On Fri, 28 Apr 2000, Danny McPherson wrote:
> IMO, it requires more than this. Ideally, one-time, token-based (i.e. SecurID) passwords, coupled with SSH, is the best solution, especially with the turnover rates at providers these days.
There is digital certificate support in the 12.0(7)t and later versions of IOS. I'm not sure exactly how or if it will interact with SSH v.1 on the IOS router platforms (it uses an IPSec connection via the Cisco Secure VPN Client) since I'm still in the testing phase. I'm currently testing Entrust, which may be the only PKI package that Cisco currently supports. I haven't gotten around to testing the Entrust<->Cisco just yet.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/csvpnsg/idcentr...

Turnover is just a problem of not being able to adequately compensate and/or respect one's employees. I've had the pleasure of walking away from my fair share of crap jobs that paid too little, and I've also walked away from a great job that paid too little. I saw one company lose 90% of its operations staff over a three month period after the CEO decided to start dishing out insults because he just didn't understand how IP could be so much different than Cable TV. By the time the board of directors put a muzzle on him, it was too late. You just don't piss off talented people who built the network and know it better than they know themselves. Some hard-assed business people don't get this yet, thinking a college degree and an NT cert qualifies someone to handle an international IP network. Pay your talent well, treat them well, and the turnover problem should take care of itself. Don't do those things, and you just perpetuate the hired gun syndrome that seems to dominate the tech job market.

Sorry for getting off-topic, but it is one of my biggest pet peeves.
> Of course, this also requires that all the backend (RADIUS, configuration management, etc..) and out-of-band systems are secure, which is another rathole altogether.
It's amazing how easy it is to use some of these out-of-band systems to compromise all sorts of neat things. Companies will spend 5 figures/site on a firewall, and leave unpassword-protected dial-in access to the internal network without giving it a second thought.
> As for this incident, well, I think if the initial intent of the "divulging message" was simply to remind folks to change their passwords, the point's been made.
Sadly, since humans are involved here, it will probably happen to someone else in the future. If a sales person knew the telnet/enable passwords, then there's a definite problem with controlling and managing credentials.

-- 
Joseph W. Shaw - jshaw@insync.net
Sr. Security Specialist - Enron Broadband Services
This is my personal account. Affiliation to my employer is given for credentials only.
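As an added example (not part of the thread or any Cisco tool), a small Python audit that flags the credential-handling weaknesses the thread argues against: shared telnet/enable passwords on vty lines versus SSH with a RADIUS (AAA) backend. The two IOS config fragments and the audit rules are constructed assumptions, and the `enable secret` hash is a placeholder.

```python
import re

# Constructed sample IOS config: shared telnet/enable passwords, no AAA backend.
WEAK_CONFIG = """\
hostname border-rtr
enable password cisco123
line vty 0 4
 password letmein
 login
 transport input telnet
"""

# Constructed hardened counterpart: AAA via RADIUS, enable secret, SSH-only vty.
HARDENED_CONFIG = """\
hostname border-rtr
aaa new-model
aaa authentication login default group radius local
enable secret 5 $1$PLACEHOLDER$notarealhashnotarealhash
line vty 0 4
 login authentication default
 transport input ssh
"""

def audit_ios_config(config):
    """Return a list of findings describing weak credential handling."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]
    if re.search(r"^enable password ", config, re.M):
        findings.append("enable password in use (reversible/cleartext); use 'enable secret'")
    if "aaa new-model" not in lines:
        findings.append("no 'aaa new-model': logins rely on a shared local password, not RADIUS/TACACS+")
    # Walk each 'line vty' block; a block ends at the next non-indented line.
    in_vty = False
    for l in lines:
        if l.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and not l.startswith(" "):
            in_vty = False
        if not in_vty:
            continue
        m = re.match(r"\s+transport input (.+)", l)
        if m and ({"telnet", "all"} & set(m.group(1).split())):
            findings.append("vty accepts telnet: credentials cross the wire in cleartext; use 'transport input ssh'")
        if re.match(r"\s+password ", l):
            findings.append("vty uses a shared line password; authenticate per user via AAA instead")
    return findings
```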