Re: IT security people sleep well

[Priscilla Oppenheimer <po () priscilla com>]

On Jun 6, 2004, at 5:38 PM, Daniel Senie wrote:

> At 12:50 AM 6/6/2004, Paul Jakma wrote:
>
> > On Sat, 5 Jun 2004, Mike Lewinski wrote:
> >
> > > And that provides protection against MITM attacks how?
> >
> > kerberised telnet can be encrypted (typically DES - sufficient to 
> > guard MITM).
>
> Am I the only one who really likes devices to handle their own login 
> authentication? I've had more than one occasion to need to get into 
> and manage a device when the link between the device any anything 
> resembling an authentication server is toast, and the reason I'm 
> bothering to talk to the device in the first place?

I'm with you. I've had lots of occasions where I'm accessing the router 
because of a problem that would also affect the router's ability to 
reach an authentication server.

It's egregious that SSH isn't standard in all IOS images, especially 
when you consider that choosing the right image is almost an 
NP-complete problem even with feature navigator! :-)

Of course, there are workarounds to no SSH, and SSH for routers is only 
one aspect of a multifaceted "security defense  in depth" approach, but 
a rather important aspect...

Priscilla


> Yes, terminal servers can be an answer. But SSH can be a perfectly 
> good path in across whatever link(s) are still functional.
>
> Even an inexpensive managed layer 2 switch I installed recently for a 
> client had decent ssh support (yes, it supported other methods of 
> authentication too, including the use of server-based authentication).

__________________

Priscilla Oppenheimer
www.topdownbook.com
"Life's a gift, and then you die."