North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
RE: SSH on IOS (was RE: ABOVE.NET SECURITY TRUTHS?)
- From: Roeland Meyer (E-mail)
- Date: Fri Apr 28 22:26:59 2000
Actually doing that now, with a Linux box and an old Livingston PM2E. Linux box runs SSHD, the portmaster runs directly into console ports 'stead of modems. I figured that was obvious. However, I don't run a co-lo either. Most of my systems reside in them. This is okay, until your ladders have to run through semi-public space. There is also a 50 foot length restriction, on RS-232 lines, unless you like running at less than 115K baud. Also, figure the expense of the extra hardware. In my case, it was unused sunk-cost anyway (surplus, for you non-suits).
> John Fraizer
> Sent: Friday, April 28, 2000 6:31 PM
> > > SSH version 1 is apparently supported in 12.0 as well
> (never played w/ it,
> > > so dunno how well it works);
> > So just dont do a 'show slaveslot0:' over SSH :-) Anyone
> else have this
> > problem? Works fine via console or (shudder) telnet..
> > SSH on 6509s , that would be great! Still fighting with the idea of
> > running real IOS on 6500s, if the real IOS part contains
> SSH, you can bet
> > I would upgrade sooner than later. Anyone running 'real' IOS on
> > 6500s? Any gotchas or superbugs?
> I have a VERY novel idea for you all and since noone has mentioned it,
> here goes:
> NOC----------Management Network---------SSH Drone
> | | | |
> Serial Lines -> | | | ---Router1
> | | |--Switch1
> | -Router2
> I know. It's just too simple and it scales so very well so,
> it MUST be a
> bad idea.
> Even if you don't have a dedicated management network, you
> just put a box
> that speaks SSH out there with serial access to your routers/switches.
> If you DO have a management network, you connect that to it as well.
> No matter what, you're secure to the SSH drone and if someone
> is in your
> cabinets tapping the serial lines, you've got big physical security
> problems to deal with and you had might as well flat out give up on
> network security.
> A Force Recon colonel once told me, "If it's a stupid idea,
> and it works,
> it must not be a stupid idea."
> John Fraizer