North American Network Operators Group


RE: SSH on IOS (was RE: ABOVE.NET SECURITY TRUTHS?)

  • From: Roeland Meyer (E-mail)
  • Date: Fri Apr 28 22:26:59 2000

Actually doing that now, with a Linux box and an old Livingston PM2E. Linux box runs SSHD, the portmaster runs directly into console ports 'stead of modems. I figured that was obvious. However, I don't run a co-lo either. Most of my systems reside in them. This is okay, until your ladders have to run through semi-public space. There is also a 50 foot length restriction, on RS-232 lines, unless you like running at less than 115K baud. Also, figure the expense of the extra hardware. In my case, it was unused sunk-cost anyway (surplus, for you non-suits).

> John Fraizer
> Sent: Friday, April 28, 2000 6:31 PM
> 
> > > SSH version 1 is apparently supported in 12.0 as well (never played w/ it, so dunno how well it works);
> > 
> <snip>
> > 
> > So just don't do a 'show slaveslot0:' over SSH  :-) Anyone else have this problem?  Works fine via console or (shudder) telnet..
> > 
> <snip>
> >  SSH on 6509s, that would be great! Still fighting with the idea of running real IOS on 6500s, if the real IOS part contains SSH, you can bet I would upgrade sooner than later. Anyone running 'real' IOS on 6500s? Any gotchas or superbugs?
> 
> 
> I have a VERY novel idea for you all and since no one has mentioned it, here goes:
> 
> 
> NOC----------Management Network---------SSH Drone
>                                         | | | |
>                     Serial Lines ->     | | | ---Router1
>                                         | | |--Switch1
>                                         | -Router2
>                                         -Switch2
> 
> 
> I know.  It's just too simple and it scales so very well so, it MUST be a bad idea.
> 
> Even if you don't have a dedicated management network, you just put a box that speaks SSH out there with serial access to your routers/switches.
> 
> If you DO have a management network, you connect that to it as well.
> 
> No matter what, you're secure to the SSH drone and if someone is in your cabinets tapping the serial lines, you've got big physical security problems to deal with and you might as well flat out give up on network security.
> 
> A Force Recon colonel once told me, "If it's a stupid idea, and it works, it must not be a stupid idea."
> 
> ---
> John Fraizer
>  
>
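An added example, not from this thread: one way a Linux SSH drone like the one sketched above can mediate console access, written as a hypothetical OpenSSH ForceCommand wrapper so an authenticated user gets exactly one permitted console line and nothing else. The console names, user names, device paths and the use of cu(1) as the terminal program are assumptions.

```python
"""Hypothetical ForceCommand wrapper for the SSH console drone.
sshd on the drone would carry roughly:
    Match Group console
        ForceCommand /usr/local/bin/console-attach
        PermitTTY yes
        AllowTcpForwarding no
so every session runs this script instead of a shell; the target the user
asked for arrives in SSH_ORIGINAL_COMMAND, which OpenSSH sets.
"""
import getpass, logging, os, sys
from logging.handlers import SysLogHandler
# Constructed policy: the serial line each console is wired to, and which
# drone user may attach to which console.  Device paths are examples.
CONSOLES = {
    "Router1": "/dev/ttyS0",
    "Switch1": "/dev/ttyS1",
    "Router2": "/dev/ttyS2",
    "Switch2": "/dev/ttyS3",
}
ACCESS = {
    "noc": {"Router1", "Switch1", "Router2", "Switch2"},
    "contractor": {"Switch2"},
}

def select_console(user, requested):
    """Serial device for `requested`, or None if `user` may not attach.
    The target is looked up by name in a fixed table, so a caller can
    never supply a device path or a command of their own."""
    target = requested.strip()
    if target not in CONSOLES or target not in ACCESS.get(user, set()):
        return None
    return CONSOLES[target]

def main():
    log = logging.getLogger("console-attach")
    log.setLevel(logging.INFO)
    log.addHandler(SysLogHandler(address="/dev/log"))  # audit every attach
    user = getpass.getuser()
    requested = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    device = select_console(user, requested)
    if device is None:
        log.warning("denied user=%r target=%r", user, requested)
        sys.exit("no such console, or access denied")
    log.info("user=%r attached to %s", user, requested)
    # Assumed terminal program: cu(1) opens the line at the console speed.
    os.execvp("cu", ["cu", "-l", device, "-s", "9600"])

if __name__ == "__main__":
    main()
```

A user then runs `ssh noc@drone Router1`; because the forced command ignores the shell request entirely, the drone never exposes a general-purpose login even if the user's key is compromised.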