-----Original Message-----
From: Greene, Dylan [mailto:DGreene@NaviSite.com]
Sent: Friday, April 28, 2000 2:10 PM
To: 'Paul Froutan'; rmeyer@mhsc.com
Cc: nanog@merit.edu
Subject: RE: ABOVE.NET SECURITY TRUTHS?
Maybe I should read the entire message before responding.. hehe.. =)
A switched private management lan resolves the cleartext problem.
SSH version 1 is apparently supported in 12.0 as well (never played w/ it, so dunno how well it works);
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s5/sshv1.htm

The private net is still subject to wire-tap tricks. If the switch supports SSH1 then that should be sufficient. MHSC.NET, and every host I setup for dot-com clients, gets a telnetd/ftpd-ectomy for free. If it needs CLI access, it gets SSH or you have to go to the console. Even X11 and SMB sessions are forwarded through SSH. Given this sort of secure environment, plain-text Cisco sessions stand out like a sore thumb to a sniffer. They only have to look for the packets that are NOT encrypted. A private net is even worse: you are guaranteed that each packet is part of a network management session.

..Dylan

| -----Original Message-----
| From: Paul Froutan [mailto:pfroutan@rackspace.com]
| Sent: Friday, April 28, 2000 4:46 PM
| To: rmeyer@mhsc.com
| Cc: nanog@merit.edu
| Subject: RE: ABOVE.NET SECURITY TRUTHS?
|
| I don't think you can. However, I use TACACS on all my switches and
| routers. From what I know, TACACS passwords are encrypted using the key on
| your network devices and the TACACS server. So, that, in combination with
| a private management LAN not accessible by your customers should lock down
| your network pretty effectively. Any comments?
|
| At 4/28/00 -0700, you wrote:
|
| > > Exiled Dave
| > > Sent: Friday, April 28, 2000 1:10 PM
| >
| > > Let's think about this, cisco in no way has such a flaw
| > > that would allow someone to 'root' and erase all the
| > > info on switches. The password was sniffed.
| >
| > Can one setup SSH on a Cisco 6509?
|
| Paul Froutan                  Email: pfroutan@rackspace.com
| Rackspace, Ltd                <http://www.rackspace.com>
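The thread above argues for three things at once: a private management LAN, SSH instead of telnet on the device CLI, and TACACS for authentication so the password never sits on the wire in the clear. The configuration below is an added illustration of how those three pieces fit together on a Cisco IOS device; it is not from the thread, from Cisco, or from any of the posters. It assumes an IOS image with SSH support (the thread cites the 12.0 SSHv1 feature; this example uses SSH version 2, which later IOS releases support), and the hostname, domain, VLAN number, addresses, access-list number and shared secrets are all placeholders chosen for the example. The commented-out "before" vty block shows the cleartext telnet setting that the thread's sniffing scenario depends on, next to the SSH-only replacement.

```text
! Constructed example IOS configuration (not from the thread). All names,
! addresses and secrets are placeholders.
hostname mgmt-sw1
ip domain-name example.net
!
! SSH requires an RSA key pair; generated once, interactively, with:
!   crypto key generate rsa modulus 2048
ip ssh version 2
!
! TACACS+: the device and the server share a key, so the login password
! is not carried in cleartext between them. Local user is a fallback for
! when the TACACS+ server is unreachable.
aaa new-model
tacacs-server host 10.100.0.10 key PLACEHOLDER_SHARED_SECRET
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
username admin privilege 15 secret PLACEHOLDER_LOCAL_FALLBACK
!
! Management address lives only on the private, switched management VLAN.
interface Vlan100
 description private management LAN
 ip address 10.100.0.2 255.255.255.0
!
! BEFORE (the weak setting): vty lines accept telnet, so every CLI session,
! password included, crosses the wire in cleartext.
! line vty 0 4
!  transport input telnet
!  password PLACEHOLDER_LINE_PASSWORD
!  login
!
! AFTER: SSH only, TACACS+ login, and only from the management subnet.
access-list 10 permit 10.100.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
 login authentication default
 exec-timeout 10 0
```

Two points from the thread that this configuration does not remove: the management LAN is still a shared medium to anyone who can tap it, so the access-class only limits where sessions may originate, and SSH on the vty lines does nothing for protocols the device still speaks in cleartext (SNMP, TFTP, syslog), which remain visible to a sniffer on that private net.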