North American Network Operators Group

RE: SSH on IOS (was RE: ABOVE.NET SECURITY TRUTHS?)
Actually doing that now, with a Linux box and an old Livingston PM2E. Linux box runs SSHD, the portmaster runs directly into console ports 'stead of modems. I figured that was obvious. However, I don't run a co-lo either. Most of my systems reside in them. This is okay, until your ladders have to run through semi-public space. There is also a 50 foot length restriction, on RS-232 lines, unless you like running at less than 115K baud. Also, figure the expense of the extra hardware. In my case, it was unused sunk-cost anyway (surplus, for you non-suits).

> John Fraizer
> Sent: Friday, April 28, 2000 6:31 PM
>
> > > SSH version 1 is apparently supported in 12.0 as well (never played w/ it,
> > > so dunno how well it works);
> >
> <snip>
> >
> > So just don't do a 'show slaveslot0:' over SSH :-) Anyone else have this
> > problem? Works fine via console or (shudder) telnet..
> >
> <snip>
> > SSH on 6509s, that would be great! Still fighting with the idea of
> > running real IOS on 6500s, if the real IOS part contains SSH, you can bet
> > I would upgrade sooner than later. Anyone running 'real' IOS on
> > 6500s? Any gotchas or superbugs?
> >
> I have a VERY novel idea for you all and since no one has mentioned it,
> here goes:
>
>
> NOC----------Management Network---------SSH Drone
>                                          | | | |
>                        Serial Lines ->   | | | ---Router1
>                                          | | |--Switch1
>                                          | -Router2
>                                          -Switch2
>
>
> I know. It's just too simple and it scales so very well so, it MUST be a
> bad idea.
>
> Even if you don't have a dedicated management network, you just put a box
> that speaks SSH out there with serial access to your routers/switches.
>
> If you DO have a management network, you connect that to it as well.
>
> No matter what, you're secure to the SSH drone and if someone is in your
> cabinets tapping the serial lines, you've got big physical security
> problems to deal with and you had might as well flat out give up on
> network security.
>
> A Force Recon colonel once told me, "If it's a stupid idea, and it works,
> it must not be a stupid idea."
>
> ---
> John Fraizer