RE: ABOVE.NET SECURITY TRUTHS?
Maybe I should read the entire message before responding.. hehe.. =)

A switched private management LAN resolves the cleartext problem.

SSH version 1 is apparently supported in 12.0 as well (never played w/ it, so dunno how well it works);
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s5/sshv1.htm

..Dylan

| -----Original Message-----
| From: Paul Froutan [mailto:pfroutan@rackspace.com]
| Sent: Friday, April 28, 2000 4:46 PM
| To: rmeyer@mhsc.com
| Cc: nanog@merit.edu
| Subject: RE: ABOVE.NET SECURITY TRUTHS?
|
| I don't think you can. However, I use TACACS on all my switches and
| routers. From what I know, TACACS passwords are encrypted using the key on
| your network devices and the TACACS server. So, that, in combination with
| a private management LAN not accessible by your customers should lock down
| your network pretty effectively. Any comments?
|
| At 4/28/00 -0700, you wrote:
|
| > > Exiled Dave
| > > Sent: Friday, April 28, 2000 1:10 PM
| >
| > > Lets think about this, cisco in no way has such a flaw
| > > that would allow someone to 'root' and erase all the
| > > info on switches. The password was sniffed.
| >
| > Can one setup SSH on a Cisco 6509?
|
| Paul Froutan                       Email: pfroutan@rackspace.com
| Rackspace, Ltd <http://www.rackspace.com>
Hello Dylan,
	Knew this was coming. But I'd hoped that the supported platforms would have been a little larger. Just the 7200 & UP. Seems Cisco thinks ssh puts a bit of load on a CPU? I can't see that for just a terminal session though.
	Twyl, JimL

On Fri, 28 Apr 2000, Greene, Dylan wrote:
> Maybe I should read the entire message before responding.. hehe.. =)
>
> A switched private management lan resolves the cleartext problem.
>
> SSH version 1 is apparently supported in 12.0 as well (never played w/ it, so dunno how well it works);
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s5/sshv1.htm
>
> ..Dylan
+----------------------------------------------------------------+
| James W. Laferriere       | System Techniques  | Give me VMS   |
| Network Engineer          | 25416 22nd So      | Give me Linux |
| babydr@baby-dragons.com   | DesMoines WA 98198 | only on AXP   |
+----------------------------------------------------------------+
For a long time, the reason was US export restrictions. Those have only recently been lifted, but not lifted completely. The penalties still have enough teeth in them to make roll-out more than a bit touchy. I'm actually surprised to hear that SSH is out already, in IOS v12.x. Since I play almost exclusively with Cat 6509's and 3512/24 XL's I haven't seen it, or maybe I wasn't looking.
From: Mr. James W. Laferriere [mailto:babydr@baby-dragons.com]
Sent: Friday, April 28, 2000 2:34 PM

> Hello Dylan,
> 	Knew this was coming. But I'd hoped that the supported platforms would have been a little larger. Just the 7200 & UP. Seems cisco thinks ssh puts a bit of load on a cpu? I can't see that for just a terminal session though.
> 	Twyl, JimL
On Fri, 28 Apr 2000, Mr. James W. Laferriere wrote:
|
| Hello Dylan, Knew this was coming. But I'd hoped that
| the supported platforms would have been a little larger.
| Just the 7200 & UP. Seems cisco thinks ssh puts a bit
| of load on a cpu? I can't see that for just a terminal
| session though. Twyl, JimL
|

The ssh server should optimally generate new keys every so often (every few hours?) This generally takes a lot of CPU time, and on a 2501 it would probably take quite a while!!! Also, the ssh server requires more memory than a telnet server. This is a problem for older routers.

While I'm at it, I believe Cisco is/will be using the OpenSSH code for newer implementations of ssh under IOS.

---
Reverend Chris Cappuccio
http://www.dqc.org/~chris/
Chris Cappuccio writes:
The ssh server should optimally generate new keys every so often (every few hours?)
This generally takes a lot of CPU time, and on a 2501 it would probably take quite a while!!!
So let it. There's usually no rush. A low priority process that begins generating a key immediately should have one ready by the time you'd like it changed. More problematic is the processing requirements of encryption and decryption, and the memory overhead overall.
-----Original Message-----
From: Greene, Dylan [mailto:DGreene@NaviSite.com]
Sent: Friday, April 28, 2000 2:10 PM
To: 'Paul Froutan'; rmeyer@mhsc.com
Cc: nanog@merit.edu
Subject: RE: ABOVE.NET SECURITY TRUTHS?

> Maybe I should read the entire message before responding.. hehe.. =)
>
> A switched private management lan resolves the cleartext problem.
>
> SSH version 1 is apparently supported in 12.0 as well (never played w/ it, so dunno how well it works);
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s5/sshv1.htm

The private net is still subject to wire-tap tricks. If the switch supports SSH1 then that should be sufficient. MHSC.NET, and every host I set up for dot-com clients, gets a telnetd/ftpd-ectomy for free. If it needs CLI access, it gets SSH or you have to go to the console. Even X11 and SMB sessions are forwarded through SSH. Given this sort of secure environment, plain-text Cisco sessions stand out like a sore thumb to a sniffer. They only have to look for the packets that are NOT encrypted. A private net is even worse: you are guaranteed that each packet is part of a network management session.

> ..Dylan
>
> | -----Original Message-----
> | From: Paul Froutan [mailto:pfroutan@rackspace.com]
> | Sent: Friday, April 28, 2000 4:46 PM
> | To: rmeyer@mhsc.com
> | Cc: nanog@merit.edu
> | Subject: RE: ABOVE.NET SECURITY TRUTHS?
> |
> | I don't think you can. However, I use TACACS on all my switches and
> | routers. From what I know, TACACS passwords are encrypted using the key on
> | your network devices and the TACACS server. So, that, in combination with
> | a private management LAN not accessible by your customers should lock down
> | your network pretty effectively. Any comments?
> |
> | At 4/28/00 -0700, you wrote:
> |
> | > > Exiled Dave
> | > > Sent: Friday, April 28, 2000 1:10 PM
> | >
> | > > Lets think about this, cisco in no way has such a flaw
> | > > that would allow someone to 'root' and erase all the
> | > > info on switches. The password was sniffed.
> | >
> | > Can one setup SSH on a Cisco 6509?
> |
> | Paul Froutan                       Email: pfroutan@rackspace.com
> | Rackspace, Ltd <http://www.rackspace.com>
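The point made above, that a private management LAN hands a sniffer a stream made entirely of management sessions, is one you can check for rather than argue about. The script below is an added example for this thread, not code from any of the posters: it reads connection-log lines from a management LAN (a constructed format, with constructed addresses and sample lines) and flags every session to a managed device that is not SSH, and every session that did not come from a NOC host. The network, the NOC addresses and the port-to-protocol tables are assumptions for the example.

```python
"""Audit management-plane sessions for cleartext protocols.

Added example for this thread, not code from any poster: the thread argues
that a private management LAN does not by itself remove the cleartext risk,
because a sniffer on that LAN sees nothing but management traffic. This
script takes connection-log lines from such a LAN and flags every session to
a network device that is not SSH, plus every session that did not originate
from a NOC host. All addresses and log lines below are constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values: the management LAN and the NOC hosts allowed on it.
MGMT_NET = ip_network("10.255.0.0/24")
NOC_HOSTS = {ip_address("10.255.0.10"), ip_address("10.255.0.11")}

# Management protocols that carry credentials or config in cleartext,
# keyed by destination port, and the ones that are encrypted end to end.
CLEARTEXT_PORTS = {23: "telnet", 21: "ftp", 69: "tftp", 80: "http", 161: "snmp"}
ENCRYPTED_PORTS = {22: "ssh", 443: "https"}

# Constructed connection-log format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_log(text):
    """Turn log lines into Flow records, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            flows.append(Flow(m["ts"], m["proto"], m["src"], m["dst"], int(m["dport"])))
    return flows


def audit(flows):
    """Return (flow, reason) pairs for every management session that breaks policy."""
    findings = []
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if dst not in MGMT_NET:
            continue  # not a session to a managed device; out of scope
        if f.dport in CLEARTEXT_PORTS:
            findings.append((f, f"cleartext {CLEARTEXT_PORTS[f.dport]} session to device"))
        elif f.dport not in ENCRYPTED_PORTS:
            findings.append((f, f"unexpected {f.proto}/{f.dport} on management LAN"))
        if src not in NOC_HOSTS:
            findings.append((f, f"session from non-NOC host {f.src}"))
    return findings


# Constructed sample log: one clean SSH login, one telnet login, one SSH login
# from a host that is not in the NOC, one TFTP transfer, and one flow that is
# not to the management LAN at all.
SAMPLE_LOG = """
2000-04-28T21:46:03 tcp 10.255.0.10:4123 -> 10.255.0.1:22
2000-04-28T21:47:10 tcp 10.255.0.10:4124 -> 10.255.0.2:23
2000-04-28T21:48:44 tcp 10.255.0.77:1025 -> 10.255.0.1:22
2000-04-28T21:49:01 udp 10.255.0.10:2049 -> 10.255.0.3:69
2000-04-28T21:50:22 tcp 10.255.0.10:4130 -> 192.0.2.5:80
"""

if __name__ == "__main__":
    for flow, reason in audit(parse_log(SAMPLE_LOG)):
        print(f"{flow.ts} {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Run against the sample log it reports three findings: the telnet login, the TFTP transfer, and the SSH login from the host outside the NOC. The last one is the case the TACACS-plus-private-LAN design above does not catch on its own, since an encrypted session from the wrong source is still an intruder.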
On Fri, 28 Apr 2000, Greene, Dylan wrote:
SSH version 1 is apparently supported in 12.0 as well (never played w/ it, so dunno how well it works);
It is in some of the 12.0(x) S trains (S == 'service provider'). I am running 12.0(9)S on some 7507s and they have been doing fine (light load). There are still some quirks tho, at least in the release I am running:

jason@web1:~$ ssh -l jason -c 3des x.y.z.1
jason@x.y.z.1's password:
r1>show slaveslot0:
-#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name
1   .. image    F5DA8D1A 6FCD3C  19   7195836  Jan 16 2000 08:31:12 rsp-jv-mz.111-27.CC
2   .. image    D8598D7C F7BFD4  23   8909336  Mar 26 2000 09:21:21 rsp-k4pv-mz.120-9.S.bin
Local: Corrupted check bytes on input.
jason@web1:~$

So just don't do a 'show slaveslot0:' over SSH :-) Anyone else have this problem? Works fine via console or (shudder) telnet..

As far as CPU load (from a show proc cpu):

PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 28         640       213       3004  0.00%  0.13%  0.12%   2 SSH Process

This is with little EXEC work, I did a few 'show int' then the 'show proc cpu'.

Memory (show proc mem):

PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
 28   2     603464     596892      13368          0          0 SSH Process
 99   0    2089744    1218112       6892          0          0 SSH Event handle

I would assume that the SSH processing happens only on the main CPU, would be cool to offload it to one/some of the VIPs..

As far as SSH on other models, if you have ever tried to get IPsec / crypto working on a 2500, you know why it's a bad idea :)

SSH on 6509s, that would be great! Still fighting with the idea of running real IOS on 6500s, if the real IOS part contains SSH, you can bet I would upgrade sooner than later. Anyone running 'real' IOS on 6500s? Any gotchas or superbugs?

cheers,
-- jason
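The CPU and memory figures Jason quotes are the kind of thing worth polling over time rather than reading once. The following is an added example for this thread, not code from any poster or from Cisco: it parses the per-process rows of the two IOS tables shown above ('show proc cpu' and 'show proc mem') and sums what the SSH processes are costing. The SSH rows in the sample text repeat the figures quoted in the thread; the other rows, the summary lines and the column widths are constructed, and the column layout is assumed to match the output above.

```python
"""Extract the SSH server's CPU and memory figures from IOS 'show processes' output.

Added example for this thread, not code from any poster or from Cisco: the
thread worries about what an SSH server costs an IOS router in CPU and
memory. This parses the per-process tables of 'show proc cpu' and
'show proc mem' so the SSH processes can be polled and trended instead of
read by eye. The SSH rows below repeat the figures quoted in the thread;
the other rows are constructed filler.
"""
import re

# One data row of 'show processes cpu':
# PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
CPU_ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<runtime>\d+)\s+(?P<invoked>\d+)\s+(?P<usecs>\d+)\s+"
    r"(?P<s5>[\d.]+)%\s+(?P<m1>[\d.]+)%\s+(?P<m5>[\d.]+)%\s+(?P<tty>\d+)\s+(?P<name>\S.*?)\s*$"
)

# One data row of 'show processes memory':
# PID TTY Allocated Freed Holding Getbufs Retbufs Process
MEM_ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<tty>\d+)\s+(?P<alloc>\d+)\s+(?P<freed>\d+)\s+(?P<holding>\d+)\s+"
    r"(?P<getbufs>\d+)\s+(?P<retbufs>\d+)\s+(?P<name>\S.*?)\s*$"
)


def parse_proc_cpu(text):
    """Map process name -> CPU stats; header and summary lines do not match and are skipped."""
    out = {}
    for line in text.splitlines():
        m = CPU_ROW.match(line)
        if m:
            out[m["name"]] = {
                "pid": int(m["pid"]),
                "runtime_ms": int(m["runtime"]),
                "cpu_5sec": float(m["s5"]),
                "cpu_1min": float(m["m1"]),
                "cpu_5min": float(m["m5"]),
            }
    return out


def parse_proc_mem(text):
    """Map process name -> memory stats in bytes."""
    out = {}
    for line in text.splitlines():
        m = MEM_ROW.match(line)
        if m:
            out[m["name"]] = {
                "pid": int(m["pid"]),
                "allocated": int(m["alloc"]),
                "freed": int(m["freed"]),
                "holding": int(m["holding"]),
            }
    return out


def ssh_cost(cpu_text, mem_text):
    """Sum the 5-minute CPU share and held memory of every process whose name starts with 'SSH'."""
    cpu = parse_proc_cpu(cpu_text)
    mem = parse_proc_mem(mem_text)
    ssh_names = {n for n in list(cpu) + list(mem) if n.startswith("SSH")}
    return {
        "processes": sorted(ssh_names),
        "cpu_5min_pct": round(sum(cpu[n]["cpu_5min"] for n in ssh_names if n in cpu), 2),
        "holding_bytes": sum(mem[n]["holding"] for n in ssh_names if n in mem),
    }


# Constructed sample output; the SSH rows carry the figures from the thread.
SAMPLE_CPU = """\
CPU utilization for five seconds: 2%/0%; one minute: 2%; five minutes: 2%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1         100       300        333  0.00%  0.00%  0.00%   0 Load Meter
  28         640       213       3004  0.00%  0.13%  0.12%   2 SSH Process
"""

SAMPLE_MEM = """\
Total: 65536000, Used: 12345678, Free: 53190322
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0     123456      65432      78000          0          0 *Init*
  28   2     603464     596892      13368          0          0 SSH Process
  99   0    2089744    1218112       6892          0          0 SSH Event handle
"""

if __name__ == "__main__":
    print(ssh_cost(SAMPLE_CPU, SAMPLE_MEM))
```

The two SSH rows together hold about 20 KB and a 5-minute CPU share of 0.12%, which is what the figures above say an idle-ish session costs on a 7507; feeding the same parser the output from a smaller box is how you would find out whether the CPU worry voiced earlier in the thread applies to it.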
SSH version 1 is apparently supported in 12.0 as well (never played w/ it, so dunno how well it works);
<snip>
So just don't do a 'show slaveslot0:' over SSH :-) Anyone else have this problem? Works fine via console or (shudder) telnet..
<snip>
SSH on 6509s , that would be great! Still fighting with the idea of running real IOS on 6500s, if the real IOS part contains SSH, you can bet I would upgrade sooner than later. Anyone running 'real' IOS on 6500s? Any gotchas or superbugs?
I have a VERY novel idea for you all and since no one has mentioned it, here goes:

NOC----------Management Network---------SSH Drone
                                         |    |
                                         |    |
                       Serial Lines ->   |    |
                                         |    |
                               ---Router1|    |--Switch1
                              |               |
                              -Router2        -Switch2

I know. It's just too simple and it scales so very well so, it MUST be a bad idea.

Even if you don't have a dedicated management network, you just put a box that speaks SSH out there with serial access to your routers/switches.

If you DO have a management network, you connect that to it as well.

No matter what, you're secure to the SSH drone, and if someone is in your cabinets tapping the serial lines, you've got big physical security problems to deal with and you might as well flat out give up on network security.

A Force Recon colonel once told me, "If it's a stupid idea, and it works, it must not be a stupid idea."

---
John Fraizer
Actually doing that now, with a Linux box and an old Livingston PM2E. Linux box runs SSHD, the portmaster runs directly into console ports 'stead of modems. I figured that was obvious. However, I don't run a co-lo either. Most of my systems reside in them. This is okay, until your ladders have to run through semi-public space. There is also a 50 foot length restriction, on RS-232 lines, unless you like running at less than 115K baud. Also, figure the expense of the extra hardware. In my case, it was unused sunk-cost anyway (surplus, for you non-suits).
From: John Fraizer
Sent: Friday, April 28, 2000 6:31 PM
SSH version 1 is apparently supported in 12.0 as well (never played w/ it, so dunno how well it works);
<snip>
So just don't do a 'show slaveslot0:' over SSH :-) Anyone else have this problem? Works fine via console or (shudder) telnet..
<snip>
SSH on 6509s , that would be great! Still fighting with the idea of running real IOS on 6500s, if the real IOS part contains SSH, you can bet I would upgrade sooner than later. Anyone running 'real' IOS on 6500s? Any gotchas or superbugs?
I have a VERY novel idea for you all and since no one has mentioned it, here goes:
NOC----------Management Network---------SSH Drone
                                         |    |
                                         |    |
                       Serial Lines ->   |    |
                                         |    |
                               ---Router1|    |--Switch1
                              |               |
                              -Router2        -Switch2
I know. It's just too simple and it scales so very well so, it MUST be a bad idea.
Even if you don't have a dedicated management network, you just put a box that speaks SSH out there with serial access to your routers/switches.
If you DO have a management network, you connect that to it as well.
No matter what, you're secure to the SSH drone, and if someone is in your cabinets tapping the serial lines, you've got big physical security problems to deal with and you might as well flat out give up on network security.
A Force Recon colonel once told me, "If it's a stupid idea, and it works, it must not be a stupid idea."
--- John Fraizer
participants (7)
- Chris Cappuccio
- Greene, Dylan
- Jason Ackley
- John Fraizer
- Mark Milhollan
- Mr. James W. Laferriere
- Roeland Meyer (E-mail)