Security Basics mailing list archives
RE: Telnet Security Question for a Router.
From: Tim Donahue <TDonahue () haynesconstruction com>
Date: Thu, 12 Dec 2002 09:47:37 -0500
IOS (if you are running all Cisco equipment) also supports SSH access (I believe it was introduced in version 12.0) if you are running any of the versions that include IPSEC support. I considered doing this upgrade and in the end decided that it was not worth the cost for our company at this time. But for you it may be worthwhile to look into.

Tim Donahue
-----Original Message-----
From: kawaii [mailto:trunks () stackers org]
Sent: Wednesday, December 11, 2002 3:06 PM
To: SECURITY-BASICS () securityfocus com
Subject: Re: Telnet Security Question for a Router.

From: "Tony Toni" <tony572000 () hotmail com>
Sent: Tuesday, December 10, 2002 21:45

> We were currently written up by our external auditors because we use telnet to access all of our routers. In some cases we use a filtered Telnet service...but that is not the normal practice. We are a fairly good-sized company with about 1000+ routers. I am charged with coordinating a response to the auditors.
>
> I know all of the security issues involved with Telnet...ie login id and password sent across the network in clear text, etc. My question: Is it possible to use SSH or CISCO TACACS+ to encrypt the entire Telnet session? Is there a way to ensure no one can sniff the login id and password? The Network Services Group is adamant that neither SSH nor CISCO TACACS+ will work on a router to correct the security issue.

Just a quick scan through the Cisco website shows that (at a minimum), all IOS versions from 12.0 and up have Kerberos 5 authentication, as well as RADIUS and TACACS+. My understanding (and it is limited, to be sure) is that any of those authentication methods will not send login id and password in clear-text. It will not encrypt the entire telnet session, to my knowledge.

This all assumes that you use Cisco equipment. If you use other vendors, you will have to make sure that they support TACACS+ or RADIUS. But if the auditor's concern is only that authentication is done via clear-text, using TACACS+ or RADIUS will resolve it.

I don't know if SSH is supported on the routers but I know that all of their PIX line support ssh as an option.

> Tony
> CIA, CISA, CDP, MBA
> Security and Audit Services
> Nations Banking & Trust

Ever lovable and always scrappy,
kawaii
"Cunnilingus and psychiatry brought us to this." - Tony Soprano
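The two fixes discussed in this thread (SSH on the router, TACACS+/RADIUS for authentication) address different legs of the connection, and a reader may want to see what they look like together. The following IOS configuration fragment is an added example, not something posted by anyone in the thread or taken from Cisco documentation; the hostname, domain name, server address and secrets are placeholders, and `ip ssh version 2` assumes a release that supports SSH version 2 (older 12.0/12.1 images offer SSH version 1 only, and an IPsec feature set as Tim notes). The weak setting is shown as a comment beside its replacement.

```cisco
! Constructed example: hardening router management access on Cisco IOS.
hostname rtr-example
ip domain-name example.internal

! SSH needs an RSA key pair; the hostname and domain name above must be
! set first or key generation will refuse to run.
crypto key generate rsa modulus 2048
ip ssh version 2

! Centralised login via TACACS+. This encrypts the router-to-server leg
! only; it does nothing for a cleartext telnet session between the
! administrator and the router. Server address and key are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key PLACEHOLDER-SHARED-SECRET
aaa authentication login default group tacacs+ local

! Local fallback account, used only if the TACACS+ server is unreachable.
username admin privilege 15 secret PLACEHOLDER-LOCAL-PASSWORD

line vty 0 4
 ! Weak setting being replaced:  transport input telnet
 ! (or "transport input all", which also admits telnet)
 transport input ssh
 login authentication default
 exec-timeout 10 0
```

After applying this, `show ip ssh` confirms the SSH server is enabled and which version it runs, and `show line vty 0 4` shows the allowed transports; an auditor checking the finding can verify from the `transport input ssh` line that the vty ports no longer accept telnet at all, rather than relying on the authentication method alone.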
Current thread:
- Telnet Security Question for a Router. Tony Toni (Dec 11)
- Re: Telnet Security Question for a Router. kawaii (Dec 11)
- Re: Telnet Security Question for a Router. Jeremy Anderson (Dec 11)
- Re: Telnet Security Question for a Router. Jill Tovey (Dec 12)
- Re: Telnet Security Question for a Router. Charley Hamilton (Dec 12)
- <Possible follow-ups>
- Re: Telnet Security Question for a Router. Mark Maher (Dec 12)
- RE: Telnet Security Question for a Router. Tim Donahue (Dec 12)
- Re: Telnet Security Question for a Router. Eric Schroeder (Dec 12)
- FW: Telnet Security Question for a Router. Stephen Wilcox (Dec 13)
- Re: Telnet Security Question for a Router. Chris Berry (Dec 13)
- RE: Telnet Security Question for a Router. Stephen Wilcox (Dec 16)
- RE: Telnet Security Question for a Router. d'Ambly, Jeff (Dec 13)