Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: telnet vs ssh on Core equipment , looking for reasons why ?

  • From: Valdis.Kletnieks
  • Date: Tue Jul 31 19:27:10 2001

On Tue, 31 Jul 2001 13:45:33 PDT, Dan Hollis said:
> Hmmm, how about I lockdown all MAC addresses on switch ports and configure
> port IP filters and set the switch so filter violations automatically
> disable your port?

I'd love to do this to our users.  I've suggested it.

I was promptly told that if implemented, I'd be the guy answering the phone
each time one of our 30K users replaced an Ethernet card or moved a
computer across a room and plugged it into another "Known Working" portal. ;)

However, we *do* dump the ARP caches on every switch every 5 minutes and
keep a database on every time we see a change on a port.  Good thing disk
space is cheap, we've got the data going back to <when the heck did managed
switches/hubs hit the market>.  No, it's not as secure - but I'd like
to get work done once in a while too. ;)

You want *security*?  I'm surprised nobody has suggested running cable
in pressurized conduit - I fully believe some paranoid TLA's use 400PSI
and a pressure-drop alarm as a deterrent.  I keep hearing rumors that
involve 400PSI nerve gas, and I'm not sure if anybody is THAT paranoid. ;)

The rest of us need to balance security against getting work done.  Sure,
there are MIM attacks against SSH. On the other hand, I'm pretty sure
that if somebody talented enough that they can man-in-middle an SSH session
*without* me seeing a "host key has changed" message decides to attack me,
there isn't much I'll be able to do to stop him anyhow.

On the other hand, I need to smack the admins of the 48 machines of ours
that got CodeRed'ed.  Guess which is considered more important by our
management, smacking the CodeRed machines, or worrying about SSH holes? ;)
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech

Attachment: pgp00031.pgp
Description: PGP signature
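The snapshot-and-diff tracking Valdis describes (dump each switch's MAC/ARP table every few minutes, keep a record of every change per port) is sketched below as an added example written for this page; it is not Virginia Tech's tooling. The switch name, port names, MAC addresses and timestamps are constructed stand-ins for what a poller would collect, and the store is an in-memory SQLite database.

```python
import sqlite3

# Constructed sample: three 5-minute polls of one switch's MAC table,
# as (timestamp, switch, {port: set of MACs}). In the third poll one MAC
# moves from Fa0/2 to Fa0/3 and a new MAC shows up on Fa0/1.
SNAPSHOTS = [
    ("2001-07-31T19:00:00Z", "sw-lab-1",
     {"Fa0/1": {"00:10:a4:aa:bb:01"}, "Fa0/2": {"00:10:a4:aa:bb:02"}}),
    ("2001-07-31T19:05:00Z", "sw-lab-1",
     {"Fa0/1": {"00:10:a4:aa:bb:01"}, "Fa0/2": {"00:10:a4:aa:bb:02"}}),
    ("2001-07-31T19:10:00Z", "sw-lab-1",
     {"Fa0/1": {"00:10:a4:cc:dd:99"}, "Fa0/3": {"00:10:a4:aa:bb:02"}}),
]

SCHEMA = """
CREATE TABLE IF NOT EXISTS port_state (
    switch TEXT, port TEXT, mac TEXT, PRIMARY KEY (switch, port, mac));
CREATE TABLE IF NOT EXISTS port_events (
    ts TEXT, switch TEXT, port TEXT, mac TEXT, event TEXT);
"""

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def record_snapshot(db, ts, switch, table):
    """Diff one poll against the last stored state for this switch and log
    each (port, mac) that appeared or vanished. Returns the changes seen."""
    previous = set(db.execute(
        "SELECT port, mac FROM port_state WHERE switch=?", (switch,)).fetchall())
    current = {(port, mac) for port, macs in table.items() for mac in macs}
    changes = [(p, m, "appeared") for p, m in sorted(current - previous)]
    changes += [(p, m, "vanished") for p, m in sorted(previous - current)]
    for port, mac, event in changes:
        db.execute("INSERT INTO port_events VALUES (?,?,?,?,?)",
                   (ts, switch, port, mac, event))
    # Replace the stored state with the current poll so the next diff is incremental.
    db.execute("DELETE FROM port_state WHERE switch=?", (switch,))
    db.executemany("INSERT INTO port_state VALUES (?,?,?)",
                   [(switch, p, m) for p, m in current])
    db.commit()
    return changes

def history_for_mac(db, mac):
    """The incident-response query: every port this MAC was ever seen on, in order."""
    return db.execute("SELECT ts, switch, port, event FROM port_events "
                      "WHERE mac=? ORDER BY ts, rowid", (mac,)).fetchall()

def run_demo():
    db = open_db()
    per_poll = [record_snapshot(db, ts, sw, table) for ts, sw, table in SNAPSHOTS]
    return per_poll, history_for_mac(db, "00:10:a4:aa:bb:02")
```

Only changes are written to `port_events`, so an unchanged poll costs nothing on disk, which is what makes years of retention affordable.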
