Re: customers and web servers and level one naps

[Alexis Rosen <alexis () panix com>]

Curtis Villamizar writes:
> It is possible though admitedly not easy to secure a Unix machine
> quite tightly (and still put some services on it allowing it to do
> some useful work) since the services needed for remote administrative
> access can be fully encrypted.  It is not possible to secure a router
> from the major router vendors at the present time since administrative
> access involves telnet access where the open TCP session has full
> priviledges and remains "in the clear" for long periods of time and
> ready for hijack.

If (and only if) you're competent to secure a Unix box, this is pretty
easy to deal with. Put one on a private wire with the router, connect to
it in a secure encrypted fashion (kerb or ssh, these days?), and from
there cleartext telnet to the router is fine.

Of course, it costs money. But you can get away with one box and one
private net for all the routers in one location, assuming all the routers
are in the same security zone.

/a
- - - - - - - - - - - - - - - - -