North American Network Operators Group


Re: SSH on the router - was( IT security people sleep well)

  • From: Henry Linneweh
  • Date: Mon Jun 07 11:15:38 2004

That was well spoken and certainly the smartest move
that I have seen in this entire conversation, thanks.

-Henry



--- [email protected] wrote:
> 
> > complaining that cisco charges extra for such a critical component is exactly the right thing to do; it is fucking scary.
> > 
> > every damn network device which used to have telnet should ship with ssh, it's free.
> 
> Why?
> 
> The typical network architecture of an ISP sees routers located in large clusters in a PoP or on a customer's site directly connected to a PoP. Since it is dead simple to place a 1U Linux box or similar SPARC server in a PoP to act as a secure gateway, why should router vendors encourage laziness and sloppiness? IMHO routers should not have SSH at all and should not accept any packets directed to them unless they are coming from a small set of known addresses on the network operator's management network.
> 
> Once you open the router to SSH from arbitrary locations on the Internet you also open the router to DDoS from arbitrary locations and to attacks from people with inside info (SSH keys stolen or otherwise).
> 
> It makes more sense to funnel everything through secure gateways and then use SSH as a second level of security to allow staff to connect to the secure gateways from the Internet. Of course these secure gateways are more than just security proxies; they can also contain diagnostic tools, auditing functions, scripting capability, etc.
> 
> Now there is nothing fundamentally wrong with ADDING to that type of architecture by enabling SSH between the routers and the security gateways. But I believe that it is fundamentally wrong to consider SSH on the router to be equivalent to opening the router to any staff member, anytime, anywhere on the Internet. There are still possible man in the middle attacks that cannot be protected against by SSH. Consider the case of a staff member lounging in the backyard on a lazy Saturday afternoon with their iBook. They have an 802.11 wireless LAN at home so they telnet to their Linux box in the kitchen and run SSH to the router. Ooops!
> 
> The only way to protect against that sort of situation is to encourage everyone to be security-minded and not take risks where the network is concerned. Funneling all access to routers through a secure gateway is part of that security-mindedness and is just plain good practice.
> 
> --Michael Dillon
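The restriction Michael describes, a router that only accepts management sessions from a small set of known addresses on the operator's management network, as an added Cisco IOS configuration example that is not part of the original thread. The management subnet 192.0.2.0/24 (the secure gateways) and the user name are placeholders; the rest is standard IOS syntax.

```cisco
! Management network: only the secure gateways live here (placeholder subnet).
! Every other source is refused and the attempt is logged, so a probe from
! an unexpected address shows up in syslog instead of reaching the login prompt.
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! SSH protocol 2 only; version 1 has known weaknesses.
ip ssh version 2
!
! Local account used by the gateways; replace the secret with a real one.
username netops privilege 15 secret <PLACEHOLDER-SECRET>
!
! Apply the filter to the virtual terminal lines and drop telnet entirely.
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 exec-timeout 10 0
 login local
```

Verify with `show ip access-lists MGMT-ONLY` after a connection attempt from outside the management subnet: the `deny any log` counter should increment and a matching entry should appear in the syslog destination.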