Security Basics mailing list archives

Re: Cisco PIX with SSH enabled on external port for maintenance

From: Cory Stoker <cory () clearnetsec com>
Date: Tue, 15 Nov 2005 17:02:51 -0700

As far as the PIX goes I would try to avoid leaving the managementfunctions out in the open. I personally favor connecting to the PIXthrough IPSec then SSHing or even telneting to the "inside"interfaces through the tunnel. This allows you to also support othermanagement items like SNMP, TFTP, and PDM. Also for PIX versions6.x, SSH 2 is not supported so you have to use SSH 1. PIX 7.x doesinclude SSH version 2 support.

If you must support SSH to the "outside" interface then you shouldtry to limit the SSH access to specific IP addresses like so:


"ssh 1.1.1.1 255.255.255.255 outside"

The key to the first solution is the command "management-access" asPIX does not allow you to connect to it from a VPN tunnel terminatingon the PIX by default unless you specify this command.


Thanks,
---
Cory Stoker
ClearNet Security

On Nov 15, 2005, at 10:56 AM, <Steve.Cummings () barclayscapital com><Steve.Cummings () barclayscapital com> wrote:

It's a firewall do you really want anyone attaching to it?


-----Original Message-----
From: Chris Largret <largret () gmail com>
To: Cam Fischer <camfischer () gmail com>

CC: security-basics () securityfocus com <security-basics () securityfocus com>

Sent: Thu Nov 10 22:02:39 2005

Subject: Re: Cisco PIX with SSH enabled on external port formaintenance


On Wed, 2005-11-09 at 19:01 -0700, Cam Fischer wrote:

I am looking for some reasons why I should not be allowing SSH on the
external side of my Cisco PIX firewall. It would be great for
management, but what are the risks associated with this?

SSH brute force attacks (and guessing schemes) have been on-goingfor a

while. Take a look at http://www.agleia.de/luser2 for a list of
usernames that were used in one attack.

If you DO allow access to SSH to the outside world, there are a few
things you can do to make it more secure:

1. Use a non-standard port
2. Use only the strongest algorithms that SSH supports
3. Change the passwords regularly
4. Allow only strong passwords
5. Limit which IP addresses can connect

It is possible to keep an SSH server secure, but it does take work. If

someone gains access through SSH, it is generally only a matter oftimeuntil they have full control over the system. If they can getinside the

firewall, the other computers on the network could be equally

compromised if your security model doesn't protect computers fromothers

on the same network.

--
Chris Largret <http://daga.dyndns.org>

Current thread:

Cisco PIX with SSH enabled on external port for maintenance Cam Fischer (Nov 10)
- Re: Cisco PIX with SSH enabled on external port for maintenance Alloishus BeauMains (Nov 15)
- Re: Cisco PIX with SSH enabled on external port for maintenance Chris Largret (Nov 15)
  - Re: Cisco PIX with SSH enabled on external port for maintenance John Maher (Nov 16)
    - Re: Cisco PIX with SSH enabled on external port for maintenance Alloishus BeauMains (Nov 17)
    - Re: Cisco PIX with SSH enabled on external port for maintenance Cory Stoker (Nov 21)
    - Re: Cisco PIX with SSH enabled on external port for maintenance Alloishus BeauMains (Nov 21)
- Re: Cisco PIX with SSH enabled on external port for maintenance John Maher (Nov 15)
- <Possible follow-ups>
- Re: Cisco PIX with SSH enabled on external port for maintenance Steve.Cummings (Nov 15)
  - ActivX execution with PowerUser Privilege Marco Spennato (Nov 16)
  - Re: Cisco PIX with SSH enabled on external port for maintenance Cory Stoker (Nov 16)