North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Telco's write best practices for packet switching networks

  • From: Christopher L. Morrow
  • Date: Wed Mar 06 13:34:18 2002

On 6 Mar 2002, Eric Brandwine wrote:

> >>>>> "rp" == Rob Pickering <[email protected]> writes:
> rp> Why would you want to expose a management protocol like ssh to the
> rp> Internet?
> You wouldn't.  Neither would I.  I'll go poke fun at Chris.

I can think of a few reasons, it's no more/less secure than
sendmail/postfix/bind/snmpdx/...... its just another thing to monitor and
upgrade when there are problems.

In most people's example networks they PROBABLY run all their 'services'
on virtual interfaces anyway so ssh doesn't have to listen on the same ip
as bind so perhaps it's a non-issue.

> rp> OK so leaving ssh open is convenient, but if we are talking best
> rp> practice surely having your remote management protocols running on a
> rp> separate network, or at the very least filtering on a host basis so
> rp> that it's only listening to connects from your NOC has to be the way
> rp> to do this.
> Absolutely.  It bothers me that as an ISP, we kinda have to run mail
> and dns servers.  If there were two protocols I'd choose NOT to expose
> to the public network, they'd be it.  I'd much rather expose ssh than
> bind or sendmail.

We can be an ISP or we can not be an ISP, its a business decision... the
'be an ISP' seems to make money while the 'I got big vats of fiber in the
ground wanna use it for telephones?' seems to NOT make money.