nanog mailing list archives
Re: IT security people sleep well
From: Robert Boyle <robert () tellurian com>
Date: Mon, 07 Jun 2004 15:36:29 -0400
At 12:11 PM 6/7/2004, you wrote:
> ever heard of multilayer security?

Absolutely and I am a huge believer in it and all of our systems and our network are designed with many layers of protection... which is why I am against running ssh AND leaving it open to the world since that leaves only a single layer of security. My point is simply that having SSH is a good tool, but I still don't think that having SSH relieves any of the other responsibility for proper network security.

> some little problem somewhere that allows an attacker to sniff your telnet traffic and you are d00med. that might be as simple as a routing fuckup.

That would have to be a pretty major screwup.

> You lose nothing with using ssh instead of telnet. You win a lot.

I agree 100%. However, is that worth $x thousand more per IOS image? Maybe. Should it be included by default, yes.

> ssh is a basic component for secure network management. it is not the one magic piece that turns a collection of crap into an ubersecure network of course, as some people seem to imply.

Exactly and that is my point. Especially when leaving SSH open to the world on all routers because it is "secure" is LESS secure than having secure passwords and ACLs and using telnet from the local LAN only. In an ideal world, you would have an ACL, a secure password, AND SSL.

> not seeing the problem with cleartext telnet for remote logins in 2004, whether ACL'd or not, is just ... oh man, I don't have words for this.

I see the theoretical problem with telnet, but in the real world, I think there are many other more basic security practices which should be focused on perhaps even before worrying about ssh for routers. How many people have a dictionary word as their password for SSH? How many times have you purchased a used router which was used by (insert big ISP here) and found the password to be a simple dictionary word - on multiple routers purchased from multiple ISPs. My only point is that there are many other things to worry about for building comprehensive security as part of a network than simply enabling a protocol for remote management. That should be one of MANY issues which should constantly be addressed.
R
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - Francis Jeffrey
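The layered setup the thread argues for (an ACL on the vty lines, a strong per-user secret, and SSH-only transport), shown as an added Cisco IOS configuration example beside the weak setup it replaces. This is an editor's illustration, not configuration from the post or from Tellurian; the hostname, domain, the 192.0.2.0/24 management LAN (documentation range) and the placeholder passphrases are assumptions.

```cisco
! --- Weak: what the thread warns against (constructed example) ---
! Cleartext telnet reachable from any source address, one shared line
! password that is a dictionary word, no source-address restriction.
! One sniffed session or one lucky guess gives full access.
line vty 0 4
 password cisco
 login
 transport input telnet
!
! --- Layered: ACL + strong credential + SSH-only transport ---
hostname edge-rtr1
ip domain-name example.net
! An RSA host key must exist before SSH can be enabled
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Layer 1: only the management LAN (192.0.2.0/24, assumed) may reach the
! vty lines at all; everything else is dropped and logged, so probes from
! the outside show up as hit counts on the deny entry.
ip access-list standard MGMT-HOSTS
 remark management LAN only
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! Layer 2: individual accounts with a non-dictionary secret. The secret is
! stored hashed; <STRONG-PASSPHRASE> is a placeholder, use a long random
! passphrase per user and a different one for enable.
username netops privilege 15 secret <STRONG-PASSPHRASE>
enable secret <STRONG-ENABLE-PASSPHRASE>
!
! Layer 3: encrypted transport only. Telnet is refused even from the LAN,
! and idle sessions are closed after ten minutes.
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
 exec-timeout 10 0
!
! Checks from exec mode after applying the config:
!   show ip ssh                          (SSH enabled, version 2)
!   show running-config | section line vty
!   show access-lists MGMT-HOSTS         (deny hit counts = blocked attempts)
```

A router that loses its ACL through a configuration mistake still refuses cleartext logins, and one that loses SSH still only talks to the management LAN; that independence is what makes the layers worth having together.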