nanog mailing list archives

RE: IT security people sleep well


From: "Jason Frisvold" <friz () corp ptd net>
Date: Mon, 7 Jun 2004 22:40:19 -0400


-----Original Message-----
From: Robert Boyle [mailto:robert () tellurian com] 

> Agreed. I really truly don't see the problem with plaintext telnet
> management of routers. We have access-lists on vty 0 15 specifying which
> networks can even connect. We can't connect except from a trusted
> internal management network and I control all the routers and circuits in
> the path. If someone is in the middle of one of my circuits doing some type
> of dump of the data to disk, they are probably the NSA or CIA, and I've got
> much bigger problems. Can someone please provide a situation

Yeah, that would be a concern...  :)

> where doing this can lead to compromise or any type of problem at all? I
> just don't see

Do you trust every person you work with?  Are your internal networks
completely segmented (including the ethernet switches?)  Here, they are
not.  And as much as it's been pointed out, they continue to leave
everyone in the company on the same segment.  Our security guy proved
this point by hijacking a switch, convincing it that the traffic had to
pass through his computer, and sniffed a TON of traffic ...  All within
a few minutes, without anyone knowing until he showed it...  Through
this, he was able to grab a number of passwords all through telnet
sessions.

Unless you can completely trust everyone in your internal network, ACLs
aren't always enough...

> it. However, I see people having unpatched servers running without proper
> ACLs every day and this is rarely discussed and as Stephen Sprunk points
> out, a lot of people here on nanog don't apply bogon filters or even source
> filter their customers - and this doesn't require a feature set upgrade to
> IOS. (All of which we do, btw) So I'm still not convinced that SSL on
> routers is needed. Nice, sure, but needed? No. Please convince me otherwise
> if you feel this is such a hugely pressing need or at least explain your
> position.

I've been converted into the "secure it if you can, ensure it's not
important if you can't" way of thinking ...  I would very much like to
change our ACLs to only allow telnet from our server farm (which is SSH
*ONLY*), thus allowing a little bit of security ...  This would at least
bring us into the "if someone's listening, it's gotta be the NSA or CIA"
class of security...  :)

R

Jason Frisvold
Penteledata
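The two vty setups the thread argues over, as an added Cisco IOS configuration example that is not from either poster: the first block is the access-class-plus-telnet arrangement Robert describes, the second narrows the access-class to an SSH-only management network and drops telnet entirely. The hostname, domain, username, and the 192.0.2.0/24 management range are constructed for this example.

```cisco
! --- Before: vty lines restricted by ACL but still carrying cleartext telnet ---
ip access-list standard MGMT-NETS
 permit 10.0.0.0 0.255.255.255
!
line vty 0 15
 access-class MGMT-NETS in
 transport input telnet
 login local
!
! --- After: same ACL idea, narrowed to the management hosts, SSH only ---
hostname rtr1
ip domain-name example.net
! An RSA key pair must exist before the SSH server will start
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the (assumed) server-farm range may reach the vty lines; log the rest
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
username netops privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
```

`show ip ssh` confirms the SSH server is enabled, and the `deny any log` entry surfaces connection attempts from outside the permitted range in the router's logs.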
