North American Network Operators Group


Re: SSH on the router - was( IT security people sleep well)

  • From: Alex Bligh
  • Date: Mon Jun 07 13:29:33 2004


[use telnet+ACL instead of SSH]
while this protects the router such that it allows packets in only
from known addresses, it does not allow packets in only from known
MACHINES. Addresses can be spoofed. Vendor C (at least in recent
history) did/does not allow binding of the host stack only to specific
interfaces.

Thus it is (if you are determined) not impossible to spoof a telnet
session especially if the first thing you do is inject a return
route.

This is why we were all good chaps and secured our BGP sessions,
remember?

Of course SSH should ALSO be secured so it only comes from known
source addresses, mainly for administrative reasons (I'd like to
know just WHICH NOC member of staff logged in from where and when).

> There are still possible
> man in the middle attacks that cannot be protected against by SSH.
> Consider the case of a staff member lounging in the backyard on a
> lazy Saturday afternoon with their iBook. They have an 802.11 wireless
> LAN at home so they telnet to their Linux box in the kitchen and run
> SSH to the router. Ooops!
Umm, I get seriously worried when people suggest they allow people
with router access to telnet from box A to box B, then SSH to a router.
Firstly, they should be logging into a secure set of machines first
in all sensible security models I've seen (even if an ACL doesn't
force them to do that, they should do it as good practice). Before
you say "that requires them to have connectivity to those machines
in the case of network meltdown", in all sensible authentication
schemes the router is going to challenge some remote box(es) anyway,
and you can provide multiple such boxes - anything beyond that
is failover.

But the major point is: what kind of people do you (a) give enable
access on your router, and (b) do not appreciate that telnet, then
ssh, is a seriously bad idea in terms of security (and can't
instead install ssh on whatever box it is). Are engineers really
that dumb these days? Doing that sort of thing was a disciplinary
offence last time I ran a large network - not something to try and
work around with security policy. Note we even had this degree of
protection (no passwords in the clear over wires not controlled
by us) when IOS did not even have an ssh build.

Alex
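As an added illustration of the policy Alex describes (staff log in from a known set of secure machines, and the NOC wants to know who logged in from where and when), here is a small audit script; it is not from the thread. The log lines are constructed in the style of IOS SEC_LOGIN syslog messages, and the jump-host list is a hypothetical placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the style of IOS SEC_LOGIN syslog messages.
# The exact format is assumed for the example, not taken from the post.
SAMPLE_LOG = """\
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alex] [Source: 192.0.2.10] [localport: 22] at 13:29:33 UTC Mon Jun 7 2004
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 198.51.100.7] [localport: 22] at 13:31:02 UTC Mon Jun 7 2004
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: carol] [Source: 192.0.2.11] [localport: 23] at 13:35:40 UTC Mon Jun 7 2004
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 13:36:01 UTC Mon Jun 7 2004
"""

# Hypothetical "secure set of machines" that staff are required to log in from first.
JUMP_HOSTS = {"192.0.2.10", "192.0.2.11"}

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED): .*?"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
    r".* at (?P<when>.+)$"
)


@dataclass
class Finding:
    user: str
    src: str
    when: str
    reason: str


def audit_logins(log_text, jump_hosts=JUMP_HOSTS):
    """Return the login events that break the policy: successful logins not
    from an approved jump host or arriving over cleartext telnet (port 23),
    and failed logins originating outside the jump hosts."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a login event, skip it
        user, src, port, when = m["user"], m["src"], int(m["port"]), m["when"]
        if m["event"] == "LOGIN_SUCCESS":
            if src not in jump_hosts:
                findings.append(Finding(user, src, when, "login not from an approved jump host"))
            if port == 23:
                findings.append(Finding(user, src, when, "cleartext telnet login (port 23)"))
        elif src not in jump_hosts:
            findings.append(Finding(user, src, when, "failed login from outside the jump hosts"))
    return findings


if __name__ == "__main__":
    for f in audit_logins(SAMPLE_LOG):
        print(f"{f.when}: {f.user} from {f.src}: {f.reason}")
```

Run against a real syslog feed, the same check also shows whether telnet is still answering on the vty lines at all, which is the first thing the post says should not be the case.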