North American Network Operators Group


Re: IT security people sleep well

  • From: Robert Boyle
  • Date: Mon Jun 07 15:38:46 2004

At 12:11 PM 6/7/2004, you wrote:
> ever heard of multilayer security?

Absolutely, and I am a huge believer in it, and all of our systems and our network are designed with many layers of protection... which is why I am against running ssh AND leaving it open to the world, since that leaves only a single layer of security. My point is simply that having SSH is a good tool, but I still don't think that having SSH relieves any of the other responsibility for proper network security.

> some little problem somewhere that allows an attacker to sniff your
> telnet traffic and you are d00med. that might be as simple as a routing
> fuckup.

That would have to be a pretty major screwup.

> You lose nothing with using ssh instead of telnet.
> You win a lot.

I agree 100%. However, is that worth $x thousand more per IOS image? Maybe. Should it be included by default? Yes.

> ssh is a basic component for secure network management.
> it is not the one magic piece that turns a collection of crap into an
> ubersecure network of course, as some people seem to imply.

Exactly, and that is my point. Especially when leaving SSH open to the world on all routers because it is "secure" is LESS secure than having secure passwords and ACLs and using telnet from the local LAN only. In an ideal world, you would have an ACL, a secure password, AND SSL.

> not seeing the problem with cleartext telnet for remote logins in 2004,
> whether ACL'd or not, is just ... oh man, I don't have words for this.

I see the theoretical problem with telnet, but in the real world, I think there are many other more basic security practices which should be focused on, perhaps even before worrying about ssh for routers. How many people have a dictionary word as their password for SSH? How many times have you purchased a used router which was used by (insert big ISP here) and found the password to be a simple dictionary word, on multiple routers purchased from multiple ISPs? My only point is that there are many other things to worry about for building comprehensive security as part of a network than simply enabling a protocol for remote management. That should be one of MANY issues which should constantly be addressed.

R


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - Francis Jeffrey
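Added illustration, not part of the original post or the thread: the layered vty setup the message argues for, written out as Cisco IOS configuration. The weak "before" fragment is constructed to match the used-router scenario described above (telnet from anywhere, dictionary-word password). The hardened fragment combines all three layers named in the post: a management-only ACL on the vty lines, a strong local credential, and SSH as the only permitted transport. The hostname, domain name, ACL number, the 192.0.2.0/24 management subnet and the passphrase placeholders are assumptions; the SSH-related commands require a crypto-capable IOS image.

```cisco
! --- Constructed "before" config: the used-router scenario from the post ---
line vty 0 4
 password cisco
 login
 transport input telnet

! --- Hardened config: ACL + strong credential + SSH only ---
hostname core1                        ! assumed
ip domain-name example.net            ! assumed; needed to generate the host key
!
! SSH host key and server settings (crypto-capable image required)
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Layer 1: only the management subnet may reach the vty lines at all
access-list 10 permit 192.0.2.0 0.0.0.255   ! assumed management subnet
access-list 10 deny any log
!
! Layer 2: per-user login with a hashed (secret) credential, not a reversible "password"
username netops privilege 15 secret <long-random-passphrase>
enable secret <long-random-passphrase>
service password-encryption
!
! Layer 3: encrypted transport only
line vty 0 4
 access-class 10 in
 login local
 exec-timeout 10 0
 transport input ssh
```

The `access-class` ACL and the `secret`-based credentials do not depend on the crypto image: they work just as well with `transport input telnet`, which is the post's point that ACLs and strong passwords are the layers that should be in place regardless. Switching the transport to ssh then adds the encryption layer on top rather than replacing the other two.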