Re: RE: SSH on IOS (was RE: ABOVE.NET SECURITY TRUTHS?)
There are lots of ways to make this work:

Digiboard or Rocketport in the Linux box.

Real terminal server (Livingston is good, Computone Powerrack is cheaper, has more ports per Rack Unit, and is good enough for this usage) in the rack with direct Ethernet connect to a Linux box racked right above it, so physical security is still easy, then SSH to the Linux box.

If you lock that Linux (or Open/Free/Net-BSD) box down so it accepts NOTHING other than that SSH traffic, you could even slap a hub down and use it to direct Ethernet management traffic, although that opens you up to possible sniffing if a router is cracked.

Best to stick with the serial solutions, but they can be pretty damn cheap. Certainly cheaper than break-ins.

Figure anywhere from $500 to $1,500 for the Linux server (depending upon the quality of components, and whether you put it in a rack-mount case or just drop it on top of the terminal server), and $2,500 for a Computone Powerrack (with ISP discounts, and using the pricing I remember from years ago, which could very well have changed), with no expenditure on software at all (unless you count $1.99 for a CD from CheapBytes) and you're looking at a damned cheap, damned secure system that your entire staff can use. You could even log all the traffic on the Linux box, provide scripts for common tasks and keep them on the isolated server where they're safe, or even (if you needed to) tcpdump all the traffic to the terminal server for infinite levels of security micromanagement.

All for less than the cost of the consultants who'd sell you the less-secure versions of securing this traffic.

On Fri, 28 Apr 2000, "Roeland Meyer (E-mail)" wrote:

Date: Fri, 28 Apr 2000 19:24:32 -0700
To: "'John Fraizer'" <nanog@EnterZone.Net>, "'Jason Ackley'" <jason@ackley.net>
From: "Roeland Meyer (E-mail)" <rmeyer@mhsc.com>
Reply-To: <rmeyer@mhsc.com>
Subject: RE: SSH on IOS (was RE: ABOVE.NET SECURITY TRUTHS?)
Actually doing that now, with a Linux box and an old Livingston PM2E. Linux box runs SSHD, the portmaster runs directly into console ports 'stead of modems. I figured that was obvious. However, I don't run a co-lo either. Most of my systems reside in them. This is okay, until your ladders have to run through semi-public space. There is also a 50 foot length restriction, on RS-232 lines, unless you like running at less than 115K baud. Also, figure the expense of the extra hardware. In my case, it was unused sunk-cost anyway (surplus, for you non-suits).
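The "accepts NOTHING other than SSH" bastion and the "log all the traffic" idea from the message above, as an added example that is not part of this thread: a lockdown rule set for the Linux console server plus a wrapper that records every serial console session. It assumes Linux iptables and util-linux `script`/`cu`; the management subnet, log directory and device names are placeholders.

```shell
#!/bin/sh
# Constructed example: SSH-only console bastion with per-session logging.
# Placeholders (not from the thread): the management subnet, the log
# directory and the tty/device names passed to console_session.

MGMT_NET="${MGMT_NET:-192.0.2.0/24}"          # placeholder management subnet
CONSOLE_LOGDIR="${CONSOLE_LOGDIR:-/var/log/console}"

# Emit the rule set one iptables command per line so it can be reviewed
# (or diffed against the running rules) before anything is applied.
# Default policy DROP on every chain: the box initiates nothing on its own;
# the consoles hang off local serial ports, so no outbound path is needed.
bastion_rules() {
    net="$1"
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $net --dport 22 --syn -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "bastion-drop: "
EOF
}

# Apply the reviewed rules (run as root on the bastion itself).
apply_bastion_rules() {
    bastion_rules "$MGMT_NET" | sh -e
}

# One transcript per operator, device and start time, kept on the bastion
# rather than on the managed router, so it survives the router being owned.
console_logfile() {   # console_logfile <operator> <device-name> <timestamp>
    printf '%s/%s-%s-%s.log\n' "$CONSOLE_LOGDIR" "$1" "$2" "$3"
}

# Attach to a serial console through cu, recording the whole session.
console_session() {   # console_session <operator> <device-name> <tty> [speed]
    logfile=$(console_logfile "$1" "$2" "$(date +%Y%m%dT%H%M%S)")
    umask 077                                  # transcripts are sensitive
    script -q -a "$logfile" -c "cu -l /dev/$3 -s ${4:-9600}"
}
```

Operators log in over SSH with their own accounts and call `console_session "$USER" core-rtr1 ttyS0`, so the transcript is tied to a named person rather than a shared router password.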
Careful on this. There are a number of systems out there (Sun's in particular) that equate toggling on the serial line to a halt/shutdown command. Imagine your surprise when you reboot your cheap terminal server only to discover your vendors' routers/switches/BSD-based load balancers/etc. employ this feature too... Ughh.

Howard Hart
ipDialog, Inc.
you'd think i'd know by now that powercycling one particular box of mine will always kill the egress router. i never learn. it took me about a year of "wtf?!" to actually get used to remembering that powercycling the box with the serial console on it will send a "break" to the router and i need to boot as fast as possible, tip in, and "c" it. later i just pulled the cable off. it was easier and i ended up accessing the router less than i was rebooting it because i hadn't recalled yet exactly what i'd done wrong. brain slow.

but i can also appreciate the statement from the angle of one who plugs and unplugs sun keyboard cables as well: that's also a break signal. at least... until we upgraded to e450s and left the keys (removed, but) in the locked position so that the machine would ignore the standard set of break signals.

--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
participants (3)
- Andrew Brown
- Howard Hart
- Shawn McMahon