SSH on Cisco Routers (was RE: ABOVE.NET SECURITY TRUTHS?)
SSH1 is supported on the following platforms starting in 12.1(1)T: C17x0, C25xx, C26xx, C36xx, C4x00, C7x00 See: http://www.cisco.com/warp/customer/cc/cisco/mkt/ios/rel/121/prodlit/1065_pp.... -rb
From: "Mr. James W. Laferriere" <babydr@baby-dragons.com> To: "Greene, Dylan" <DGreene@NaviSite.com> CC: "'Paul Froutan'" <pfroutan@rackspace.com>, rmeyer@mhsc.com, nanog@merit.edu Subject: RE: ABOVE.NET SECURITY TRUTHS? Date: Fri, 28 Apr 2000 14:34:14 -0700 (PDT)
Hello Dylan, Knew this was coming. But I'd hoped that the supported platforms would have been a little larger. Just the 7200 & UP. Seems cisco thinks ssh puts a bit of load on a cpu? I can't see that for just a terminal session though. Twyl, JimL
Ron Buchalski Sent: Friday, April 28, 2000 9:40 PM
SSH1 is supported on the following platforms starting in 12.1(1)T:
C17x0, C25xx, C26xx, C36xx, C4x00, C7x00
I sadly note the conspicuous absence of the 3512XL, 3524XL and the entire Cat 65xx series from this list <sigh>. Granted the 65xx can't quite keep up with its advertised bandwidth (an indicator of insufficient CPU somewhere), but I never require more than 65% of advertised capacity anyway (comes out to ~80 Gbps), by design, which the Cat6509 can do easily. The Cat6509 is still my favorite chassis, for internal LAN switching. I use 3512XL's (or 3524XL) for end-point switching when the server doesn't have a gig-E card (and never use more than 7 ports per gig-E uplink). I've spec'd three datacenters like this in the past 6 months; one is currently in production.

WRT: external access

Speaking as a suit, it is fine and dandy to make statements barring external access, but when running a 24x7 portal, it is deucedly expensive to maintain 24x7 staff at the co-lo. Especially, since most things can be fixed by a CLI login. This is where technical theory and business reality can clash. Also, down-time can be reduced when the on-call tech doesn't have to spend an hour driving into the co-lo from home (maybe getting into a wreck on the way, due to lack of sleep). This is exacerbated when doing regional datacenters, thousands of miles away from the nearest staff member. Granted, the problem may not be this severe for the co-lo operator themselves. But, the co-lo customer certainly has this problem. Co-lo operations is remote datacenter operations, for the co-lo customer, by definition.

WRT: Passwd diversification

Known fact: The average person can track no more than 7 +/-2 related items, at any given time. This is also, coincidentally, the maximum number of passwd's that the average person can remember, without confusion or forgetfulness, without writing them down somewhere. The real number is actually 3-4, because they also have to remember their ATM passcodes and the like. Given 15 or 20 switches, routers, and hosts, for a decent sized portal site, each having a unique passwd, you have virtually guaranteed that these passwd's are written down somewhere, officially or not (mine are in my palm pilot). Which is worse, untracked and unofficial passwd lists, or commonly used passwds? Upgrading human memory isn't a viable third alternative.

WRT: SSH CPU overhead

A PalmPilot has more total system capacity than an original IBM-PC (including disk drives) and about 8 times the CPU power. It can easily implement SSH. Granting my statement, wrt 65xx series capacity, I'd STILL like to see SSHD implemented there (now that I have a Cisco rep's attention <grin>). Yes, please consider this a customer request.

WRT: SSH direct logins

Even though I have RSA enabled my SSH sessions, I don't allow passwdless login on any host [even if it's the same passwd]. It may be a small annoying speed-bump, for an SA, but it prevents run-amuck hackers and code from infecting other connected hosts. I've actually had this save my bacon a few times and I've seen some negative results using passwdless logins (system cracks AND runaway code [mine]).

Finally: I'd like to see every internal and systems management packet using either 3DES or blowfish, or using SSH, SSL, or TLS systems (OpenSSL anyone?). I routinely do this within my systems, by design (webserver to Oracle database server, and others) and if everyone else were doing it then B2B would be easier (more secure) as well. As I stated earlier, in a universe of encrypted packets, the plain-text ones stand out like sore thumbs. If they are also systems management packets then the would-be cracker has a much easier time of things. Incidentally, if this should wreak havoc with CALEA requirements, <sarcasm> it would just break my heart </sarcasm> <GRIN>.

---
R O E L A N D M . J . M E Y E R
CEO, Morgan Hill Software Company, Inc.
An eCommerce and eBusiness practice providing products and services for the Internet.
Tel: (925)373-3954 Fax: (925)373-9781
2000-04-29-14:38:59 Roeland Meyer:
WRT: external access
These days, what I'd recommend is issuing laptops. If a larger screen isn't needed for any other reason, a Sony Vaio Picturebook would be just dandy; it's small enough to be with you nearly all the time. Secure the _heck_ out of them, and have the only remote-access provision be to use them. Define them to lie within your security perimeter, and plan your trust requirements accordingly. E.g. the credentials that are stored on a given laptop need to be clearly identified so they can be revoked if the laptop is lost. Given a laptop that will always be used for the external access, techniques like ssh and vpn and whatnot work way better. For the rabidly cautious, prohibit "nap" mode, and make sure the creds are stored encrypted, with a passphrase that must be entered by hand. Maybe use an encrypted filesystem if there's no other easy way to do the deed.
WRT: Passwd diversification
GNU Keyring <URL:http://gnukeyring.sourceforge.net/> is your friend. Store passwords in your Palm, with no fears for the security of the backups or the loss of the Palm. And it can generate nice passwords, too. Makes it _easy_ to use really strong (computer-generated random strings from nearly all the printables, you pick the length) and distinct passwords for every distinct security domain, including every separate website that you register on. -Bennett
SSH1 is supported on the following platforms starting in 12.1(1)T:
C17x0, C25xx, C26xx, C36xx, C4x00, C7x00
Could anyone in the know shed light on whether ssh will be supported for 'line <n..n> transport input ssh'? The 2511 is a very competent console server (solid state, <5 minute setup time, etc) and at least for our company, this functionality would give the motivation to go ahead and replace any other devices we had.. ..kg..
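For reference, an added example (not from any poster in this thread) of the 'transport input ssh' setting applied to the vty lines of an IOS 12.1(1)T-era router, with the pre-SSH default shown beside it; hostname, domain name, user name and the management address range are assumed values, and whether the same setting is honoured on the async 'line' ranges of a 2511 is the open question above, not answered here.

```cisco
! Added example, not from the thread. Assumed values: rtr1, example.net,
! netops, 192.0.2.0/24.
!
! --- Before SSH is configured: vty lines accept telnet in the clear ---
line vty 0 4
 login local
 transport input all
!
! --- Hardened: SSH only, source-restricted, idle timeout ---
hostname rtr1
ip domain-name example.net
! Typed at the privileged exec prompt, not in the config file; the RSA host
! key must exist before the SSH server starts (needs hostname + domain-name)
crypto key generate rsa
!
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management network may reach the vty lines; log everything else
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
username netops password CHANGE-ME-placeholder
service password-encryption
!
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 login local
 transport input ssh
```

Once the key is generated, `show ip ssh` reports whether the SSH server is enabled and `show ssh` lists the active sessions.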