Security Basics mailing list archives

RE: Telnet Security Question for a Router.


From: "Stephen Wilcox" <stephenwilcox () universalcomputersys com>
Date: Mon, 16 Dec 2002 09:46:50 -0600

You also might want to look at snmp v3:

Authentication is based on the Username, MD5, or SHA.

Encryption has two options: none or DES

This is the most secure of the possible models.  It allows the security to be
defined in the following places: SNMP-Server Host, SNMP-Server Groups and
SNMP-Server Users

SNMP-Server Host

It allows three levels of authentication: {noauth | auth | priv}

·       Noauth – Specifies no authentication of a packet
·       Auth – Specifies authentication of a packet without encrypting it
·       Priv – Specifies authentication of a packet with encryption by scrambling
it

Command – snmp-server host (ip address of snmp server) version 3 priv
(community name)

SNMP-Server Groups

It allows three levels of authentication: {noauth | auth | priv}

·       Noauth – Specifies no authentication of a packet
·       Auth – Specifies authentication of a packet without encrypting it
·       Priv – Specifies authentication of a packet with encryption by scrambling
it

It allows two levels of view: {read | write}

·       Read – A string (up to 64 characters) that allows you to view the contents
of the agent only
·       Write - A string (up to 64 characters) that allows you to write the
contents of the agent

It allows access control lists to permit or deny availability
Command – snmp-server group (group name) v3 priv read (read name) access
(access-list)
And
Command – snmp-server group (group name) v3 priv write (write name) access
(access-list)

SNMP-Server User

It allows two levels of authentication: {auth | priv}

·       Encrypted – Specifies whether a password appears in encrypted format
·       Auth – Initiates an authentication level setting session
o       MD5 – The HMAC-MD5-96 authentication level
o       SHA – The HMAC-SHA-96 authentication level
·       Priv – The option that initiates a privacy authentication level setting
session
o       Des56 – The CBC-DES privacy authentication algorithm

It allows access control lists to permit or deny availability

Command – snmp-server user (user name) (group name) encrypted auth sha
(password) priv des56 (password) access (access-list)


-----Original Message-----
From: Chris Berry [mailto:compjma () hotmail com]
Sent: Thursday, December 12, 2002 1:15 PM
To: security-basics () securityfocus com
Subject: Re: Telnet Security Question for a Router.


From: "Tony Toni" <tony572000 () hotmail com>
We were recently written up by our external auditors because we use telnet
to access all of our routers.  In some cases we use a filtered Telnet
service...but that is not the normal practice.  We are a fairly good size
company with about 1000+ routers.

I am charged with coordinating a response to the auditors.   I know all of
the security issues involved with Telnet...ie login id and password sent
across the network in clear text, etc.   My question:   Is it possible to
use SSH or CISCO TACACS+ to encrypt the entire Telnet session?  Is there a
way to ensure no one can sniff the login id and password?   The Network
Services Group is adamant that neither SSH nor CISCO TACACS+ will work on a
router to correct the security issue.

Well, you could use SSL or VPN to create a secure tunnel for the Telnet
session, but SSH would be a much better choice, it's designed for that sort
of thing.  SSH works on most quality routers, what brand(s) do you have?

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Live dangerously, overclock your servers."


