Security Basics mailing list archives
RE: Telnet Security Question for a Router.
From: "d'Ambly, Jeff" <jdambly () monster com>
Date: Thu, 12 Dec 2002 13:41:35 -0500
Here is a great example of a secure router config: http://www.cymru.com/Documents/secure-ios-template.html

As I see it, TACACS is the only way to go for router logins; I don't know why they would object to it. I don't see why they would object to ssh; as far as I know ssh does not send clear text passwords. I used ssh and sniffed out all my packets and I did not see the password in clear text.

I object to ssh on the routers because the code releases that support ssh tend to be buggy. This is not directly related to ssh. The problem is that these images also support other features that have not been fully tested. I like to run service provider on all my routers; this is a stripped down image and does not have all the features that you may need. I don't use any but the basic features (BGP, CEF, ISL) and I run an IP only network, so it makes more sense for me to use that. In the end it is up to you what code you choose; the TAC can help you with that.

Some other people don't like the added CPU overhead ssh gives the routers. This really depends on what platform you are using and what the CPU usage is on the router. If the routers are really busy I have seen some cases where ssh will hinder troubleshooting.

Hope this helps.

-----Original Message-----
From: Charley Hamilton [mailto:chamilto () uci edu]
Sent: Wednesday, December 11, 2002 4:28 PM
To: SECURITY-BASICS () securityfocus com
Subject: Re: Telnet Security Question for a Router.
> The Network Services Group is adamant that neither SSH nor CISCO TACACS+ will work on a router to correct the security issue.

*blink blink*

As a relative newbie/ignorant, I am distressed to hear that ssh doesn't "correct the security issues" with regard to clear-text username/password travel. Doesn't ssh send *all* traffic (from login to logoff inclusive) encrypted? Granted, no encryption is perfect, but take a large key and it'll take a while to decrypt, no?

If you don't want to have passwords traveling at all, use keypairs with passphrases, with the keys stored on encrypted removable media. (That's my strategy for my ssh/sftp servers.)

Is there something specific to routers that makes this solution inappropriate? Alternatively, is there some other problem with the routers that makes ssh an incomplete solution?

Inquiring (newbie) minds want to know!

Charley

--
Charles Hamilton, PhD EIT Faculty Fellow
Department of Civil and Environmental Engineering
University of California, Irvine
Phone: 949.824.3752
FAX: 949.824.2117
Email: chamilto () uci edu
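The thread argues about replacing cleartext telnet logins with SSH and TACACS+ on a Cisco router. As an added illustration that is not part of any message in the thread (and not the Cymru template linked above), here is an IOS configuration fragment showing the weak vty setup beside a hardened one. The hostname, domain name, TACACS+ server address and keys, the management subnet and the local fallback account are all placeholders to be replaced.

```cisco
! ---------------------------------------------------------------
! WEAK (what the original poster is trying to get rid of):
! telnet in the clear, a shared line password, no AAA, no ACL.
! Anyone sniffing the path sees the password in the TCP stream.
! ---------------------------------------------------------------
line vty 0 4
 password cisco
 login
 transport input telnet

! ---------------------------------------------------------------
! HARDENED: SSH only, per-user AAA against TACACS+, local fallback,
! management ACL and idle timeout on the vty lines.
! ---------------------------------------------------------------
! Hostname and domain name must exist before the RSA key is generated.
hostname rtr1
ip domain-name example.net
! placeholder: 2048-bit host key for the SSH server
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Per-user authentication/authorization/accounting via TACACS+.
! "local" at the end of the method list is the fallback if every
! TACACS+ server is unreachable, so the router stays manageable.
aaa new-model
! placeholder server address and shared key
tacacs-server host 192.0.2.10 key 0 ReplaceThisKey
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
! placeholder local fallback account, hashed with "secret" not "password"
username admin privilege 15 secret ReplaceThisToo
!
! Only the management subnet (placeholder) may reach the vty lines.
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 access-class MGMT in
 exec-timeout 10 0
 transport input ssh
 logging synchronous
```

After applying the hardened block, `show ip ssh` should report the SSH server enabled, and a telnet connection to port 23 should be refused because `transport input ssh` removes telnet from the allowed protocols. Two caveats that fit Jeff's remarks about image choice: `ip ssh version 2` only exists on releases that ship SSHv2 (2002-era images typically offered SSHv1 only), and the `tacacs-server host` form shown is the older syntax, which newer trains replace with `tacacs server NAME` blocks. Check the release notes for the image you actually run before pasting any of this in.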
Current thread:
- Re: Telnet Security Question for a Router., (continued)
- Re: Telnet Security Question for a Router. kawaii (Dec 11)
- Re: Telnet Security Question for a Router. Jeremy Anderson (Dec 11)
- Re: Telnet Security Question for a Router. Jill Tovey (Dec 12)
- Re: Telnet Security Question for a Router. Charley Hamilton (Dec 12)
- Re: Telnet Security Question for a Router. Mark Maher (Dec 12)
- RE: Telnet Security Question for a Router. Tim Donahue (Dec 12)
- Re: Telnet Security Question for a Router. Eric Schroeder (Dec 12)
- FW: Telnet Security Question for a Router. Stephen Wilcox (Dec 13)
- Re: Telnet Security Question for a Router. Chris Berry (Dec 13)
- RE: Telnet Security Question for a Router. Stephen Wilcox (Dec 16)
- RE: Telnet Security Question for a Router. d'Ambly, Jeff (Dec 13)