Security Basics mailing list archives

Re: Telnet Security Question for a Router.


From: "kawaii" <trunks () stackers org>
Date: Wed, 11 Dec 2002 15:05:46 -0500

From: "Tony Toni" <tony572000 () hotmail com>
Sent: Tuesday, December 10, 2002 21:45



We were recently written up by our external auditors because we use telnet
to access all of our routers.  In some cases we use a filtered Telnet
service...but that is not the normal practice.  We are a fairly good size
company with about 1000+ routers.

I am charged with coordinating a response to the auditors.   I know all of
the security issues involved with Telnet...ie login id and password sent
across the network in clear text, etc.   My question:   Is it possible to
use SSH or CISCO TACACS+ to encrypt the entire Telnet session?  Is there a
way to ensure no one can sniff the login id and password?   The Network
Services Group is adamant that neither SSH nor CISCO TACACS+ will work on a
router to correct the security issue.


Just a quick scan through the Cisco website shows that (at a minimum), all
IOS versions from 12.0 and up have Kerberos 5 authentication, as well as
RADIUS and TACACS+. My understanding (and it is limited, to be sure) is that
any of those authentication methods will not send login id and password in
clear-text. It will not encrypt the entire telnet session, to my knowledge.

This is all assuming that you use Cisco equipment. If you use other vendors,
you will have to make sure that they support TACACS+ or RADIUS.

But if the auditor's concern is only that authentication is done via
clear-text, using TACACS+ or RADIUS will resolve it. I don't know if SSH is
supported on the routers, but I know that their whole PIX line supports ssh
as an option.

Tony, CIA, CISA, CDP, MBA
Security and Audit Services
Nations Banking & Trust


Ever lovable and always scrappy,
kawaii

"Cunnilingus and psychiatry brought us to this." - Tony Soprano
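As an added example (not part of kawaii's reply or of Tony's original post), here is the change the thread is discussing written out as Cisco IOS configuration: the clear-text vty setup the auditors object to, followed by the corrected version that authenticates through TACACS+ and accepts only SSH on the vty lines. Hostname, domain name, the TACACS+ server address, the management subnet and the shared key are placeholders. One point worth keeping straight when answering the auditors: TACACS+ (and RADIUS) protects only the exchange between the router and the AAA server, so a Telnet login still carries the administrator's password in the clear between the workstation and the router; it is the `transport input ssh` line that closes that path.

```cisco
! ---- BEFORE: the setup the auditors wrote up (clear-text Telnet, shared line password)
line vty 0 4
 password cisco
 login
 transport input telnet

! ---- AFTER: SSH management plane with TACACS+ authentication
! Example values only; replace hostname, domain, addresses and key.
hostname rtr-example
ip domain-name example.net
!
! An RSA keypair must exist before the SSH server will start.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! AAA: authenticate and authorize against TACACS+, fall back to a local
! account only when the server cannot be reached. The shared key protects
! the router <-> TACACS+ server exchange, not the admin <-> router session.
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE-SHARED-KEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
! Local fallback account and enable password, stored hashed rather than
! reversibly encrypted.
username admin privilege 15 secret EXAMPLE-LOCAL-PASSWORD
enable secret EXAMPLE-ENABLE-PASSWORD
service password-encryption
!
! Only the management subnet may reach the vty lines.
access-list 10 permit 198.51.100.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 login authentication default
 transport input ssh
```

After applying it, `show ip ssh` should report the SSH server enabled with version 2, `show tacacs` shows the server and whether authentication requests are reaching it, and a Telnet attempt to the router should be refused outright since the vty lines no longer accept that transport. With 1000+ routers, confirm the IOS image on each platform actually carries the SSH feature set before rolling the vty change out, or the lockout is immediate.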
