Extermely easy solution - block telnet to your routers at your edge, except from bastion hosts that are logically as close to your routers as possible (say, one per POP). ssh into the bastion host, then telnet to the Criscos from there. This is extermely easy to implement assuming you dedicate network blocks to network equipment in each of your sites. Speaking of, out of curiosity (this is from a DSL line downstream from above.net)... rekoil@electro:~$ telnet iad1-core1.atlas.icix.net Trying 165.117.1.121... Connected to iad1-core1-l0.atlas.icix.net. Escape character is '^]'. Intermedia Business Internet (iad1-core1.atlas.digex.net) Unauthorized Access is Prohibited Three routers of various powers for the internal works Seven for customers in nearby towns Nine for frame relay customers and all their quirks One for the Mae-East deep underground In the land of Datanet where the fiber lies. One router to route them all, One router to find them, One router to peer with them all and with BGP bind them In the land of MFS Datanet where the fiber lies. User Access Verification Password: telnet> quit Connection closed. Any other "major" ISPs still allowing telnet access to their cores from untrusted hosts? -C On Wed, Jul 25, 2001 at 08:57:45PM -0400, Marshall Eubanks wrote:
How many of us here run anything less than SSH and even allow telnetd
to
live on any of our hosts?
Hey, we have had to do without SSH in more than one CISCO IOS build in the last 6 months in 12.1 / 12.2.
This always made me feel very nervous.
Regards Marshall Eubanks
Here? Probably not all that many.
[bill's password slide from the Scottsdale NANOG] suggests that many (most?) of the NANOG attendees are shipping passwords around in the clear (not necessarily all telnet, but indicative of a mindset).
The system with that data on it is off right now, but my recollection was that the top three offenders were (in no particular order)
- cleartext POP - cleartext IMAP - http:// (mostly people reading their email via Exchange).
Note that the final slide that I put up at the end of the meeting (with something like 150 passwords on it) had one of my passwords too (my Vindigo password, if anyone wants to change what cities I have configured =), so even people who are aware of the issues sometimes still send cleartext passwords.
Bill
Marshall Eubanks
tme@21rst-century.com
-- --------------------------- Christopher A. Woodfield rekoil@semihuman.com PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B