nanog mailing list archives

RE: SSH on Cisco Routers (was RE: ABOVE.NET SECURITY TRUTHS?)


From: "Roeland Meyer (E-mail)" <rmeyer () mhsc com>
Date: Sat, 29 Apr 2000 11:38:59 -0700


Ron Buchalski
Sent: Friday, April 28, 2000 9:40 PM

SSH1 is supported on the following platforms starting in 12.1(1)T:

C17x0, C25xx, C26xx, C36xx, C4x00, C7x00

I sadly note the conspicuous absence of the 3512XL, 3524XL and the entire Cat 65xx series from this list <sigh>.

Granted, the 65xx can't quite keep up with its advertised bandwidth (an indicator of insufficient CPU somewhere), but I 
never require more than 65% of advertised capacity anyway (comes out to ~80 Gbps), by design, which the Cat6509 can do 
easily. The Cat6509 is still my favorite chassis for internal LAN switching. I use 3512XLs (or 3524XLs) for end-point 
switching when the server doesn't have a gig-E card (and never use more than 7 ports per gig-E uplink). I've spec'd 
three datacenters like this in the past 6 months; one is currently in production.

WRT: external access

Speaking as a suit, it is fine and dandy to make statements barring external access, but when running a 24x7 portal, it 
is deucedly expensive to maintain 24x7 staff at the co-lo, especially since most things can be fixed by a CLI login. 
This is where technical theory and business reality can clash. Also, down-time can be reduced when the on-call tech 
doesn't have to spend an hour driving into the co-lo from home (maybe getting into a wreck on the way, due to lack of 
sleep). This is exacerbated when doing regional datacenters, thousands of miles away from the nearest staff member. 
Granted, the problem may not be this severe for the co-lo operator themselves. But the co-lo customer certainly has 
this problem. Co-lo operations are remote datacenter operations for the co-lo customer, by definition.

WRT: Passwd diversification

Known fact: The average person can track no more than 7 +/-2 related items at any given time. This is also, 
coincidentally, the maximum number of passwds that the average person can remember, without confusion or forgetfulness, 
without writing them down somewhere. The real number is actually 3-4, because they also have to remember their ATM 
passcodes and the like.

Given 15 or 20 switches, routers, and hosts for a decent-sized portal site, each having a unique passwd, you have 
virtually guaranteed that these passwds are written down somewhere, officially or not (mine are in my Palm Pilot).

Which is worse, untracked and unofficial passwd lists, or commonly used passwds? Upgrading human memory isn't a viable 
third alternative.

WRT: SSH CPU overhead

A Palm Pilot has more total system capacity than an original IBM PC (including disk drives) and about 8 times the CPU 
power. It can easily implement SSH. Granting my statement WRT the 65xx series capacity, I'd STILL like to see SSHD 
implemented there (now that I have a Cisco rep's attention <grin>). Yes, please consider this a customer request.

WRT: SSH direct logins

Even though I have RSA-enabled my SSH sessions, I don't allow passwdless login on any host [even if it's the same 
passwd]. It may be a small, annoying speed-bump for an SA, but it prevents run-amok hackers and code from infecting 
other connected hosts. I've actually had this save my bacon a few times, and I've seen some negative results using 
passwdless logins (system cracks AND runaway code [mine]).

Finally:

I'd like to see every internal and systems management packet using either 3DES or Blowfish, or using SSH, SSL, or TLS 
systems (OpenSSL anyone?). I routinely do this within my systems, by design (webserver to Oracle database server, and 
others), and if everyone else were doing it then B2B would be easier (more secure) as well. As I stated earlier, in a 
universe of encrypted packets, the plain-text ones stand out like sore thumbs. If they are also systems management 
packets, then the would-be cracker has a much easier time of things.

Incidentally, if this should wreak havoc with CALEA requirements, <sarcasm> it would just break my heart </sarcasm> 
<GRIN>.

---
R O E L A N D  M .  J .  M E Y E R
CEO, Morgan Hill Software Company, Inc.
An eCommerce and eBusiness practice
providing products and services for the Internet.
Tel: (925)373-3954
Fax: (925)373-9781
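Added example, not part of the message above: a minimal IOS configuration for the kind of remote CLI access the thread is about, with the VTY lines accepting SSH only and only from a management subnet. The hostname, domain name, the "netops" account and the 192.0.2.0/24 management range are placeholders; the "username ... secret" form and "ip ssh version 2" only exist on IOS releases later than the 12.1(1)T cited in the thread, and are marked as such in the comments.

```cisco
! Added example (not from the original post). Hostname/domain, the account
! name and the 192.0.2.0/24 management range are placeholders; adjust them.
hostname rtr1
ip domain-name example.net
!
! Hostname and domain name must be set before generating the RSA key pair
! the SSH server uses (older releases prompt for the modulus size here).
crypto key generate rsa
!
! Local account for SSH logins. "secret" stores a hash and is only available
! on later releases; 12.1-era IOS offers only "username ... password", which
! should then at least be paired with "service password-encryption".
username netops secret ChangeMe-Long-Passphrase
!
! Drop idle negotiations and repeated bad logins quickly.
ip ssh time-out 60
ip ssh authentication-retries 3
! On releases with SSHv2 support, refuse SSH1 entirely:
! ip ssh version 2
!
! Only the management network may reach the VTY lines; log everything else.
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
```

After applying it, "show ip ssh" reports whether the server is enabled and which protocol version it runs, and "show crypto key mypubkey rsa" shows the key pair the server presents; a Telnet attempt to the VTY lines should now be refused, and an SSH attempt from outside 192.0.2.0/24 should produce an access-list 10 log entry rather than a login prompt.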



