Security Basics mailing list archives

Re: Telnet Security Question for a Router.


From: Jeremy Anderson <jeremy () 2monkeys org>
Date: Wed, 11 Dec 2002 11:48:26 -0800 (PST)

I may not completely understand the last part of your message.  You say:

The Network
Services Group is adamant that neither SSH nor CISCO TACACS+ will work on a
router to correct the security issue.

If they mean ssh is not available on Cisco routers, this is incorrect.

http://www.cisco.com/en/US/tech/tk583/tk209/technologies_tech_note09186a00800949e2.shtml

Please note that SSH is deprecated by Cisco.  The above paper states that
Cisco's strategy for secure communication between clients and router
devices is IPSEC.

If they mean that implementing SSH won't mollify the auditors, I can't
say.  Assuming your routers are configured to log unsuccessful login
attempts, that the router's ssh daemon is configured to only accept logins
based on key pairs (no passphrases), that you have a good key management
policy in place, and that you have filters configured on the router to only
accept connections from a short list of authorized addresses, that should
keep the auditors happy.

I am not familiar enough with TACACS+ to give any comment on it.  I always
thought TACACS was an authentication protocol, not a communications
protocol.  As such, it would only solve your problem in the narrowest
sense (i.e. no unencrypted username/password pairs going over the wire
when logging in).  Information about your router's internal configuration
would still be unencrypted, as would your enable password if one of the
techs put the router into enable mode.  As such, based on what I know, it
wouldn't be suitable.

j.


On Wed, 11 Dec 2002, Tony Toni wrote:


We were recently written up by our external auditors because we use telnet to
access all of our routers.  In some cases we use a filtered Telnet
service...but that is not the normal practice.  We are a fairly good size
company with about 1000+ routers.

[snip...]
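The hardening Jeremy describes (SSH only, key-based logins, a short list of permitted management hosts, failed logins logged) expressed as a Cisco IOS configuration fragment. This is an added illustration, not configuration from the post or from Cisco's paper; the hostname, domain, addresses, username and key hash are made-up placeholders, and the commands assume a modern IOS release (the `ip ssh pubkey-chain` and `ip ssh server authenticate user` commands are not present on every image).

```cisco
! Added example: management-plane hardening for an IOS router.
! All names and addresses below are constructed placeholders.
hostname rtr-example
ip domain-name example.net
! Exec command, run once before enabling SSH:
!   crypto key generate rsa modulus 2048

! SSH only, version 2, with per-session event logging
ip ssh version 2
ip ssh authentication-retries 3
ip ssh logging events

! Accept only public-key logins for this account (no password auth).
! 'ip ssh server authenticate user' exists on newer IOS releases only.
ip ssh pubkey-chain
 username netadmin
  key-hash ssh-rsa <MD5-HASH-OF-NETADMIN-PUBLIC-KEY>
no ip ssh server authenticate user password

! Short list of hosts allowed to open a management session
ip access-list standard MGMT-HOSTS
 permit 192.0.2.10
 permit 192.0.2.11
 deny   any log

! Apply to the virtual terminal lines: SSH transport only,
! filtered by the list above, authenticating against local users
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 login local
 exec-timeout 10 0

! Record every failed login and ship logs off the box
login on-failure log
logging host 192.0.2.50
```

With `transport input ssh`, the vty lines no longer accept Telnet at all, which is the finding the auditors raised.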
