Security Basics mailing list archives

FW: Telnet Security Question for a Router.

From: "Stephen Wilcox" <stephenwilcox () universalcomputersys com>
Date: Thu, 12 Dec 2002 11:25:40 -0600

Telnet is not encrypted but you can prevent the packets from being send in
clear text if your equipment supports the following:


SNMPv3

Authenication is based on the Username, MD5, or SHA.

Encryption has two options: none or DES

This is the most secure of the possible models.  It allows the security be
defined in the following places: SNMP-Server Host, SNMP-Server Groups and
SNMP-Server Users

SNMP-Server Host

It allows three levels of authentication: {noauth | auth | priv}

.       Noauth - Specifies no authentication of a packet
.       Auth - Specifies authentication of a packet without encrypting it
.       Priv - Specifies authentication of a packet with encryption by scrambling
it

Command - snmp-server host (ip address of snmp server) version 3 priv
(community name)

SNMP-Server Groups

It allows three levels of authentication: {noauth | auth | priv}

.       Noauth - Specifies no authentication of a packet
.       Auth - Specifies authentication of a packet without encrypting it
.       Priv - Specifies authentication of a packet with encryption by scrambling
it

It allows two levels of view: {read | write}

.       Read - A string (up to 64 characters) that allows you to view the contents
of the agent only
.       Write - A string (up to 64 characters) that allows you to write the
contents of the agent

It allows access control lists to permit or deny availability
Command - snmp-server group (group name) v3 priv read (read name) access
(access-list)
And
Command - snmp-server group (group name) v3 priv write (write name) access
(access-list)

SNMP-Server User

It allows two levels of authentication: {auth | Priv}

.       Encrypted - Specifies whether a password appears in encrypted format
.       Auth - Initiates an authentication level setting session
o       MD5 - The HMAC-MD5-96 authentication level
o       SHA - The HMAC-SHA-96 authentication level
.       Priv - The option that initiates a privacy authentication level setting
session
o       Des56 - The CBC-DES privacy authentication algorithm

It allows access control lists to permit or deny availability

Command - snmp-server user (user name) (group name) encrypted auth sha
(password) priv des56 (password) access (access-list)



-----Original Message-----
From: Mark Maher [mailto:mmaher () ochsner org]
Sent: Wednesday, December 11, 2002 2:35 PM
To: tony572000 () hotmail com; SECURITY-BASICS () SECURITYFOCUS COM
Subject: Re: Telnet Security Question for a Router.


Most of the Cisco routers suport SSH, especially if you are running an IOS
image that supports IPSec.What we did until all of our routers supported
SSH, was set up a secure SSH server in our internal network (trusted part of
the network). Then, for access from the Internet, we SSH to the server and
then telnet from there to the router. This way, the connection to our
network was encrypted, and only the part between the SSH server and router
was unencrypted. Of course, this doesn't protect us from the inside
(internal network), but does prevent sniffing and hijacking from the
Internet (outside). Hope it helps.

Mark Maher
Ochsner Clinic Foudation

"Tony Toni" <tony572000 () hotmail com> 12/10/02 08:45PM >>>


We were currently wrote up by our external auditors because we use telnet to
access all of our routers.  In some cases we use a filtered Telnet
service...but that is not the normal practice.  We are a fairly good size
company with about 1000+ routers.

I am charged with coordinating a response to the auditors.   I know all of
the security issues involved with Telnet...ie login id and password sent
across the network in clear text, etc.   My question:   Is it possible to
use SSH or CISCO TACACS+ to encrypt the entire Telnet session?  Is there a
way to ensure no one can sniff the login id and password?   The Network
Services Group is adamant that neither SSH or CISCO TACACS+ will work on a
router to correct the security issue.

Tony CIA,CISA,CDP,MBA
Security and Audit Services
Nations Banking & Trust

PS: I have been playing phone tag with the auditor that wrote us up...to see
what they recommend...have not reached him yet.





_________________________________________________________________
Tired of spam? Get advanced junk mail protection with MSN 8.
http://join.msn.com/?page=features/junkmail

Current thread:

Telnet Security Question for a Router. Tony Toni (Dec 11)
- Re: Telnet Security Question for a Router. kawaii (Dec 11)
- Re: Telnet Security Question for a Router. Jeremy Anderson (Dec 11)
- Re: Telnet Security Question for a Router. Jill Tovey (Dec 12)
- Re: Telnet Security Question for a Router. Charley Hamilton (Dec 12)
- <Possible follow-ups>
- Re: Telnet Security Question for a Router. Mark Maher (Dec 12)
- RE: Telnet Security Question for a Router. Tim Donahue (Dec 12)
- Re: Telnet Security Question for a Router. Eric Schroeder (Dec 12)
- FW: Telnet Security Question for a Router. Stephen Wilcox (Dec 13)
- Re: Telnet Security Question for a Router. Chris Berry (Dec 13)
  - RE: Telnet Security Question for a Router. Stephen Wilcox (Dec 16)
- RE: Telnet Security Question for a Router. d'Ambly, Jeff (Dec 13)