Re: ABOVE.NET SECURITY TRUTHS?
I've had some private messages asking if I was involved in this. I wasn't. I was asked to write this initial email by someone who KNOWS the real truth of what happened at Above, and why they are being so tight-lipped. Let's think about this: Cisco in no way has such a flaw that would allow someone to 'root' and erase all the info on switches. The password was sniffed. Unless Above has some employee who felt the need to do this. But, my Above rep laughingly CONFIRMED that this was the problem. COMMON PASSWORDS. Can't we make it a LITTLE tougher on the script kiddies? And not make EVERY MAJOR switch the same password? This is safe to post, because my Above sales rep told me what the old password was. God. THAT'S SECURITY. Sales reps telling clients OLD PASSWORDS. So, if we wanna verify my authenticity, here's what she told me: whY2Ghay/1Pee-Fr331y Sound familiar, Above? I'm surprised by the lack of comment from you. I'm out to HELP. Not to hurt.
Exiled Dave Sent: Friday, April 28, 2000 1:10 PM
Let's think about this: Cisco in no way has such a flaw that would allow someone to 'root' and erase all the info on switches. The password was sniffed.
Can one set up SSH on a Cisco 6509?
I don't think you can. However, I use TACACS on all my switches and routers. From what I know, TACACS passwords are encrypted using the key on your network devices and the TACACS server. So, that, in combination with a private management LAN not accessible by your customers should lock down your network pretty effectively. Any comments? At 4/28/00 -0700, you wrote:
Exiled Dave Sent: Friday, April 28, 2000 1:10 PM
Let's think about this: Cisco in no way has such a flaw that would allow someone to 'root' and erase all the info on switches. The password was sniffed.
Can one set up SSH on a Cisco 6509?
Paul Froutan Email: pfroutan@rackspace.com Rackspace, Ltd <http://www.rackspace.com>
Paul Froutan wrote:
I don't think you can. However, I use TACACS on all my switches and routers. From what I know, TACACS passwords are encrypted using the key on your network devices and the TACACS server. So, that, in combination with a private management LAN not accessible by your customers should lock down your network pretty effectively. Any comments?
Using TACACS+ with some sort of one-time-passwording works very well. Alec -- Alec H. Peterson - ahp@hilander.com Staff Scientist CenterGate Research Group - http://www.centergate.com "Technology so advanced, even _we_ don't understand it!"
SecurID and ACE/Server work pretty well. -travis On Fri, 28 Apr 2000, Alec H. Peterson wrote:
Paul Froutan wrote:
I don't think you can. However, I use TACACS on all my switches and routers. From what I know, TACACS passwords are encrypted using the key on your network devices and the TACACS server. So, that, in combination with a private management LAN not accessible by your customers should lock down your network pretty effectively. Any comments?
Using TACACS+ with some sort of one-time-passwording works very well.
Alec
-- Alec H. Peterson - ahp@hilander.com Staff Scientist CenterGate Research Group - http://www.centergate.com "Technology so advanced, even _we_ don't understand it!"
At 15:06 28/04/00 -0600, Alec H. Peterson wrote:
Paul Froutan wrote:
I don't think you can. However, I use TACACS on all my switches and routers. From what I know, TACACS passwords are encrypted using the key on your network devices and the TACACS server. So, that, in combination with a private management LAN not accessible by your customers should lock down your network pretty effectively. Any comments?
Using TACACS+ with some sort of one-time-passwording works very well.
TACACS encryption won't help if you follow the Cisco Essential IOS Features (v 2.82 - Feb 18, 2000). On page 45 they discuss router command auditing and recommend:

aaa accounting command 15 start-stop tacacs+

Unfortunately, this will log in your syslog the password commands in cleartext. You would have to be sure that the Unix/NT system you are logging all Cisco commands to is as secure as your router. How many of you run ISS/Cybercop/Netrecon scans every week on your logging servers to be sure they are secure?

"aaa accounting command 15 start-stop tacacs+" can be considered an unintentional backdoor for many. I informed the Cisco authors when it was published to issue a document patch.

-Hank
Alec
-- Alec H. Peterson - ahp@hilander.com Staff Scientist CenterGate Research Group - http://www.centergate.com "Technology so advanced, even _we_ don't understand it!"
% TACACS encryption won't help if you follow the Cisco Essential IOS Features

Good document! (http://www.cisco.com/warp/public/707/EssentialIOSfeatures_pdf.zip for anyone who hasn't seen it)

% "aaa accounting command 15 start-stop tacacs+" can be considered an
% unintentional backdoor for many.

Use the source, Luke. Unfortunately you would still be shipping the data over the network, but the free tacacs+ source can be tweaked as you like to keep it from being logged.

-----------------------------------------------------------------------------
Bryan S. Blank bryan@supernet.net (443)394-9529 tele (410)995-2191 page (410)802-6998 emer
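Hank's point (the accounting record carries whatever was typed at privilege 15, password arguments included) and Bryan's suggestion (filter on the accounting side) can be combined in a small scrubber that runs on the log host before records are kept. The following is an added example written for this thread; it is not code from any of the posters, from Cisco, or from the tacacs+ distribution. It assumes an accounting record layout resembling the tac_plus accounting file (tab-separated fields, with attribute-value pairs such as cmd=...), and the sample records below are constructed, not real data.

```python
"""Scrub credential arguments from TACACS+ command-accounting records.

Added example for this thread; not code from the original posts, from
Cisco, or from tac_plus. The record layout is an assumption: tab-separated
fields carrying AV pairs, one of which is cmd=<command as typed>.
"""
import re
from typing import List, Tuple

MASK = "<redacted>"

# IOS configuration commands whose argument is a credential. With
# "aaa accounting commands 15 ... tacacs+" enabled, the whole command line,
# argument included, is sent to the accounting server and written to its
# log exactly as typed. Patterns are anchored at the start of the command.
_SECRET_PATTERNS = [
    # enable secret [0|5] <pw>  /  enable password [0|7] <pw>
    re.compile(r"^(?:enable (?:secret|password)(?: \d)?) (?P<secret>\S+)"),
    # username <name> [privilege N] (secret|password) [0|5|7] <pw>
    re.compile(r"^(?:username \S+(?: privilege \d+)? (?:secret|password)(?: \d)?) (?P<secret>\S+)"),
    # tacacs-server key [0|7] <key>  /  radius-server key [0|7] <key>
    re.compile(r"^(?:(?:tacacs|radius)-server key(?: \d)?) (?P<secret>\S+)"),
    # snmp-server community <string> ...
    re.compile(r"^(?:snmp-server community) (?P<secret>\S+)"),
    # line-mode "password [0|7] <pw>" (vty/console/aux)
    re.compile(r"^(?:password(?: \d)?) (?P<secret>\S+)"),
]


def redact_command(cmd: str) -> Tuple[str, bool]:
    """Mask the credential argument of a logged IOS command, if it has one.

    Returns (possibly rewritten command, whether anything was masked).
    """
    for pat in _SECRET_PATTERNS:
        m = pat.match(cmd)
        if m:
            return cmd[: m.start("secret")] + MASK + cmd[m.end("secret"):], True
    return cmd, False


def redact_record(record: str) -> Tuple[str, bool]:
    """Redact the cmd= attribute of one tab-separated accounting record."""
    fields = record.rstrip("\n").split("\t")
    hit = False
    for i, field in enumerate(fields):
        if field.startswith("cmd="):
            new_cmd, changed = redact_command(field[len("cmd="):])
            if changed:
                fields[i] = "cmd=" + new_cmd
                hit = True
    return "\t".join(fields), hit


def redact_log(records: List[str]) -> Tuple[List[str], int]:
    """Redact a batch of records; return (cleaned records, count redacted)."""
    out, count = [], 0
    for rec in records:
        clean, hit = redact_record(rec)
        out.append(clean)
        count += hit
    return out, count


# Constructed sample records (placeholder addresses, users and secrets).
SAMPLE_RECORDS = [
    "Apr 28 13:10:05 2000\t10.0.0.1\tnetops\ttty66\t10.0.0.9\tstop\ttask_id=12\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "Apr 28 13:10:40 2000\t10.0.0.1\tnetops\ttty66\t10.0.0.9\tstop\ttask_id=13\tservice=shell\tpriv-lvl=15\tcmd=enable secret 0 Sample-Pw-1 <cr>",
    "Apr 28 13:11:02 2000\t10.0.0.1\tnetops\ttty66\t10.0.0.9\tstop\ttask_id=14\tservice=shell\tpriv-lvl=15\tcmd=username backup privilege 15 secret Sample-Pw-2 <cr>",
    "Apr 28 13:11:30 2000\t10.0.0.1\tnetops\ttty66\t10.0.0.9\tstop\ttask_id=15\tservice=shell\tpriv-lvl=15\tcmd=tacacs-server key Sample-Key-3 <cr>",
]

if __name__ == "__main__":
    cleaned, n = redact_log(SAMPLE_RECORDS)
    print("\n".join(cleaned))
    print(f"{n} record(s) redacted")
```

Two caveats a practitioner should keep in mind. IOS accepts abbreviated commands (for example "ena sec ..."), which these anchored patterns will not match, so a scrubber like this is a backstop rather than a guarantee; the accounting server still has to be treated as at least as sensitive as the routers it audits. And the secret has already crossed the wire inside the TACACS+ session and been seen by the daemon before any filter runs, which is why Philip's advice not to type the on-box enable secret live in the first place is the actual fix.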
Hank Nussbacher wrote:
TACACS encryption won't help if you follow the Cisco Essential IOS Features (v 2.82 - Feb 18, 2000). On page 45 they discuss router command auditing and recommend:
aaa accounting command 15 start-stop tacacs+
Unfortunately, this will log in your syslog the password commands in cleartext. You would have to be sure that the Unix/NT system you are logging all Cisco commands to is as secure as your router. How many of you run ISS/Cybercop/Netrecon scans every week on your logging servers to be sure they are secure?
Hrm, that's odd, since I was using TACACS+ accounting a while ago (that exact command actually) and it never logged any passwords that I entered... Alec -- Alec H. Peterson - ahp@hilander.com Staff Scientist CenterGate Research Group - http://www.centergate.com "Technology so advanced, even _we_ don't understand it!"
Hank,

As you pointed out to Barry Greene and myself previously, the "aaa accounting" command as below will log commands typed in at "enable" level. So, if you are changing the onboard router password, yes, you will see the new password in your accounting logs, in clear text. However, I don't consider it good practice to keep any critical passwords on a router when an authentication mechanism such as TACACS+ is in place. Also, if I was modifying the onboard enable secret (last resort password when TACACS+ or Radius is configured) at any stage, I'd tftp-load the configuration from a remote server, not ever type it in live. We will explain this more clearly in the relevant section in the next version of IOS Essentials.

Thanks for all the feedback!

philip

--

At 08:36 30/04/00 -0600, Alec H. Peterson wrote:
Hank Nussbacher wrote:
TACACS encryption won't help if you follow the Cisco Essential IOS Features (v 2.82 - Feb 18, 2000). On page 45 they discuss router command auditing and recommend:
aaa accounting command 15 start-stop tacacs+
Unfortunately, this will log in your syslog the password commands in cleartext. You would have to be sure that the Unix/NT system you are logging all Cisco commands to is as secure as your router. How many of you run ISS/Cybercop/Netrecon scans every week on your logging servers to be sure they are secure?
Hrm, that's odd, since I was using TACACS+ accounting a while ago (that exact command actually) and it never logged any passwords that I entered...
Alec
-- Alec H. Peterson - ahp@hilander.com Staff Scientist CenterGate Research Group - http://www.centergate.com "Technology so advanced, even _we_ don't understand it!"
-------------------------------------------------------- Philip Smith ph: +61 7 3238 8200 Consulting Engineering, Office of the CTO, Cisco Systems --------------------------------------------------------
Paul Froutan wrote:
I don't think you can. However, I use TACACS on all my switches and
SSH is becoming available on the IOS and I believe it is available in the very latest of 'T' train IOS releases. I don't think the same is true for the CatIOS side of the house. Hopefully soon if not already.
routers. From what I know, TACACS passwords are encrypted using the key on your network devices and the TACACS server. So, that, in combination with a private management LAN not accessible by your customers should lock down your network pretty effectively. Any comments?
Yes, assuming that LAN is indeed private. The initial connection between the client and switch will still be unencrypted. The right ACLs for the VTYs also help. John
On Fri, 28 Apr 2000, Exiled Dave wrote:
Let's think about this: Cisco in no way has such a flaw that would allow someone to 'root' and erase all the info on switches. The password was sniffed.
http://www.cisco.com/warp/public/707/catos-enable-bypass-pub.shtml
participants (10)
- Alec H. Peterson
- Alex Rubenstein
- Bryan S. Blank
- Exiled Dave
- Hank Nussbacher
- John Kristoff
- Paul Froutan
- Philip Smith
- Roeland Meyer (E-mail)
- Travis Pugh