nanog mailing list archives

RE: ABOVE.NET SECURITY TRUTHS?


From: "Roeland Meyer (E-mail)" <rmeyer () mhsc com>
Date: Fri, 28 Apr 2000 14:38:04 -0700


The private net is still subject to wire-tap tricks. If the switch supports SSH1 then that should be sufficient.
MHSC.NET, and every host I set up for dot-com clients, gets a telnetd/ftpd-ectomy for free. If it needs CLI access, it
gets SSH or you have to go to the console. Even X11 and SMB sessions are forwarded through SSH. Given this sort of
secure environment, plain-text Cisco sessions stand out like a sore thumb to a sniffer. They only have to look for the
packets that are NOT encrypted. A private net is even worse: you are guaranteed that each packet is part of a network
management session.

-----Original Message-----
From: Greene, Dylan [mailto:DGreene () NaviSite com]
Sent: Friday, April 28, 2000 2:10 PM
To: 'Paul Froutan'; rmeyer () mhsc com
Cc: nanog () merit edu
Subject: RE: ABOVE.NET SECURITY TRUTHS?



Maybe I should read the entire message before responding.. hehe.. =)

A switched private management lan resolves the cleartext problem.  

SSH version 1 is apparently supported in 12.0 as well (never played w/ it,
so dunno how well it works);

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s5/sshv1.htm

..Dylan 

| -----Original Message-----
| From: Paul Froutan [mailto:pfroutan () rackspace com]
| Sent: Friday, April 28, 2000 4:46 PM
| To: rmeyer () mhsc com
| Cc: nanog () merit edu
| Subject: RE: ABOVE.NET SECURITY TRUTHS?
| 
| 
| 
| I don't think you can.  However, I use TACACS on all my switches and
| routers.  From what I know, TACACS passwords are encrypted using the key
| on your network devices and the TACACS server.  So, that, in combination
| with a private management LAN not accessible by your customers should
| lock down your network pretty effectively.  Any comments?
| 
| At 4/28/00 -0700, you wrote:
| 
| > > Exiled Dave
| > > Sent: Friday, April 28, 2000 1:10 PM
| >
| > > Lets think about this, cisco in no way has such a flaw
| > > that would allow someone to 'root' and erase all the
| > > info on switches. The password was sniffed.
| >
| >Can one setup SSH on a Cisco 6509?
| 
| Paul Froutan                              Email: 
| pfroutan () rackspace com
| Rackspace, Ltd                       <http://www.rackspace.com>
| 
| 
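Roeland's point above is that on a management LAN a sniffer does not need to break anything; it only has to pick out the sessions that are not encrypted. The script below, an added example and not code from anyone in the thread, shows what that triage looks like over a handful of hand-built packets standing in for a capture (the packets are constructed, not from any real trace). It recognises telnet option negotiation and FTP USER/PASS as cleartext, an SSH identification banner as the start of an encrypted session, and inspects the TACACS+ header flags byte (layout per the TACACS+ specification, RFC 8907) to tell a body protected by the shared-key MD5 pad from one sent with TAC_PLUS_UNENCRYPTED_FLAG set. Port numbers are the standard ones and are an assumption; the addresses are made up.

```python
"""Triage management-plane traffic into cleartext vs protected sessions.

Constructed example for the NANOG thread above; not code from the original
posts. Packets are hand-built (src, dst, dport, payload) tuples standing in
for a captured trace. Assumed: telnet on TCP/23, FTP on TCP/21, SSH on
TCP/22, TACACS+ on TCP/49.
"""
import struct
from typing import Dict, List, NamedTuple, Tuple

TELNET, FTP, SSH, TACACS = 23, 21, 22, 49

# TACACS+ header (RFC 8907): major/minor version, type, seq_no, flags,
# session_id, body length. Major version 0xC; flags bit 0x01 means the
# body was sent WITHOUT the shared-key MD5 pad (i.e. in the clear).
TACACS_HDR = struct.Struct("!BBBBII")
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_MAJOR_VER = 0xC


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes


def tacacs_packet(flags: int, body: bytes, session_id: int = 0x1234ABCD) -> bytes:
    """Build a TACACS+ authentication packet (type 1, seq 1) for the samples."""
    return TACACS_HDR.pack(TAC_PLUS_MAJOR_VER << 4, 1, 1, flags, session_id, len(body)) + body


def classify(pkt: Packet) -> str:
    """Return 'cleartext', 'encrypted' or 'unknown' for a single packet.

    The destination port alone is a weak signal, so the payload is checked
    where the protocol gives itself away.
    """
    p = pkt.payload
    if pkt.dport == SSH and p.startswith(b"SSH-"):
        return "encrypted"  # identification banner; key exchange follows, then ciphertext
    if pkt.dport == TELNET and p[:1] == b"\xff":
        return "cleartext"  # telnet IAC option negotiation, everything after is plain
    if pkt.dport == FTP and p.upper().startswith((b"USER ", b"PASS ")):
        return "cleartext"  # FTP control channel carries the credential literally
    if pkt.dport == TACACS and len(p) >= TACACS_HDR.size:
        version, _type, _seq, flags, _sid, length = TACACS_HDR.unpack_from(p)
        if version >> 4 == TAC_PLUS_MAJOR_VER and len(p) - TACACS_HDR.size == length:
            if flags & TAC_PLUS_UNENCRYPTED_FLAG:
                return "cleartext"  # body not covered by the shared-key pad
            return "encrypted"  # body XOR'd with MD5(session_id, key, ...) pad
    return "unknown"


FlowKey = Tuple[str, str, int]


def triage(packets: List[Packet]) -> Dict[FlowKey, str]:
    """Map each (src, dst, dport) flow to a verdict; the first decisive packet wins."""
    flows: Dict[FlowKey, str] = {}
    for pkt in packets:
        key = (pkt.src, pkt.dst, pkt.dport)
        if flows.get(key, "unknown") == "unknown":
            flows[key] = classify(pkt)
    return flows


def cleartext_flows(packets: List[Packet]) -> List[FlowKey]:
    """The flows a sniffer would go after: sorted list of cleartext sessions."""
    return sorted(k for k, v in triage(packets).items() if v == "cleartext")


# Constructed sample capture: one operator host talking to a switch over
# telnet, a router over SSH, an FTP server, and two devices talking TACACS+.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.1", TELNET, b"\xff\xfb\x18\xff\xfd\x01"),
    Packet("10.0.0.5", "10.0.0.2", SSH, b"SSH-1.99-OpenSSH_2.1\r\n"),
    Packet("10.0.0.5", "10.0.0.2", SSH, b"\x00\x00\x01\x0c\x0a\x14" + b"\x00" * 16),
    Packet("10.0.0.5", "10.0.0.3", FTP, b"USER admin\r\n"),
    Packet("10.0.0.1", "10.0.0.9", TACACS, tacacs_packet(0x00, b"\x01\x00\x00\x00")),
    Packet("10.0.0.7", "10.0.0.9", TACACS, tacacs_packet(TAC_PLUS_UNENCRYPTED_FLAG, b"\x01\x00\x00\x00")),
]

if __name__ == "__main__":
    for key, verdict in sorted(triage(SAMPLE).items()):
        print(f"{key[0]} -> {key[1]}:{key[2]}  {verdict}")
```

Run stand-alone it lists every flow with its verdict; `cleartext_flows(SAMPLE)` returns just the three an attacker on that segment would watch (telnet, FTP, and the TACACS+ device configured without a key). On a real trace the same logic would sit behind a pcap reader; the payload checks are deliberately narrow so that a flow is only called encrypted when the protocol itself says so.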



