Security Basics mailing list archives
Re: Telnet Security Question for a Router.
From: Jeremy Anderson <jeremy () 2monkeys org>
Date: Wed, 11 Dec 2002 11:48:26 -0800 (PST)
I may not completely understand the last part of your message. You say:

> The Network Services Group is adamant that neither SSH or CISCO TACACS+ will work on a router to correct the security issue.

If they mean ssh is not available on Cisco routers, this is incorrect:

http://www.cisco.com/en/US/tech/tk583/tk209/technologies_tech_note09186a00800949e2.shtml

Please note that SSH is deprecated by Cisco. The above paper states that Cisco's strategy for secure communication between clients and router devices is IPSEC.

If they mean that implementing SSH won't mollify the auditors, I can't say. Assuming your routers are configured to log unsuccessful attempts to login, that the router's ssh daemon is configured to only accept logins based on key pairs (no passphrases), you have a good key management policy in place, and you have filters configured on the router to only accept connections from a short list of authorized addresses, that should keep the auditors happy.

I am not familiar enough with TACACS+ to give any comment on it. I always thought TACACS was an authentication protocol, not a communications protocol. As such, it would only solve your problem in the narrowest sense (i.e. no unencrypted username/password pairs going over the wire when logging in). Information about your router's internal configuration would still be unencrypted, as would your enable password if one of the techs put the router into enable mode. As such, based on what I know, it wouldn't be suitable.

j.

On Wed, 11 Dec 2002, Tony Toni wrote:
> We were recently written up by our external auditors because we use telnet to access all of our routers. In some cases we use a filtered Telnet service...but that is not the normal practice. We are a fairly good-sized company with about 1000+ routers.
[snip...]
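The reply above leans on two router-side controls: logging unsuccessful logins and restricting management access to a short list of authorized addresses. The script below is an added example (not part of the thread and not Cisco's code) that reads router syslog lines in the shape of the IOS SEC_LOGIN login-failure/success messages and flags three things a reviewer would want to see: logins still arriving over telnet (local port 23), attempts from sources outside the authorized list, and repeated failures from one source. The sample log lines, the authorized-host list and the threshold are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape of the IOS
# %SEC_LOGIN-4-LOGIN_FAILED / %SEC_LOGIN-5-LOGIN_SUCCESS messages; hosts,
# users and timestamps are made up for the example.
SAMPLE_LOG = """\
rtr-core-01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 10.1.1.10] [localport: 22] [Reasons: Login Authentication Failed] at 11:40:02 PST Wed Dec 11 2002
rtr-core-01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 23] [Reasons: Login Authentication Failed] at 11:41:15 PST Wed Dec 11 2002
rtr-core-01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 23] [Reasons: Login Authentication Failed] at 11:41:19 PST Wed Dec 11 2002
rtr-core-01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 23] [Reasons: Login Authentication Failed] at 11:41:23 PST Wed Dec 11 2002
rtr-core-01: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.1.11] [localport: 22] at 11:42:00 PST Wed Dec 11 2002
"""

# Hypothetical management hosts allowed to reach the routers (mirrors the
# source filter the post recommends) and a failure-count threshold.
AUTHORIZED_SOURCES = {"10.1.1.10", "10.1.1.11"}
FAILURE_THRESHOLD = 3

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS):.*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)

def parse_login_events(text):
    """Return one dict per login event found in the syslog text."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append({"event": m["event"], "user": m["user"],
                           "src": m["src"], "port": int(m["port"])})
    return events

def audit_login_events(events, authorized=AUTHORIZED_SOURCES, threshold=FAILURE_THRESHOLD):
    """Flag clear-text telnet logins (local port 23), sources outside the
    authorized list, and sources with at least `threshold` failures."""
    findings = []
    failures = Counter()
    for ev in events:
        if ev["port"] == 23:
            findings.append(("telnet_in_use", ev["src"]))
        if ev["src"] not in authorized:
            findings.append(("unauthorized_source", ev["src"]))
        if ev["event"] == "LOGIN_FAILED":
            failures[ev["src"]] += 1
    for src, count in failures.items():
        if count >= threshold:
            findings.append(("repeated_failures", src))
    return sorted(set(findings))

if __name__ == "__main__":
    for kind, src in audit_login_events(parse_login_events(SAMPLE_LOG)):
        print(f"{kind:20s} {src}")
```

The single failure from 10.1.1.10 stays below the threshold and is not flagged, which is the distinction a per-source count gives over a plain failure grep.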