Re: Telnet Security Question for a Router.

From: Jeremy Anderson (
Date: 12/11/02

    I may not completely understand the last part of your message. You say:

    > The Network
    > Services Group is adamant that neither SSH nor CISCO TACACS+ will work on a
    > router to correct the security issue.

    If they mean ssh is not available on Cisco routers, this is incorrect.

    Please note that SSH is deprecated by Cisco. The above paper states that
    Cisco's strategy for secure communication between clients and router
    devices is IPSEC.

    If they mean that implementing SSH won't mollify the auditors, I can't
    say. Assuming your routers are configured to log unsuccessful attempts to
    login, that the router's ssh daemon is configured to only accept logins
    based on key pairs (no passphrases), you have a good key management policy
    in place, and you have filters configured on the router to only accept
    connections from a short list of authorized addresses, that should keep
    the auditors happy.

    I am not familiar enough with TACACS+ to give any comment on it. I always
    thought TACACS was an authentication protocol, not a communications
    protocol. As such, it would only solve your problem in the narrowest
    sense (i.e. no unencrypted username/password pairs going over the wire
    when logging in). Information about your router's internal configuration
    would still be unencrypted, as would your enable password if one of the
    techs put the router into enable mode. As such, based on what I know, it
    wouldn't be suitable.


    On Wed, 11 Dec 2002, Tony Toni wrote:

    > We were currently written up by our external auditors because we use telnet to
    > access all of our routers. In some cases we use a filtered Telnet
    > service...but that is not the normal practice. We are a fairly good size
    > company with about 1000+ routers.
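The controls Jeremy lists (SSH instead of telnet, key-based logins only, a short list of permitted source addresses, and logging of failed logins) can be expressed as a single router configuration. The fragment below is an added example written for this thread, not configuration posted by either correspondent; it uses Cisco IOS syntax, and the hostname, domain name, addresses, username and key text are constructed placeholders. It also assumes an IOS release that supports `ip ssh pubkey-chain` (key-based SSH authentication) and `login on-failure log`; older images lack these, in which case key-based login has to be enforced on the clients and the filtering and logging lines still apply.

```cisco
! --- Constructed example: hardening VTY access on a Cisco IOS router ---
! Hostname and domain name are required before an RSA key pair can be generated
hostname rtr-example
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Short list of authorized management hosts; everything else is denied and logged
ip access-list standard MGMT-HOSTS
 permit 192.0.2.10
 permit 192.0.2.11
 deny   any log
!
! Local account used for SSH; the secret is a placeholder
username netadmin privilege 1 secret REPLACE-WITH-STRONG-SECRET
!
! Public-key login for that account (the key string is a placeholder, not a real key)
ip ssh pubkey-chain
 username netadmin
  key-string
   ssh-rsa AAAA...PLACEHOLDER-PUBLIC-KEY... netadmin@example.net
  exit
 exit
!
! Record every failed and successful login, slow down brute-force attempts,
! and ship the messages to a syslog collector (placeholder address)
login on-failure log
login on-success log
login block-for 120 attempts 3 within 60
logging host 192.0.2.50
!
! VTY lines: only SSH, only from MGMT-HOSTS, authenticated against local accounts
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
```

After applying this, `transport input ssh` is what actually turns telnet off on the VTY lines, and `access-class MGMT-HOSTS in` is what the auditors will look for as the source filter; the `deny any log` entry makes rejected connection attempts visible in syslog alongside the `login on-failure` messages. Note that, as Jeremy points out for TACACS+, the session itself is only protected because SSH encrypts it; authentication alone would still leave the configuration and enable password readable on the wire.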