Re: Telnet Security Question for a Router.
From: Mark Maher (mmaher@ochsner.org)
Date: 12/11/02
Date: Wed, 11 Dec 2002 14:35:00 -0600 From: "Mark Maher" <mmaher@ochsner.org> To: <tony572000@hotmail.com>, <SECURITY-BASICS@SECURITYFOCUS.COM>
Most of the Cisco routers support SSH, especially if you are running an IOS image that supports IPSec. What we did until all of our routers supported SSH was set up a secure SSH server in our internal network (trusted part of the network). Then, for access from the Internet, we SSH to the server and then telnet from there to the router. This way, the connection to our network was encrypted, and only the part between the SSH server and router was unencrypted. Of course, this doesn't protect us from the inside (internal network), but does prevent sniffing and hijacking from the Internet (outside). Hope it helps.
Mark Maher
Ochsner Clinic Foundation
>>> "Tony Toni" <tony572000@hotmail.com> 12/10/02 08:45PM >>>
We were currently written up by our external auditors because we use telnet to
access all of our routers. In some cases we use a filtered Telnet
service...but that is not the normal practice. We are a fairly good size
company with about 1000+ routers.
I am charged with coordinating a response to the auditors. I know all of
the security issues involved with Telnet...i.e. login id and password sent
across the network in clear text, etc. My question: Is it possible to
use SSH or CISCO TACACS+ to encrypt the entire Telnet session? Is there a
way to ensure no one can sniff the login id and password? The Network
Services Group is adamant that neither SSH nor CISCO TACACS+ will work on a
router to correct the security issue.
Tony CIA,CISA,CDP,MBA
Security and Audit Services
Nations Banking & Trust
PS: I have been playing phone tag with the auditor that wrote us up...to see
what they recommend...have not reached him yet.
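
An added example, not part of either message in this thread: with 1000+ routers, a first step toward answering the auditors is an inventory of which vty lines still accept Telnet and whether those lines are restricted by an access list (the "filtered Telnet" case, or access only from an internal SSH server as in the reply above). The sketch assumes IOS-style configuration text; the function name `audit_vty` and the sample config are constructed for illustration, and a vty block with no explicit `transport input` line is assumed to accept Telnet.

```python
import re

# Constructed sample config (not taken from the thread).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
access-list 10 permit 10.1.1.5
!
line con 0
line vty 0 4
 access-class 10 in
 transport input telnet
line vty 5 15
 transport input ssh
!
end
"""

def audit_vty(config):
    """Return one finding dict per 'line vty' block in an IOS-style config."""
    findings, current = [], None
    for raw in config.splitlines():
        if not raw.startswith(" "):      # unindented line starts a new section
            if current:
                findings.append(current)
            m = re.match(r"line vty (\d+)(?: (\d+))?", raw)
            current = {"lines": m.group(0), "transports": None, "acl": None} if m else None
            continue
        words = raw.split()
        if current is None or not words:
            continue
        if words[:2] == ["transport", "input"]:
            current["transports"] = set(words[2:])
        elif words[0] == "access-class" and words[-1] == "in":
            current["acl"] = words[1]    # inbound ACL limiting who may connect
    if current:
        findings.append(current)
    for f in findings:
        t = f.pop("transports")
        # Assumption: no explicit 'transport input' means Telnet is accepted.
        telnet = t is None or bool(t & {"telnet", "all"})
        if not telnet:
            f["status"] = "no-telnet"
        elif f["acl"]:
            f["status"] = "telnet-filtered"
        else:
            f["status"] = "telnet-open"
    return findings
```

Lines reported as `telnet-open` are the ones to fix first; `telnet-filtered` lines still carry credentials in clear text between the permitted source and the router.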