North American Network Operators Group


RE: SSH on Cisco Routers (was RE: ABOVE.NET SECURITY TRUTHS?)

  • From: Roeland Meyer (E-mail)
  • Date: Sat Apr 29 14:41:34 2000

> Ron Buchalski
> Sent: Friday, April 28, 2000 9:40 PM
> 
> SSH1 is supported on the following platforms starting in 12.1(1)T:
> 
> C17x0, C25xx, C26xx, C36xx, C4x00, C7x00

I sadly note the conspicuous absence of the 3512XL, 3524XL and the entire Cat 65xx series from this list <sigh>.

Granted, the 65xx can't quite keep up with its advertised bandwidth (an indicator of insufficient CPU somewhere), but I never require more than 65% of advertised capacity anyway (comes out to ~80 Gbps), by design, which the Cat6509 can do easily. The Cat6509 is still my favorite chassis for internal LAN switching. I use 3512XLs (or 3524XLs) for end-point switching when the server doesn't have a gig-E card (and never use more than 7 ports per gig-E uplink). I've spec'd three datacenters like this in the past 6 months; one is currently in production.

WRT: external access

Speaking as a suit, it is fine and dandy to make statements barring external access, but when running a 24x7 portal, it is deucedly expensive to maintain 24x7 staff at the co-lo, especially since most things can be fixed by a CLI login. This is where technical theory and business reality can clash. Also, down-time can be reduced when the on-call tech doesn't have to spend an hour driving into the co-lo from home (maybe getting into a wreck on the way, due to lack of sleep). This is exacerbated when doing regional datacenters, thousands of miles away from the nearest staff member. Granted, the problem may not be this severe for the co-lo operator themselves. But the co-lo customer certainly has this problem. Co-lo operations is remote datacenter operations, for the co-lo customer, by definition.

WRT: Passwd diversification

Known fact: The average person can track no more than 7 +/- 2 related items at any given time. This is also, coincidentally, the maximum number of passwds that the average person can remember without confusion or forgetfulness, without writing them down somewhere. The real number is actually 3-4, because they also have to remember their ATM passcodes and the like.

Given 15 or 20 switches, routers, and hosts for a decent sized portal site, each having a unique passwd, you have virtually guaranteed that these passwds are written down somewhere, officially or not (mine are in my palm pilot).

Which is worse, untracked and unofficial passwd lists, or commonly used passwds? Upgrading human memory isn't a viable third alternative.

WRT: SSH CPU overhead

A PalmPilot has more total system capacity than an original IBM-PC (including disk drives) and about 8 times the CPU power. It can easily implement SSH. Granting my statement wrt 65xx series capacity, I'd STILL like to see SSHD implemented there (now that I have a Cisco rep's attention <grin>). Yes, please consider this a customer request.

WRT: SSH direct logins

Even though I have RSA-enabled my SSH sessions, I don't allow passwdless login on any host [even if it's the same passwd]. It may be a small, annoying speed-bump for an SA, but it prevents run-amuck hackers and code from infecting other connected hosts. I've actually had this save my bacon a few times, and I've seen some negative results using passwdless logins (system cracks AND runaway code [mine]).

Finally:

I'd like to see every internal and systems management packet using either 3DES or blowfish, or using SSH, SSL, or TLS systems (OpenSSL anyone?). I routinely do this within my systems, by design (webserver to Oracle database server, and others), and if everyone else were doing it then B2B would be easier (more secure) as well. As I stated earlier, in a universe of encrypted packets, the plain-text ones stand out like sore thumbs. If they are also systems management packets, then the would-be cracker has a much easier time of things.

Incidentally, if this should wreak havoc with CALEA requirements, <sarcasm> it would just break my heart </sarcasm> <GRIN>.

---
R O E L A N D  M .  J .  M E Y E R
CEO, Morgan Hill Software Company, Inc.
An eCommerce and eBusiness practice
providing products and services for the Internet.
Tel: (925)373-3954
Fax: (925)373-9781