Security Basics mailing list archives
RE: Telnet Security Question for a Router.
From: "Stephen Wilcox" <stephenwilcox () universalcomputersys com>
Date: Mon, 16 Dec 2002 09:46:50 -0600
You also might want to look at SNMP v3: Authentication is based on the Username, MD5, or SHA. Encryption has two options: none or DES. This is the most secure of the possible models. It allows the security to be defined in the following places: SNMP-Server Host, SNMP-Server Groups and SNMP-Server Users.

SNMP-Server Host
It allows three levels of authentication: {noauth | auth | priv}
  · Noauth - Specifies no authentication of a packet
  · Auth - Specifies authentication of a packet without encrypting it
  · Priv - Specifies authentication of a packet with encryption by scrambling it
Command: snmp-server host (ip address of snmp server) version 3 priv (community name)

SNMP-Server Groups
It allows three levels of authentication: {noauth | auth | priv}
  · Noauth - Specifies no authentication of a packet
  · Auth - Specifies authentication of a packet without encrypting it
  · Priv - Specifies authentication of a packet with encryption by scrambling it
It allows two levels of view: {read | write}
  · Read - A string (up to 64 characters) that allows you to view the contents of the agent only
  · Write - A string (up to 64 characters) that allows you to write the contents of the agent
It allows access control lists to permit or deny availability
Command: snmp-server group (group name) v3 priv read (read name) access (access-list)
And
Command: snmp-server group (group name) v3 priv write (write name) access (access-list)

SNMP-Server User
It allows two levels of authentication: {auth | priv}
  · Encrypted - Specifies whether a password appears in encrypted format
  · Auth - Initiates an authentication level setting session
      o MD5 - The HMAC-MD5-96 authentication level
      o SHA - The HMAC-SHA-96 authentication level
  · Priv - The option that initiates a privacy authentication level setting session
      o Des56 - The CBC-DES privacy authentication algorithm
It allows access control lists to permit or deny availability
Command: snmp-server user (user name) (group name) encrypted auth sha (password) priv des56 (password) access (access-list)

-----Original Message-----
From: Chris Berry [mailto:compjma () hotmail com]
Sent: Thursday, December 12, 2002 1:15 PM
To: security-basics () securityfocus com
Subject: Re: Telnet Security Question for a Router.
From: "Tony Toni" <tony572000 () hotmail com>

We were recently written up by our external auditors because we use telnet to access all of our routers. In some cases we use a filtered Telnet service...but that is not the normal practice. We are a fairly good-sized company with about 1000+ routers. I am charged with coordinating a response to the auditors. I know all of the security issues involved with Telnet...i.e. login id and password sent across the network in clear text, etc. My question: Is it possible to use SSH or CISCO TACACS+ to encrypt the entire Telnet session? Is there a way to ensure no one can sniff the login id and password? The Network Services Group is adamant that neither SSH nor CISCO TACACS+ will work on a router to correct the security issue.

Well, you could use SSL or VPN to create a secure tunnel for the Telnet session, but SSH would be a much better choice, it's designed for that sort of thing. SSH works on most quality routers, what brand(s) do you have?

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates
"Live dangerously, overclock your servers."
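Added example, not code from any post in this thread: a small Python audit of the Cisco IOS snmp-server lines Stephen describes, flagging any host, group or user configured below the priv level, plus v1/v2c community strings. The config fragment is constructed for the example; the line syntax follows the commands quoted above.

```python
import re

# Constructed sample of a running-config fragment (not from the thread).
SAMPLE_CONFIG = """
snmp-server community public RO
snmp-server group NETMON v3 priv read RO-VIEW access 10
snmp-server group LEGACY v3 noauth
snmp-server user monitor NETMON v3 auth sha S3cretAuth priv des56 S3cretPriv access 10
snmp-server user oldpoller LEGACY v3 auth md5 S3cretAuth
snmp-server host 192.0.2.10 version 3 priv monitor
snmp-server host 192.0.2.20 version 2c public
"""

# Security levels from weakest to strongest; only priv authenticates AND encrypts.
LEVEL_RANK = {"noauth": 0, "auth": 1, "priv": 2}


def audit_snmp_config(config: str):
    """Return (line, reason) findings for snmp-server lines weaker than SNMPv3 priv."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("snmp-server"):
            continue
        words = line.split()
        kind = words[1] if len(words) > 1 else ""
        if kind == "community":
            findings.append((line, "SNMPv1/v2c community string: no authentication or encryption"))
        elif kind == "group" and len(words) >= 5:
            # snmp-server group <name> v3 {noauth|auth|priv} [read/write views] [access acl]
            if words[3] != "v3":
                findings.append((line, "group is not SNMPv3"))
                continue
            if LEVEL_RANK.get(words[4], 0) < 2:
                findings.append((line, f"group security level is {words[4]}, not priv"))
            if "access" not in words:
                findings.append((line, "group has no access-list limiting which managers may poll"))
        elif kind == "user":
            # snmp-server user <name> <group> v3 auth {md5|sha} <pw> [priv des56 <pw>] [access acl]
            if "priv" not in words:
                findings.append((line, "user has no priv key: traffic is authenticated but unencrypted"))
            if "access" not in words:
                findings.append((line, "user has no access-list"))
        elif kind == "host":
            # snmp-server host <addr> [version {1|2c|3 [noauth|auth|priv]}] <string>
            m = re.search(r"\bversion (\S+)(?: (noauth|auth|priv))?", line)
            if not m or m.group(1) != "3":
                findings.append((line, "host is not SNMPv3"))
            elif LEVEL_RANK.get(m.group(2) or "noauth", 0) < 2:
                findings.append((line, f"host security level is {m.group(2) or 'noauth'}, not priv"))
    return findings
```

Run it over `show running-config | include snmp-server` output; every finding is a line that still exposes either cleartext SNMP or unrestricted management access.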
Current thread:
- Telnet Security Question for a Router. Tony Toni (Dec 11)
- Re: Telnet Security Question for a Router. kawaii (Dec 11)
- Re: Telnet Security Question for a Router. Jeremy Anderson (Dec 11)
- Re: Telnet Security Question for a Router. Jill Tovey (Dec 12)
- Re: Telnet Security Question for a Router. Charley Hamilton (Dec 12)
- <Possible follow-ups>
- Re: Telnet Security Question for a Router. Mark Maher (Dec 12)
- RE: Telnet Security Question for a Router. Tim Donahue (Dec 12)
- Re: Telnet Security Question for a Router. Eric Schroeder (Dec 12)
- FW: Telnet Security Question for a Router. Stephen Wilcox (Dec 13)
- Re: Telnet Security Question for a Router. Chris Berry (Dec 13)
- RE: Telnet Security Question for a Router. Stephen Wilcox (Dec 16)
- RE: Telnet Security Question for a Router. d'Ambly, Jeff (Dec 13)