Security Basics mailing list archives

Re: Cisco PIX with SSH enabled on external port for maintenance


From: Alloishus BeauMains <all0i5hu5 () gmail com>
Date: Wed, 16 Nov 2005 16:09:24 -0600

You can tunnel everything through SSH as well as VPN. VPN just closes
down local network access if specified. VPN can use group
authentication, but this seems to be just like an authentication key
much like the one that SSH has.

If you use an authentication key (this is an encrypted, physically
different file you have to load on your outside machines), then an
appropriate passphrase goes with it. SSH already encrypts the
traffic, just like VPN.

I am not sure how much more VPN offers in addition to this, especially
for the money, since SSH (with SSHD) is completely free and can be
loaded on any system.

So, to me, it seems like you would be paying for or supplying more
equipment only to get the "disconnected from rest of LAN" portion of
VPN.

Anyhow, there is my take on it. You can make SSH as secure as you want
it to be through those methods I mentioned.

On 11/15/05, John Maher <john.e.maher () gmail com> wrote:
Chris Largret wrote:
If you DO allow access to SSH to the outside world, there are a few
things you can do to make it more secure:

1. Use a non-standard port
2. Use only the strongest algorithms that SSH supports
3. Change the passwords regularly
4. Allow only strong passwords
5. Limit which IP addresses can connect

If feasible, I would recommend using public key authentication and
disabling password authentication.
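The hardening list quoted above maps onto a handful of sshd_config keywords. As an added example (not from anyone in this thread), the script below parses a constructed sshd_config and reports which of those items are not met; it assumes OpenSSH's defaults (Port 22, PasswordAuthentication yes, PubkeyAuthentication yes) and that the sample addresses are placeholders.

```python
import re

# Constructed sample configs (not from the thread): one close to the sshd
# defaults, and one applying the list above plus key-only authentication.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin@203.0.113.0/24
Ciphers aes256-ctr,aes128-ctr
"""

def parse_sshd_config(text):
    """Map lowercased keyword -> value, keeping the first occurrence of each
    keyword because sshd honours the first value it reads. Match blocks are
    not handled by this simplified parser."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)   # "Key value" or "Key=value"
        if m:
            opts.setdefault(m.group(1).lower(), m.group(2).strip())
    return opts

def audit(text):
    """Return findings for the list items that sshd_config controls.
    Items 3 and 4 (password rotation and strength) are PAM/password-policy
    settings, not sshd_config keywords, so they are not checked here."""
    o = parse_sshd_config(text)
    findings = []
    if o.get("port", "22") == "22":                                  # item 1
        findings.append("Port 22: default port in use")
    if "ciphers" not in o and "macs" not in o:                       # item 2
        findings.append("Ciphers/MACs: not pinned, sshd defaults apply")
    if not any(k in o for k in ("allowusers", "allowgroups")):       # item 5
        findings.append("AllowUsers/AllowGroups absent: no user/source restriction")
    if o.get("passwordauthentication", "yes").lower() != "no":       # key-only auth
        findings.append("PasswordAuthentication: enabled, keys not enforced")
    if o.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication: disabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

Source-address limiting is usually enforced at the firewall or in hosts.allow as well; the AllowUsers user@host form shown here is sshd's own way of expressing it.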