Educause Security Discussion mailing list archives
Re: SSL/SSH certificates
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Thu, 13 May 2010 12:00:38 -0500
If it's SSH you're concerned about, and staff use a management server to initiate the SSH connections, you could exert a degree of control by disabling all users' host key stores, and manage an accurate host key store at the OS-wide level. At least on UNIX-like systems w/ OpenSSH. I dunno how many auditors that'd fly with, but the better ones should accept it, I'd think. -jml
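The approach described above, as an added example that is not part of the original post: an ssh_config fragment that makes OpenSSH ignore per-user host key stores and trust only the OS-wide file, followed by a small audit of that file against a device inventory. The audit function is a hypothetical helper, not an OpenSSH tool, and the hostnames, key blobs and temporary paths in the sample data are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): enforce and audit an OS-wide OpenSSH host key
# store on a management host. Hostnames and key blobs below are constructed placeholders.

# Write an ssh_config fragment that ignores per-user known_hosts files, trusts only the
# system-wide store, and refuses to connect when a host key is unknown or has changed.
write_global_ssh_config() {
    cat > "$1" <<'EOF'
Host *
    StrictHostKeyChecking yes
    UserKnownHostsFile /dev/null
    GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
EOF
}

# audit_known_hosts INVENTORY STORE
# INVENTORY: one device hostname per line. STORE: a known_hosts-format file (unhashed names).
# Prints "MISSING <host>" for inventory hosts with no key in the store and
# "CONFLICT <host> <keytype>" where a host has two keys of the same type (typically
# a stale entry left beside a re-keyed device). Returns 1 if anything was reported.
audit_known_hosts() {
    inventory="$1"; store="$2"; rc=0
    while IFS= read -r host; do
        [ -z "$host" ] && continue
        # key types recorded for this host (field 1 may be "name1,name2,...")
        types=$(awk -v h="$host" '$1 !~ /^#/ && NF >= 3 {
                    n = split($1, names, ",")
                    for (i = 1; i <= n; i++) if (names[i] == h) print $2
                }' "$store")
        if [ -z "$types" ]; then
            echo "MISSING $host"; rc=1
            continue
        fi
        for dup in $(printf '%s\n' "$types" | sort | uniq -d); do
            echo "CONFLICT $host $dup"; rc=1
        done
    done < "$inventory"
    return "$rc"
}

# Constructed sample data: three devices in inventory; the store is wrong for two of them.
tmp=$(mktemp -d)
printf '%s\n' sw-core-1 sw-core-2 ap-lib-3 > "$tmp/inventory"
cat > "$tmp/ssh_known_hosts" <<'EOF'
sw-core-1,10.0.0.1 ssh-ed25519 AAAAC3Nza-PLACEHOLDER-1
sw-core-2 ssh-rsa AAAAB3Nza-PLACEHOLDER-OLD
sw-core-2 ssh-rsa AAAAB3Nza-PLACEHOLDER-NEW
EOF
audit_known_hosts "$tmp/inventory" "$tmp/ssh_known_hosts" || echo "audit found problems"
```

Run the audit from a cron job or config-management hook so a missing or duplicated device key is caught before a staff member sees a host key prompt.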
Greg Washburn <gwashburn () MBC EDU> 2010-05-13 11:50 >>>
We tend to use self signed certs on the IOS devices you list below. Along with proper access lists and authorization restrictions we believe it provides more than adequate protection. Typically, only the IT staff connect to these devices and they would ignore the security prompts from an SSH or SSL management session.

On our servers and publicly accessible network devices (think VPN) we tend to utilize wildcard certs, which saves a great deal of $$$s. Some of our devices do require that we do not use wildcard certs (NAC and older IBM servers come to mind). In other words, should you go with a wildcard cert, keep in mind that not all devices will support them.

Greg Washburn CISSP, CCNA, MCSE
Sr. Network/System Admin
540.887.7352
540.280.6087
Mary Baldwin College
www.mbc.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto: SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Entwistle, Bruce
Sent: Thursday, May 13, 2010 12:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SSL/SSH certificates

We are currently reviewing our network security. One of the tools we are using in this process is reporting a vulnerability as a result of using self signed certificates on our Cisco IOS devices (switches, routers, access points) for SSH and SSL connections. Rather than purchase 300 certificates to address this issue I thought I would ask what others are doing in this area.

Thank you
Bruce Entwistle
Network Manager
University of Redlands
Current thread:
- SSL/SSH certificates Entwistle, Bruce (May 13)
- <Possible follow-ups>
- Re: SSL/SSH certificates Daniel Bennett (May 13)
- Re: SSL/SSH certificates Matthew Gracie (May 13)
- Re: SSL/SSH certificates Dexter Caldwell (May 13)
- Re: SSL/SSH certificates Greg Washburn (May 13)
- Re: SSL/SSH certificates John Ladwig (May 13)
- Re: SSL/SSH certificates Sam Hooker (May 13)
- Re: SSL/SSH certificates Andy Fleming (May 14)