North American Network Operators Group
Re: SSH on the router - was( IT security people sleep well)
That was well spoken and certainly the smartest move that I have seen in this entire conversation, thanks.

-Henry

--- [email protected] wrote:
> > complaining that cisco charges extra for such a critical component is
> > exactly the right thing to do; it is fucking scary.
> >
> > every damn network device which used to have telnet should ship with
> > ssh, it's free.
>
> Why?
>
> The typical network architecture of an ISP sees routers located in
> large clusters in a PoP or on a customer's site directly connected
> to a PoP. Since it is dead simple to place a 1U Linux box or similar
> SPARC server in a PoP to act as a secure gateway, why should router
> vendors encourage laziness and sloppiness? IMHO routers should not
> have SSH at all and should not accept any packets directed to them
> unless they are coming from a small set of known addresses on the
> network operator's management network.
>
> Once you open the router to SSH from arbitrary locations on the
> Internet you also open the router to DDoS from arbitrary locations and
> to attacks from people with inside info (SSH keys stolen or otherwise).
>
> It makes more sense to funnel everything through secure gateways and
> then use SSH as a second level of security to allow staff to connect
> to the secure gateways from the Internet. Of course these secure
> gateways are more than just security proxies; they can also contain
> diagnostic tools, auditing functions, scripting capability, etc.
>
> Now there is nothing fundamentally wrong with ADDING to that type
> of architecture by enabling SSH between the routers and the security
> gateways. But I believe that it is fundamentally wrong to consider
> SSH on the router to be equivalent to opening the router to any staff
> member, anytime, anywhere on the Internet. There are still possible
> man-in-the-middle attacks that cannot be protected against by SSH.
>
> Consider the case of a staff member lounging in the backyard on a
> lazy Saturday afternoon with their iBook. They have an 802.11 wireless
> LAN at home so they telnet to their Linux box in the kitchen and run
> SSH to the router. Ooops!
>
> The only way to protect against that sort of situation is to encourage
> everyone to be security-minded and not take risks where the network is
> concerned. Funneling all access to routers through a secure gateway is
> part of that security-mindedness and is just plain good practice.
>
> --Michael Dillon
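As an added illustration (not part of the original thread, and not anything either poster wrote), this is what the quoted rule "only accept management connections from a small set of known addresses on the operator's management network" looks like on a Cisco IOS vty, with the open telnet configuration beside the restricted SSH one. The management prefix 192.0.2.0/24, the ACL name MGMT, the hostname, domain name and username are all assumptions chosen for the example.

```cisco
! Added example, not from the thread. Prefix 192.0.2.0/24 stands in for the
! secure-gateway / management network; MGMT, core1, example.net and the
! username ops are illustrative names.
!
! --- Weak: cleartext telnet, reachable from any source address ----------
line vty 0 4
 password cleartextpassword
 login
 transport input telnet
!
! --- Restricted: SSHv2 only, and only from the management network -------
hostname core1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
username ops privilege 15 secret <choose-a-strong-secret>
!
ip access-list standard MGMT
 remark only the secure gateways may open a vty session
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
 exec-timeout 10 0
```

The `access-class` filter applies only to inbound vty sessions; it does not by itself make the router drop every other packet addressed to it, which is the broader rule the quoted message asks for. Other listeners on the box (SNMP, for instance, whose community string can carry its own ACL) need their own source restrictions, and the same prefix should be the only one allowed to reach the router at all in whatever interface or control-plane filtering the platform supports. The secure gateway at 192.0.2.x is then the single place where staff authenticate from the Internet, which is the architecture the message argues for.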