Re: Cisco PIX with SSH enabled on external port for maintenance

[Cory Stoker <cory () clearnetsec com>]

I took the original poster as wanting to enable SSH to the PIX itself  
for maintenance on the PIX......

If this is the case then:

- PIX SSH does not support public key authentication.  (At least I  
think so, how would this work on a PIX with a limited filesystem?)

- PIX OS versions below 7.0 do not support SSH version 2 which means  
that it has security issues.

- If you do not know the external IP addresses connecting to the PIX  
for maintenance you would have to open it to all which means that SSH  
brute forcing attempts would be possible.  VPN fixes this by  
requiring you to authenticate to the VPN then to the PIX thereby  
alleviating the brute force issue by not having SSH available to the  
outside world.

- PIX supports VPN so what other hardware would there be?  Of course  
you have to have a cryptographic license but I think these are free.

- PIX VPN's support split tunneling so you would not be disconnected.

- VPN also allows you to do other maintenance things like TFTP backup  
and SNMP querying.  As far as the PIX SSH it is not as robust as  
OpenSSH so no tunneling through it like you do on a computer running  
OpenSSH.  Also you have the ability to filter, log, and deny things  
from the VPN tunnel.

- Yes the VPN encrypts traffic so that is why you can telnet to the  
PIX after you VPN as telnet would be encrypted too by the VPN.   
However many deny telnet across the board so in that case you would  
VPN then SSH with the being double encrypted.....

- You could have a server available from the Internet with SSHD  
running that then tunnels you to the PIX on the inside interface but  
this solution has a major flaw of having to go through the PIX  
first.  What if you mess up the "static", "nat", or "access-list" on  
the PIX which means you are severed from the inside network from the  
Internet?  Many times the PIX itself is available but nothing past it  
is in my experience.  Plus you would need this server which is an  
extra item.

Thanks,
---
Cory Stoker
ClearNet Security


On Nov 16, 2005, at 3:09 PM, Alloishus BeauMains wrote:

> You can tunnel everything through SSH as well as VPN. VPN just closes
> down local network access if specified. VPN can use group
> authentication, but this seems to be just like an authentication key
> much like the one that SSH has.
>
> If you use an authentication key (This is an encrypted physically
> different file you have to load on your outside machines) and then an
> appropriate passphrase to go with it. SSH already encrypts the
> traffic, just like VPN.
>
> I am not sure how much VPN offers, additionally to this. Especially
> not for the money, since SSH (with SSHD) is completely free and can be
> loaded on any system.
>
> So, to me, it seems like you would be paying for, or supplying more
> equipment only to get the "disconnected from rest of LAN" portion of
> VPN.
>
> Anyhow, there is my take on it. You can make SSH as secure as you want
> it to be through those methods I mentioned.
>
> On 11/15/05, John Maher <john.e.maher () gmail com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> >
> > Chris Largret wrote:
> > > If you DO allow access to SSH to the outside world, there are a few
> > > things you can do to make it more secure:
> > >
> > > 1. Use a non-standard port
> > > 2. Use only the strongest algorithms that SSH supports
> > > 3. Change the passwords regularly
> > > 4. Allow only strong passwords
> > > 5. Limit which IP addresses can connect
> >
> > If feasible, I would recommend using public key authentication and
> > disabling password authentication.
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.1 (GNU/Linux)
> > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> >
> > iD8DBQFDeknDuY7WcSII22oRAqCHAJ0cidbUKqRm4qUKzu/8buP/62haAgCcDJhf
> > H7mx4DzKwoJz01a/R6gVN+M=
> > =r+xe
> > -----END PGP SIGNATURE-----