RE: Hard data on network impact of the "Code Red" worm?
From: Hank Nussbacher [mailto:hank@att.net.il] Sent: Monday, July 30, 2001 11:41 PM
bandwidth - typically FastEthernet. So targeting IIS servers is a sure way of maximizing your zombie power (the only more powerful worm would be an Apache zombie which has about 18M potential clients or a bind worm-zombie).
Cut it out! You're making my blood run cold. Four years ago, I had three systems cracked by mwsh. The entry was via BIND. They were Linux boxen and the exploit downloaded mwsh source code and compiled it. It could, just as easily, do that with CodeRed sources. Fortunately, most BIND installations have been upgraded since then. But, I'll bet that there are a few that haven't been. Is Raul Dhesi listening? <shudder>
Hello All, I have charged myself with trying to find a statistic on how many individuals responsible for IP core equipment recommend telnet or ssh & why particularly. I will summarize. Tia, JimL
+------------------------------------------------------------------+
| James W. Laferriere | System Techniques | Give me VMS |
| Network Engineer | P.O. Box 854 | Give me Linux |
| babydr@baby-dragons.com | Coudersport PA 16915 | only on AXP |
+------------------------------------------------------------------+
Hi
Hello All, I have charged myself with trying to find a statistic on how many individuals responsible for IP core equipment recommend telnet or ssh & why particularly. I will summarize.
telnet is cleartext, that should be reason enough... --Rob
true, but I would point out that if it's your core equipment that you are accessing from your network that sits directly on the core then you should be happy with the fact that no one is eavesdropping and it makes no difference. having said that, I use ssh where I can. I like RSA rather than passwords as it's so much more difficult for people to login as you; that's not ssh specific tho, that's just an alternative authentication scheme that just happens to ship with most ssh. so that's my main logic, authentication... I can't understand the big paranoia on people sniffing tho!
Steve
On Tue, 31 Jul 2001, fingers wrote:
telnet is cleartext, that should be reason enough...
--Rob
-- Stephen J. Wilcox IP Services Manager, Opal Telecom http://www.opaltelecom.co.uk/ Tel: 0161 222 2000 Fax: 0161 222 2008
Hi
true, but I would point out that if it's your core equipment that you are accessing from your network that sits directly on the core then you should be happy with the fact that no one is eavesdropping and it makes no difference.
not everyone has out-of-band networks for management. Management of devices is sometimes done thousands of miles away. Remember also that this traffic can be sniffed before it gets to the core (yes, ssh is sniffable as well, but just not as easily, and at least it's not in plaintext)
so that's my main logic, authentication... I can't understand the big paranoia on people sniffing tho!
unfortunately ssh is just as sniffable if it's an arp spoof, but hopefully it's not as easy for the naughty eavesdropper to get into the right position for that.... --Rob
true, but I would point out that if it's your core equipment that you are accessing from your network that sits directly on the core then you should be happy with the fact that no one is eavesdropping and it makes no difference.
not everyone has out-of-band networks for management. Management of devices is sometimes done thousands of miles away. Remember also that this traffic can be sniffed before it gets to the core (yes, ssh is sniffable as well, but just not as easily, and at least it's not in plaintext)
this is in-band. if as you say you are accessing from another network then this is where the encryption kicks in being useful, however that raises another question - do you just allow any host to connect providing they can authenticate? I know my login ports are restricted at both network and host level to specific authorized addresses...
so that's my main logic, authentication... I can't understand the big paranoia on people sniffing tho!
unfortunately ssh is just as sniffable if it's an arp spoof, but hopefully it's not as easy for the naughty eavesdropper to get into the right position for that....
exactly, it's probably easier to hack the box by other means than sniffing auth details!
Steve
so that's my main logic, authentication... I can't understand the big paranoia on people sniffing tho!
unfortunately ssh is just as sniffable if it's an arp spoof, but hopefully it's not as easy for the naughty eavesdropper to get into the right position for that....
Pardon for blowing your bubble but sniffing ssh keyexchange does not do you any good. The symmetric key is exchanged via a channel already secured. The keys that are used to secure the channel used to exchange the symmetric key are exchanged via a DH-based protocol. If you want to spend your time factoring primes for the next 500 years to extract the key, you are more than welcome to try. It is crypto-101.
Alex
On Tue, 31 Jul 2001 alex@yuriev.com wrote:
so that's my main logic, authentication... I can't understand the big paranoia on people sniffing tho!
unfortunately ssh is just as sniffable if it's an arp spoof, but hopefully it's not as easy for the naughty eavesdropper to get into the right position for that....
Pardon for blowing your bubble but sniffing ssh keyexchange does not do you any good. The symmetric key is exchanged via a channel already secured. The keys that are used to secure the channel used to exchange the symmetric key are exchanged via a DH-based protocol. If you want to spend your time factoring primes for the next 500 years to extract the key, you are more than welcome to try. It is crypto-101.
If you can arp spoof as indicated in the message you are replying to, you can perform a MTM attack which SSH offers only minimal security against (in the form of stored host keys that users often choose to ignore or not verify the fingerprint). Look to SRP for a MTM-less password authentication solution.
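The distinction being argued in these two messages, as an added example that is not part of the thread: a toy Python run of an unauthenticated Diffie-Hellman exchange, once with a passive sniffer watching and once with an ARP-spoofing attacker terminating both halves. The prime is Oakley group 2 from RFC 2409 (the group SSH2's diffie-hellman-group1-sha1 uses); the party names and the "mallory" attacker are made up for the demo, and the key derivation is a plain SHA-1 of the shared secret rather than SSH's full exchange hash.

```python
import hashlib
import secrets

# 1024-bit MODP prime, Oakley group 2 (RFC 2409). The demo works with any safe prime.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def session_key(shared_secret: int) -> bytes:
    """Symmetric key from the DH secret. SSH hashes more into this; SHA-1 of the
    secret alone is enough to show who ends up holding the same key."""
    return hashlib.sha1(shared_secret.to_bytes(128, "big")).digest()


class Party:
    """One endpoint of an unauthenticated DH exchange (constructed for the demo)."""

    def __init__(self, name: str):
        self.name = name
        self.x = secrets.randbelow(P - 2) + 1   # private exponent, never sent
        self.public = pow(G, self.x, P)         # g^x mod p, sent in the clear
        self.key = None

    def derive(self, peer_public: int) -> bytes:
        self.key = session_key(pow(peer_public, self.x, P))
        return self.key


def passive_sniffer_guess(client_public: int, server_public: int) -> bytes:
    """All a sniffer has is the two cleartext values; without an exponent the
    best it can do is guess. Multiplying them is the obvious wrong guess."""
    return session_key(client_public * server_public % P)


def honest_exchange():
    """Client and server talk directly; the sniffer sees both messages."""
    client, server = Party("client"), Party("server")
    client_key = client.derive(server.public)
    server_key = server.derive(client.public)
    return client_key, server_key, passive_sniffer_guess(client.public, server.public)


def mitm_exchange():
    """ARP-spoofed path: the attacker runs one exchange with each victim and
    re-encrypts between them. Unauthenticated DH has no way to notice."""
    client, server = Party("client"), Party("server")
    mallory_to_client, mallory_to_server = Party("mallory/c"), Party("mallory/s")
    client_key = client.derive(mallory_to_client.public)   # client believes this is the server
    mallory_client_key = mallory_to_client.derive(client.public)
    server_key = server.derive(mallory_to_server.public)   # server believes this is the client
    mallory_server_key = mallory_to_server.derive(server.public)
    return client_key, mallory_client_key, server_key, mallory_server_key


if __name__ == "__main__":
    ck, sk, guess = honest_exchange()
    print("honest: keys agree =", ck == sk, "; sniffer guessed right =", guess == ck)
    ck, mck, sk, msk = mitm_exchange()
    print("mitm: client<->mallory agree =", ck == mck, "; server<->mallory agree =", sk == msk,
          "; client and server share a key =", ck == sk)
```

Passive capture leaves the sniffer with two public values and a discrete-log problem; the active attacker simply holds two session keys and relays. What SSH layers on top is the server's signature over the exchange with its host key, and that signature only helps if the client checks the host key against a copy it already trusts, which is what the rest of the thread is about.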
Pardon for blowing your bubble but sniffing ssh keyexchange does not do you any good. The symmetric key is exchanged via a channel already secured. The keys that are used to secure the channel used to exchange the symmetric key are exchanged via a DH-based protocol. If you want to spend your time factoring primes for the next 500 years to extract the key, you are more than welcome to try. It is crypto-101.
If you can arp spoof as indicated in the message you are replying to, you can perform a MTM attack which SSH offers only minimal security against (in the form of stored host keys that users often choose to ignore or not verify the fingerprint). Look to SRP for a MTM-less password authentication solution.
Monkey in the Middle attack on SSH is very difficult to perform. I'm cc'ing Matt Bishop (bishop@cs.ucdavis.edu) who together with yours truly wrote a paper on this in 1997.
Cheers, Alex
On Tue, 31 Jul 2001 alex@yuriev.com wrote:
Monkey in the Middle attack on SSH is very difficult to perform. I'm cc'ing Matt Bishop (bishop@cs.ucdavis.edu) who together with yours truly wrote a paper on this in 1997.
Hard how? Are you talking about the complexity in coding the exploit app? So what! It only has to be written once:
SSHv1
  wget http://www.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz
  tar -zxf dsniff-2.3.tar.gz
  man ./dsniff-2.3/sshmitm.8
The SSH security model is fundamentally weak against Man in the Middle, because it provides no methodology to verify the transmitted key (beyond crude manual methods... Not that the PKI system used with SSL is all that effective either).
On Tue, 31 Jul 2001 alex@yuriev.com wrote:
Monkey in the Middle attack on SSH is very difficult to perform. I'm cc'ing Matt Bishop (bishop@cs.ucdavis.edu) who together with yours truly wrote a paper on this in 1997.
Hard how? Are you talking about the complexity in coding the exploit app? So what! It only has to be written once:
Really? And does it work on all hosts, no matter how they are configured? Next...
Alex
SSHv1
  wget http://www.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz
  tar -zxf dsniff-2.3.tar.gz
  man ./dsniff-2.3/sshmitm.8
The SSH security model is fundamentally weak against Man in the Middle, because it provides no methodology to verify the transmitted key (beyond crude manual methods... Not that the PKI system used with SSL is all that effective either).
Hi
Monkey in the Middle attack on SSH is very difficult to perform. I'm cc'ing Matt Bishop (bishop@cs.ucdavis.edu) who together with yours truly wrote a paper on this in 1997.
Well I saw a monkey do it in 10 minutes with ettercap. Sorry I did mention in 1 of my posts that the ssh key sniff was done using arp spoofing, my text got lost somewhere along the line.... --Rob
Monkey in the Middle attack on SSH is very difficult to perform. I'm cc'ing Matt Bishop (bishop@cs.ucdavis.edu) who together with yours truly wrote a paper on this in 1997.
Well I saw a monkey do it in 10 minutes with ettercap. Sorry I did mention in 1 of my posts that the ssh key sniff was done using arp spoofing, my text got lost somewhere along the line....
*Yawn*
warning: Executing /opt/bin/ssh1 for ssh1 compatibility.
Host key not found from the list of known hosts.
!! If host key is new or changed, ssh1 protocol is vulnerable to an
!! attack known as false-split, which makes it relativily easy to
!! hijack the connection without the attack being detected. It is
!! highly advisable to turn StrictHostKeyChecking to "yes" and
!! manually copy host keys to known_hosts.
Are you sure you want to continue connecting (yes/no)?
It does not matter what kind of security system you have if you don't bother to actually engage it.
Alex
On Tue, Jul 31, 2001 at 11:48:55AM -0400, alex@yuriev.com exclaimed:
*Yawn*
warning: Executing /opt/bin/ssh1 for ssh1 compatibility.
Host key not found from the list of known hosts.
!! If host key is new or changed, ssh1 protocol is vulnerable to an
!! attack known as false-split, which makes it relativily easy to
!! hijack the connection without the attack being detected. It is
!! highly advisable to turn StrictHostKeyChecking to "yes" and
!! manually copy host keys to known_hosts.
Are you sure you want to continue connecting (yes/no)?
It does not matter what kind of security system you have if you don't bother to actually engage it.
Amen to that.
Alex
-- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m UNIX | IP networks | security | sysadmin | caffeine | BOFH | general geekery GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
Hi
Pardon for blowing your bubble but sniffing ssh keyexchange does not do you any good. The symmetric key is exchanged via a channel already secured. The keys that are used to secure the channel used to exchange the symmetric key are exchanged via a DH-based protocol. If you want to spend your time factoring primes for the next 500 years to extract the key, you are more than welcome to try. It is crypto-101.
ssh1 keys can be sniffed easily enough with things like ettercap and the like. Last I checked, it couldn't do ssh2, dunno what the status is now.... --Rob
I hate bringing this up with openly paranoid types around. Someone just mentioned RSA as an authentication scheme for SSH which is a very good idea when it comes to managing lots of equipment. How many of us just hit "accept and save key" when their SSH client prompts them for it? This act alone can allow ANYONE that could sniff the packets to actually force you to login to _their_ equipment which will just pass on your packets to the equipment on the other side. You will not necessarily be able to notice anything is amiss and will be entering your passwords and commands in plaintext relative to the sniffer. SSH has a very specific purpose and a very specific function, but like anything else, if you don't know the nuances of it, it is nothing more than a false sense of security. If you aren't worried about sniffers, [in band or out of band] ssh is needless overhead. If you are, you'd better damn well make sure you are doing proper key authentication and that the keys you are saving, in fact, come from your equipment. It also helps to make sure your equipment hasn't been compromised at any point in the exercise.
Deepak Jain
AiNET
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of fingers
Sent: Tuesday, July 31, 2001 9:56 AM
To: Stephen J. Wilcox
Cc: Mr. James W. Laferriere; nanog@merit.edu
Subject: Re: telnet vs ssh on Core equipment , looking for reasons why ?
Hi
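The "accept and save key" problem Deepak describes, as an added example that is not code from the thread: a small Python checker that does what a client with StrictHostKeyChecking yes does, looking a presented host key up in a known_hosts file (including the hashed |1|salt|hash host form written by ssh-keygen -H and @revoked markers) and distinguishing a pinned, matching key from a changed one. The key blobs, hostnames, salt and known_hosts contents are constructed for the demo and are not real keys.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for host key blobs (a real blob is the wire-format public
# key that ssh-keyscan prints, base64-encoded). The checker only hashes and
# compares them, so their internal structure does not matter here.
PINNED_KEY = b"constructed-host-key:" + bytes(range(40))
ATTACKER_KEY = b"constructed-host-key:" + bytes(range(40, 80))
DEMO_SALT = bytes(20)   # fixed so the demo is repeatable; ssh-keygen -H uses a random salt


def fingerprint(key_blob: bytes, algo: str = "sha256") -> str:
    """Fingerprint in the two forms ssh has used: SHA256 (base64, no padding) and
    the older MD5 colon-hex form. Compare the whole string, never a prefix."""
    if algo == "sha256":
        digest = hashlib.sha256(key_blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":
        return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(key_blob).digest())
    raise ValueError("unknown fingerprint algorithm: " + algo)


def hashed_host_entry(host: str, salt: bytes = DEMO_SALT) -> str:
    """The '|1|salt|hash' host field: base64(salt) and base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, host: str) -> bool:
    """Match a known_hosts host field: a comma list of names/addresses, or a hashed entry."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|", 3)
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(mac_b64))
    return host in pattern.split(",")


def parse_known_hosts(text: str):
    """Yield (marker, hosts, keytype, blob); marker is '@revoked', '@cert-authority' or None."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        marker = None
        if parts[0].startswith("@"):
            marker, parts = parts[0], parts[1:]
        if len(parts) < 3:
            continue
        yield marker, parts[0], parts[1], base64.b64decode(parts[2])


def check_host_key(known_hosts: str, host: str, keytype: str, presented: bytes) -> str:
    """'ok'      pinned key matches (the only outcome StrictHostKeyChecking yes accepts)
       'CHANGED' host is pinned but the key differs: the MITM case, refuse to connect
       'REVOKED' key explicitly revoked
       'unknown' no entry: the prompt people answer 'yes' to without looking"""
    pinned_for_host = False
    for marker, hosts, ktype, blob in parse_known_hosts(known_hosts):
        if not host_matches(hosts, host):
            continue
        if marker == "@revoked":
            if ktype == keytype and hmac.compare_digest(blob, presented):
                return "REVOKED"
            continue
        if marker is not None or ktype != keytype:
            continue
        pinned_for_host = True
        if hmac.compare_digest(blob, presented):
            return "ok"
    return "CHANGED" if pinned_for_host else "unknown"


# Constructed known_hosts, as if populated out of band from console output
KNOWN_HOSTS = "\n".join([
    "# pinned from the console, never from a first-connect prompt",
    "core1.example.net,10.0.0.1 ssh-rsa " + base64.b64encode(PINNED_KEY).decode(),
    hashed_host_entry("core2.example.net") + " ssh-rsa " + base64.b64encode(PINNED_KEY).decode(),
    "@revoked old-core.example.net ssh-rsa " + base64.b64encode(ATTACKER_KEY).decode(),
])

if __name__ == "__main__":
    print("pinned fingerprint :", fingerprint(PINNED_KEY))
    print("attacker fingerprint:", fingerprint(ATTACKER_KEY))
    for host, key in [("core1.example.net", PINNED_KEY), ("10.0.0.1", ATTACKER_KEY),
                      ("core2.example.net", PINNED_KEY), ("core3.example.net", PINNED_KEY)]:
        print("%-20s %s" % (host, check_host_key(KNOWN_HOSTS, host, "ssh-rsa", key)))
```

The "CHANGED" result is the only one that can unmask the ARP-spoofing relay Rob and Deepak describe, and it only fires for a host whose key was recorded beforehand; an attacker who gets to you on the first connection sees "unknown" and a user who types "yes" pins the attacker's key.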
On Tue, 31 Jul 2001, Stephen J. Wilcox wrote:
paranoia on people sniffing tho!
Hmmm, how about I inject an arp entry into your workstation, and redirect your traffic to where I want ? ... --Ariel
-- Ariel Biener e-mail: ariel@post.tau.ac.il PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html
*ponder* how will that work, you're not on my network and my routers won't forward local packets to you?
Steve
On Tue, 31 Jul 2001, Ariel Biener wrote:
On Tue, 31 Jul 2001, Stephen J. Wilcox wrote:
paranoia on people sniffing tho!
Hmmm, how about I inject an arp entry into your workstation, and redirect your traffic to where I want ?
...
--Ariel
On Tue, 31 Jul 2001, Stephen J. Wilcox wrote:
*ponder*
But who said I am not on your network ? What if I penetrated your AAA server, or, some other server on your network ? And what about those that administer their networks from remote locations ? --Ariel
how will that work, you're not on my network and my routers won't forward local packets to you?
*ponder*
But who said I am not on your network ? What if I penetrated your AAA server, or, some other server on your network ?
well you're not. and if you were, I'm pretty well screwed! altho having said that, my network doesn't allow you to hop between machines.. but maybe you compromised my security? okay, I'm screwed again!
And what about those that administer their networks from remote locations ?
see other response.. either they are on a trusted network or they have their machines open to login from the entire internet? if the latter then they deserve hacking!
Steve
On Tue, 31 Jul 2001, Stephen J. Wilcox wrote:
But who said I am not on your network ? What if I penetrated your AAA server, or, some other server on your network ?
well you're not. and if you were, I'm pretty well screwed! altho having said that, my network doesn't allow you to hop between machines.. but maybe you compromised my security? okay, I'm screwed again!
Security is generally not an all-or-nothing game. Most script kiddies have enough skill to run a prefab'd exploit on your IIS server; some have enough skill to inject trojan ARP entries and use tcpdump; but far fewer have the ability to decrypt ssh packets (although new tools are making this easier). In cases where ssh is an option, why not use it?
-- Bob <melange@yip.org> | Yes. I know. That is, indeed, *not* mayonnaise.
On Tue, 31 Jul 2001, Ariel Biener wrote:
On Tue, 31 Jul 2001, Stephen J. Wilcox wrote:
*ponder*
But who said I am not on your network ? What if I penetrated your AAA server, or, some other server on your network ?
if this is done, you may well already be f*cked, but not necessarily because of "sniffing" or "injecting ARP entries", all of which can be prevented by a decent switch with VLANs, and for more protection, static port ARP entries.
And what about those that administer their networks from remote locations
James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
Yo Up! On Tue, 31 Jul 2001 up@3.am wrote:
if this is done, you may well already be f*cked, but not neccessarily because of "sniffing" or "injecting ARP entries", all of which can be prevented by a decent switch with VLANs, and for more protection, static port ARP entries.
Many switches will fail open when flooded. I have used this to bypass VLAN protection.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem@rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
On Tue, 31 Jul 2001, Ariel Biener wrote:
On Tue, 31 Jul 2001, Stephen J. Wilcox wrote:
paranoia on people sniffing tho! Hmmm, how about I inject an arp entry into your workstation, and redirect your traffic to where I want ?
Hmmm, how about I lock down all MAC addresses on switch ports and configure port IP filters and set the switch so filter violations automatically disable your port? Then when you try this arp spoofing nonsense, your link goes down and I'll get paged so I can permanently correct your workstation with a sledgehammer.
-Dan
-- [-] Omae no subete no kichi wa ore no mono da. [-]
On Tue, 31 Jul 2001, Dan Hollis wrote:
Hmmm, how about I lock down all MAC addresses on switch ports and configure port IP filters and set the switch so filter violations automatically disable your port?
Dan, really, how many people do you know that actually enforce any of the above techniques? Talking about security is fun, and can get tiresome, but a network administrator or system administrator, or even an organization, makes a decision how far they wish to go with it, and how willing they are to hinder the normal course of working. Just as an example, let's assume you use a FastEthernet interface, with MAC address X. Tomorrow you find out that you're using some 80% of it, and you define a portchannel, with two FEs. The ARP address will change. Now, if you are running through a few networks, or even if you are managing a few 10s of routers, doing what you are suggesting creates immense overheads of management. The idea is to work as secure as possible, without hindering work, and without creating more work, and spending a lot more time (thus money) on these things. Think about it for a minute.
--Ariel
Then when you try this arp spoofing nonsense, your link goes down and I'll get paged so I can permanently correct your workstation with a sledgehammer.
On Tue, 31 Jul 2001 13:45:33 PDT, Dan Hollis said:
Hmmm, how about I lockdown all MAC addresses on switch ports and configure port IP filters and set the switch so filter violations automatically disable your port?
I'd love to do this to our users. I've suggested it. I was promptly told that if implemented, I'd be the guy answering the phone each time one of our 30K users replaced an Ethernet card or moved a computer across a room and plugged it into another "Known Working" portal. ;)
However, we *do* dump the ARP caches on every switch every 5 minutes and keep a database on every time we see a change on a port. Good thing disk space is cheap, we've got the data going back to <when the heck did managed switches/hubs hit the market>. No, it's not as secure - but I'd like to get work done once in a while too. ;)
You want *security*? I'm surprised nobody has suggested running cable in pressurized conduit - I fully believe some paranoid TLA's use 400PSI and a pressure-drop alarm as a deterrent. I keep hearing rumors that involve 400PSI nerve gas, and I'm not sure if anybody is THAT paranoid. ;)
The rest of us need to balance security against getting work done. Sure, there are MIM attacks against SSH. On the other hand, I'm pretty sure that if somebody talented enough that they can man-in-middle an SSH session *without* me seeing a "host key has changed" message decides to attack me, there isn't much I'll be able to do to stop him anyhow. On the other hand, I need to smack the admins of the 48 machines of ours that got CodeRed'ed. Guess which is considered more important by our management, smacking the CodeRed machines, or worrying about SSH holes? ;)
-- Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
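Valdis's periodic ARP-cache dump, as an added example that is not from the thread: Python that diffs two snapshots and flags the changes worth paging on (the gateway address answered by a new MAC, one MAC answering for several addresses, a host that moved to another port). The three-column snapshot format and both snapshots are constructed for the demo; the gateway list is an assumed input you would supply from your own addressing plan.

```python
from collections import defaultdict

# Constructed snapshots in an "ip mac port" form. Real input would be whatever
# your switches dump (ARP and bridge tables walked over SNMP, for instance).
SNAPSHOT_T0 = """\
# 09:20 (constructed)
10.0.0.1   00:00:0c:00:00:01  Gi0/1
10.0.0.5   00:11:22:33:44:05  Fa0/5
10.0.0.9   00:11:22:33:44:09  Fa0/9
"""
SNAPSHOT_T1 = """\
# 09:25 (constructed): the host on Fa0/9 now answers for the gateway address too
10.0.0.1   00:11:22:33:44:09  Fa0/9
10.0.0.5   00:11:22:33:44:05  Fa0/5
10.0.0.9   00:11:22:33:44:09  Fa0/9
10.0.0.12  00:11:22:33:44:12  Fa0/12
"""
GATEWAYS = {"10.0.0.1"}   # assumed: addresses whose MAC should never change unannounced


def parse_snapshot(text: str) -> dict:
    """ip -> (mac, port); comments and blank lines ignored."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, port = line.split()
        table[ip] = (mac.lower(), port)
    return table


def diff_snapshots(old: dict, new: dict, gateways=frozenset()) -> list:
    """Return (severity, kind, subject, detail) events.

    A gateway MAC change is the textbook ARP-spoof signature and rates 'alert'.
    An ordinary host's MAC change is usually a NIC swap (the helpdesk call above)
    and rates 'warn', as does a host moving between ports."""
    events = []
    for ip, (mac, port) in sorted(new.items()):
        if ip not in old:
            events.append(("info", "new-host", ip, "%s on %s" % (mac, port)))
            continue
        old_mac, old_port = old[ip]
        if mac != old_mac:
            sev = "alert" if ip in gateways else "warn"
            events.append((sev, "mac-changed", ip,
                           "%s@%s -> %s@%s" % (old_mac, old_port, mac, port)))
        elif port != old_port:
            events.append(("warn", "port-moved", ip, "%s -> %s" % (old_port, port)))

    # One MAC answering for several addresses is what an ARP spoofer looks like
    # in the cache. It is also legitimate for routers with secondary addresses or
    # VRRP, so in production this check wants an allow list.
    ips_by_mac = defaultdict(list)
    for ip, (mac, _port) in new.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            events.append(("alert", "mac-claims-multiple-ips", mac, ",".join(sorted(ips))))
    return events


def run_demo() -> list:
    return diff_snapshots(parse_snapshot(SNAPSHOT_T0), parse_snapshot(SNAPSHOT_T1), GATEWAYS)


if __name__ == "__main__":
    for sev, kind, subject, detail in run_demo():
        print("%-5s %-24s %-18s %s" % (sev, kind, subject, detail))
```

Kept as a five-minute cron job with the events written to the same database Valdis describes, this is the cheap version of Dan's port security: it does not stop the spoof, but it tells you which port it came from, and it does not disable anyone's port when they swap a card.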
in pressurized conduit - I fully believe some paranoid TLA's use 400PSI and a pressure-drop alarm as a deterrent. I keep hearing rumors that involve 400PSI nerve gas, and I'm not sure if anybody is THAT paranoid. ;)
It does not take 400 PSI, it just takes a couple more than atmospheric, and the really nasty sensors are not looking just for breaks, but for any pressure differential, such as caused by bending, moving, etc... but that's mostly for fiber in 'secure' installations.
*without* me seeing a "host key has changed" message decides to attack me, there isn't much I'll be able to do to stop him anyhow.
Yep, whether it's a local or wide area connection that means they have physical access and if they have that, you can only hope they don't break things. It's happened twice at my place. Once to prove that we could, the second by a colo customer that, after we verified things, retrieved his server from our dumpster. One of the problems with ethernet switches is it is easy to dup IPs as well as play with ARP, and not have immediate conflicts; the switch will send the packets to what it sees.
Yep. I've installed one network that was run in pressurized conduit. It wasn't high-pressure, but the pressure sensors were connected to an out-of-band dedicated network inside the conduit, and the pressure varied randomly over time. All the sensors had to read basically the same pressure as was being applied at that time, to keep the alarm from going off. This was just one element in an overall atmosphere of utter paranoia, so it didn't seem all that crazy at the time, about ten years ago. I thought it would yield lots of false-positives, but surprisingly, it didn't, and it was actually pretty good at pinpointing the location of any breaks or blockages, relative to the sensors. Ridiculously expensive.
-Bill
true, but I would point out that if it's your core equipment that you are accessing from your network that sits directly on the core then you should be happy with the fact that no one is eavesdropping and it makes no difference.
this is based on the fantasy that nobody inside is rotten. this is amusing at best, considering how much damage is done by inside jobs. randy
Randy Bush wrote:
this is based on the fantasy that nobody inside is rotten. this is amusing at best, considering how much damage is done by inside jobs.
esp. if you count that part of the damage that is not deliberately malicious (a.k.a. 'I was only trying to help'). Sources will relate over beer an interesting real-time full-sirens-and-lights attempt to trace and close down a hacker running all sorts of snoop programs etc. who turned out to be an employee 'only trying to help'. Also no end of restrictions on ACLs etc. are put there by people 'only trying to help', people who don't understand RCS editing RCS controlled files via su and laying a booby trap for someone later on, etc. etc. Perhaps this wasn't the 'rotten' / 'inside job' you meant, but it's >10 times more common, and >>10 times more dangerous.
-- Alex Bligh
Personal Capacity
On Tue, Jul 31, 2001 at 08:03:51AM -0700, Randy Bush exclaimed:
this is based on the fantasy that nobody inside is rotten. this is amusing at best, considering how much damage is done by inside jobs.
or, "paranoid enough isn't." I have yet to see a level of paranoia in the security arena high enough to be considered unhealthy.
On Tue, 31 Jul 2001, Mr. James W. Laferriere wrote:
Hi, We use des/3des ssh to access core equipment. The reasons are self explanatory I believe.
--Ariel
Hello All, I have charged myself with trying to find a statistic on how many individuals responsible for IP core equipment recommend telnet or ssh & why particularly. I will summarize. Tia, JimL
Hello All, Thank you for the dissertations & insight into the possible methods of compromising an authentication attempt. But, I am really interested more in 'Why' each responsible individual(s) chose either telnet or ssh to manage their Core equipment.
ssh
1) Has been the encrypted authentication.
telnet
1) Has been legacy OS's / Equipment only supporting telnet.
On Tue, 31 Jul 2001, Mr. James W. Laferriere wrote:
Hello All, I have charged myself with trying to find a statistic on how many individuals responsible for IP core equipment recommend telnet or ssh & why particularly. I will summarize.
Tia, JimL
I believe that folks are having problems saying why they use SSH instead of telnet, because the best practice is simply so self-evident. SSH gives you a measure of protection against bad people sniffing out your passwords. Telnet does not. SSH is encrypted. Telnet is not. It's pretty easy - only use telnet if you must. Use SSH if you possibly can. Of course, this also holds true for using scp instead of ftp, although scp isn't as widely supported, yet.
- Daniel Golding
Using ssh or some other form of encryption to connect to your routers is the best thing to do to avoid insecurity. The real question becomes ensuring good security practices by the user of ssh to connect to the system.

Some good practices but not necessarily requirements:

1) restricting the set of hosts by which one can connect with ssh so evil.user.example.com doesn't connect.

2) ensuring good password security (including the use of SecurID or some similar technology to prevent someone from standing over your keyboard).

3) Having sufficient security on your oob equipment to prevent some kiddy that gets unlimited local calls from finding your modem. (There is various technology that can be used here from caller-id to touch-tone password systems to secure your devices).

4) tacacs logging on your equipment that supports it.

5) Use some config versioning system to detect changes to configs and archive them. This aids in the "who removed X route" stuff. This allows you to audit tacacs.log as well as get diffs of the router configs when the change is made.

I'm sure someone could write a BCP or something like that for operating an internet connected network as far as securing your device(s).

- Jared

On Tue, Jul 31, 2001 at 09:23:58AM -0400, Mr. James W. Laferriere wrote:
Hello All , I have charged myself with trying to find a statistic on how many individuals responsible for IP core equipment recommend telnet or ssh & why particularly . I will summarize . Tia , JimL
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
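Jared's points 4 and 5 (tacacs logging plus a config versioning system that archives snapshots, diffs them, and lets you answer "who removed X route") are easy to wire together. The script below is an added example and is not code from the thread or from any vendor tool: it archives a snapshot only when the config changed, diffs two snapshots, and matches each added or removed line to the accounting record whose command would have produced it (the command itself for an added line, the "no" form for a removed one). The two config snapshots and the accounting lines are constructed for the demo; the accounting line layout is only loosely modelled on a tac_plus accounting file and is an assumption, not a spec.

```python
"""Router config archive, diff and TACACS+ accounting correlation.

Added example (not code from the thread). The config snapshots and the
accounting lines below are constructed for the demo; the accounting line
layout is only loosely modelled on a tac_plus accounting file.
"""
import difflib
import hashlib
import re

# Constructed "before" and "after" snapshots of an IOS-style config.
CONFIG_BEFORE = """\
hostname core1
!
ip route 10.0.0.0 255.0.0.0 192.0.2.1
ip route 172.16.0.0 255.240.0.0 192.0.2.1
!
line vty 0 4
 transport input telnet ssh
!
"""

CONFIG_AFTER = """\
hostname core1
!
ip route 10.0.0.0 255.0.0.0 192.0.2.1
!
line vty 0 4
 transport input ssh
!
"""

# Constructed accounting records: timestamp, NAS, user, tty, remote host,
# start/stop, then free-form attribute=value pairs (cmd= holds the command).
TACACS_LOG = """\
Jul 31 09:10:03 192.0.2.10 alice tty2 198.51.100.7 start task_id=51 service=shell
Jul 31 09:12:44 192.0.2.10 alice tty2 198.51.100.7 stop task_id=51 service=shell cmd=no ip route 172.16.0.0 255.240.0.0 192.0.2.1
Jul 31 09:12:50 192.0.2.10 alice tty2 198.51.100.7 stop task_id=52 service=shell cmd=transport input ssh
Jul 31 09:30:11 192.0.2.10 bob tty3 198.51.100.9 start task_id=60 service=shell
Jul 31 09:31:02 192.0.2.10 bob tty3 198.51.100.9 stop task_id=61 service=shell cmd=show ip route
"""

ACCT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<nas>\S+) (?P<user>\S+) "
    r"(?P<tty>\S+) (?P<rhost>\S+) (?P<kind>start|stop)(?P<attrs>.*)$"
)


def archive_snapshot(store, config_text):
    """Append a snapshot to the in-memory archive only if it differs from the
    newest one. Returns the snapshot's SHA-256 so a poller can log it."""
    digest = hashlib.sha256(config_text.encode()).hexdigest()
    if not store or store[-1][0] != digest:
        store.append((digest, config_text))
    return digest


def config_diff(before, after):
    """Return [(sign, line)] with '-' for removed and '+' for added lines."""
    a, b = before.splitlines(), after.splitlines()
    changes = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag in ("delete", "replace"):
            changes.extend(("-", line) for line in a[i1:i2])
        if tag in ("insert", "replace"):
            changes.extend(("+", line) for line in b[j1:j2])
    return changes


def parse_tacacs(log_text):
    """Parse accounting lines into dicts; 'cmd' is None for session records."""
    records = []
    for line in log_text.splitlines():
        m = ACCT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        cmd = re.search(r"\bcmd=(.*)$", rec.pop("attrs"))
        rec["cmd"] = cmd.group(1).strip() if cmd else None
        records.append(rec)
    return records


def attribute_changes(changes, records):
    """Match each config change to the accounting record whose command would
    produce it: an added line is the command itself, a removed line is its
    'no' form. Unmatched changes (e.g. the old half of an edited line, or a
    change made outside the AAA-logged path) keep user=None, which is itself
    worth alerting on."""
    commands = [r for r in records if r["cmd"]]
    report = []
    for sign, line in changes:
        want = line.strip()
        if sign == "-":
            want = "no " + want
        hit = next((r for r in commands if r["cmd"] == want), None)
        report.append({
            "change": sign,
            "line": line.strip(),
            "user": hit["user"] if hit else None,
            "from": hit["rhost"] if hit else None,
            "time": hit["ts"] if hit else None,
        })
    return report


if __name__ == "__main__":
    store = []
    archive_snapshot(store, CONFIG_BEFORE)
    archive_snapshot(store, CONFIG_BEFORE)   # unchanged: not archived twice
    archive_snapshot(store, CONFIG_AFTER)
    print(f"{len(store)} snapshots archived")
    latest_two = [text for _, text in store[-2:]]
    for entry in attribute_changes(config_diff(*latest_two), parse_tacacs(TACACS_LOG)):
        who = (f"{entry['user']}@{entry['from']} at {entry['time']}"
               if entry["user"] else "UNATTRIBUTED")
        print(f"{entry['change']} {entry['line']:<45} {who}")
```

The removed route is attributed to alice's "no ip route" command, while the old "transport input telnet ssh" line shows up unattributed because an edited line appears in the diff as a removal plus an addition and only the addition corresponds to a typed command; a real deployment would want the poller to snapshot on a timer and on every accounting stop record, so that each diff spans as few commands as possible.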
On Tue, 31 Jul 2001, Jared Mauch wrote:
5) Use some config versioning system to detect changes to configs and archive them. This aids in the "who removed X route" stuff. This allows you to audit tacacs.log as well as get diffs of the router configs when the change is made.
6) Finding a unix ssh that supports 3DES and DES.

I curse those OpenSSH folks for making me have to trudge through the code to find out how to get DES working...

6a) Finding a release on CCO that supports 3DES.

Charles
On Tue, 31 Jul 2001, Charles Sprickman wrote:
:6) Finding a unix ssh that supports 3DES and DES.
:
:I curse those OpenSSH folks for making me have to trudge through the code
:to find out how to get DES working...

DES is supported in openssh for protocol 1 in the client with ssh -c des.

also, does anyone curse cisco for refusing to support ssh protocol 2? they have much more resources than the openssh team.
On Tue, 31 Jul 2001, Kevin Steves wrote:
On Tue, 31 Jul 2001, Charles Sprickman wrote:
:6) Finding a unix ssh that supports 3DES and DES.
:
:I curse those OpenSSH folks for making me have to trudge through the code
:to find out how to get DES working...
DES is supported in openssh for protocol 1 in the client with ssh -c des.
Ooops. The FreeBSD port I built from is trailing a bit:

    spork@tiny[~]$ ssh -V
    SSH Version OpenSSH_2.2.0, protocol versions 1.5/2.0.

And:

    spork@tiny[~]$ ssh -c des 216.223.x.x
    Unknown cipher type 'des'

However it appears newer versions include it, but warn you:

    oscar[/var/spool/tftp/ios]# ssh -c des -l foo 216.223.x.x
    Warning: use of DES is strongly discouraged due to cryptographic weaknesses
    foo@216.223.x.x's password:

Sorry for the noise,

Charles
also, does anyone curse cisco for refusing to support ssh protocol 2? they have much more resources than the openssh team.
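The exchange above turns on two things you can only learn from the peer itself: which protocol generation a box speaks (Kevin's point that DES exists only in protocol 1, and the question of whether the router supports protocol 2 at all) and which ciphers it will negotiate (Charles's hunt for 3DES). Both are visible on the wire before any encryption starts. The script below is an added example, not code from the thread or from OpenSSH: it parses the identification string (RFC 4253 section 4.2, where a "1.99" protoversion is the RFC's signal that a server speaks both 1.x and 2.0) and the name-lists of a KEXINIT payload (section 7.1), then flags ciphers a reviewer would not want a core router to offer. The banner string, the KEXINIT contents and the hypothetical "ExampleRouterOS" name are constructed for the demo and do not describe any real device; a real tool would read these bytes from a socket after stripping the packet length, padding and MAC fields.

```python
"""Tell from the wire what an SSH peer offers: protocol generation from the
identification string (RFC 4253 s.4.2 and 5.1) and cipher name-lists from its
KEXINIT (s.7.1). Added example, not code from the thread; the banner and
KEXINIT below are constructed and do not describe any real device. Protocol 1
(where "des" lived) has no KEXINIT, so only the banner reveals it."""
import struct

SSH_MSG_KEXINIT = 20

# Algorithm names worth flagging if a device still offers them. "none" is
# the no-encryption option; the rest are 64-bit block or RC4 ciphers.
WEAK_CIPHERS = {
    "none": "no encryption",
    "3des-cbc": "64-bit block cipher (3DES)",
    "blowfish-cbc": "64-bit block cipher",
    "arcfour": "RC4 keystream biases",
}

# The ten name-lists of a KEXINIT, in wire order.
NAME_LISTS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def parse_banner(line):
    """Parse 'SSH-protoversion-softwareversion [comments]\\r\\n'.
    '1.99' is the RFC's signal that a server speaks both 1.x and 2.0."""
    text = line.decode("ascii", "replace").rstrip("\r\n")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    _, proto, rest = text.split("-", 2)
    return {
        "protoversion": proto,
        "software": rest.split(" ", 1)[0],
        "supports_v1": proto.startswith("1."),
        "supports_v2": proto in ("1.99", "2.0"),
    }


def name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def read_name_list(buf, off):
    """Decode one name-list at offset off; return (names, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return (raw.split(",") if raw else []), off + n


def build_kexinit(cookie, kex, hostkey, enc, mac, comp):
    """Serialise a KEXINIT payload, using one list for both directions."""
    assert len(cookie) == 16
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, [], []):
        body += name_list(names)
    # first_kex_packet_follows = FALSE, then uint32 reserved (0)
    return body + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Parse a KEXINIT payload (packet length, padding and MAC already
    stripped; KEXINIT itself is always sent unencrypted)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, out = 17, {}          # message byte + 16-byte cookie
    for field in NAME_LISTS:
        out[field], off = read_name_list(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def weak_ciphers_offered(kexinit):
    """Weak ciphers offered in either direction, as sorted (name, reason)."""
    offered = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    return sorted((c, WEAK_CIPHERS[c]) for c in offered if c in WEAK_CIPHERS)


# Constructed sample: a hypothetical router that still speaks protocol 1
# and offers 3DES alongside AES. Not captured from any real device.
SAMPLE_BANNER = b"SSH-1.99-ExampleRouterOS_1.0\r\n"
SAMPLE_KEXINIT = build_kexinit(
    cookie=bytes(range(16)),
    kex=["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    hostkey=["ssh-rsa"],
    enc=["aes128-cbc", "3des-cbc"],
    mac=["hmac-sha1", "hmac-md5"],
    comp=["none"],
)

if __name__ == "__main__":
    banner = parse_banner(SAMPLE_BANNER)
    print(f"{banner['software']}: v1={banner['supports_v1']} v2={banner['supports_v2']}")
    kex = parse_kexinit(SAMPLE_KEXINIT)
    print("ciphers offered:", kex["enc_s2c"])
    for name, reason in weak_ciphers_offered(kex):
        print(f"  WEAK {name}: {reason}")
```

Run against a fleet, the two checks answer the thread's questions directly: a "1.99" or "1.x" banner means the box still accepts protocol 1 (and therefore possibly single DES), and the enc_c2s/enc_s2c lists show whether 3DES is the best the image can do or merely one of the options a client could be downgraded to.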
On Tue, 31 Jul 2001, Charles Sprickman wrote:
On Tue, 31 Jul 2001, Kevin Steves wrote:
On Tue, 31 Jul 2001, Charles Sprickman wrote: :6) Finding a unix ssh that supports 3DES and DES.
DES (not 3DES) is a compile-time option for SSH1 (the default is not to support DES). Try to convince the person in charge of SSH that even SSH1+DES, while weak, is much better than cleartext telnet....

- Rafi
On Tue, 31 Jul 2001, Charles Sprickman wrote:
6a) Finding a release on CCO that supports 3DES.
You need to get an authorization (if you're out of US - maybe even if you're in US) to get Cisco to let you download 3des versions of IOS. --Ariel
-- Ariel Biener e-mail: ariel@post.tau.ac.il PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html
participants (23)
- Alex Bligh
- alex@yuriev.com
- Ariel Biener
- Bill Woodcock
- Bob K
- Charles Sprickman
- Dan Hollis
- Daniel Golding
- Deepak Jain
- fingers
- Gary E. Miller
- Greg Maxwell
- Jared Mauch
- Kevin Steves
- mike harrison
- Mr. James W. Laferriere
- Rafi Sadowsky
- Randy Bush
- Roeland Meyer
- Scott Francis
- Stephen J. Wilcox
- up@3.am
- Valdis.Kletnieks@vt.edu