North American Network Operators Group


Re: telnet vs ssh on Core equipment , looking for reasons why ?

  • From: Ariel Biener
  • Date: Tue Jul 31 18:53:51 2001

On Tue, 31 Jul 2001, Dan Hollis wrote:

> Hmmm, how about I lockdown all MAC addresses on switch ports and configure
> port IP filters and set the switch so filter violations automatically
> disable your port?

Dan, really, how many people do you know that actually enforce any of the
above techniques?  Talking about security is fun, and can get tiresome,
but a network administrator or system administrator, or even an
organization, makes a decision about how far they wish to go with it, and how
willing they are to hinder the normal course of working.

Just as an example, let's assume you use a FastEthernet interface, with MAC
address X. Tomorrow you find out that you're using some 80% of it, and you
define a portchannel, with two FEs. The ARP address will change. Now, if
you are running through a few networks, or even if you are managing a few
tens of routers, doing what you are suggesting creates immense overheads of
management.

The idea is to work as securely as possible, without hindering work, and
without creating more work, and spending a lot more time (thus money) on
these things.

Think about it for a minute.

--Ariel

> 
> Then when you try this arp spoofing nonsense, your link goes down and I'll
> get paged so I can permanently correct your workstation with a
> sledgehammer.
> 
> -Dan
> 
> --
> [-] Omae no subete no kichi wa ore no mono da. [-]
> 

--
Ariel Biener
e-mail: [email protected]
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html
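The port lockdown Dan describes, written out as an added Cisco IOS-style example that is not part of either poster's message. The interface name, the neighbour MAC address and the VLAN are constructed for illustration; the point it makes concrete is Ariel's: the permitted address is hard-coded per port, so every change of the neighbour's hardware address (a replaced NIC, or a link re-bundled into a port-channel) means touching the configuration of every switch port that faces it.

```cisco
! Added example: static MAC lockdown on an access port, as proposed in the
! quoted reply. Port, VLAN and MAC below are made-up values.
interface FastEthernet0/1
 description uplink to router X (constructed example)
 switchport mode access
 switchport access vlan 10
 ! Allow exactly one source MAC on this port ...
 switchport port-security
 switchport port-security maximum 1
 ! ... and name it explicitly. If the far side's address ever changes,
 ! this line has to be edited on every such port.
 switchport port-security mac-address 0011.2233.4455
 ! Any frame from another source MAC err-disables the port, which is what
 ! triggers the page Dan mentions. Without the recovery timer below, the
 ! port stays down until someone does "shutdown" / "no shutdown" on it.
 switchport port-security violation shutdown
!
! Optional: bring err-disabled ports back automatically after 300 seconds,
! so a single violation does not require manual intervention.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

A common alternative to the hand-entered address is `switchport port-security mac-address sticky`, which learns the first address seen and writes it into the running configuration; it reduces the initial typing but not the ongoing maintenance Ariel is talking about, since a learned address becomes just as static once saved.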