North American Network Operators Group
Re: RE: SSH on IOS (was RE: ABOVE.NET SECURITY TRUTHS?)
- From: Shawn McMahon
- Date: Fri Apr 28 23:05:21 2000
There are lots of ways to make this work:

Digiboard or Rocketport in the Linux box.

Real terminal server (Livingston is good, Computone Powerrack is cheaper,
has more ports per Rack Unit, and is good enough for this usage) in the
rack with direct Ethernet connect to a Linux box racked right above it, so
physical security is still easy, then SSH to the Linux box.

If you lock that Linux (or Open/Free/Net-BSD) box down so it accepts
NOTHING other than that SSH traffic, you could even slap a hub down and use
it to direct Ethernet management traffic, although that opens you up to
possible sniffing if a router is cracked.

Best to stick with the serial solutions, but they can be pretty damn cheap.
Certainly cheaper than break-ins.

Figure anywhere from $500 to $1,500 for the Linux server (depending upon
the quality of components, and whether you put it in a rack-mount case or
just drop it on top of the terminal server), and $2,500 for a Computone
Powerrack (with ISP discounts, and using the pricing I remember from years
ago, which could very well have changed), with no expenditure on software
at all (unless you count $1.99 for a CD from CheapBytes) and you're looking
at a damned cheap, damned secure system that your entire staff can use.

You could even log all the traffic on the Linux box, provide scripts for
common tasks and keep them on the isolated server where they're safe, or
even (if you needed to) tcpdump all the traffic to the terminal server for
infinite levels of security micromanagement.

All for less than the cost of the consultants who'd sell you the
less-secure versions of securing this traffic.

On Fri, 28 Apr 2000, "Roeland Meyer (E-mail)" wrote:
> Date: Fri, 28 Apr 2000 19:24:32 -0700
> To: "'John Fraizer'" <nanog@EnterZone.Net>,
> "'Jason Ackley'" <email@example.com>
> From: "Roeland Meyer (E-mail)" <firstname.lastname@example.org>
> Reply-To: <email@example.com>
> Subject: RE: SSH on IOS (was RE: ABOVE.NET SECURITY TRUTHS?)
> Actually doing that now, with a Linux box and an old Livingston PM2E.
> Linux box runs SSHD, the portmaster runs directly into console ports
> 'stead of modems. I figured that was obvious. However, I don't run a
> co-lo either. Most of my systems reside in them. This is okay, until your
> ladders have to run through semi-public space. There is also a 50 foot
> length restriction, on RS-232 lines, unless you like running at less than
> 115K baud. Also, figure the expense of the extra hardware. In my case, it
> was unused sunk-cost anyway (surplus, for you non-suits).
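The design Shawn describes above hinges on one property: the Linux box in front of the terminal server accepts nothing but SSH from the admins, and on its back side talks to nothing but the terminal server. The script below is an added example, not code from the thread or from any of the products named in it; it emits an iptables-restore ruleset that enforces exactly that on a Linux console gateway. Everything about the layout is my assumption: eth0 faces the management network, eth1 is the isolated segment shared with the terminal server, the terminal server exposes its console ports over TCP 23, and SSH listens on 22. Interface names and ports can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the NANOG thread): generate a default-deny iptables
# ruleset for a Linux console gateway sitting between admins and a terminal
# server. Only SSH from the listed management CIDRs may come in on the
# management interface; the only new outbound flow allowed is to the
# terminal server's console port on the isolated interface. Everything else
# is logged (rate-limited) and dropped, and the box never forwards packets.
#
# Assumptions (mine, not the thread's): eth0 = management side, eth1 = segment
# shared with the terminal server, terminal server consoles on TCP 23.
#
# Usage: console_gw_rules TS_IP MGMT_CIDR [MGMT_CIDR ...] > rules.v4
#        iptables-restore < rules.v4

MGMT_IF=${MGMT_IF:-eth0}
TS_IF=${TS_IF:-eth1}
TS_PORT=${TS_PORT:-23}
SSH_PORT=${SSH_PORT:-22}

# Minimal check that an argument looks like an IPv4 address or CIDR, so a
# typo fails loudly instead of silently producing a ruleset with no ACCEPT.
valid_addr() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

console_gw_rules() {
    ts_ip=$1
    shift
    [ $# -ge 1 ] || { echo "need at least one management CIDR" >&2; return 1; }
    valid_addr "$ts_ip" || { echo "bad terminal server address: $ts_ip" >&2; return 1; }
    for cidr in "$@"; do
        valid_addr "$cidr" || { echo "bad management CIDR: $cidr" >&2; return 1; }
    done

    # Default policy is DROP on every chain; FORWARD stays empty because the
    # gateway must never route between the management and console segments.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # One explicit ACCEPT per management CIDR, restricted to the management
    # interface so a spoofed source on the console segment cannot match.
    for cidr in "$@"; do
        echo "-A INPUT -i $MGMT_IF -p tcp -s $cidr --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "console-gw drop: "
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $TS_IF -p tcp -d $ts_ip --dport $TS_PORT -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "console-gw egress drop: "
-A OUTPUT -j DROP
COMMIT
EOF
}

# Stand-alone use: print the ruleset for the arguments given on the command line.
if [ $# -gt 0 ]; then
    console_gw_rules "$@"
fi
```

The egress side is what keeps the "hub on the console segment" variant from becoming a sniffing problem in reverse: even if someone gets a shell on the gateway, the only new connection it can open is to the terminal server's console port, so a compromised router on that segment cannot be reached from the gateway by anything but the console path. The LOG rules feed syslog, which is the cheapest version of the traffic logging Shawn mentions; persist the output with whatever your distribution uses to load rules at boot.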