Ok back to the previous premise.. Linux with an IPSEC server load.. IPSEC to the Linux box, use Telnet or ??? to connect to the routers on the management VLAN/Net and you're done.... Aside from that, use ACLs out the wazoo on the VTY lines and limit access to that to say 1 SSH enabled router or 1 IPSEC enabled router...

Jim

> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
> Rubens Kuhl Jr.
> Sent: Monday, June 07, 2004 8:08 AM
> To: nanog@merit.edu; Michael.Dillon@radianz.com
> Subject: Re: SSH on the router - was( IT security people sleep well)
>
> I'd rather use IPSEC than SSH to connect to routers or to a secure gateway
> and then to routers. Flaw history in IPSEC is much better than SSH, IPSEC
> can easily be used to move files with FTP or TFTP (does your router/client
> support SCP? SFTP?)...
>
> Unfortunately, IOS costs more to have IPSEC.
>
> Rubens
>
> ----- Original Message -----
> From: <Michael.Dillon@radianz.com>
> To: <nanog@merit.edu>
> Sent: Monday, June 07, 2004 7:39 AM
> Subject: SSH on the router - was( IT security people sleep well)
>
> > > complaining that cisco charges extra for such a critical component is
> > > exactly the right thing to do; it is fucking scary.
> > >
> > > every damn network device which used to have telnet should ship with
> > > ssh, it's free.
> >
> > Why?
> >
> > The typical network architecture of an ISP sees routers located in
> > large clusters in a PoP or on a customer's site directly connected
> > to a PoP. Since it is dead simple to place a 1U Linux box or similar
> > SPARC server in a PoP to act as a secure gateway, why should router
> > vendors encourage laziness and sloppiness? IMHO routers should not
> > have SSH at all and should not accept any packets directed to them
> > unless they are coming from a small set of known addresses on the
> > network operator's management network.
> >
> > Once you open the router to SSH from arbitrary locations on the
> > Internet you also open the router to DDoS from arbitrary locations and
> > to attacks from people with inside info (SSH keys stolen or otherwise).
> >
> > It makes more sense to funnel everything through secure gateways and
> > then use SSH as a second level of security to allow staff to connect
> > to the secure gateways from the Internet. Of course these secure
> > gateways are more than just security proxies; they can also contain
> > diagnostic tools, auditing functions, scripting capability, etc.
> >
> > Now there is nothing fundamentally wrong with ADDING to that type
> > of architecture by enabling SSH between the routers and the security
> > gateways. But I believe that it is fundamentally wrong to consider
> > SSH on the router to be equivalent to opening the router to any staff
> > member, anytime, anywhere on the Internet. There are still possible
> > man in the middle attacks that cannot be protected against by SSH.
> > Consider the case of a staff member lounging in the backyard on a
> > lazy Saturday afternoon with their iBook. They have an 802.11 wireless
> > LAN at home so they telnet to their Linux box in the kitchen and run
> > SSH to the router. Ooops!
> >
> > The only way to protect against that sort of situation is to encourage
> > everyone to be security-minded and not take risks where the network is
> > concerned. Funneling all access to routers through a secure gateway is
> > part of that security-mindedness and is just plain good practice.
> >
> > --Michael Dillon
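Jim's "ACLs on the VTY lines" and Michael's "only from a small set of known addresses on the management network" come down to an IOS configuration along these lines. This is an added example, not something any of the posters wrote; the management network 192.0.2.0/24, the secure-gateway address 192.0.2.10 and the hostname are constructed placeholders.

```cisco
! Constructed example: routers accept management sessions only from the
! secure gateway (192.0.2.10) on the management net 192.0.2.0/24.
! Anything else is refused before a login prompt is ever shown, and logged.
ip access-list standard MGMT-ONLY
 permit host 192.0.2.10
 deny   any log
!
! hostname and domain-name must be set before the RSA host key can be generated
hostname core1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
! A local user (or AAA) must exist for "login local" to succeed
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 exec-timeout 10 0
 login local
```

Because `access-class` is checked before authentication, a source outside the allowed set never reaches the SSH login, so key theft alone (Michael's "inside info" case) is not enough without also being on the management network; the `log` keyword on the deny entry makes refused attempts visible in syslog.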