North American Network Operators Group


RE: SSH on the router - was( IT security people sleep well)

  • From: McBurnett, Jim
  • Date: Mon Jun 07 08:51:03 2004

Ok back to the previous premise..
Linux with an IPSEC server load..
IPSEC to the Linux box, use Telnet or ???
to connect to the routers on the management VLAN/Net
and you're done....

Aside from that, use ACLs out the wazoo on the VTY lines and limit access to
that to say 1 SSH enabled router or 1 IPSEC enabled router...


Jim

->-----Original Message-----
->From: [email protected] [mailto:[email protected]]On Behalf Of
->Rubens Kuhl Jr.
->Sent: Monday, June 07, 2004 8:08 AM
->To: [email protected]; [email protected]
->Subject: Re: SSH on the router - was( IT security people sleep well)
->
->I'd rather use IPSEC than SSH to connect to routers or to a secure gateway
->and then to routers. Flaw history in IPSEC is much better than SSH, IPSEC
->can easily be used to move files with FTP or TFTP (does your router/client
->support SCP? SFTP?)...
->
->Unfortunately, IOS costs more to have IPSEC.
->
->
->Rubens
->
->----- Original Message ----- 
->From: <[email protected]>
->To: <[email protected]>
->Sent: Monday, June 07, 2004 7:39 AM
->Subject: SSH on the router - was( IT security people sleep well)
->
->
->>
->> > complaining that cisco charges extra for such a critical component is
->> > exactly the right thing to do; it is fucking scary.
->> >
->> > every damn network device which used to have telnet should ship with
->> > ssh, it's free.
->>
->> Why?
->>
->> The typical network architecture of an ISP sees routers located in
->> large clusters in a PoP or on a customer's site directly connected
->> to a PoP. Since it is dead simple to place a 1U Linux box or similar
->> SPARC server in a PoP to act as a secure gateway, why should router
->> vendors encourage laziness and sloppiness? IMHO routers should not
->> have SSH at all and should not accept any packets directed to them
->> unless they are coming from a small set of known addresses on the
->> network operator's management network.
->>
->> Once you open the router to SSH from arbitrary locations on the
->> Internet you also open the router to DDoS from arbitrary locations and
->> to attacks from people with inside info (SSH keys stolen or otherwise).
->>
->> It makes more sense to funnel everything through secure gateways and
->> then use SSH as a second level of security to allow staff to connect
->> to the secure gateways from the Internet. Of course these secure
->> gateways are more than just security proxies; they can also contain
->> diagnostic tools, auditing functions, scripting capability, etc.
->>
->> Now there is nothing fundamentally wrong with ADDING to that type
->> of architecture by enabling SSH between the routers and the security
->> gateways. But I believe that it is fundamentally wrong to consider
->> SSH on the router to be equivalent to opening the router to 
->any staff
->> member, anytime, anywhere on the Internet. There are still possible
->> man in the middle attacks that cannot be protected against by SSH.
->> Consider the case of a staff member lounging in the backyard on a
->> lazy Saturday afternoon with their iBook. They have an 
->802.11 wireless
->> LAN at home so they telnet to their Linux box in the kitchen and run
->> SSH to the router. Ooops!
->>
->> The only way to protect against that sort of situation is to encourage
->> everyone to be security-minded and not take risks where the network is
->> concerned. Funneling all access to routers through a secure gateway is
->> part of that security-mindedness and is just plain good practice.
->>
->> --Michael Dillon
->>
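Jim's suggestion of ACLs on the VTY lines, and Michael Dillon's point that a router should only accept management traffic from a small set of known addresses, can be checked against a saved configuration. The following is an added example, not code from anyone in this thread; it embeds a constructed IOS config (the ACL name, addresses and vty ranges are made up) and flags any vty range that lacks an inbound access-class or still permits telnet.

```python
import re

# Constructed sample IOS configuration (not from the thread): the first vty
# range is locked to a management ACL and SSH only, the second is left open.
SAMPLE_CONFIG = """\
ip access-list standard MGMT-HOSTS
 permit host 192.0.2.10
 permit 192.0.2.64 0.0.0.15
 deny any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
!
line vty 5 15
 transport input telnet ssh
!
"""

def parse_vty_blocks(config):
    """Map each 'line vty A B' stanza name to its indented child commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^line (vty \d+(?: \d+)?)$", raw)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a new top-level command ends the stanza
    return blocks

def audit_vty(config):
    """Return (stanza, problem) pairs for vty lines that break the policy:
    every vty range needs an inbound access-class and must not allow telnet."""
    findings = []
    for name, lines in parse_vty_blocks(config).items():
        if not any(re.match(r"access-class \S+ in$", l) for l in lines):
            findings.append((name, "no inbound access-class"))
        transports = [l.split()[2:] for l in lines
                      if l.startswith("transport input ")]
        if not transports:
            findings.append((name, "transport input not restricted"))
        elif any(set(t) & {"telnet", "all"} for t in transports):
            findings.append((name, "telnet permitted"))
    return findings
```

Running `audit_vty(SAMPLE_CONFIG)` reports only the `vty 5 15` range, once for the missing access-class and once for telnet.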