us to this." - Tony Soprano
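For the audit response described in the original question, a first step is an inventory of which vty lines on each router still accept Telnet. The following is an added example, not part of either post: the function names and the sample configuration are constructed for illustration, and a vty block with no explicit `transport input` line is flagged for manual review on the assumption that the default depends on the IOS release.

```python
# Constructed sample configuration (not taken from any real router).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
line con 0
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 transport input ssh
line vty 16 31
 login local
!
end
"""

def vty_blocks(config_text):
    """Yield (vty_range, [sub-commands]) for each 'line vty' block."""
    block = None
    for raw in config_text.splitlines():
        if raw.startswith("line vty "):
            if block:
                yield block
            block = (raw[len("line vty "):].strip(), [])
        elif block and raw.startswith(" "):
            block[1].append(raw.strip())   # indented line belongs to the block
        elif block:
            yield block                    # unindented line ends the block
            block = None
    if block:
        yield block

def audit_vty_transport(config_text):
    """Return [(vty_range, status)] with status TELNET, OK or REVIEW."""
    findings = []
    for vty_range, commands in vty_blocks(config_text):
        protocols = None
        for cmd in commands:
            if cmd.startswith("transport input"):
                protocols = cmd.split()[2:]
        if not protocols:
            status = "REVIEW"   # no explicit setting: check the release default
        elif "telnet" in protocols or "all" in protocols:
            status = "TELNET"   # cleartext remote login is accepted
        else:
            status = "OK"       # e.g. 'ssh' only, or 'none'
        findings.append((vty_range, status))
    return findings

if __name__ == "__main__":
    for vty_range, status in audit_vty_transport(SAMPLE_CONFIG):
        print(f"line vty {vty_range}: {status}")
```

Run against saved copies of each router's running configuration, the TELNET and REVIEW rows give the list of lines that need a change or a closer look.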