North American Network Operators Group


Re: ABOVE.NET SECURITY TRUTHS?

  • From: Joe Shaw
  • Date: Sun Apr 30 21:36:47 2000

On Fri, 28 Apr 2000, Danny McPherson wrote:

> IMO, it requires more than this.  Ideally, one-time, token-based (i.e. SecurID)
> passwords, coupled with SSH, is the best solution, especially with the turnover
> rates at providers these days.

There is digital certificate support in the 12.0(7)t and later versions of
IOS.  I'm not sure exactly how or if it will interact with SSH v.1 on the
IOS router platforms (it uses an IPSec connection via the Cisco 
Secure VPN Client) since I'm still in the testing phase.  I'm currently
testing Entrust, which may be the only PKI package that Cisco currently
supports.  I haven't gotten around to testing the Entrust<->Cisco just
yet.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/csvpnsg/idcentr.htm
  
Turnover is just a problem of not being able to adequately compensate
and/or respect one's employees.  I've had the pleasure of walking away
from my fair share of crap jobs that paid too little, and I've also walked
away from a great job that paid too little.  I saw one company lose 90% of
its operations staff over a three-month period after the CEO decided to
start dishing out insults because he just didn't understand how IP could
be so much different than Cable TV.  By the time the board of directors 
put a muzzle on him, it was too late.  You just don't piss off talented
people who built the network and know it better than they know
themselves.  Some hard-assed business people don't get this yet, thinking
a college degree and an NT cert qualifies someone to handle an
international IP network.

Pay your talent well, treat them well, and the turnover problem should
take care of itself.  Don't do those things, and you just perpetuate the
hired gun syndrome that seems to dominate the tech job market.

Sorry for getting off-topic, but it is one of my biggest pet peeves.  

> Of course, this also requires that all the backend (RADIUS, configuration management,
> etc..) and out-of-band systems are secure, which is another rathole altogether.

It's amazing how easy it is to use some of these out-of-band systems to
compromise all sorts of neat things.  Companies will spend 5 figures/site 
on a firewall, and leave unpassword protected dial-in access to the
internal network without giving it a second thought.

> As for this incident, well, I think if the initial intent of the
> "divulging message" was simply to remind folks to change their
> passwords, the point's been made.

Sadly, since humans are involved here, it will probably happen to someone
else in the future.  If a sales person knew the telnet/enable passwords,
then there's a definite problem with controlling and managing credentials.

--
Joseph W. Shaw - [email protected]
Sr. Security Specialist - Enron Broadband Services
This is my personal account.  Affiliation to my employer is given for credentials only.