Firewall Wizards mailing list archives

RE: What's the deal with SSH? (was: PIX software release 5.2)


From: shewitt () cdw com
Date: Wed, 20 Sep 2000 20:55:00 -0500

Pardon my ignorance with this, but what's the big deal about using something
like SecureCRT?  That's basically a secure telnet, right?  I do all my
configuring of my PIXen from the inside interface, and I'm on an almost
completely switched network.  So, I'm not too concerned about somebody
sniffing my telnet session.  Do you use SSH to protect against people
sniffing on local segments, or is the concern when going across the
internet?  Also, I only enable telnet on the inside interface, so I don't
even worry about people connecting from the outside interface.  
Could somebody please shed some light on this?
Thanks!
--Scott

-----Original Message-----
From: Daniel Linder [mailto:dan_linder () yahoo com]
Sent: Tuesday, September 19, 2000 11:25 PM
To: firewall-wizards () nfr net
Subject: Re: [fw-wiz] PIX software release 5.2



--On Monday, September 18, 2000 10:54 AM -0500 shewitt () cdw com wrote:
Anybody have any good / bad experiences with PIX 5.2(1)?

--- Carson Gaspar <carson () tla org> wrote:
It's working fine for me, so far. But it's a very small install, and we
don't use WebSense. 5.2(1) adds SSH support (finally!), so that's a good
reason to upgrade. Of course, you have to have a VPN license to use it
(wonderful Cisco...). You can get a free 56-bit DES VPN license from Cisco,
but have to pay for the 3-DES license. Oh, and you can only install the new
license by re-loading the firmware on the PIX. Oh, and SSH-DES doesn't work
with Tatu's unix SSH-1 client (it does with SecureCRT, so I suspect the
unix code to be at fault, but...). And OpenSSH doesn't support DES.

I'll support Mr. Gaspar in his view of PIX 5.2(1).  We have a small
network with two pairs of PIX 520's setup in failover.  It's not live
yet so we have been playing with things and have succeeded in finding a
bug related to the SSH key and failover (the key on the "returning" PIX
is lost!), but I'll get along with that until the next release.  It is
kind of a hassle to have to re-load the firmware just to upgrade a key
so do the 3DES upgrade before putting them into production (unless you
can afford the down-time).  I too have used SecureCRT under Windows
2000 and OpenSSH under Linux and don't have any complaints.

Dan


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

