Educause Security Discussion mailing list archives
Re: SSL/SSH certificates
From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Thu, 13 May 2010 12:36:03 -0400
You might be able to use IPSCA (2 yr certs, free for Education) for official certs that don't cost $$$, but you'd need a ton of them. If you use DNS names for your devices, I suppose you could use a wildcard DNS or multidomain cert or something like that.

You could create an internal private zone in a new or existing DNS server that no one knew existed except your network team, and unless you had your computer configured to look it up, you would not by default be able to resolve or query names therein. If you used a new DNS server, you could restrict who could query against it with a firewall. Then install the same cert on them all and see how it works.

Also, if you have security around who can access the switches in the first place, you might not have to worry so much about the DNS names unless you name switches with obvious names. I'm not sure it's the best idea, but it's one.

D/C

The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> writes:
We are currently reviewing our network security. One of the tools we are using in this process is reporting a vulnerability as a result of using self signed certificates on our Cisco IOS devices (switches, routers, access points) for ssh and ssl connections. Rather than purchase 300 certificates to address this issue I thought I would ask what others are doing in this area.

Thank you

Bruce Entwistle
Network Manager
University of Redlands