North American Network Operators Group


Re: SSH on IOS (was RE: ABOVE.NET SECURITY TRUTHS?)

  • From: Howard Hart
  • Date: Sat Apr 29 14:52:31 2000

Careful on this. There are a number of systems out there (Suns in particular)
that equate toggling on the serial line to a halt/shutdown command. Imagine
your surprise when you reboot your cheap terminal server only to discover your
vendors' routers/switches/BSD-based load balancers/etc. employ this feature
too...Ughh.

Howard Hart
ipDialog, Inc.

Shawn McMahon wrote:

> There are lots of ways to make this work:
>
> Digiboard or Rocketport in the Linux box.
>
> Real terminal server (Livingston is good, Computone Powerrack is cheaper,
> has more ports per Rack Unit, and is good enough for this usage) in the
> rack with direct Ethernet connect to a Linux box racked right above it, so
> physical security is still easy, then SSH to the Linux box.
>
> If you lock that Linux (or Open/Free/Net-BSD) box down so it accepts
> NOTHING other than that SSH traffic, you could even slap a hub down and use
> it to direct Ethernet management traffic, although that opens you up to
> possible sniffing if a router is cracked.
>
> Best to stick with the serial solutions, but they can be pretty damn cheap.
>
> Certainly cheaper than breakins.
>
> Figure anywhere from $500 to $1,500 for the Linux server (depending upon
> the quality of components, and whether you put it in a rack-mount case or
> just drop it on top of the terminal server), and $2,500 for a Computone
> Powerrack (with ISP discounts, and using the pricing I remember from years
> ago, which could very well have changed), with no expenditure on software
> at all (unless you count $1.99 for a CD from CheapBytes) and you're looking
> at a damned cheap, damned secure system that your entire staff can use.
> You could even log all the traffic on the Linux box, provide scripts for
> common tasks and keep them on the isolated server where they're safe, or
> even (if you needed to) tcpdump all the traffic to the terminal server for
> infinite levels of security micromanagement.
>
> All for less than the cost of the consultants who'd sell you the
> less-secure versions of securing this traffic.
>
> On Fri, 28 Apr 2000, "Roeland Meyer (E-mail)" wrote:
> > Date: Fri, 28 Apr 2000 19:24:32 -0700
> > To: "'John Fraizer'" <[email protected]>,
> >         "'Jason Ackley'" <[email protected]>
> > From: "Roeland Meyer (E-mail)" <[email protected]>
> > Reply-To: <[email protected]>
> > Subject: RE: SSH on IOS (was RE: ABOVE.NET SECURITY TRUTHS?)
> >
> >
> > Actually doing that now, with a Linux box and an old Livingston PM2E.
> > Linux box runs SSHD, the portmaster runs directly into console ports
> > 'stead of modems. I figured that was obvious. However, I don't run a
> > co-lo either. Most of my systems reside in them. This is okay, until your
> > ladders have to run through semi-public space. There is also a 50 foot
> > length restriction, on RS-232 lines, unless you like running at less than
> > 115K baud. Also, figure the expense of the extra hardware. In my case, it
> > was unused sunk-cost anyway (surplus, for you non-suits).
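Shawn's point about logging all the traffic on the Linux box, as an added example that is not code from the thread: a small relay for the jump host that listens on loopback only (so it is reachable only after SSH-ing to the box), passes each operator session to the terminal server's port, and keeps a timestamped transcript of both directions for audit. The host name, ports and log path are assumptions.

```python
"""Console session relay with transcript logging (added example, not from
the thread). Runs on the locked-down Linux box in front of the terminal
server: listens on loopback only (reachable after SSH-ing to the box),
relays each session to the terminal server's port, and writes a timestamped
transcript of both directions. Host, ports and log path are assumptions."""
import select
import socket
import time


def _stamp(direction: str, data: bytes) -> str:
    # One transcript line per chunk; repr() keeps control bytes (a ^C, a
    # telnet IAC sequence) visible instead of mangling the log file.
    return "%s %s %s\n" % (time.strftime("%Y-%m-%dT%H:%M:%S"), direction, repr(data))


def relay(operator: socket.socket, console: socket.socket, log) -> dict:
    """Copy bytes between the two sockets until either side closes; every
    chunk is appended to `log`. Returns bytes copied per direction."""
    counts = {"to_console": 0, "to_operator": 0}
    peers = {operator: (console, "to_console"), console: (operator, "to_operator")}
    while True:
        readable, _, _ = select.select(list(peers), [], [])
        for src in readable:
            dst, direction = peers[src]
            data = src.recv(4096)
            if not data:            # one side hung up: the session is over
                return counts
            dst.sendall(data)
            counts[direction] += len(data)
            log.write(_stamp(direction, data))
            log.flush()             # transcript survives a crash of the relay


def serve(listen_port: int, console_host: str, console_port: int, log_path: str) -> None:
    """Accept operators one at a time and relay each to the console server."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", listen_port))   # loopback only: no way in but SSH
    srv.listen(1)
    with open(log_path, "a") as log:
        while True:
            op, _ = srv.accept()
            with op, socket.create_connection((console_host, console_port)) as con:
                log.write("%s session opened\n" % time.strftime("%Y-%m-%dT%H:%M:%S"))
                relay(op, con, log)


if __name__ == "__main__":   # assumed values; point these at the real terminal server
    serve(2323, "termserver.example.net", 23, "/var/log/console-transcript.log")
```

With the relay bound to loopback, an operator's only path to the console port is an SSH login to the box followed by a connection to 127.0.0.1:2323, and the transcript records what each side sent.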