nanog mailing list archives
Re: IT security people sleep well
From: Robert Boyle <robert () tellurian com>
Date: Sun, 06 Jun 2004 21:52:51 -0400
At 07:14 PM 6/6/2004, you wrote:
On the SSH/SSL front: IMHO these technologies give a false sense of security. Sniffing cleartext management sessions is a concern, yes, but actual incidents where it occurs, especially within your own network infrastructure, are vanishingly rare compared to the commonplace compromise of individual hosts. Creating a secure link between hosts is wasted effort at best if you can't trust the host at the other end of that link.
Agreed. I really truly don't see the problem with plaintext telnet management of routers. We have access-lists on vty 0 15 specifying which networks can even connect. We can't connect except from a trusted internal management network, and I control all the routers and circuits in the path. If someone is in the middle of one of my circuits doing some type of dump of the data to disk, they are probably the NSA or CIA, and I've got much bigger problems. Can someone please provide a situation where doing this can lead to compromise or any type of problem at all? I just don't see it. However, I see people having unpatched servers running without proper ACLs every day, and this is rarely discussed, and as Stephen Sprunk points out, a lot of people here on nanog don't apply bogon filters or even source filter their customers - and this doesn't require a feature set upgrade to IOS. (All of which we do, btw.) So I'm still not convinced that SSL on routers is needed. Nice, sure, but needed? No. Please convince me otherwise if you feel this is such a hugely pressing need, or at least explain your position.
R

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - Francis Jeffrey
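The vty access-list setup Robert describes, placed beside the SSH-only variant the thread is arguing for, as an added Cisco IOS configuration example. This is not configuration from the original post or from Tellurian; the management network 192.0.2.0/24, the hostname, domain name and username are assumed placeholders.

```cisco
! Added example, not from the original message. 192.0.2.0/24 stands in for
! the trusted internal management network; replace with your own prefix.
access-list 10 remark Trusted management network only
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
! Variant A: what the post describes. Only the management network can
! reach the vty lines, but the session itself is cleartext telnet.
line vty 0 15
 access-class 10 in
 transport input telnet
!
! Variant B: same source restriction, but SSH is the only accepted
! transport, so credentials and commands are not carried in cleartext
! across the circuits in the path. Requires an IOS image with crypto.
hostname rtr1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
username netops secret <set-a-real-password>
line vty 0 15
 access-class 10 in
 transport input ssh
 login local
```

Apply one vty block or the other, not both; the access-class line is the control the post relies on, and the transport line is the only thing that changes between the two positions in the thread.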