nanog mailing list archives
Re: ABOVE.NET SECURITY TRUTHS?
From: Danny McPherson <danny () tcb net>
Date: Fri, 28 Apr 2000 21:15:10 -0600
IMO, it requires more than this. Ideally, one-time, token-based (i.e. SecurID) passwords, coupled with SSH, is the best solution, especially with the turnover rates at providers these days. Of course, this also requires that all the backend (RADIUS, configuration management, etc.) and out-of-band systems are secure, which is another rathole altogether.

As for this incident, well, I think if the initial intent of the "divulging message" was simply to remind folks to change their passwords, the point's been made.

-danny
I don't think you can. However, I use TACACS on all my switches and routers. From what I know, TACACS passwords are encrypted using the key on your network devices and the TACACS server. So, that, in combination with a private management LAN not accessible by your customers should lock down your network pretty effectively. Any comments?