RE: Telnet Security Question for a Router.

[Tim Donahue <TDonahue () haynesconstruction com>]

IOS (if you are running all Cisco equipment) also supports SSH access (I
believe it was introduced in version 12.0) if you are running any of the
versions that include IPSEC support.  I considered doing this upgrade and in
the end decided that it was not worth the cost for our company at this time.
But for you, it may be worthwhile for you to look into.

Tim Donahue

> -----Original Message-----
> From: kawaii [mailto:trunks () stackers org] 
> Sent: Wednesday, December 11, 2002 3:06 PM
> To: SECURITY-BASICS () securityfocus com
> Subject: Re: Telnet Security Question for a Router. 
>
>
> From: "Tony Toni" <tony572000 () hotmail com>
> Sent: Tuesday, December 10, 2002 21:45
>
>
> > We were currently wrote up by our external auditors because we use 
> > telnet
> to
> > access all of our routers.  In some cases we use a filtered Telnet 
> > service...but that is not the normal practice.  We are a 
> fairly good 
> > size company with about 1000+ routers.
> >
> > I am charged with coordinating a response to the auditors.  
>  I know all of
> > the security issues involved with Telnet...ie login id and 
> password sent
> > across the network in clear text, etc.   My question:   Is 
> it possible to
> > use SSH or CISCO TACACS+ to encrypt the entire Telnet 
> session?  Is there a
> > way to ensure no one can sniff the login id and password?   
> The Network
> > Services Group is adamant that neither SSH or CISCO TACACS+ 
> will work 
> > on a router to correct the security issue.
>
> Just a quick scan through the Cisco website shows that (at a 
> minimum), all IOS versions from 12.0 and up have Kerberos 5 
> authentication, as well as RADIUS and TACACS+. My 
> understanding (and it is limited, to be sure) is that any of 
> those authentication methods will not send login id and 
> password in clear-text. It will not encrypt the entire telnet 
> session, to my knowledge.
>
> This all assuming that you use Cisco equipment. If you use 
> other vendors, you will have to make sure that they support 
> TACACS+ or RADIUS.
>
> But if the auditor's concern is only that authentication is 
> done via clear-text, using TACACS+ or RADIUS will resolve it. 
> I don't know if SSH is supported on the routers but I know 
> that all of their PIX line support ssh as an option.
>
> > Tony CIA,CISA,CDP,MBA
> > Security and Audit Services
> > Nations Banking & Trust
>
> Ever lovable and always scrappy,
> kawaii
>
> "Cunnilingus and psychiatry brought us to this." - Tony Soprano