|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: IT security people sleep well
> -----Original Message----- > From: Robert Boyle [mailto:[email protected]] > > Agreed. I really truly don't see the problem with plaintext telnet > management of routers. We have access-lists on vty 0 15 > specifying which > networks can even connect. We can't connect except for from a trusted > internal management network and I control all the routers and > circuits in > the path. If someone is in the middle of one of my circuits > doing some type > of dump of the data to disk, they are probably the NSA or > CIA, and I've got > much bigger problems. Can someone please provide a situation Yeah, that would be a concern... :) > where doing > this can lead to compromise or any type of problem at all? I > just don't see Do you trust every person you work with? Are your internal networks completely segmented (including the ethernet switches?) Here, they are not. And as much as it's been pointed out, they continue to leave everyone in the company on the same segment. Our security guy proved this point by hijacking a switch, convincing it that the traffic had to pass through his computer, and sniffed a TON of traffic ... All within a few minutes, without anyone knowing until he showed it... Through this, he was able to grab a number of passwords all through telnet sessions. Unless you can completely trust everyone in your internal network, ACL's aren't always enough... > it. However, I see people having unpatched servers running > without proper > ACLs every day and this is rarely discussed and as Stephen > Sprunk points > out, lot of people here on nanog don't apply bogon filters or > even source > filter their customers - and this doesn't require a feature > set upgrade to > IOS. (All of which we do, btw) So I'm still not convinced that SSL on > routers is needed. Nice, sure, but needed? no. Please > convince me otherwise > if you feel this is such a hugely pressing need or at least > explain your > position. I've been converted into the "secure it if you can, ensure it's not important if you can't" way of thinking ... I would very much like to change our ACL's to only allow telnet from our server farm (which is SSH *ONLY*), thus allowing a little bit of security ... This would at least bring us into the "if someone's listening, it's gotta be the NSA or CIA" class of security... :) > R Jason Frisvold Penteledata
|