Educause Security Discussion mailing list archives

Re: SSL/SSH certificates


From: Greg Washburn <gwashburn () MBC EDU>
Date: Thu, 13 May 2010 12:50:45 -0400

We tend to use self-signed certs on the IOS devices you list below.  Along
with proper access lists and authorization restrictions we believe it
provides more than adequate protection.  Typically, only the IT staff
connect to these devices and they would ignore the security prompts from an
SSH or SSL management session.

On our servers and publicly accessible network devices (think VPN) we tend
to utilize wildcard certs, which saves a great deal of $$$s.  Some of our
devices do require that we do not use wildcard certs (NAC and older IBM
servers come to mind).  In other words, should you go with a wildcard cert,
keep in mind that not all devices will support them.

Greg Washburn
CISSP, CCNA, MCSE
Sr. Network/System Admin
540.887.7352
540.280.6087
Mary Baldwin College
www.mbc.edu

*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Entwistle, Bruce
*Sent:* Thursday, May 13, 2010 12:02 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] SSL/SSH certificates

We are currently reviewing our network security.  One of the tools we are
using in this process is reporting a vulnerability as a result of using
self-signed certificates on our Cisco IOS devices (switches, routers, access
points) for SSH and SSL connections.  Rather than purchase 300 certificates
to address this issue, I thought I would ask what others are doing in this
area.

Thank you

Bruce Entwistle
Network Manager
University of Redlands
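As an added illustration of the two decisions in this thread (the self-signed device certificates the scanner flags, and the wildcard certificates that not every device accepts), here is a small Python triage script; it is not from either message nor from Cisco, and the hostnames, organization names and certificate dicts in it are constructed placeholders.

```python
"""Triage the findings in this thread: is a device certificate self-signed, and does a
wildcard certificate actually cover a given hostname? Certificate dicts follow the
shape Python's ssl.getpeercert() returns; the samples below are constructed, not real."""

def _flatten(name):
    # getpeercert() encodes a name as a tuple of RDNs, each a tuple of (attr, value) pairs
    return {attr: value for rdn in name for attr, value in rdn}

def is_self_signed(cert):
    """Issuer identical to subject is the usual fingerprint of a self-signed certificate."""
    return _flatten(cert["subject"]) == _flatten(cert["issuer"])

def wildcard_matches(pattern, hostname):
    """RFC 6125 style matching: '*' must be the whole leftmost label, matches exactly one
    label, and never covers the bare parent domain (*.example.edu != example.edu)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or "*" in tail or "." not in tail:
        return False  # rejects partial labels (f*.example.edu), nested wildcards and *.tld
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail

def cert_covers(cert, hostname):
    """Match against SAN dNSNames; fall back to the subject CN only when no SAN exists."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [_flatten(cert["subject"]).get("commonName", "")]
    return any(wildcard_matches(name, hostname) for name in names)

def triage(cert, hostname):
    """Return (issuer_kind, name_ok) so a scanner finding can be sorted into
    'expected on a management-only device' versus 'real name mismatch'."""
    return ("self-signed" if is_self_signed(cert) else "CA-issued", cert_covers(cert, hostname))

# Constructed sample certificates (placeholder names, no real issuer or serial).
SWITCH_CERT = {  # what a default IOS device certificate looks like to a scanner
    "subject": ((("commonName", "IOS-Self-Signed-Certificate-0000000000"),),),
    "issuer": ((("commonName", "IOS-Self-Signed-Certificate-0000000000"),),),
}
WILDCARD_CERT = {  # a CA-issued wildcard cert like the one used on a VPN head-end
    "subject": ((("organizationName", "Example College"),), (("commonName", "*.example.edu"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA"),)),
    "subjectAltName": (("DNS", "*.example.edu"), ("DNS", "example.edu")),
}

if __name__ == "__main__":
    print(triage(SWITCH_CERT, "core-sw1.example.edu"))  # ('self-signed', False)
    print(triage(WILDCARD_CERT, "vpn.example.edu"))     # ('CA-issued', True)
```

Feed it the dicts returned by `ssl.SSLSocket.getpeercert()` from a management connection to sort the scanner's findings into expected self-signed management certs and genuine name mismatches.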
