North American Network Operators Group


RE: ABOVE.NET SECURITY TRUTHS?

  • From: Roeland Meyer (E-mail)
  • Date: Fri Apr 28 17:57:53 2000

The private net is still subject to wire-tap tricks. If the switch supports SSH1 then that should be sufficient. MHSC.NET, and every host I set up for dot-com clients, gets a telnetd/ftpd-ectomy for free. If it needs CLI access, it gets SSH or you have to go to the console. Even X11 and SMB sessions are forwarded through SSH. Given this sort of secure environment, plain-text Cisco sessions stand out like a sore thumb to a sniffer. They only have to look for the packets that are NOT encrypted. A private net is even worse: you are guaranteed that each packet is part of a network management session.

> -----Original Message-----
> From: Greene, Dylan [mailto:[email protected]]
> Sent: Friday, April 28, 2000 2:10 PM
> To: 'Paul Froutan'; [email protected]
> Cc: [email protected]
> Subject: RE: ABOVE.NET SECURITY TRUTHS?
> 
> 
> 
> Maybe I should read the entire message before responding.. hehe.. =)
> 
> A switched private management lan resolves the cleartext problem.  
> 
> SSH version 1 is apparently supported in 12.0 as well (never 
> played w/ it,
> so dunno how well it works);
> 
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s5/sshv1.htm
> 
> ..Dylan 

| -----Original Message-----
| From: Paul Froutan [mailto:[email protected]]
| Sent: Friday, April 28, 2000 4:46 PM
| To: [email protected]
| Cc: [email protected]
| Subject: RE: ABOVE.NET SECURITY TRUTHS?
| 
| 
| 
| I don't think you can.  However, I use TACACS on all my switches and 
| routers.  From what I know, TACACS passwords are encrypted 
| using the key on 
| your network devices and the TACACS server.  So, that, in 
| combination with 
| a private management LAN not accessible by your customers 
| should lock down 
| your network pretty effectively.  Any comments?
| 
| At 4/28/00 -0700, you wrote:
| 
| > > Exiled Dave
| > > Sent: Friday, April 28, 2000 1:10 PM
| >
| > > Lets think about this, cisco in no way has such a flaw
| > > that would allow someone to 'root' and erase all the
| > > info on switches. The password was sniffed.
| >
| >Can one setup SSH on a Cisco 6509?
| 
| Paul Froutan                              Email: 
| [email protected]
| Rackspace, Ltd                       <http://www.rackspace.com>
| 
|
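The check Roeland describes above (on a management-only LAN, every flow is a management session, so a sniffer, or a defender, only has to look for the ones that are not SSH) as an added Python example. This is not code from the thread, from Cisco or from Rackspace; the per-connection record format ("src dst dst_port proto", one per line) and the addresses are constructed for the example. TACACS+ on TCP/49, which Paul mentions, is reported separately because its packet body is only XORed with an MD5-derived pad from the shared key rather than carried in a session cipher.

```python
"""Flag management sessions on a private LAN that are not carried over SSH.

Added example, not code from the NANOG thread or from any vendor. It takes
constructed per-connection records ("src dst dst_port proto", one per line)
and reports every session that is not SSH. On a management-only network each
flow is a management session, so any cleartext one is a credential leak.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample records, not real traffic; addresses are placeholders.
SAMPLE_LOG = """\
10.10.0.5 10.10.0.1 23 tcp
10.10.0.5 10.10.0.2 22 tcp
10.10.0.7 10.10.0.3 21 tcp
10.10.0.9 10.10.0.1 49 tcp
10.10.0.5 10.10.0.4 6000 tcp
10.10.0.8 10.10.0.2 22 tcp
"""

# Services that carry credentials or session data in the clear.
CLEARTEXT = {23: "telnet", 21: "ftp", 6000: "x11", 139: "smb", 445: "smb"}
# TACACS+ bodies are XORed with an MD5-derived pad built from the shared key;
# that hides credentials from a casual sniffer but is not a session cipher.
SHARED_KEY_ONLY = {49: "tacacs+"}
ENCRYPTED = {22: "ssh"}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    service: str
    severity: str  # "cleartext", "shared-key", or "unknown"


def classify(record: str):
    """Return a Finding for a non-SSH record, or None if the flow is SSH."""
    src, dst, port_s, proto = record.split()
    port = int(port_s)
    if port in ENCRYPTED:
        return None
    if port in CLEARTEXT:
        return Finding(src, dst, port, CLEARTEXT[port], "cleartext")
    if port in SHARED_KEY_ONLY:
        return Finding(src, dst, port, SHARED_KEY_ONLY[port], "shared-key")
    # Anything else on a management LAN is still a management session,
    # so it is reported rather than silently ignored.
    return Finding(src, dst, port, f"{proto}/{port}", "unknown")


def find_non_ssh_sessions(log_text: str):
    """All sessions in the log that are not SSH, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = classify(line)
        if finding is not None:
            findings.append(finding)
    return findings


def cleartext_targets(findings):
    """Count cleartext sessions per destination: the devices still to fix."""
    return Counter(f.dst for f in findings if f.severity == "cleartext")


if __name__ == "__main__":
    found = find_non_ssh_sessions(SAMPLE_LOG)
    for f in found:
        print(f"{f.severity:10} {f.src} -> {f.dst}:{f.port} ({f.service})")
    print("devices with cleartext management:", dict(cleartext_targets(found)))
```

Run as-is it lists the telnet, ftp and X11 sessions as cleartext, the TACACS+ flow as shared-key only, and counts one cleartext target each for 10.10.0.1, 10.10.0.3 and 10.10.0.4; the SSH flows produce no finding. Feeding it real flow records only needs `classify` adapted to the exporter's field order.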