Re: Is SSH worth it??

From: Brad Arlt (arlt@cpsc.ucalgary.ca)
Date: 10/07/02


Date: Mon, 7 Oct 2002 12:51:27 -0600
From: Brad Arlt <arlt@cpsc.ucalgary.ca>
To: Trevor Cushen <Trevor.Cushen@sysnet.ie>

On Mon, Oct 07, 2002 at 04:02:35PM +0100, Trevor Cushen wrote:
> Hello all,
>
> Quick opinion based question. I have a switched internal network that
> currently uses a lot of rcp with rsh authentication to move files
> about. Platforms are unix and nt (ftp on the nt side)
>
> More secure is ssh and scp for all platforms, but I have several scripts
> that would all have to be re-written and a fair bit of setting up for
> all the clients and servers involved throughout the organisation.
>
> The question is this:
>
> On an internal network that is switched (making sniffing harder) is it
> worth going to SSH and SCP??????
>
> I am aware how to set it all up but the thing is, is it worth it. Bear
> in mind also that few people have passwords to the boxes and the only
> real threat is sniffing the traffic.

You must think SSH has some redeeming quality if you even ask the
question. Ponder that for a moment.

As to my generic two cents:

SSH is handy for interactive sessions where entering a password must
happen. I also like many of the features (X11 forwarding, so I don't
have to type that crap manually). Install ssh as a telnet/rlogin
replacement and see how it goes. If you want to use it in scripts for
the security it provides, then you should make sure that it is used
during interactive sessions for the security it provides (or you
wasted a lot of time for little gain).

My less generic two cents:

Ask yourself "How likely is it that someone can sniff and alter clear
text data streams on my network?"

Then ask "How bad is it if they do?"

Then ask "With the same level of access required to sniff/alter data
streams on your network, could they do even more harmful things?"

If you deem a snowball in a hot underworld stands a better chance
sniffing packets on your network, then don't worry about it. Just be
aware that there is a non-zero chance that this can happen no matter
what you do (or don't do).

If the universe would end if someone saw (or corrupted) data as a
result of clear text transmission, then maybe a little bit of effort
now would be better in the long run.

If the people sniffing can do way more harm than sniffing with the
access needed for sniffing, then fix that before you add ssh to the
equation.

-----------------------------------------------------------------------
   __o Bradley Arlt Security Team Lead
 _ \<_ arlt@cpsc.ucalgary.ca University Of Calgary
(_)/(_) I should be biking right now. Computer Science
