That was well spoken and certainly the smartest move that I have in this entire conversation, thanks.

-Henry

--- Michael.Dillon@radianz.com wrote:
complaining that cisco charges extra for such a critical component is exactly the right thing to do; it is fucking scary.
every damn network device which used to have telnet should ship with ssh, it's free.
Why?
The typical network architecture of an ISP sees routers located in large clusters in a PoP or on a customer's site directly connected to a PoP. Since it is dead simple to place a 1U Linux box or similar SPARC server in a PoP to act as a secure gateway, why should router vendors encourage laziness and sloppiness? IMHO routers should not have SSH at all and should not accept any packets directed to them unless they are coming from a small set of known addresses on the network operator's management network.
Once you open the router to SSH from arbitrary locations on the Internet you also open the router to DDoS from arbitrary locations and to attacks from people with inside info (SSH keys stolen or otherwise).
It makes more sense to funnel everything through secure gateways and then use SSH as a second level of security to allow staff to connect to the secure gateways from the Internet. Of course these secure gateways are more than just security proxies; they can also contain diagnostic tools, auditing functions, scripting capability, etc.
Now there is nothing fundamentally wrong with ADDING to that type of architecture by enabling SSH between the routers and the security gateways. But I believe that it is fundamentally wrong to consider SSH on the router to be equivalent to opening the router to any staff member, anytime, anywhere on the Internet. There are still possible man-in-the-middle attacks that cannot be protected against by SSH. Consider the case of a staff member lounging in the backyard on a lazy Saturday afternoon with their iBook. They have an 802.11 wireless LAN at home, so they telnet to their Linux box in the kitchen and run SSH to the router. Oops!
The only way to protect against that sort of situation is to encourage everyone to be security-minded and not take risks where the network is concerned. Funneling all access to routers through a secure gateway is part of that security-mindedness and is just plain good practice.
--Michael Dillon
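As an added illustration (not part of the thread, and not a configuration any poster supplied), here is what "accept no management packets unless they come from a small set of known addresses" looks like on a Cisco IOS router, since Cisco is the vendor under discussion. The management network 192.0.2.0/24 and the two gateway hosts 192.0.2.10 and 192.0.2.11 are constructed documentation-range addresses; the ACL name MGMT-ONLY is an arbitrary choice. The access-class on the vty lines is what makes the restriction hold regardless of whether telnet or SSH is the transport.

```text
! Constructed example: lock router management access to the secure gateways
! (192.0.2.10 and 192.0.2.11) on the operator's management network.
! Both addresses and the ACL name are assumptions for this illustration.
ip access-list standard MGMT-ONLY
 permit host 192.0.2.10
 permit host 192.0.2.11
 deny   any log
!
! Prefer SSH over telnet where the image supports it, and require version 2.
ip ssh version 2
!
! The vty lines only answer to the gateways; everything else is dropped and logged.
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 exec-timeout 10 0
 login local
```

The `deny any log` entry is the detection hook: a login attempt that reaches the vty from outside the gateway pair shows up in the router's log as an ACL hit, which is exactly the event an operator following the funnel-everything-through-a-gateway model wants to see and alarm on. Staff reach the gateways over SSH from wherever they are, and the gateways, not the routers, carry the burden of exposure to the wider Internet.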