Security Basics mailing list archives

RE: Telnet Security Question for a Router.


From: "d'Ambly, Jeff" <jdambly () monster com>
Date: Thu, 12 Dec 2002 13:41:35 -0500

Here is a great example of a secure router config

http://www.cymru.com/Documents/secure-ios-template.html

        As I see it, TACACS is the only way to go for router logins; I don't
know why they would object to it.

        I don't see why they would object to ssh. As far as I know, ssh does
not send clear-text passwords; I used ssh and sniffed out all my packets and
I did not see the password in clear text.

        I object to ssh on the routers because the code releases that
support ssh tend to be buggy. This is not directly related to ssh. The
problem is that these images also support other features that have not been
fully tested. 
        I like to run service provider on all my routers; this is a stripped-
down image and does not have all the features that you may need. I don't use
any but the basic features (BGP, CEF, ISL) and I run an IP-only network, so it
makes more sense for me to use that.
        
In the end it is up to you what code you choose; the TAC can help you with
that.

        Some other people don't like the added CPU overhead ssh gives the
routers. This really depends on what platform you are using and what the CPU
usage is on the router. If the routers are really busy I have seen some
cases where ssh will hinder troubleshooting.

Hope this helps.

-----Original Message-----
From: Charley Hamilton [mailto:chamilto () uci edu] 
Sent: Wednesday, December 11, 2002 4:28 PM
To: SECURITY-BASICS () securityfocus com
Subject: Re: Telnet Security Question for a Router.

The Network Services Group is adamant that neither SSH nor
CISCO TACACS+ will work on a router to correct the security
issue.

*blink blink*

As a relative newbie/ignorant, I am distressed to hear that
ssh doesn't "correct the security issues" with regard to
clear-text username/password travel.  Doesn't ssh send *all*
traffic (from login to logoff inclusive) encrypted?  Granted,
no encryption is perfect, but take a large key and it'll take
a while to decrypt, no?  If you don't want to have passwords
traveling at all, use keypairs with passphrases, with
the keys stored on encrypted removable media.  (That's my
strategy for my ssh/sftp servers.)

Is there something specific to routers that makes this solution
inappropriate?  Alternatively, is there some other problem with
the routers that makes ssh an incomplete solution?

Inquiring (newbie) minds want to know!

Charley

-- 
Charles Hamilton, PhD EIT               Faculty Fellow
Department of Civil and                 Phone: 949.824.3752
     Environmental Engineering           FAX:   949.824.2117
University of California, Irvine        Email: chamilto () uci edu
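To make the thread's point concrete (telnet plus line passwords on one side, SSH-only vty access with AAA/TACACS+ on the other), here is an added example that is not code from either poster nor from the Team Cymru template linked above. It is a small Python audit that parses two constructed IOS-style configs and reports the weak management settings. The config syntax follows common Cisco IOS conventions; the hostname, the TACACS+ server address and the key/hash values are made-up placeholders. Beyond the vty transport check the thread discusses, it also flags a missing `aaa new-model`, a reversible `enable password`, and a config that does not enforce SSH version 2.

```python
"""Audit Cisco IOS-style configs for clear-text management access.

Added example; not code from the mailing-list thread or from Team Cymru's
template. Both configs below are constructed samples with placeholder values.
"""
from typing import Dict, List

# Constructed sample: telnet on the vty lines, a line password, no AAA.
WEAK_CONFIG = """\
hostname edge1
enable password cisco
line vty 0 4
 password letmein
 login
 transport input telnet
"""

# Constructed sample: SSH only, AAA login via TACACS+, irreversible enable secret.
HARDENED_CONFIG = """\
hostname edge1
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.10
tacacs-server key 7 EXAMPLE-PLACEHOLDER-KEY
enable secret 5 EXAMPLE-PLACEHOLDER-HASH
ip ssh version 2
line vty 0 4
 login authentication default
 transport input ssh
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into a 'global' section plus one entry per
    'line ...' block; the children of a block are the lines indented under it."""
    blocks: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):          # indented: belongs to the open block
            blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):      # opens a new line block (con, aux, vty ...)
            current = cmd
            blocks.setdefault(current, [])
        else:                            # any other top-level command closes the block
            current = "global"
            blocks["global"].append(cmd)
    return blocks


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means no weak setting was found."""
    blocks = parse_blocks(config)
    glob = blocks["global"]
    findings: List[str] = []

    if "aaa new-model" not in glob:
        findings.append("global: 'aaa new-model' missing; logins fall back to line passwords")
    if any(c.startswith("enable password") for c in glob):
        findings.append("global: 'enable password' stores a reversible secret; use 'enable secret'")
    if not any(c.startswith("ip ssh version 2") for c in glob):
        findings.append("global: SSH version 2 not enforced ('ip ssh version 2' missing)")

    for name, children in blocks.items():
        if not name.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if not transports:
            findings.append(f"{name}: no 'transport input' restriction; telnet not excluded")
        else:
            allowed = transports[-1].split()[2:]   # the last statement wins
            if "telnet" in allowed or "all" in allowed:
                findings.append(f"{name}: telnet permitted ('{transports[-1]}')")
        uses_line_password = any(c.startswith("password ") for c in children)
        if uses_line_password and "login" in children:
            findings.append(f"{name}: plain 'login' with a line password instead of AAA/TACACS+")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

Run as a script it prints five findings for the weak config and none for the hardened one. The parser treats any indented line as belonging to the most recent `line ...` block and resets to the global section on the next unindented command, which is enough for the vty/aux/con blocks this check cares about.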
